| /* ### | |
| * IP: GHIDRA | |
| * | |
| * Licensed under the Apache License, Version 2.0 (the "License"); | |
| * you may not use this file except in compliance with the License. | |
| * You may obtain a copy of the License at | |
| * | |
| * http://www.apache.org/licenses/LICENSE-2.0 | |
| * | |
| * Unless required by applicable law or agreed to in writing, software |
| import dataclasses | |
| class int32(int): | |
| @staticmethod | |
| def p(x): | |
| return p32(x) | |
| class int16(int): | |
| @staticmethod | |
| def p(x): |
| # Create a stub hook for exported functions, with a poormans backward-edges CFI check | |
| #@author nick0ve | |
| #@category elf | |
| import os | |
| from ghidra.program.model.symbol import RefType | |
| from ghidra.app.util.opinion import ElfLoader | |
| from ghidra.util import NumericUtilities |
| Java.perform(function () { | |
| // Get PINActivity instance | |
| var PINActivityInstance; | |
| Java.choose('org.wormcon.vaultgame.PINActivity', { | |
| onMatch: function (instance) { | |
| PINActivityInstance = instance; | |
| }, | |
| onComplete: function () { } | |
| }); |
https://stackoverflow.com/questions/20380204/how-to-load-multiple-symbol-files-in-gdb
python
# Note: Replace "readelf" with path to binary if it is not in your PATH.
READELF_BINARY = 'readelf'
class AddSymbolFileAuto (gdb.Command):
"""Load symbols from FILE, assuming FILE has been dynamically loaded (auto-address).
Usage: add-symbol-file-auto FILE [-readnow | -readnever]
| // Futex Waiter Kernel Stack Use After free | |
| // Vuln inspired by CVE-2021-3347 | |
| // exploit tech ref https://elongl.github.io/exploitation/2021/01/08/cve-2014-3153.html | |
| // leak kernel stack and overwrite kernel stack return address to userspace ( SMAP & SMEP disable) | |
| // gcc exp.c -static -masm=intel -o exp | |
| #define _GNU_SOURCE /* See feature_test_macros(7) */ | |
| #include <sys/socket.h> | |
| #include <string.h> | |
| #include <linux/futex.h> | |
| #include <stdint.h> |
| 5yyyy-MM-dd HH:mm:ssyyyy_MM_dd_HH_mm_ss<br><hr>ObjectLengthChainingModeGCMAuthTagLengthChainingModeKeyDataBlobAESMicrosoft Primitive ProviderCONNECTIONKEEP-ALIVEPROXY-AUTHENTICATEPROXY-AUTHORIZATIONTETRAILERTRANSFER-ENCODINGUPGRADE%startupfolder%\%insfolder%\%insname%/\%insfolder%\Software\Microsoft\Windows\CurrentVersion\Run%insregname%SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\RunTrue%GETMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0OKhi_keep_searching\ttYSELECT * FROM Win32_ProcessorName MBUnknownCOCO_-_.zip yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time: MM/dd/yyyy HH:mm:ssUser Name: Computer Name: OSFullName: CPU: RAM: IP Address: New Recovered!User Name: OSFullNameuninstallSoftware\Microsoft\Windows NT\CurrentVersion\WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera BrowserOpera Software\Opera StableYandex BrowserYandex\YandexBrowser\User DataIridiu |
| #Checks system calls for command injection patterns | |
| #@author | |
| #@category HackOvert | |
| #@keybinding | |
| #@menupath | |
| #@toolbar | |
| from ghidra.app.decompiler import DecompileOptions | |
| from ghidra.app.decompiler import DecompInterface | |
| from ghidra.program.model.pcode import Varnode |
| # source:http://reocities.com/SiliconValley/heights/7052/opcode.txt | |
| From: mark@omnifest.uwm.edu (Mark Hopkins) | |
| Newsgroups: alt.lang.asm | |
| Subject: A Summary of the 80486 Opcodes and Instructions | |
| (1) The 80x86 is an Octal Machine | |
| This is a follow-up and revision of an article posted in alt.lang.asm on | |
| 7-5-92 concerning the 80x86 instruction encoding. | |
| The only proper way to understand 80x86 coding is to realize that ALL 80x86 |