
oopsmishap / 5obuppquxz.txt
Last active September 27, 2022 19:28
handletest_x86.dmp.trace
0x4010c0 handletest_x86.exe|push ebp|ebp=0x19ff74|esp=0x19ff2c
0x4010c1 handletest_x86.exe|mov ebp, esp|esp=0x19ff28
0x4010c3 handletest_x86.exe|push 0x41e9bc|esp=0x19ff28
0x4010c8 handletest_x86.exe|call 0x401080|esp=0x19ff24|eip=0x4010c8
0x401080 handletest_x86.exe|push ebp|ebp=0x19ff28|esp=0x19ff20
0x401081 handletest_x86.exe|mov ebp, esp|esp=0x19ff1c
0x401083 handletest_x86.exe|sub esp, 8|esp=0x19ff1c
0x401086 handletest_x86.exe|lea eax, [ebp + 0xc]|ebp=0x19ff1c
0x401089 handletest_x86.exe|mov dword ptr [ebp - 4], eax|ebp=0x19ff1c|eax=0x19ff28
0x40108c handletest_x86.exe|mov ecx, dword ptr [ebp - 4]|ebp=0x19ff1c
oopsmishap / stl_types.py
Created October 28, 2022 09:24
STLTypes by Rolf Rolles with string
# (C) Rolf Rolles, Mobius Strip Reverse Engineering, 9/21/2021.
import idaapi
from functools import reduce
# str.format template for the C declaration of one STL map node.
# Placeholders: {0} = key type, {1} = value type, {2} and {3} are joined
# into the struct tag "<2>_<3>_keyvalue_t". The doubled braces are
# format-escapes so the emitted text contains literal '{' and '}'.
stl_map_keyvalue_fmt = "struct {2}_{3}_keyvalue_t{{{0} key;{1} value;}};"
oopsmishap / DispatchDeviceControl.c
Last active November 7, 2022 21:45
DispatchDeviceControl
__int64 __fastcall DispatchDeviceControl(PDEVICE_OBJECT DeviceObject, IRP *arg_irp)
{
__int64 idx; // rdi
_IO_STACK_LOCATION *CurrentStackLocation; // rbx
ULONG_PTR len; // rdi
ULONG InputBufferLength; // esi
unsigned __int64 OutputBufferLength; // r12
int v8; // esi
void *SystemBuffer; // r15
char v10; // al
oopsmishap / _rhadamanthys_stage3_unpacker.py
Last active March 18, 2023 16:10
Rhadamanthys stage3 unpacker
import struct
def extract_stage3(stage3_buffer):
# struct stage3_header
# {
# uint32_t magic;
# uint16_t block_count;
# uint16_t header_size;
# uint32_t entry_offset;
oopsmishap / astaroth_hide_timewasters.py
Created January 31, 2023 21:33
Astaroth hide timewaster function calls
import idautils
import idaapi
import ida_bytes
import ida_search
import ida_segment
import ida_nalt
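def find_function(pattern):
    """Search the ``.text`` segment for a byte pattern and return its address.

    Args:
        pattern: byte pattern in ``ida_search.find_binary`` syntax; the
            radix passed below is 16, so the pattern is written as hex bytes.

    Returns:
        The first match found scanning downward from the start of ``.text``.
        Returns ``idaapi.BADADDR`` when the binary has no segment named
        ``.text`` (``find_binary`` reports "no match" the same way, so callers
        only need one sentinel check).
    """
    text = ida_segment.get_segm_by_name('.text')
    # get_segm_by_name returns None for a missing or renamed segment (packed
    # or stripped samples often lack a plain ".text"); fail with the usual
    # not-found sentinel rather than an AttributeError on .start_ea.
    if text is None:
        return idaapi.BADADDR
    return ida_search.find_binary(text.start_ea, text.end_ea, pattern, 16, ida_search.SEARCH_DOWN)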
oopsmishap / ref_sample.c
Created February 16, 2023 22:53
matching_crypt_compression_algo
int __stdcall sub_10001100(_DWORD *a1, unsigned int a2, unsigned int a3)
{
_DWORD *v3; // edi
unsigned int v4; // ebx
unsigned int v5; // esi
int v6; // edx
unsigned int v7; // eax
int v8; // ecx
unsigned int v9; // edx
unsigned __int16 *v10; // edx
oopsmishap / _hellowrold.ipynb
Last active May 28, 2023 22:20
hellowrold malware
#pragma once
#include <stdint.h>
#include "win_helper.h"
namespace poc_kit
{
namespace pattern
{
oopsmishap / pxor_string_decrypt_wip.py
Last active November 26, 2023 22:19
WIP: pxor string via janky emulation
import time
from typing import List
import pefile
from capstone import *
from capstone.x86 import *
import re
import struct
# SAMPLE_PATH = 'bin/enc_string_test.bin32'
# Path of the binary whose strings are decrypted by this script. The 64-hex
# file name looks like the sample's SHA-256 (the usual malware-zoo naming);
# NOTE(review): this is a live malware sample, so keep it in an isolated
# analysis VM and only ever parse/emulate it (pefile + capstone), never run it.
SAMPLE_PATH: str = 'bin/2cd2f077ca597ad0ef234a357ea71558d5e039da9df9958d0b8bd0efa92e74c9.bin32'
oopsmishap / _jmp_deobfuscator.md
Last active June 27, 2024 07:44
IDA Jmp Deobfuscation Script