Ryan Hitchman rmmh

  • Boulder, Colorado
@rmmh
rmmh / stripe_ctf_2011.txt
Created February 23, 2013 08:46
Stripe Postmortems
level01: e9gx26YEb2
$ cat > date << EOF
#!/usr/bin/env python
print open("/home/level02/.password").read()
EOF
$ chmod +x date
$ export PATH=.:$PATH
$ /levels/level01
@rmmh
rmmh / aht.py
Created March 5, 2013 10:23
android app hacking helper script. depends on apktool, dex2jar, fernflower, android tools
#!/usr/bin/python2.7
import os
import re
import sys
import subprocess
def usage():
    print '''usage: %s pull <name> | push <dir>''' % sys.argv[0]
    sys.exit(1)
@rmmh
rmmh / DCPU16_cycle_count.md
Last active December 14, 2015 12:49
DCPU16 Cycle Count Proposal

Motivations

  • simplify cycle counting so it's easier to understand
  • make the time it takes to emulate 100kcycles more regular

Theory

Memory access has inconsistent costs currently. When decoding instructions it costs cycles, but things like [A] don't. For both a "real" DCPU and the emulator (assuming typical cache behavior), memory accesses are more expensive than register accesses.

@rmmh
rmmh / castledoctrineviz.py
Last active December 15, 2015 12:49
CastleDoctrine interaction graph generator. Requires CastleDoctrine source code, Python 3, graphviz, imagemagick.
#!/usr/bin/env python3
import collections
import os
import re
import sys
import subprocess
State = collections.namedtuple('State', 'num properties name sprite')
Edge = collections.namedtuple('Edge', 'events begin end')
@rmmh
rmmh / ecc.c
Last active December 16, 2015 05:29
Simple single-byte error correction for short messages using two check bytes.
// Single-byte error correction for messages <255 bytes long
// using two check bytes. Based on "CA-based byte error-correcting code"
// by Chowdhury et al.
//
// rmmh 2013
//
// This code is released into the public domain.
uint8_t lfsr(uint8_t x) {
    return (x >> 1) ^ (-(x&1) & 0x8E);
@rmmh
rmmh / DPU16.txt
Created August 27, 2013 15:52
DCPU-16 protection unit spec.
DCPU-16 Hardware Info:
Name: DPU16 -- DCPU Protection Unit (16-process version)
ID: 0x1071c17b, version: 0x1000
Manufacturer: 0xcafe31aa
Description:
The DPU prevents unauthorized access to memory and hardware peripherals.
Access permissions are determined by the process ID's bit being set in the
corresponding mask.
@rmmh
rmmh / compression.s
Created December 21, 2013 07:02
"slidec" Compression algorithm from the N64 devkit
/******************************
* Data Decompress Ver1.10 *
* Programmed By Melody-Yoshi *
******************************/
/* How to use this function.
void slidstart(unsigned char *,unsigned char *);
first argument is top address of compress data.(align 4)
next argument is top address of decompress.
*/
@rmmh
rmmh / gist:8515577
Created January 20, 2014 05:53
MSP430 Alphanumeric Instructions
[0-9a-zA-Z]{2}
30-39,41-5a,61-7a
a:61 z:7a A:41 Z:5a 0:30 9:39
MSP430 alphanumeric shellcode is hard. There's no way to write to memory,
no word-sized reg-reg operations, and all we have is add/sub/mov and a few conditional jumps.
@rmmh
rmmh / gist:8660838
Last active January 4, 2016 18:29
NanoCorruption CPU Spec
NanoCorruption:
Goal: A fun-sized machine for more game-like hacking operations.
The machine is a balanced ternary computer operating entirely on trytes.
Trytes range in value from -364 to 364.
A tryte is composed of 6 balanced ternary digits, called trits.
Each trit has a value (-1 or T, 0, 1), meaning base conversions look like:
@rmmh
rmmh / dcpu-16.txt
Last active August 29, 2015 13:57
DCPU Spec Proposals
DCPU-16 Specification
Copyright 2012 Mojang
Version 1.1 (Check 0x10c.com for updated versions)
* 16 bit words
* 0x10000 words of ram
* 8 registers (A, B, C, X, Y, Z, I, J)
* program counter (PC)
* stack pointer (SP)
* extra/excess (EX)