
Igor Skochinsky skochinsky

View dump_hdr.py
#! python2
#-------------------------------------------------------------------------------
# Name: dump_hdr.py
# Purpose: dump header of a FujiFilm FinePix firmware update
# see https://reverseengineering.stackexchange.com/questions/22549/identifying-rom-segment-in-unknown-firmware-update-file
# Author: Igor Skochinsky
#
# Created: 16-11-2019
# Copyright: (c) Igor Skochinsky 2019
# Licence: MIT
View scan_jmp.idc
/*scan for far jumps or calls and print their location and destinations
jmp: 1= search for jumps(0= calls)
low16: only consider destinations with offset < 16
*/
static scan_jmp_call(jmp, low16)
{
// start at the minimal address
auto a = 0;
auto x, seg, offs, dest;
for (a = 0; x != BADADDR; a = x + 5 )// skip 5 bytes (size of far jmp/call opcode)
skochinsky / qt5res.py
Created Sep 5, 2018
Qt5 resource dumper for IDA
View qt5res.py
## parse and dump Qt resources in current IDB
from PyQt5 import QtCore
import os.path
f = LocByName("?qRegisterResourceData@@YA_NHPBE00@Z")
for x in XrefsTo(f, idaapi.XREF_ALL):
if x.type==fl_CN:
callea = x.frm
push1 = DecodePreviousInstruction(callea)
if push1.itype != idaapi.NN_push:
print "no push at %08X!"% push1.ea
View cap2bin.py
# convert Intel firmware update capsules to plain binaries
import sys
import os.path
import struct
# The capsule path is the first command-line argument; no check for a missing
# argument is visible in this excerpt, so running without one raises IndexError.
fn = sys.argv[1]
# Opened in binary mode so the capsule is read as raw bytes.
inf = open(fn, "rb")
# Move to file offset 0xC8 -- presumably the end of a fixed-size capsule
# header; TODO confirm against the capsule layout.
inf.seek(0xC8)
# NOTE(review): the input is a firmware image of unknown origin; any offset or
# size read from it later should be checked against the file length before it
# is used for a seek, read or allocation.
# Empty list; what it collects is not visible in this excerpt.
e=[]
skochinsky / rich.py
Created Apr 13, 2017
MSVC PE Rich header parser with compiler version display
View rich.py
# based on code from http://trendystephen.blogspot.be/2008/01/rich-header.html
import sys
import struct
# I'm trying not to bury the magic number...
# NOTE(review): the Windows loader does not validate the Rich header, and it
# can be rewritten or copied from another binary, so treat compiler versions
# decoded from it as a hint rather than proof of build provenance.
# The bytes 'DanS' read as a little-endian uint32; the hex digits spell 'SnaD'.
CHECKSUM_MASK = 0x536e6144 # DanS (actually SnaD)
# Marker string and its length; how they are matched against the file is not
# visible in this excerpt.
RICH_TEXT = 'Rich'
RICH_TEXT_LENGTH = len(RICH_TEXT)
# NOTE(review): 0x3c is where the DOS header stores e_lfanew, the 4-byte file
# offset of the PE signature -- presumably what these two constants describe;
# confirm against their use.
PE_START = 0x3c
PE_FIELD_LENGTH = 4
View gist:181e6e338d90bb7f2693098dc43c6d54
// One region record. Going by the field names, it says where a region's bytes
// sit in the file, how long they are, and which flash address they map to;
// the format itself is not documented in this excerpt.
struct PFRegionEntry
{
// NOTE(review): if this struct is overlaid on data read from a file, check
// FileOffset + Size against the file length (without 32-bit wraparound)
// before using them to read the region.
UINT32 FileOffset;
UINT32 Size;
UINT64 FlashAddress;
// 'absolute' is the author's word -- presumably counted from the start of the
// file rather than from this entry; verify, and bounds-check it like FileOffset.
UINT32 NameOffset; //absolute offset
};
struct PFHeader
{
View gist:6cd55c768f99e08d45b11041940d9562
{
real_time:956280.161440 global_time:588919, event:`SYSCALL: socketcall' (state:ENTERING_SYSCALL) tid:18704, ticks:260023746443
eax:0xffffffda ecx:0xbfb415f4 edx:0x0 ebx:0x11 esp:0xbfb414fc ebp:0x80f48ef8 esi:0xb5f50000 edi:0x0 eip:0x70000002 eflags:0x246 xcs:0x73 xss:0x7b xds:0x7b xes:0x7b xfs:0x0 xgs:0x33 orig_eax:0x66
}
{
real_time:956280.161458 global_time:588920, event:`SYSCALLBUF_RESET' tid:18704, ticks:260023746443
}
{
real_time:956280.161644 global_time:588921, event:`SYSCALL: socketcall' (state:EXITING_SYSCALL) tid:18704, ticks:260023746443
eax:0xfffffff5 ecx:0xbfb415f4 edx:0x0 ebx:0x11 esp:0xbfb414fc ebp:0x80f48ef8 esi:0xb5f50000 edi:0x0 eip:0x70000002 eflags:0x246 xcs:0x73 xss:0x7b xds:0x7b xes:0x7b xfs:0x0 xgs:0x33 orig_eax:0x66
skochinsky / guids.txt
Created Jul 4, 2016
UEFI file/section GUIDs collection
View guids.txt
; AMI
[GUID_FILE]
; ACPI tables
16D0A23E-C09C-407d-A14A-AD058FDD0CA1=ACPI
11D8AC35-FB8A-44d1-8D09-0B5606D321B9=DSDT
95DFCAE5-BB28-4d6b-B1E2-3AF3A6BF434F=PTID
FB045DB2-598E-485A-BA30-5D7B1B1BD54D=AOAC
60AC3A8F-4D66-4CD4-895A-C3F06E6665EE=iFfsAcpiTables
5B232086-350A-42c7-A70E-3497B5765D85=OEMSSDT
299141BB-211A-48a5-92C0-6F9A0A3A006E=PPMACPI
View checkcast.j
.version 49 0
.class public super com/intel/crypto/NotInitializedException
.super com/intel/crypto/CryptoException
.method public <init> : ()V
.code stack 1 locals 1
L0: aload_0
L1: invokespecial Method com/intel/crypto/CryptoException <init> ()V
L4: return
skochinsky / oath10.j
Last active Jun 19, 2016
from Intel IPT OATH Application_fw10.0.0_v3.0.jeff
View oath10.j
; class 0/41
.class public super com/intel/dal/ipt/framework/AppletImpl
.super com/intel/util/IntelApplet
.field protected mIptf Lcom/intel/dal/ipt/framework/IptFramework;
.field mReplyBuffer [B
.field mInitialized Z