Igor Skochinsky skochinsky

View scan_jmp.idc
/*scan for far jumps or calls and print their location and destinations
jmp: 1= search for jumps(0= calls)
low16: only consider destinations with offset < 16
*/
static scan_jmp_call(jmp, low16)
{
// start at the minimal address
auto a = 0;
auto x, seg, offs, dest;
for (a = 0; x != BADADDR; a = x + 5 )// skip 5 bytes (size of far jmp/call opcode)
skochinsky / qt5res.py
Created Sep 5, 2018
Qt5 resource dumper for IDA
View qt5res.py
## parse and dump Qt resources in current IDB
from PyQt5 import QtCore
import os.path
f = LocByName("?qRegisterResourceData@@YA_NHPBE00@Z")
for x in XrefsTo(f, idaapi.XREF_ALL):
if x.type==fl_CN:
callea = x.frm
push1 = DecodePreviousInstruction(callea)
if push1.itype != idaapi.NN_push:
print "no push at %08X!"% push1.ea
View cap2bin.py
# convert Intel firmware update capsules to plain binaries
import sys
import os.path
import struct
fn = sys.argv[1]
inf = open(fn, "rb")
inf.seek(0xC8)
e=[]
skochinsky / rich.py
Created Apr 13, 2017
MSVC PE Rich header parser with compiler version display
View rich.py
# based on code from http://trendystephen.blogspot.be/2008/01/rich-header.html
import sys
import struct
# I'm trying not to bury the magic number...
# 0x536e6144 written out little-endian is the byte string "DanS"; read as a
# big-endian number the same four bytes spell "SnaD".
# NOTE(review): despite the name, this looks like the "DanS" marker value that
# gets combined with the header's XOR key, not a checksum -- confirm at the use site.
CHECKSUM_MASK = 0x536e6144 # DanS (actually SnaD)
# Literal 'Rich' tag text; presumably the marker the parser searches for -- confirm at the use site.
RICH_TEXT = 'Rich'
# Length of the tag, derived from the literal so the two cannot drift apart.
RICH_TEXT_LENGTH = len(RICH_TEXT)
# presumably the file offset of the DOS-header field that holds the PE header
# offset (e_lfanew) -- TODO confirm
PE_START = 0x3c
# presumably the width in bytes of that field -- TODO confirm
# NOTE(review): both values index into a file the analyst does not control; the
# reader should verify the file is long enough before unpacking at these offsets.
PE_FIELD_LENGTH = 4
View gist:181e6e338d90bb7f2693098dc43c6d54
/* One region record: two 32-bit fields, a 64-bit flash address, and a 32-bit
   name offset. Field meanings other than NameOffset are inferred from the
   names -- TODO confirm against the container format.
   NOTE(review): with natural alignment a compiler pads this to 24 bytes (4 bytes
   after NameOffset); confirm whether the on-disk record is packed before using
   sizeof() to step through entries.
   NOTE(review): FileOffset, Size and NameOffset come from the parsed image, so a
   consumer should range-check them against the file length before dereferencing. */
struct PFRegionEntry
{
UINT32 FileOffset; // presumably where the region's data starts in the file
UINT32 Size; // presumably the region's length in bytes
UINT64 FlashAddress; // presumably the address the region maps to in flash
UINT32 NameOffset; //absolute offset
};
struct PFHeader
{
View gist:6cd55c768f99e08d45b11041940d9562
{
real_time:956280.161440 global_time:588919, event:`SYSCALL: socketcall' (state:ENTERING_SYSCALL) tid:18704, ticks:260023746443
eax:0xffffffda ecx:0xbfb415f4 edx:0x0 ebx:0x11 esp:0xbfb414fc ebp:0x80f48ef8 esi:0xb5f50000 edi:0x0 eip:0x70000002 eflags:0x246 xcs:0x73 xss:0x7b xds:0x7b xes:0x7b xfs:0x0 xgs:0x33 orig_eax:0x66
}
{
real_time:956280.161458 global_time:588920, event:`SYSCALLBUF_RESET' tid:18704, ticks:260023746443
}
{
real_time:956280.161644 global_time:588921, event:`SYSCALL: socketcall' (state:EXITING_SYSCALL) tid:18704, ticks:260023746443
eax:0xfffffff5 ecx:0xbfb415f4 edx:0x0 ebx:0x11 esp:0xbfb414fc ebp:0x80f48ef8 esi:0xb5f50000 edi:0x0 eip:0x70000002 eflags:0x246 xcs:0x73 xss:0x7b xds:0x7b xes:0x7b xfs:0x0 xgs:0x33 orig_eax:0x66
skochinsky / guids.txt
Created Jul 4, 2016
UEFI file/section GUIDs collection
View guids.txt
; AMI
[GUID_FILE]
; ACPI tables
16D0A23E-C09C-407d-A14A-AD058FDD0CA1=ACPI
11D8AC35-FB8A-44d1-8D09-0B5606D321B9=DSDT
95DFCAE5-BB28-4d6b-B1E2-3AF3A6BF434F=PTID
FB045DB2-598E-485A-BA30-5D7B1B1BD54D=AOAC
60AC3A8F-4D66-4CD4-895A-C3F06E6665EE=iFfsAcpiTables
5B232086-350A-42c7-A70E-3497B5765D85=OEMSSDT
299141BB-211A-48a5-92C0-6F9A0A3A006E=PPMACPI
View checkcast.j
.version 49 0
.class public super com/intel/crypto/NotInitializedException
.super com/intel/crypto/CryptoException
.method public <init> : ()V
.code stack 1 locals 1
L0: aload_0
L1: invokespecial Method com/intel/crypto/CryptoException <init> ()V
L4: return
skochinsky / oath10.j
Last active Jun 19, 2016
from Intel IPT OATH Application_fw10.0.0_v3.0.jeff
View oath10.j
; class 0/41
.class public super com/intel/dal/ipt/framework/AppletImpl
.super com/intel/util/IntelApplet
.field protected mIptf Lcom/intel/dal/ipt/framework/IptFramework;
.field mReplyBuffer [B
.field mInitialized Z
skochinsky / jeff_core10.j
Last active Jun 19, 2016
core java classes from ME 10.0.25.1048
View jeff_core10.j
; found JEFF at 0x00022C04?
; JEFF length=00020D94
; class 0/235
.class public super abstract com/intel/crypto/CertificateChain
.super java/lang/Object
.const [o304] = Int 16384 ; 0x00004000
.field protected static final MAX_CERTIFICATE_CHAIN_LENGTH I