
#!/usr/bin/env python3
# initial script by b1n4r1b01 but he deleted his repo
# https://gist.github.com/woachk/6092f9ae950455dcdf8428c3ce2d639e
# added python3 support
import sys
import struct
import os
skochinsky / shift_dfa.md
Created August 2, 2021 12:41 — forked from pervognsen/shift_dfa.md
Shift-based DFAs

A traditional table-based DFA implementation looks like this:

uint8_t table[NUM_STATES][256]

/* Drive the table-based DFA over the bytes in [start, end), beginning in
 * `state`, and return the state reached once every byte has been consumed.
 * Each input byte indexes the second dimension of `table`; the current
 * state indexes the first. */
uint8_t run(const uint8_t *start, const uint8_t *end, uint8_t state) {
    const uint8_t *p = start;
    while (p != end) {
        state = table[state][*p];
        p++;
    }
    return state;
}
skochinsky / arm64_sysregs_ios.py
Created December 8, 2020 23:02 — forked from bazad/arm64_sysregs_ios.py
Label iOS arm64 system registers in IDA Pro
#
# arm64_sysregs_ios.py
# Brandon Azad
#
# Based on https://github.com/gdelugre/ida-arm-system-highlight by Guillaume Delugre.
#
import idautils
import idc
import zipfile
import httpio
import sys
def usage():
    """Write the command-line synopsis for httpzip.py to stdout."""
    sys.stdout.write("httpzip.py <url> [filename]\n")
if len(sys.argv)>1:
url = sys.argv[1]
else:
skochinsky / dump_hdr.py
Created November 16, 2019 20:30
Fujifilm
#! python2
#-------------------------------------------------------------------------------
# Name: dump_hdr.py
# Purpose: dump header of a FujiFilm FinePix firmware update
# see https://reverseengineering.stackexchange.com/questions/22549/identifying-rom-segment-in-unknown-firmware-update-file
# Author: Igor Skochinsky
#
# Created: 16-11-2019
# Copyright: (c) Igor Skochinsky 2019
# Licence: MIT
/* Scan for far jumps or calls and print their location and destinations.
   jmp: 1 = search for jumps (0 = calls)
   low16: only consider destinations with offset < 16
*/
static scan_jmp_call(jmp, low16)
{
// start at the minimal address
auto a = 0;
auto x, seg, offs, dest;
for (a = 0; x != BADADDR; a = x + 5 )// skip 5 bytes (size of far jmp/call opcode)
skochinsky / qt5res.py
Created September 5, 2018 17:15
Qt5 resource dumper for IDA
## parse and dump Qt resources in current IDB
from PyQt5 import QtCore
import os.path
f = LocByName("?qRegisterResourceData@@YA_NHPBE00@Z")
for x in XrefsTo(f, idaapi.XREF_ALL):
if x.type==fl_CN:
callea = x.frm
push1 = DecodePreviousInstruction(callea)
if push1.itype != idaapi.NN_push:
print "no push at %08X!"% push1.ea
# convert Intel firmware update capsules to plain binaries
import sys
import os.path
import struct
fn = sys.argv[1]  # capsule path from the first CLI argument; no argument-count check precedes this
inf = open(fn, "rb")  # NOTE(review): no close() is visible in this excerpt — confirm the handle is released downstream
inf.seek(0xC8)  # jump to fixed offset 0xC8; what the capsule stores there is not shown in this excerpt
e=[]  # presumably collects parsed entries; populated below this excerpt
skochinsky / rich.py
Created April 13, 2017 13:03
MSVC PE Rich header parser with compiler version display
# based on code from http://trendystephen.blogspot.be/2008/01/rich-header.html
import sys
import struct
# Rich-header constants, kept as named values rather than inline literals.
RICH_TEXT = 'Rich'  # ASCII marker that terminates the Rich header
RICH_TEXT_LENGTH = len(RICH_TEXT)
# "DanS" read as a little-endian uint32 — written in hex it appears as "SnaD".
# The header's DanS marker is stored XORed with the checksum key, hence the name.
CHECKSUM_MASK = 0x536e6144
# Offset of e_lfanew in the DOS header: a 4-byte field holding the PE signature offset.
PE_START = 0x3c
PE_FIELD_LENGTH = 4
skochinsky / gist:181e6e338d90bb7f2693098dc43c6d54
Last active November 29, 2017 14:13
Phoenix $PFH trailer
/* One entry of the Phoenix $PFH region table. Only the field layout is
 * visible here; meanings beyond the field names are inferred and should be
 * confirmed against the trailer format. */
struct PFRegionEntry
{
UINT32 FileOffset;   // presumably where the region's bytes start in the update file
UINT32 Size;         // region length in bytes (inferred from the name)
UINT64 FlashAddress; // presumably the flash address the region is written to
UINT32 NameOffset;   //absolute offset
};
struct PFHeader
{