

View slicer_bw.py
from binaryninja import *
class Slicer():
def __init__(self, instruction):
self.visited = set()
self.instruction = instruction
self.function = instruction.function
def visit_backward(self, instruction):
for var in instruction.vars_read:
View slicer_init.py
class Slicer():
    """Holds the state of a slice that starts at a single instruction."""

    def __init__(self, instruction):
        """Record the start instruction and its enclosing function.

        Args:
            instruction: the instruction the slice is rooted at; its
                ``function`` attribute is read once here.
        """
        self.instruction = instruction
        self.function = instruction.function
        # Instructions already processed; starts out empty.
        self.visited = set()
View hook_payload_test.c
uint8_t payload[] = {
0x48, 0xb8, 0x48, 0x47, 0x46, 0x45, 0x44, 0x43, 0x42, 0x41, // movabs rax, 0x4142434445464748
0x48, 0x89, 0x02 // mov qword ptr [rdx], rax
};
LPVOID pHookBody = myVirtualAlloc(0x1000, PAGE_EXECUTE_READWRITE);
hook_body_offset = pHookBody;
// copy payload
myVirtualProtect((LPVOID)sectionInfo.SectionAddress, sectionInfo.SectionSize, PAGE_EXECUTE_READWRITE, &dwOldProtect);
View LoadLibrary.c
// Resolve MessageBoxA at run time instead of importing user32 statically.
// NOTE(review): the LoadLibrary result is not checked for NULL before it is
// passed to GetProcAddress on the next line.
HMODULE user32 = LoadLibrary("user32.dll");
// MsgBox is declared outside this snippet; GetProcAddress returns NULL when
// the export is missing, and that is not checked before the call below.
MsgBox = GetProcAddress(user32, "MessageBoxA");
// NOTE(review): MessageBoxA takes four parameters (hWnd, lpText, lpCaption,
// uType); the fifth argument here is extra and a correctly typed function
// pointer would reject it.
MsgBox(NULL, "Text", "Caption", 0, 0);
View calc_damaged_instructions.c
int calc_damaged_instructions(uint8_t *data, size_t len_erased) {
size_t max_len = 50;
size_t decoded_len = 0;
// Initialize decoder context.
ZydisDecoder decoder;
ZydisDecoderInit(
&decoder,
ZYDIS_MACHINE_MODE_LONG_64,
ZYDIS_ADDRESS_WIDTH_64);
View get_bait_code.c
int get_bait_code(uint8_t * trampoline_code_out, uint64_t addr) {
uint8_t trampoline_code[] =
{
0x68, 0x44, 0x33, 0x22, 0x11, // push 0x11223344
0xc7, 0x44, 0x24, 0x04, 0x88, 0x77, 0x66, 0x55, //mov dword ptr [rsp+4], 0x55667788
0xc3 //ret
};
uint32_t addr_right = (uint32_t)(addr & 0xffffffff);
uint32_t addr_left = (uint32_t)((addr & 0xffffffff00000000) >> 32);
View get-gacha.js
{
onEnter: function (log, args, state) {
log("get_gacha(" + args[0].toInt32() + "," + args[1].toInt32() + "," + args[2].toInt32() + "," + ")");
this.args1 = args[1];
this.args2 = args[2];
var myfunc = new NativeFunction(Module.findExportByName('libnative-lib.so', 'get_gacha'), 'uint32', ['uint32', 'pointer', 'pointer']);
log('-----');
a1 = Memory.alloc(4);
View frida1.js
{
onEnter: function (log, args, state) {
    // Trace entry to get_gacha: print the three arguments as 32-bit
    // integers, then dump 4 bytes behind the second and third (pointer)
    // arguments.
    var arg0 = args[0].toInt32();
    var arg1 = args[1].toInt32();
    var arg2 = args[2].toInt32();
    log("get_gacha(" + arg0 + "," + arg1 + "," + arg2 + "," + ")");
    log(hexdump(args[1], { length: 4 }));
    log(hexdump(args[2], { length: 4 }));
    // Keep the two pointers on the invocation context so onLeave can
    // hexdump them after the call returns.
    this.args1 = args[1];
    this.args2 = args[2];
}
onLeave: function (log, retval, state) {
log(hexdump(this.args1, { length: 1 }));
View GachaAPI.java
/**
 * JNI bridge to the gacha routine implemented in the "native-lib" library.
 */
public class GachaAPI {
    static {
        // Load the shared library once, when the class is initialised,
        // so the native method below can be bound.
        System.loadLibrary("native-lib");
    }

    /**
     * Calls the native gacha implementation.
     *
     * @param paramInt value handed straight to the native side
     * @return the int array produced by the native code
     */
    public static native int[] getGacha(int paramInt);
}
View gacha-onReceive.java
public void onReceive(Context paramContext, Intent paramIntent)
{
Log.i(a, "onReceive: action=" + paramIntent.getAction());
if (!paramIntent.getAction().equals("com.tm.ctf.trendgacha.GET_GACHA")) {
return;
}
paramIntent = paramIntent.getExtras();
if (paramIntent != null) {}
for (int i = Integer.valueOf(paramIntent.getString("TryLoop", "1")).intValue();; i = 1)
{