sl4v sl4v
sl4v
/ shellcode.asm
Created
April 18, 2017 10:04
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| xor rdx, rdx | |
| push rdx | |
| mov rax, 0x68732f2f6e69622f | |
| push rax | |
| mov rdi, rsp | |
| xor rsi, rsi | |
| xor rax, rax | |
| mov al, 0x3b | |
| syscall |
sl4v
/ gacha-onReceive.java
Created
June 25, 2017 09:05
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public void onReceive(Context paramContext, Intent paramIntent) | |
| { | |
| Log.i(a, "onReceive: action=" + paramIntent.getAction()); | |
| if (!paramIntent.getAction().equals("com.tm.ctf.trendgacha.GET_GACHA")) { | |
| return; | |
| } | |
| paramIntent = paramIntent.getExtras(); | |
| if (paramIntent != null) {} | |
| for (int i = Integer.valueOf(paramIntent.getString("TryLoop", "1")).intValue();; i = 1) | |
| { |
sl4v
/ GachaAPI.java
Created
June 25, 2017 09:14
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public class GachaAPI | |
| { | |
| static | |
| { | |
| System.loadLibrary("native-lib"); | |
| } | |
| public static native int[] getGacha(int paramInt); | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| onEnter: function (log, args, state) { | |
| log("get_gacha(" + args[0].toInt32() + "," + args[1].toInt32() + "," + args[2].toInt32() + "," + ")"); | |
| log(hexdump(args[1], { length: 4 })); | |
| log(hexdump(args[2], { length: 4 })); | |
| this.args1 = args[1]; | |
| this.args2 = args[2]; | |
| } | |
| onLeave: function (log, retval, state) { | |
| log(hexdump(this.args1, { length: 1 })); |
sl4v
/ get-gacha.js
Created
June 25, 2017 10:35
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| onEnter: function (log, args, state) { | |
| log("get_gacha(" + args[0].toInt32() + "," + args[1].toInt32() + "," + args[2].toInt32() + "," + ")"); | |
| this.args1 = args[1]; | |
| this.args2 = args[2]; | |
| var myfunc = new NativeFunction(Module.findExportByName('libnative-lib.so', 'get_gacha'), 'uint32', ['uint32', 'pointer', 'pointer']); | |
| log('-----'); | |
| a1 = Memory.alloc(4); |
sl4v
/ get_bait_code.c
Created
December 13, 2017 23:49
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| int get_bait_code(uint8_t * trampoline_code_out, uint64_t addr) { | |
| uint8_t trampoline_code[] = | |
| { | |
| 0x68, 0x44, 0x33, 0x22, 0x11, // push 0x11223344 | |
| 0xc7, 0x44, 0x24, 0x04, 0x88, 0x77, 0x66, 0x55, //mov dword ptr [rsp+4], 0x55667788 | |
| 0xc3 //ret | |
| }; | |
| uint32_t addr_right = (uint32_t)(addr & 0xffffffff); | |
| uint32_t addr_left = (uint32_t)((addr & 0xffffffff00000000) >> 32); |
sl4v
/ calc_damaged_instructions.c
Created
December 14, 2017 00:00
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| int calc_damaged_instructions(uint8_t *data, size_t len_erased) { | |
| size_t max_len = 50; | |
| size_t decoded_len = 0; | |
| // Initialize decoder context. | |
| ZydisDecoder decoder; | |
| ZydisDecoderInit( | |
| &decoder, | |
| ZYDIS_MACHINE_MODE_LONG_64, | |
| ZYDIS_ADDRESS_WIDTH_64); |
sl4v
/ LoadLibrary.c
Last active
December 14, 2017 21:01
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| HMODULE user32 = LoadLibrary("user32.dll"); | |
| MsgBox = GetProcAddress(user32, "MessageBoxA"); | |
| MsgBox(NULL, "Text", "Caption", 0, 0); |
sl4v
/ hook_payload_test.c
Last active
December 14, 2017 20:51
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| uint8_t payload[] = { | |
| 0x48, 0xb8, 0x48, 0x47, 0x46, 0x45, 0x44, 0x43, 0x42, 0x41, // movabs rax, 0x4142434445464748 | |
| 0x48, 0x89, 0x02 // mov qword ptr [rdx], rax | |
| }; | |
| LPVOID pHookBody = myVirtualAlloc(0x1000, PAGE_EXECUTE_READWRITE); | |
| hook_body_offset = pHookBody; | |
| // copy payload | |
| myVirtualProtect((LPVOID)sectionInfo.SectionAddress, sectionInfo.SectionSize, PAGE_EXECUTE_READWRITE, &dwOldProtect); |
sl4v
/ slicer_init.py
Created
May 19, 2018 15:08
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| class Slicer(): | |
| def __init__(self, instruction): | |
| self.visited = set() | |
| self.instruction = instruction | |
| self.function = instruction.function |