Tim Strazzere
strazzere
strazzere
/ yara_fn.py
Created Aug 18, 2016
— forked from williballenthin/yara_fn.py
generate a yara rule that matches the basic blocks of the current function in IDA Pro
View yara_fn.py
| ''' | |
| IDAPython script that generates a YARA rule to match against the | |
| basic blocks of the current function. It masks out relocation bytes | |
| and ignores jump instructions (given that we're already trying to | |
| match compiler-specific bytes, this is of arguable benefit). | |
| If python-yara is installed, the IDAPython script also validates that | |
| the generated rule matches at least one segment in the current file. | |
| author: Willi Ballenthin <william.ballenthin@fireeye.com> |
strazzere
/ gist:195b439480eab1de3c43f73781d5502a
Created Jul 23, 2016
osx + irssi + chinese utf-8 characters
View gist:195b439480eab1de3c43f73781d5502a
| screen -U -S irc | |
| /set term_charset utf-8 | |
| /set recode_autodetect_utf8 ON | |
| /set recode_fallback ISO-8859-15 | |
| /set recode_out_default_charset ISO-8859-15 | |
| /set recode_transliterate ON | |
| /set recode ON |
View gist:f76df7e24dd554268f0ba284fda7587c
| [54%]diff@rocksteady:[repo] $ git clone --verbose https://git01.codeplex.com/veracrypt | |
| Cloning into 'veracrypt'... | |
| POST git-upload-pack (gzip 1440 to 623 bytes) | |
| remote: Counting objects: 8996, done. | |
| remote: Compressing objects: 100% (6843/6843), done. | |
| remote: Total 8996 (delta 7179), reused 2812 (delta 2010) | |
| Receiving objects: 100% (8996/8996), 43.16 MiB | 1.46 MiB/s, done. | |
| error: RPC failed; curl 56 SSLRead() return error -9806 | |
| Resolving deltas: 100% (7179/7179), done. |
strazzere
/ Api2$ApiPhoneCall.smali
Last active Nov 2, 2015
View Api2$ApiPhoneCall.smali
| .class public final Lcom/google/grandcentral/api2/Api2$ApiPhoneCall; | |
| .super Lcom/google/protobuf/GeneratedMessageLite; | |
| .source "Api2.java" | |
| # annotations | |
| .annotation system Ldalvik/annotation/EnclosingClass; | |
| value = Lcom/google/grandcentral/api2/Api2; | |
| .end annotation |
View decrypt.py
| #!/usr/bin/python | |
| # | |
| # | |
| # Decompling something being loaded in through powershell | |
| # | |
| # | |
| # diff <diff@sentinalone.com> | |
| # | |
| # |
View Makefile
| LOCAL_PATH := $(call my-dir) | |
| include $(CLEAR_VARS) | |
| LOCAL_SRC_FILES := \ | |
| uree_toy.c | |
| LOCAL_C_INCLUDE := ${ANDROID_NDK_ROOT}/platforms/android-14/arch-arm/usr/include/ | |
| LOCAL_MODULE := uree_toy | |
| LOCAL_MODULE_TAGS := optional |
View test.java
| @Override | |
| public void setUp() throws Exception { | |
| super.setUp(); | |
| mockReader = mock(IntReader.class); | |
| // Mock the string section data | |
| when(mockReader.readInt()).thenReturn( | |
| 7 * 4, // size | |
| 0x02, // string count | |
| 0x00, // style count | |
| 0x00, // string chunk flags |
View test.rule
| rule Signed_APK_with_dex | |
| { | |
| meta: | |
| author = "Tim Strazzere" | |
| twitter = "@timstrazz" | |
| date = "10/25/2012" | |
| version = "1.0" | |
| tag = "Android" | |
| comment = "Attempted to detect an APK file with a classes.dex that is signed" |
View waffles.c
| #include <unistd.h> | |
| #include <sys/socket.h> | |
| #include <linux/netlink.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <sys/mman.h> | |
| #define NETLINK_SOCK_DIAG NETLINK_INET_DIAG | |
| #define SOCK_DIAG_BY_FAMILY 20 |
strazzere
/ string_add.patch
Created Aug 20, 2015
View string_add.patch
| diff --git a/pfp/fields.py b/pfp/fields.py | |
| index cf4ee31..77da4eb 100644 | |
| --- a/pfp/fields.py | |
| +++ b/pfp/fields.py | |
| @@ -1720,7 +1720,7 @@ class String(Field): | |
| :returns: TODO | |
| """ | |
| - if isinstance(other, String): | |
| + if isinstance(other, str): |
NewerOlder