sysopfb
@sysopfb
sysopfb / gist:8c71915b065a54e458b188fec8333c22
Created February 10, 2023 21:32
qbot sxor_3 double decode
```
# stager 1 versions (sxor_3)
import hashlib
from Crypto.Cipher import ARC4  # pycryptodome

import qbot_helpers  # module referenced by the gist; assumed to provide qbot_decode()


def decode_data4(data):
    # RC4 key is the SHA-1 digest of the hardcoded string
    key = hashlib.sha1(b'bUdiuy81gYguty@4frdRdpfko(eKmudeuMncueaN').digest()
    rc4 = ARC4.new(key)
    t = rc4.decrypt(data)
    # skip the first 20 bytes of the RC4 plaintext, then apply the classic qbot decode
    tt = qbot_helpers.qbot_decode(t[20:])
    return tt


# qbot_decode is just the old-school decode of qbots:
def qbot_decode(data):
    # (function body is not included in this preview)
```
sysopfb / sharpext.md
Created July 29, 2022 17:01
kimusky sharpext data

Not sure if this is victim related data or what

```
   "NewTabPage": {
        "PrevNavigationTime": "13292560510726665"
    },
    "gaia_cookie": {
        "hash": "2gW6ZW+guv8Us/fjpeX7conzXoo=",
        "last_list_accounts_data": "[\"gaia.l.a.r\",[[\"gaia.l.a\",1,\"Sang Hyun Lee\",\"leesh65@gmail.com\",\"https://lh3.googleusercontent.com/-daipoVZf-r8/AAAAAAAAAAI/AAAAAAAAAAA/TagFXSnGLoE/s48-c/photo.jpg\",1,1,0,null,1,\"100934410837439495113\",null,null,null,null,1]]]",
        "changed_time": 1640301806.63822
```
sysopfb / decode.md
Created July 8, 2022 20:29
lockbit black blob decoding POC

Blobs in LockBit Black are decoded similarly to BlackMatter, but with a new 64-bit LCG.

The init seed for the sample I REd was at the start of .pdata

POC decoding, pretty quick and dirty due to time constraints

```
def mul64(a1, a2):
    # 64-bit multiply step used by the LCG
    return a1 * a2
```
sysopfb / UpdateAgent Golang
Created June 2, 2022 19:17
UpdateAgent - Golang version

SHA-256: 2aaebf0282463c60aa8866e733799eee97f41af1e3ac8ae7855279595217aa2f

SnapITool.zip
```
https://vzhqu.snapitool.com/SnapITool.zip
```
sysopfb / lznt1_no_error_checking.py
Created October 23, 2021 16:10
Pure-Python LZNT1 wrapped in a try block to allow partial decompression, or decompression of data with extra trailing bytes, without erroring out
```
# Rekall Memory Forensics
# Copyright 2014 Google Inc. All Rights Reserved.
#
# Author: Michael Cohen scudette@google.com.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
```
sysopfb / s.md
Created October 19, 2021 20:31
FlawedGrace partial strings
sysopfb / sc_in_jquery.yar
Created September 2, 2021 15:43
sc_in_jquery.yar
```
rule sc_in_jquery
{
    strings:
        $a = {5? 8b [1-3] 83 ?? 04 8b [1-2] 31 [1-2] 83 ?? 04 5? 8b [1-2] 31 ?? 8?}
        $b = "jquery.org/license" nocase
    condition:
        all of them
}
```
sysopfb / sift4.py
Created August 24, 2021 15:34
Sift4 in python
```
"""
Based on: https://gist.github.com/lbenedix/8275d01c2289a7a20d2c6c27ee8ae68e
Moved an if block and added a double empty string check for input validation
"""


def sift4_simple(s1, s2, max_offset=5):
    """
```
sysopfb / decoder.py
Created August 2, 2021 19:37
Black Matter blob decoder
```
# Python2 just because
# Samples:
# 22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6
# c6e2ef30a86baa670590bd21acf5b91822117e0cbe6060060bc5fe0182dace99
import pefile
import struct
import sys
```
sysopfb / Gopclntab.py
Created May 7, 2021 16:26
My version of IDAGolangHelper is older than current
```
import idc
import idautils
import idaapi
import ida_bytes
import ida_funcs
import ida_search
import ida_segment
import Utils

info = idaapi.get_inf_structure()
```