Skip to content

Instantly share code, notes, and snippets.

View sysopfb's full-sized avatar


View GitHub Profile
sysopfb / certs.txt
Last active September 25, 2016 19:20 — forked from crazybyte/certs.txt
View certs.txt
NOTE: HTTP SSL keys are all in PEM format (base64 encoded)
#From PEM format to DER
openssl x509 -in $1.crt -out $1.der -outform DER
#From DER format to PEM
openssl x509 -in $1.der -inform DER -out $1.pem -outform PEM
#Transforming RSA key to DER format
openssl rsa -in oberon.key -inform PEM -out oberon_key.der -outform DER
sysopfb /
Created October 13, 2016 17:01
aplib python library
# this is a standalone single-file merge of aplib compression and decompression
# taken from my own library Kabopan
# (no other clean-up or improvement)
# Ange Albertini, BSD Licence, 2007-2011
# from kbp\comp\ ##################################################
def find_longest_match(s, sub):
"""returns the number of byte to look backward and the length of byte to copy)"""
if sub == "":
sysopfb /
Last active August 17, 2021 10:13 — forked from mak/
Extract everything from WannaCry
import re
import os,sys
import pefile
import struct
import zipfile
import hashlib
import StringIO
from Crypto import Random
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5,AES
sysopfb / v5.proto
Created July 25, 2017 15:55
Emotet v5 protocol
View v5.proto
message regrequest {
required int32 command = 1;
required string botId = 2;
required fixed32 osVersion = 3;
required fixed32 crc32 = 4;
required string procList = 5;
required string mailClient = 6;
required string unknown = 7;
sysopfb / gist:92887be2b46659bb929fba28de7206eb
Created September 21, 2018 16:47
Domains for fake zeus leading TDS
View gist:92887be2b46659bb929fba28de7206eb
sysopfb / common_lib_hashes.h
Created March 8, 2019 21:14
Common CRC32 hashes for library names
View common_lib_hashes.h
LIB_ROUTETAB = 0xefae77e3,
LIB_STOBJECT = 0xac6b1426,
LIB_MPRDDM = 0xd60496e1,
LIB_RASDLG = 0xd15380e4,
LIB_PNGFILT = 0x9b38a0bc,
LIB_NETAPI32 = 0x4681476c,
LIB_ITSS = 0x31ac798,
LIB_WMADMOD = 0x7a30b1f4,
LIB_WMADMOE = 0x47509844,
sysopfb / RE_Notes
Created April 19, 2019 16:37
Notes for hancitor/chanitor e4ad65ade2f04e05a886b398ef08261f5858b15cc822ef29b604cecaac3036b5 crypter
View RE_Notes
Fast travel:
VirtualProtect on text section before xor decoding next layer
next layer resolves dependencies and then virtualallocs before main code begins
Detection notes:
single byte xor of bytecode is incredibly easy to signature on
sysopfb / .NET with windbg and sos
Created May 9, 2019 01:09
Some quick notes on unpacking .NET malware with windbg and sos
View .NET with windbg and sos
Use x86 windbg with 32 bit malware and x64 with 64 bit else you'll get errors loading the correct files with sos
Talos has some stuff to get started with
Load up the .NET exe into windbg
sxe ld clr
sxe ld clrjit
sysopfb / tls.go
Created October 12, 2019 22:09
Unsafe golang TLS library with error detection removed
View tls.go
// Copyright 2009 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// Package tls partially implements TLS 1.2, as specified in RFC 5246,
// and TLS 1.3, as specified in RFC 8446.
// TLS 1.3 is available only on an opt-in basis in Go 1.12. To enable
// it, set the GODEBUG environment variable (comma-separated key=value
// options) such that it includes "tls13=1". To enable it from within
sysopfb /
Created November 21, 2019 15:31
from z3 import *
x = BitVec('x',32)
y = BitVec('y',16)
s = Solver()
s.add(x * ZeroExt(16,y) == 0x7B5658DB)
s.add(ZeroExt(16,x) * ZeroExt(32, y) > 0x7B5658DB)