NOTE: HTTP SSL keys are all in PEM format (base64 encoded)
#From PEM format to DER
openssl x509 -in $1.crt -out $1.der -outform DER
#From DER format to PEM
openssl x509 -in $1.der -inform DER -out $1.pem -outform PEM
#Transforming RSA key to DER format
openssl rsa -in oberon.key -inform PEM -out oberon_key.der -outform DER
# this is a standalone single-file merge of aplib compression and decompression
# taken from my own library Kabopan http://code.google.com/p/kabopan/
# (no other clean-up or improvement)
# Ange Albertini, BSD Licence, 2007-2011
# from kbp\comp\_lz77.py ##################################################
def find_longest_match(s, sub):
    """returns the number of bytes to look backward and the length of bytes to copy"""
    if sub == "":
import re
import os,sys
import pefile
import struct
import zipfile
import hashlib
import StringIO
from Crypto import Random
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5,AES
syntax="proto2";
message regrequest {
    required int32 command = 1;
    required string botId = 2;
    required fixed32 osVersion = 3;
    required fixed32 crc32 = 4;
    required string procList = 5;
    required string mailClient = 6;
    required string unknown = 7;
enum COMMON_LIBS {
    LIB_ROUTETAB = 0xefae77e3,
    LIB_STOBJECT = 0xac6b1426,
    LIB_MPRDDM = 0xd60496e1,
    LIB_RASDLG = 0xd15380e4,
    LIB_PNGFILT = 0x9b38a0bc,
    LIB_NETAPI32 = 0x4681476c,
    LIB_ITSS = 0x31ac798,
    LIB_WMADMOD = 0x7a30b1f4,
    LIB_WMADMOE = 0x47509844,
Fast travel:
VirtualProtect on the text section before XOR-decoding the next layer
The next layer resolves dependencies and then VirtualAllocs before the main code begins
Detection notes:
Single-byte XOR of the bytecode is incredibly easy to signature on
Use x86 WinDbg with 32-bit malware and x64 WinDbg with 64-bit malware, else you'll get errors loading the correct files with SOS
Talos has some material to get started with: https://blog.talosintelligence.com/2017/07/unravelling-net-with-help-of-windbg.html
Load the .NET exe into WinDbg, then break on the CLR and JIT loading:
sxe ld clr
sxe ld clrjit
g
// Copyright 2009 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// Package tls partially implements TLS 1.2, as specified in RFC 5246,
// and TLS 1.3, as specified in RFC 8446.
//
// TLS 1.3 is available only on an opt-in basis in Go 1.12. To enable
// it, set the GODEBUG environment variable (comma-separated key=value
// options) such that it includes "tls13=1". To enable it from within
from z3 import *
x = BitVec('x',32)
y = BitVec('y',16)
s = Solver()
s.add(x * ZeroExt(16,y) == 0x7B5658DB)
s.add(ZeroExt(16,x) * ZeroExt(32, y) > 0x7B5658DB)
vals=[]