sysopfb / certs.txt
Last active September 25, 2016 19:20 — forked from crazybyte/certs.txt
NOTE: HTTP SSL keys are all in PEM format (base64 encoded)
#From PEM format to DER
openssl x509 -in $1.crt -out $1.der -outform DER
#From DER format to PEM
openssl x509 -in $1.der -inform DER -out $1.pem -outform PEM
#Transforming RSA key to DER format
openssl rsa -in oberon.key -inform PEM -out oberon_key.der -outform DER
sysopfb / v5.proto
Created July 25, 2017 15:55
Emotet v5 protocol
message regrequest {
required int32 command = 1;
required string botId = 2;
required fixed32 osVersion = 3;
required fixed32 crc32 = 4;
required string procList = 5;
required string mailClient = 6;
required string unknown = 7;
sysopfb / gist:92887be2b46659bb929fba28de7206eb
Created September 21, 2018 16:47
Domains for fake zeus leading TDS
sysopfb / common_lib_hashes.h
Created March 8, 2019 21:14
Common CRC32 hashes for library names
LIB_ROUTETAB = 0xefae77e3,
LIB_STOBJECT = 0xac6b1426,
LIB_MPRDDM = 0xd60496e1,
LIB_RASDLG = 0xd15380e4,
LIB_PNGFILT = 0x9b38a0bc,
LIB_NETAPI32 = 0x4681476c,
LIB_ITSS = 0x31ac798,
LIB_WMADMOD = 0x7a30b1f4,
LIB_WMADMOE = 0x47509844,
sysopfb / RE_Notes
Created April 19, 2019 16:37
Notes for hancitor/chanitor e4ad65ade2f04e05a886b398ef08261f5858b15cc822ef29b604cecaac3036b5 crypter
Fast travel:
VirtualProtect on text section before xor decoding next layer
next layer resolves dependencies and then virtualallocs before main code begins
Detection notes:
single byte xor of bytecode is incredibly easy to signature on
sysopfb / tls.go
Created October 12, 2019 22:09
Unsafe golang TLS library with error detection removed
// Copyright 2009 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// Package tls partially implements TLS 1.2, as specified in RFC 5246,
// and TLS 1.3, as specified in RFC 8446.
// TLS 1.3 is available only on an opt-in basis in Go 1.12. To enable
// it, set the GODEBUG environment variable (comma-separated key=value
// options) such that it includes "tls13=1". To enable it from within
sysopfb /
Created November 21, 2019 15:31
from z3 import *
x = BitVec('x',32)
y = BitVec('y',16)
s = Solver()
s.add(x * ZeroExt(16,y) == 0x7B5658DB)
s.add(ZeroExt(16,x) * ZeroExt(32, y) > 0x7B5658DB)
sysopfb /
Last active January 11, 2020 19:34
8713179977a3ac6f2f55d5b566628ea3 notes on traffic
>>> a = "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"
>>> b = binascii.unhexlify(a)
>>> struct.unpack_from('<HII', b)
(3340, 413, 884)
>>> len(b)
>>> c = zlib.decompress(b[10:])
>>> len(c)
sysopfb / .NET with windbg and sos
Created May 9, 2019 01:09
Some quick notes on unpacking .NET malware with windbg and sos
Use the x86 windbg for 32-bit malware and the x64 windbg for 64-bit malware; otherwise sos fails to load the matching runtime files.
Talos has some stuff to get started with
Load up the .NET exe into windbg
sxe ld clr
sxe ld clrjit
sysopfb / beacons.txt
Last active May 12, 2020 20:34
beacon pivots
Pivot from config at
C2_POSTREQ: [('_HEADER', 0, 'Content-Type: application/octet-stream'), ('BUILD', ('PARAMETER', 'id'))]
C2_REQUEST: [('BUILD', ('BASE64', 'HEADER', 'Cookie'))]