Minh-Triet Pham Tran trietptm

import os
import sys
import glob
import cPickle as pickle
from multiprocessing import Process
import config as CFG
# Worker count pulled from the local config module; presumably the number of
# Process instances spawned further down (multiprocessing is imported above) --
# confirm against the rest of the script.
number_of_jobs = getattr(CFG, "number_of_jobs")
#!/usr/bin/env python3
# Name:
# unpack_emotet.py
# Description:
# This script accompanies my blog at
# https://mirshadx.wordpress.com/2020/11/22/analyzing-an-emotet-dropper-and-writing-a-python-script-to-statically-unpack-payload/
# and can be used to statically unpack given sample in the blog
# Author:
# https://twitter.com/mirshadx
# https://www.linkedin.com/in/irshad-muhammad-3020b0a5/
import binascii
from itertools import cycle
# Path of the captured server response that the script unpacks (name kept as
# spelled in the original gist).
SERVER_RESPONSE_FIE = "server_response.txt"
# Static XOR key as a bytes object; presumably applied with itertools.cycle
# further down -- verify against the rest of the script.
XOR_KEY = b"ZKkz8PH0"
# Read the response as text (platform default encoding, universal newlines)
# and reverse it, i.e. the stored payload is treated as back-to-front.
# NOTE(review): this yields a str while XOR_KEY is bytes, so a str->bytes
# conversion (or an open(..., "rb")) presumably happens later -- confirm.
with open(SERVER_RESPONSE_FIE) as serverfd:
    resp_str = serverfd.read()
resp_str = resp_str[::-1]
@trietptm
trietptm / main.cpp
Created January 6, 2021 11:51 — forked from NeatMonster/main.cpp
ZLib
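// Decoding.
// Compressed input (a zlib stream, 0x78 0x9c header) and a fixed-size output
// buffer for the inflated bytes.
bytes_t crypt = {120, 156, 251, 255, 127, 100, 3, 0, 8, 0, 255, 1};
bytes_t plain(196864);
// zlib requires zalloc/zfree/opaque to be initialised (Z_NULL) before
// inflateInit(); value-initialising the struct does that instead of leaving
// them indeterminate on the stack.
z_stream stream{};
int init_ret = inflateInit(&stream);
stream.next_in = crypt.data();
stream.avail_in = static_cast<uInt>(crypt.size());
stream.next_out = plain.data();
stream.avail_out = static_cast<uInt>(plain.size());
// Only inflate if initialisation succeeded; otherwise surface the init error
// in ret. With Z_FINISH a complete single-call inflate reports Z_STREAM_END,
// and the decoded length is stream.total_out (plain.size() - stream.avail_out);
// callers should check ret before trusting the contents of plain.
int ret = (init_ret == Z_OK) ? inflate(&stream, Z_FINISH) : init_ret;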
@trietptm
trietptm / frida-libjpeg.py
Created January 6, 2021 11:50 — forked from NeatMonster/frida-libjpeg.py
Dumping JPEGs w/ Frida
import frida, sys
# Module-level store that the on_message handler below is expected to fill,
# presumably keyed from the message payload -- confirm. Note the handler
# declares `global image` (singular), which does not bind this name.
images = dict()
def on_message(message, data):
global image
if message['type'] == 'send':
if message['payload'].startswith('['):
message = message['payload']
save = message[message.index(']')+1:]
@trietptm
trietptm / copy_stuff.py
Created January 6, 2021 11:48 — forked from NeatMonster/copy_stuff.py
Contextual menu to enable copying as UUID/bytes list/hex string
import uuid
import ida_bytes
import ida_hexrays
import ida_idaapi
import ida_kernwin
from PyQt5.Qt import QApplication
class Plugin(ida_idaapi.plugin_t):
import ida_netnode
"""
You can also switch the shell into IDC mode and enter del_user_info().
You can also edit your `~/ida-x/cfg/ida.cfg` and set `STORE_USER_INFO` to `NO`.
"""
# This will replace the original user blob with the evaluation version blob.
ORIGINAL_USER = \
@trietptm
trietptm / deob_opaque_predicate.py
Created December 15, 2020 13:13 — forked from williballenthin/deob_opaque_predicate.py
search for and patch out known opaque predicates within IDA Pro workspaces.
"""
search for and patch out known opaque predicates within IDA Pro workspaces.
just run the script and it will manipulate the open database.
therefore, you should probably create a backup first.
"""
import logging
from pprint import pprint
import ida_idp
@trietptm
trietptm / resources.md
Last active December 2, 2020 16:11 — forked from muff-in/resources.md
A curated list of Assembly Language / Reversing / Malware Analysis -resources
@trietptm
trietptm / export.json
Created October 29, 2020 09:52 — forked from Luro02/export.json
A huge JSON file containing all entries from here: http://crackmes.cf/archive/ , that will give you the ability to easily batch process the database! Happy Cracking :)
{
"1133": {
"url": "http://crackmes.cf/users/.nalet./nalets_crackme_no1/download/NaLeTcrkMe.zip",
"description": "First off don't give me that \"cr*pware\" things.\nYes, it's written in VB + P-Code, and all you need to do is find one serial.\nOh could someone rate it?!?",
"difficulty": 2,
"platform": "Windows",
"language": "(Visual) Basic",
"published": "2005-03-08T00:00:00",
"downloads": 1235,
"votes": 0