https://www.youtube.com/playlist?list=PLKK11Ligqitg9MOX3-0tFT1Rmh3uJp7kA
import os | |
import sys | |
import glob | |
import cPickle as pickle | |
from multiprocessing import Process | |
import config as CFG | |
number_of_jobs = CFG.number_of_jobs |
#!/usr/bin/env python3 | |
# Name: | |
# unpack_emotet.py | |
# Description: | |
# This script accompanies my blog at | |
# https://mirshadx.wordpress.com/2020/11/22/analyzing-an-emotet-dropper-and-writing-a-python-script-to-statically-unpack-payload/ | |
# and can be used to statically unpack the sample given in the blog
# Author: | |
# https://twitter.com/mirshadx | |
# https://www.linkedin.com/in/irshad-muhammad-3020b0a5/ |
import binascii | |
from itertools import cycle | |
SERVER_RESPONSE_FIE = "server_response.txt"
XOR_KEY = b"ZKkz8PH0"

# Load the captured server response and reverse it end-to-end before any
# further processing.
# NOTE(review): the file is opened in text mode, so resp_str is a str, while
# XOR_KEY is a bytes literal; the step that combines them is not in this
# excerpt — confirm the two are reconciled (e.g. encoded) before use.
with open(SERVER_RESPONSE_FIE) as serverfd:
    resp_str = serverfd.read()[::-1]
// Decoding.
// Inflate a small zlib-compressed blob into a fixed-size buffer.
// NOTE(review): zlib requires zalloc, zfree and opaque to be set (Z_NULL for
// the defaults) before inflateInit(); if `stream` has automatic storage it is
// left indeterminate here — confirm the fields are initialised upstream.
// The first two bytes (0x78 0x9C) are a zlib stream header.
bytes_t crypt = {120, 156, 251, 255, 127, 100, 3, 0, 8, 0, 255, 1};
bytes_t plain(196864);   // fixed output capacity; inflate stops when it is full
z_stream stream;
inflateInit(&stream);    // return value not checked here
stream.next_in = crypt.data();
stream.avail_in = crypt.size();
stream.next_out = plain.data();
stream.avail_out = plain.size();
// ret holds the zlib status; Z_STREAM_END is the success case for Z_FINISH and
// stream.total_out gives the number of bytes actually written into plain.
int ret = inflate(&stream, Z_FINISH);
import frida, sys | |
images = {} | |
def on_message(message, data): | |
global image | |
if message['type'] == 'send': | |
if message['payload'].startswith('['): | |
message = message['payload'] | |
save = message[message.index(']')+1:] |
import uuid | |
import ida_bytes | |
import ida_hexrays | |
import ida_idaapi | |
import ida_kernwin | |
from PyQt5.Qt import QApplication | |
class Plugin(ida_idaapi.plugin_t): |
import ida_netnode | |
""" | |
You can also switch the shell into IDC mode and enter del_user_info(). | |
You can also edit your `~/ida-x/cfg/ida.cfg` and set `STORE_USER_INFO` to `NO`. | |
""" | |
# This will replace the original user blob with the evaluation version blob. | |
ORIGINAL_USER = \ |
""" | |
search for and patch out known opaque predicates within IDA Pro workspaces. | |
just run the script and it will manipulate the open database. | |
therefore, you should probably create a backup first. | |
""" | |
import logging | |
from pprint import pprint | |
import ida_idp |
{ | |
"1133": { | |
"url": "http://crackmes.cf/users/.nalet./nalets_crackme_no1/download/NaLeTcrkMe.zip", | |
"description": "First off don't give me that \"cr*pware\" things.\nYes, it's written in VB + P-Code, and all you need to do is find one serial.\nOh could someone rate it?!?", | |
"difficulty": 2, | |
"platform": "Windows", | |
"language": "(Visual) Basic", | |
"published": "2005-03-08T00:00:00", | |
"downloads": 1235, | |
"votes": 0 |