I hereby claim:
- I am coldshell on github.
- I am coldshell (https://keybase.io/coldshell) on keybase.
- I have a public key ASDZXlbZhQYNgDhmihPYdIFOKn5-PcSgK0DCyT5FGJmMUgo
To claim this, I am signing this object:
I hereby claim:
To claim this, I am signing this object:
| def decrypt_n_comment(func, func_name): | |
| """ | |
| Decryption of Satan string | |
| """ | |
| for xref in XrefsTo(LocByName(func_name)): | |
| # init retrieve arguments | |
| index_ea = search_inst(xref.frm, "push") | |
| index_op = GetOperandValue(index_ea, 0) | |
| buf = Appcall.buffer("\x00" * 512) |
| def decrypt_n_comment(func, func_name): | |
| """ | |
| Decryption of cerber string | |
| """ | |
| for xref in XrefsTo(LocByName(func_name)): | |
| # init retrieve arguments | |
| string_ea = search_inst(xref.frm, "push") | |
| string_op = GetOperandValue(string_ea,0) | |
| size_ea = search_inst(PrevHead(string_ea), "push") | |
| size_op = GetOperandValue(size_ea,0) |
| first date | last date | bitcoin address |
|---|---|---|
| 01/18/2017 (MM/DD/YYYY; first transaction) | 02/28/2017 (MM/DD/YYYY; last transaction) | 137zbLqMQjc96kYcEyPonpT442eWuuvKYK |
| 15/03/2017 (official date on Spora store) | 14/04/2017 (in theory, 30 days validity) | 1EW2dYKBNNfjyabNrqMB4bE7jT5e9bZAU2 |
| 21/03/2017 (official date on Spora store) | 20/04/2017 (in theory, 30 days validity) | 1N5i6frmoCNKr9X8Nski3fWgYkavhR6Y3N |
| #!/usr/bin/env python3 | |
| import re | |
| import argparse | |
| from colorama import init, Fore, Style | |
| from terminaltables import DoubleTable | |
| def main(): | |
| args = usage() |
| def decrypt(func): | |
| """ | |
| Decryption of zeus strings | |
| """ | |
| ZBOT_INDEX_MIN = 0x0 | |
| ZBOT_INDEX_MAX = 0xe7 | |
| data = {} | |
| for i in range(ZBOT_INDEX_MIN, ZBOT_INDEX_MAX): | |
| import idc | |
| def decrypt_n_comment(func, func_name): | |
| """ | |
| Decrypt and comment Shamoon2's strings | |
| """ | |
| data = {} | |
| for xref in XrefsTo(LocByName(func_name)): | |
| # init |