Neoma Fong neomafo88

๐Ÿ 
Remote
View GitHub Profile

Investigation Log

  • Connected to IDA session, captured module hashes, enumerated exports (DllEntryPoint, Crash) to frame analysis scope.
  • Decompiled Crash → LaunchConfiguredIec104Sessions:0x100014e0, observed config parsing call and thread fan-out via CreateThread (0x10001547), then traced worker entry StartAddress to identify IEC-104 workflow.
  • Analyzed ParseIec104ConfigFile:0x10001610; confirmed _wfopen (0x10001674) and _fgets usage, mapped keywords target_ip, target_port, sequence, stop_comm_service, command_type, operation, shift, range, uselog at refs 0x100017B0–0x10002004 to per-session structure fields.
  • Inspected RunIec104SessionWorker:0x10002FE0; documented service-kill logic (OpenProcess 0x1000303D / TerminateProcess 0x10003046), IEC-104 connect (Iec104Connect 0x10003079), handshake (SendStartupSequence 0x1000309D), sequence dispatch (range 0x1000315D, shift 0x100031AE) and command emission (IssueSingleCommand calls at 0x1000331A/0x1000335E/0x100034E6/0x10003507).
  • Reverse engineere
  • Step 1: Reviewed DriverEntry (0x140001000) to record the device pair \Device\KApcHelper1 / \DosDevices\KApcHelperLink1, blanket dispatch table, and registration of ProcessCreateNotifyHandler plus a dummy thread notify hook.
  • Step 2: Traced the init path into ResolveKernelApis (0x140001244) and LocateThreadFlagSetterPattern (0x1400014B0) to understand which kernel services and hidden thread helpers the driver depends on.
  • Step 3: Decompiled DeviceControlDispatcher (0x140001B70) to map IOCTLs, uncover the handshake scheme, and note how every command is obfuscated by the HandshakeSeed.
  • Step 4: Followed the command flow into HandleHandshakeSeed (0x140001124) to confirm token generation/validation and the use of HandshakeValidated as a global gate.

In-memory loader decrypts and manually maps an embedded payload before handing execution to its DllMain.

Investigation Log

  • Step 1: Confirmed IDA attachment to pikabot.exe and enumerated entry points (start at 0x49f3a2, TLS callback at 0x519630) to understand initial execution vectors.
  • Step 2: Reviewed CRT startup at 0x49f22b and wWinMain_ManualLoaderEntry (0x519b8f) to see the real work funneled into ManualMapEmbeddedDll.
  • Step 3: Checked TlsCallback_ProcessDetach (0x519630) and its thunk TlsCallback_CleanupThunk →
@superfashi
superfashi / flare-on-12-write-up.md
Last active November 27, 2025 03:49
Flare-On 12 Write-Up

Flare-On 12 Write-up


1 - Drill Baby Drill!

We are given a game written in Python. Once again, the source code is given because this is the first and easiest challenge, so let's dig into it directly.

@0xBruno
0xBruno / CefSharpEnum.js
Last active October 26, 2025 21:31
Enumerate CefSharp JS to .NET bindings
// Enumerate CefSharp JS-to-.NET bindings. Methods on a CefSharp-bound object
// are asynchronous and return Promises, so a Promise coming back from
// toString() marks that window property as a .NET-backed object.
for (const key of Object.keys(window)) {
  const value = window[key];
  const type = (value != null && typeof value.toString === 'function')
    ? value.toString()
    : Object.prototype.toString.call(value);
  if (type instanceof Promise) {
    // Await the async toString() to print the bound object's description.
    console.log(`${key}: ${await window[key].toString()}`);
  }
}

#!/bin/bash
# MacBook Lid Angle Sensor Diagnostic Script
# This script helps identify the lid angle sensor on different MacBook models
echo "=============================================="
echo "MacBook Lid Angle Sensor Diagnostic Tool"
echo "=============================================="
echo ""

import os
import sys
import shutil
import zipfile
import platform
import tempfile
MAX_BACKUPS = 5
PATCHES = {
    "chrome/devtools/modules/devtools/server/actors/thread.js": {
@whitequark
whitequark / log_func_rename.py
Last active October 4, 2025 22:51
Binary Ninja snippets
# Extract function name from log calls
#
# Assumes the Binary Ninja Python API is available (Binary Ninja scripting
# console or plugin context).
from collections import defaultdict
from binaryninja.highlevelil import HighLevelILConstPtr

logger = "LogFuncRename"

def log_func_rename(log_function, name_index):
    # Tally, per calling function, the name strings passed to the log
    # function at argument position name_index.
    func_votes = defaultdict(lambda: defaultdict(lambda: 0))
    for call_site in log_function.caller_sites:
        # Only direct calls through a constant pointer can be resolved.
        if not isinstance(call_site.hlil.operands[0], HighLevelILConstPtr):
            continue
        # Skip call sites whose target is not this log function.
        if call_site.hlil.operands[0].constant != log_function.start:
            continue
@Lydxn
Lydxn / pycomment_writeup.md
Created March 10, 2025 07:57
"Pycomment" from KalmarCTF 2025

Pycomment (misc, 2 solves)

In this writeup, I will share how I solved "Pycomment" from KalmarCTF 2025. It was one of the tougher pyjails this year and makes use of two really unique ideas.

Thanks for the challenge, @ChattyPlatinumCool 😛

Description

Can you please help us comment our code? And please don't attack us.

@Ahmeth4n
Ahmeth4n / pairip_analysis.js
Created March 2, 2025 20:44
simple PairIP executeVM() analyzer frida script.
function hookNative() {
  // moduleHandle: the Frida Module object for the PairIP native library,
  // resolved earlier in the script (not shown in this preview).
  const jniOnLoad = moduleHandle.findExportByName("JNI_OnLoad");
  if (!jniOnLoad) {
    console.log("[-] JNI_OnLoad not found!");
    return;
  }
  console.log("[+] JNI_OnLoad found:", jniOnLoad);
  // Remainder of the hook is cut off in this preview.
}