I hereby claim:
- I am seth1002 on github.
- I am seth0421 (https://keybase.io/seth0421) on keybase.
- I have a public key ASDg8gnKLDUp1qZvxUgBNtyE4YyXBrq8BxTsKWzzqRaOmQo
To claim this, I am signing this object:

from __future__ import print_function
import idc
import idaapi
import idautils
import flare_emu
import unicorn
# test sample https://www.virustotal.com/gui/file/c7a9609c212f275415e678ac7452f19aa9fbc39f9c1fd2708f43629edfd28a3e/detection
decrypted_blocks = []

#include "stdafx.h"
#define DB(_val_) __asm __emit (_val_)
#define INVALID_SYSCALL (DWORD)(-1)
// code selectors
#define CS_32 0x23
#define CS_64 0x33

############################################################################################
##
## Quick IDA Hex Bytes Copy
##
## All credit for logic and code chunks:
## @tmr232
## https://github.com/tmr232/Sark
##
## I simply removed dependencies and made it standalone.
##

#!/usr/bin/env python
################################################################################################
## UCL NRV2B Decompression Library
##
## Code from "Clash of the Titans: ZeuS v SpyEye":
## https://www.sans.org/reading-room/whitepapers/malicious/clash-titans-zeus-spyeye-33393
## Author: Harshit Nayyar, [email protected]
##
## NOTE: This is the compression algorithm used in the Zeus trojan and subsequent variants
##