
Luax LuaxY

@hackermondev
hackermondev / research.md
Last active March 18, 2026 08:31
Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platforms

hi, i'm daniel. i'm a 15-year-old high school junior. in my free time, i hack billion dollar companies and build cool stuff.

3 months ago, I discovered a unique 0-click deanonymization attack that allows an attacker to grab the location of any target within a 250 mile radius. With a vulnerable app installed on a target's phone (or as a background application on their laptop), an attacker can send a malicious payload and deanonymize you within seconds--and you wouldn't even know.

I'm publishing this writeup and research as a warning, especially for journalists, activists, and hackers, about this type of undetectable attack. Hundreds of applications are vulnerable, including some of the most popular apps in the world: Signal, Discord, Twitter/X, and others. Here's how it works:

Cloudflare

By the numbers, Cloudflare is easily the most popular CDN on the market. It beats out competitors such as Sucuri, Amazon CloudFront, Akamai, and Fastly. In 2019, a major Cloudflare outage k

@gm3197
gm3197 / vas.md
Last active February 28, 2026 12:18
Reverse Engineered Value Added Services Protocol Specification

Reverse Engineered VAS Protocol Specification

Research by Grayson Martin
Last Updated 7/8/23

Introduction

Value Added Services (VAS) is the protocol used by NFC capable passes in Apple Wallet. Access to this protocol is heavily restricted on both the device end (a special certificate issued by Apple is required to create these passes) and the reader end (NDA enforced confidentiality). As such, a desire arose to better understand the protocol in order to explore additional use cases and examine its cryptographic integrity. There are gaps in understanding in certain parts of this protocol, however this document contains the minimum necessary understanding to automatically select, read data from, and decrypt a pass.

Importantly, this specification does not enable a malicious actor to read the data from a pass for which they do not have both the reader's private key, and the pass type identifier. Imp

#!/usr/bin/env python3
from __future__ import print_function
import frida
import sys
import json
import time
def on_message(message, payload):
    if(message['type'] == 'send'):
@tomekbielaszewski
tomekbielaszewski / main.go
Last active August 17, 2023 19:22
Example of RabbitMQ reconnect feature. Including recovering already registered consumers.
package main
import (
	"fmt"
	"log"
	"time"
)
func main() {
	queue := NewQueue("amqp://guest:guest@localhost:5672/", "hello")
// Copy paste this script on your console
var disabled = false;
var r = confirm('Start the Autolike on this page?');
var min_time_to_decide = 300;
var max_additional_time_to_decide = 1000;
var time_to_decide = function() {
    additional_time_to_decide = Math.floor(Math.random() * max_additional_time_to_decide);
    return min_time_to_decide + additional_time_to_decide;
@345161974
345161974 / GoMgoSample-1.go
Created June 12, 2017 06:27 — forked from ardan-bkennedy/GoMgoSample-1.go
Sample Go and MGO example
type (
	// BuoyCondition contains information for an individual station.
	BuoyCondition struct {
		WindSpeed     float64 `bson:"wind_speed_milehour"`
		WindDirection int     `bson:"wind_direction_degnorth"`
		WindGust      float64 `bson:"gust_wind_speed_milehour"`
	}
	// BuoyLocation contains the buoy's location.
	BuoyLocation struct {
@worawit
worawit / eternalblue_merge_shellcode.py
Last active April 3, 2024 12:25
Windows x64 and x86 kernel shellcode for eternalblue exploit
# This file has no update anymore. Please see https://github.com/worawit/MS17-010
import sys
from struct import pack
if len(sys.argv) < 4:
    print('Usage: {} sc_x86 sc_x64 sc_out'.format(sys.argv[0]))
    sys.exit()
sc_x86 = open(sys.argv[1], 'rb').read()
sc_x64 = open(sys.argv[2], 'rb').read()
@kristovatlas
kristovatlas / cssbanner-beautified2.js
Last active March 9, 2018 21:49
cleaned up version of cssbanner.js
//beautified at http://jsbeautifier.org/ with default options
//and then manually modified
/*jslint bitwise: true */
self.onmessage = function (msg) {
    var thecode = msg.data;
    /**
     * Ostensibly unused function
@atoponce
atoponce / gist:07d8d4c833873be2f68c34f9afc5a78a
Last active March 7, 2026 18:39 — forked from tqbf/gist:be58d2d39690c3b366ad
Cryptographic Best Practices

Cryptographic Best Practices

Putting cryptographic primitives together is a lot like putting a jigsaw puzzle together, where all the pieces are cut exactly the same way, but there is only one correct solution. Thankfully, there are some projects out there that are working hard to make sure developers are getting it right.

The following advice comes from years of research from leading security researchers, developers, and cryptographers. This Gist was [forked from Thomas Ptacek's Gist][1] to be more readable. Additions have been added from