> cat /dev/github | grep security-tools

C

android-unpacker

2026-03-30 C ★ 1177

AI Summary: The Android Unpacker tool facilitates the reverse engineering and unpacking of Android applications protected by various obfuscation techniques, including APKProtect and Bangcle. Its notable features include a native unpacker that operates without dependencies on GDB, scripts for unpacking specific protections, and methods for hiding debugging environments from detection. This tool is primarily intended for educational and research purposes in the field of malware analysis.


README

android-unpacker

Android Unpacker presented at Defcon 22: Android Hacker Protection Level 0

awesome-flipperzero-withModules

2026-03-30 C ★ 1920

AI Summary: The “Awesome Flipper Zero with Modules” repository is an enhanced resource collection for the Flipper Zero device, providing a variety of plugins, payloads, and databases to extend its functionality. Notable features include access to numerous pre-configured BadUSB payloads, IR device dumps, and various custom files for generating or interacting with Flipper Zero formats. This repository serves as a comprehensive toolkit for users looking to maximize their experience and capabilities with the Flipper Zero platform.

CTFs

2026-03-30 C ★ 813

AI Summary: CTFs is a repository containing write-ups and resources for various Cyber Capture The Flag (CTF) challenges. It offers a comprehensive cheat sheet detailing strategies and techniques across diverse categories, including forensics, binary exploitation, web challenges, and cryptography. Notable features include curated educational resources, practice sites, and a web mirror for easy access.


README

CTFs

Writeups / Files for some of the Cyber CTFs that I’ve done

I’ve also included a list of CTF resources as well as a comprehensive cheat sheet covering tons of common CTF challenges

ctftool

2026-03-30 C ★ 1665

AI Summary: ctftool is an interactive command-line tool designed for exploring and experimenting with the CTF protocol used in Windows for Text Services. Its primary use case includes studying Windows internals, debugging Text Input Processors, and analyzing security within the CTF environment, with notable features such as support for scripting, automated interactions, and various commands for managing connections and clients. The tool is compatible with Windows 7, 8, and 10, supporting both 32-bit and x64 architectures.

CVE-2020-0796

2026-03-30 C ★ 1351

AI Summary: CVE-2020-0796 is a Windows SMBv3 local privilege escalation exploit that targets a vulnerability in the SMB protocol, enabling unauthorized users to elevate their permissions. The tool includes proof of concept (PoC) and analysis references for users seeking to understand and replicate the exploit. Notable features include detailed documentation and references to further resources for in-depth exploitation and analysis of the vulnerability.


README

CVE-2020-0796

Windows SMBv3 LPE Exploit

exploit

CVE-2024-1086

2026-03-30 C ★ 2439

AI Summary: CVE-2024-1086 is a universal local privilege escalation exploit targeting Linux kernels from v5.14 to v6.6, with a notable success rate of 99.4% in KernelCTF environments. It allows users to gain root access under specific conditions related to user namespaces and kernel configurations, while also showcasing a deliberate kernel panic after execution to deter malicious exploitation. The tool includes both source code for building as well as a compiled binary for ease of use.

DDOS-RootSec

2026-03-30 C ★ 1010

AI Summary: The RootSec Archive is a comprehensive collection of tools and resources designed for conducting Distributed Denial-of-Service (DDoS) attacks, vulnerability scanning, and botnet management. Notable features include a variety of botnet variants (such as Mirai and QBot), password cracking tools, real-time statistics through DStat, and C2 sources for effective botnet control. This archive serves both as a point of reference and a toolkit for security testing and exploitation practices.

DEFCON-31-Syscalls-Workshop

2026-03-30 C ★ 751

AI Summary: The DEFCON 31 Syscalls Workshop repository provides educational materials focusing on direct and indirect syscalls within Windows operating systems, particularly aimed at enhancing understanding of Win32 and Native APIs for Red Team activities. It includes theoretical content, practical exercises, and proof of concepts (POCs) to facilitate learning about syscall mechanisms and their implications in EDR evasion. Notable features include an emphasis on manual techniques over complex automation, offering foundational insights into call stacks and shellcode execution dynamics.

dethrace

2026-03-30 C ★ 1107

AI Summary: Dethrace is a recreation project aimed at reverse-engineering the 1997 game Carmageddon to enable it to run natively on contemporary systems. The tool supports building with CMake and SDL2, and allows users to leverage original game assets or demo versions for gameplay. Notably, it offers configuration options through an INI file and supports CD audio playback from compatible folders, enhancing the authenticity of the gaming experience.


README

Dethrace

dumpulator

2026-03-30 C ★ 859

AI Summary: Dumpulator is a dynamic code emulation library designed for analyzing minidump files, facilitating the reverse engineering of malware and other binaries. Its primary use case includes emulating function calls and tracing execution paths within dumped memory structures, allowing users to decrypt strings and execute code snippets easily. Notable features comprise memory allocation, UTF-16 string reading, and the ability to trace execution for debugging purposes, all while presenting a clean interface for integration within Python scripts.

e9patch

2026-03-30 C ★ 1098

AI Summary: E9Patch is a static binary rewriting tool designed for x86_64 Linux ELF binaries that enables users to modify and patch binaries without introducing dependencies, making the output a drop-in replacement. Notable features include its scalability for large binaries, fast rewriting capability, low overhead performance, and programmability for integration with other projects. With functionalities such as instruction instrumentation and various supported modes, E9Patch can effectively enhance binary behavior for tasks such as fuzzing and system call interception.

eDBG

2026-03-30 C ★ 783

AI Summary: eDBG is a lightweight CLI debugger based on eBPF, designed for Android ARM64 platforms, which offers enhanced resistance to anti-debugging mechanisms compared to traditional ptrace-based debuggers. Its notable features include a user-friendly CLI interface akin to pwndbg, support for standard debugging functionalities, and a file and offset-based breakpoint registration system that facilitates fast startup and multi-threaded or multi-process debugging. Additionally, eDBG operates without direct program attachment, enabling stable dynamic analysis with minimal intrusion.

h-encore

2026-03-30 C ★ 1104

AI Summary: h-encore is a jailbreak tool for the PS Vita that enables kernel and user-mode modifications on firmware versions 3.65, 3.67, and 3.68. Its primary use case is to allow users to install plugins, run homebrew applications, and customize their device’s performance. Notable features include the ability to auto-exit the bootstrap menu, personalize savedata to remove trophy warnings, and a streamlined kernel ROP chain for enhanced stability and compatibility.

Hacking-Windows

2026-03-30 C ★ 1566

AI Summary: Hacking Windows is a comprehensive resource that provides insights into reverse engineering and hacking techniques specifically for Windows applications using Assembly language. It includes practical examples, tutorials, and chapters dedicated to debugging and analyzing various Windows API functions in both x86 and x64 architectures. Notable features include accessible self-study material, a free downloadable book, and hands-on exercises focused on real-world programming scenarios.


README

FREE Reverse Engineering Self-Study Course HERE

Hacking Windows

The book and code repo for the FREE Hacking Windows book by Kevin Thomas.

hidden

2026-03-30 C ★ 2009

AI Summary: Hidden is a Windows driver designed for reverse engineering and research purposes, enabling users to conceal specific environmental indicators on their machines, such as debugging tools and virtual machine infrastructure. It offers advanced features to hide registry keys, files, directories, and processes, while providing a usermode interface through a library and command-line interface for comprehensive management capabilities. Notably, it includes the functionality to protect specific processes and exclude others from hiding features, all compatible with Windows Vista and later versions.

hollows_hunter

2026-03-30 C ★ 2325

AI Summary: Hollows Hunter is a command-line tool designed to identify and dump potentially malicious implants in processes by utilizing the PE-sieve passive memory scanner. Its primary use case includes scanning processes based on various criteria, such as process name and creation time, and it offers capabilities for continuous memory scanning and ETW listening. Notable features include the ability to scan all processes if no specific targets are specified, and support for multiple input criteria for enhanced targeting.

HyperDbg

2026-03-30 C ★ 3698

AI Summary: HyperDbg is an open-source, hypervisor-assisted debugger designed for advanced analysis, fuzzing, and reversing of Windows applications at both user and kernel levels. It leverages modern hardware features like Intel VT-x and EPT, enabling stealthy operation that resists detection by classic anti-debugging techniques, while offering unique capabilities such as hidden hooks and code coverage measurement. This tool is tailored for users with deep low-level system knowledge, providing full control over the operating system for intricate debugging tasks.

kernel-exploits

2026-03-30 C ★ 803

AI Summary: The bcoles/kernel-exploits repository provides various updated local root exploit implementations targeting vulnerabilities in the Linux kernel, specifically those identified by their CVEs. Each exploit enables privilege escalation through vulnerabilities such as improper memory handling or mismanaged user namespaces, allowing attackers to gain root access under certain conditions. Notable features include detailed exploit descriptions and references to original sources for further investigation.


README

Kernel Exploits

Various kernel exploits

CVE-2021-22555

Linux local root exploit.

kernel-exploits

2026-03-30 C ★ 1571

AI Summary: The xairy/kernel-exploits repository contains a collection of Linux kernel exploit code samples for various vulnerabilities, primarily focusing on local privilege escalation (LPE) and information leak scenarios. Each entry is associated with specific Common Vulnerabilities and Exposures (CVEs), detailing the exploit’s impact and vector, enhancing understanding and mitigation strategies for kernel security vulnerabilities. Notable features include the absence of licensing, making the code freely available for educational and research purposes.

kernelpwn

2026-03-30 C ★ 708

AI Summary: The kernelpwn repository serves as a comprehensive resource for Capture The Flag (CTF) challenges focused on kernel exploitation, providing both challenge write-ups and educational material for beginners in the field. It features a collection of solved kernel-pwn challenges with detailed write-ups, covering various complex exploitation techniques such as SMEP, SMAP, KPTI, and KASLR bypasses. Notable features include a focus on both kernel and non-userland vulnerabilities, as well as an invitation for community contributions to enhance the repository’s challenge offerings.

ksm

2026-03-30 C ★ 864

AI Summary: KSM is a lightweight x64 hypervisor designed for Intel processors that functions primarily as an extra layer of protection for existing operating systems, rather than running other OS instances. Notable features include a self-contained physical memory introspection engine, userspace physical memory virtualization, IDT shadowing, and experimental support for nesting and APIC virtualization. It is compatible with both Windows and Linux kernels, making it suitable for security applications such as anti-virus and sandboxing.

learning-reverse-engineering

2026-03-30 C ★ 750

AI Summary: The Learning Reverse Engineering repository provides a collection of programs aimed at enhancing skills in reverse engineering and malware analysis. It organizes content by specific concepts related to reverse engineering, delivers both source code and compiled binaries, and includes links to supplementary online courses and video playlists. Notable features include guidance on using various tools like Ghidra and IDA Pro, as well as instructions for compiling the source code with Microsoft’s C/C++ compiler.

linux-kernel-exploits

2026-03-30 C ★ 5588

AI Summary: The linux-kernel-exploits repository provides a catalog of various known vulnerabilities within the Linux kernel, detailing specific CVEs along with their descriptions and affected kernel versions. Its primary use case is to aid security researchers and penetration testers in identifying and exploiting kernel vulnerabilities for testing and mitigation purposes. Notable features include a comprehensive list of CVEs organized by year, along with linked folders containing additional exploit details.


README

linux-kernel-exploits

Introduction

linux-kernel-exploits

mal_unpack

2026-03-30 C ★ 798

AI Summary: mal_unpack is a dynamic malware unpacker that leverages PE-sieve to deploy packed malware, allowing it to unpack and dump the payload while terminating the original process. Its primary use case is for malware analysis in controlled environments, with notable features including options for dumping implanted PEs, shellcodes, and modified artifacts, as well as performance enhancements through an auxiliary driver.


README

mal_unpack

mimipenguin

2026-03-30 C ★ 4090

AI Summary: MimiPenguin is a Linux tool designed to extract cleartext login passwords from the currently logged-in desktop user by dumping process memory. It utilizes a probability-based method to identify possible passwords by cross-referencing hashes from the /etc/shadow file and performing regex searches. Notably, version 2.0 features a C implementation aimed at enhancing speed and portability, while it maintains support for various desktop environments and authentication types including Gnome Keyring and LightDM.

netcat

2026-03-30 C ★ 886

AI Summary: Netcat for Windows is a TCP/IP utility designed for network diagnostics and exploration, functioning as a versatile “Swiss Army knife” for admins on the Windows platform. It supports both inbound and outbound connections over TCP or UDP, features built-in port scanning, DNS checks, and allows for custom local network configurations. Notably, this version excludes the potentially insecure -e switch to mitigate false positives from antivirus software, while also resolving issues encountered during telnet sessions.

panda

2026-03-30 C ★ 2727

AI Summary: PANDA is an open-source platform designed for architecture-neutral dynamic analysis, utilizing the QEMU whole system emulator to provide deep insights into code execution and data handling across various CPU architectures. It features capabilities for recording and replaying executions, allowing for compact and shareable replay logs, and supports a plugin architecture for enhanced code reusability in dynamic taint analysis and other complex analyses. The tool is developed in collaboration with academic institutions and is available as a Docker container as well as a Python interface for flexible integration into analysis workflows.

papermario

2026-03-30 C ★ 1545

AI Summary: Paper Mario is an ongoing decompilation project aimed at recreating the original Paper Mario video game for multiple regions including US, JP, PAL, and iQue. The tool generates corresponding ROMs, providing a clear progress tracking system for each version. Notable features include a dedicated setup guide, active community support via Discord, and a public website for monitoring development progress.


README

Paper Mario

This is a work-in-progress decompilation of Paper Mario.

paradoxiaRAT

2026-03-30 C ★ 822

AI Summary: Paradoxia is a Remote Access Tool (RAT) designed for covert control of target systems, featuring a user-friendly console that allows users to easily build and deploy client applications. Notable capabilities include multithreading for multiple session management, full file access, keylogging, microphone recording, and remote execution commands, alongside stealth operation and persistent installation. This tool is intended for malicious use, as indicated by its detection as malware by security software.

PDBRipper

2026-03-30 C ★ 883

AI Summary: PDBRipper is a utility designed for extracting information from PDB (Program Database) files, primarily used in software development and reverse engineering. Notable features include a graphical user interface and console mode for flexibility, as well as support for building on Windows using Visual Studio and Qt. The tool facilitates in-depth analysis and manipulation of debugging information contained within PDB files.


README

PDBRipper

PDBRipper is a utility for extracting information from PDB files.

php-spx

2026-03-30 C ★ 2572

AI Summary: SPX (Simple Profiling eXtension) is a lightweight PHP profiling tool designed to enhance performance analysis without external dependencies, ensuring data privacy on user infrastructure. It offers seamless profiling activation, requiring minimal setup, and supports multiple metrics like execution time, memory usage, and object tracking. Its integrated web UI enables interactive visualizations, including timelines and Flamegraphs, to facilitate detailed performance insights and troubleshooting.


README

SPX - A simple profiler for PHP

Supported PHP versions: 5.4 .. 8.x. Supported platforms: GNU/Linux, macOS & FreeBSD. Supported architectures: x86-64 or ARM64.

pixiewps

2026-03-30 C ★ 1699

AI Summary: Pixiewps is a C-based tool that performs offline brute-force attacks on WPS PINs using the “pixie-dust attack,” allowing it to potentially recover vulnerable PINs in seconds to minutes rather than hours. Notably, since version 1.4, it can also retrieve the WPA-PSK from passive captures and includes multi-threading support to improve performance. Designed primarily for educational purposes, Pixiewps requires specific input parameters related to WPS authentication and offers various operational modes for advanced usage.

pokeemerald

2026-03-30 C ★ 3045

AI Summary: Pokémon Emerald is a decompilation project that allows users to build the ROM file for the Pokémon Emerald game. Its primary use case is for developers and enthusiasts looking to analyze, modify, or enhance the original game code. Notable features include the ability to reconstruct the game’s ROM and support for custom modifications.


README

Pokémon Emerald

This is a decompilation of Pokémon Emerald.

It builds the following ROM:

pokefirered

2026-03-30 C ★ 1375

AI Summary: The Pokémon FireRed and LeafGreen repository provides a comprehensive decompilation of the popular Pokémon games, enabling users to create various ROM images of FireRed and LeafGreen. Its primary use case is for game developers and modders looking to analyze, modify, or enhance the original games. Notable features include the generation of multiple ROM versions, including revisions and switch-compatible formats, along with detailed SHA1 checksums for verification.


README

Pokémon FireRed and LeafGreen

This is a decompilation of English Pokémon FireRed and LeafGreen.

pokeruby

2026-03-30 C ★ 938

AI Summary: Pokémon Ruby and Sapphire is a comprehensive disassembly of the Game Boy Advance titles Pokémon Ruby and Sapphire, enabling developers to understand and modify the game’s code. The primary use case focuses on ROM development and enhancement, allowing users to compile the original game files, pokeruby.gba and pokesapphire.gba. Notable features include built-in support for building ROMs, making it an essential tool for enthusiasts involved in Pokémon game development and reverse engineering.

PrivEsc

2026-03-30 C ★ 987

AI Summary: PrivEsc is a collection of privilege escalation scripts and exploits designed for Windows, Linux, and MySQL environments. Its primary use case is to help security professionals identify and exploit privilege escalation vulnerabilities in various systems. Notable features include compatibility with multiple operating systems and exploitation capabilities tailored for common service vulnerabilities.


README

PrivEsc by 1N3@CrowdShield

http://crowdshield.com

ABOUT:

A collection of Windows, Linux and MySQL privilege escalation scripts and exploits.

radare2-book

2026-03-30 C ★ 876

AI Summary: The r2book is a collaboratively maintained documentation resource for the Radare2 reverse engineering framework, serving as an updated version of the original radare1 book. Its primary use case is to provide users with comprehensive information and guidance on utilizing Radare2 effectively, while notable features include community contributions for continuous content improvement and online accessibility.


README

r2book

This book is an updated version maintained by the community of the original radare1 book written by pancake.

readpe

2026-03-30 C ★ 769

AI Summary: readpe is a comprehensive command line toolkit designed for the analysis and manipulation of PE (Portable Executable) binaries across multiple platforms. Its primary use case involves providing developers and security analysts with tools to inspect, modify, and understand the structure of PE files. Notable features include easy installation and building on various operating systems, as well as its background as a successor to the original pev tool, with enhanced functionality integrated into a single repository.

REDRIVER2

2026-03-30 C ★ 1241

AI Summary: REDRIVER2 is a reverse-engineered reimplementation of the original game, translating MIPS code back to C without emulation, and significantly enhancing it beyond the original PlayStation version. The tool supports modding with replacement of textures and models, runs on multiple platforms including Windows and Linux, and integrates a custom porting layer based on the Psy-X emulator. It utilizes advanced reverse engineering methods, including debugging symbols and semi-automatic decompilation techniques to achieve a fully playable game experience.

ret-sync

2026-03-30 C ★ 2320

AI Summary: ret-sync is a synchronization tool designed for reverse engineering, enabling the integration of various debugging environments (WinDbg, GDB, LLDB, etc.) with static analysis disassemblers (IDA, Ghidra, Binary Ninja). Its primary use case is to facilitate a seamless analysis workflow by synchronizing debugger states with disassembler views, allowing for real-time insights during dynamic analysis while providing the broader context from static analysis. Notable features include on-the-fly address rebasing, support for multiple simultaneous sessions across different systems, and the ability to pass contextual information between debug and disassembly tools.

shad0w

2026-03-30 C ★ 2169

AI Summary: SHAD0W is a modular command and control (C2) framework designed for advanced threat operations within mature environments, leveraging techniques to evade endpoint detection and antivirus systems. Built with Python and C, it enables the execution of payloads including .NET assemblies and scripts entirely in memory, while offering features such as HTTPS communication, dynamic process injection, and extensive modularity for tasking beacons. Notable components include built-in privilege escalation exploits, a live web proxy feature, and a robust command-line interface, facilitating customization and effective covert operations.

spectre-attack

2026-03-30 C ★ 771

AI Summary: The Spectre Attack Example repository demonstrates an exploit based on the Spectre vulnerability (CVE-2017-5753 and CVE-2017-5715), which allows attackers to read sensitive information from memory by exploiting speculative execution. The tool constructs a scenario where out-of-bounds memory reads can leak data via cache timing attacks, highlighting how seemingly safe coding practices can inadvertently increase vulnerability. Notable features include the ability to test system vulnerability, read specified memory addresses, and compile with both GCC and Visual Studio.

thc-hydra

2026-03-30 C ★ 11756

AI Summary: THC-Hydra is a versatile password-cracking tool designed for testing the security of various network services by attempting to gain unauthorized access through brute-force attacks. It supports multiple protocols, including FTP, HTTP, SSH, and many others, enabling security researchers and consultants to evaluate password strength and recognize vulnerabilities across a wide range of applications. Notable features include its ability to conduct parallelized connection attempts and an extensible module engine for easy addition of new protocols.

TRX

2026-03-30 C ★ 867

AI Summary: TRX is an open-source reimplementation of the classic Tomb Raider games (I, II, and III), designed to enhance gameplay through decompilation and integration of open-source components. The engine supports distinct mechanics for all three titles and features enhancements such as customizable draw distances, a developer console, updated UI elements, and the capability to run custom levels. Notably, TRX is cross-platform, supporting Windows, Linux, and macOS, with extensive controller compatibility and customizable control options.

VAC

2026-03-30 C ★ 811

AI Summary: VAC is a user-mode anti-cheat system developed by Valve, designed to operate non-invasively on Windows systems. The tool utilizes a set of modules to gather critical system information, enumerate processes, and monitor game performance, primarily focusing on maintaining the integrity of online gaming environments. Notable features include the use of various encryption and hashing methods, such as MD5 and CRC32, to secure operations and information within its modules.

Validity90

2026-03-30 C ★ 1873

AI Summary: Validity90 is a tool focused on reverse engineering the communication protocol of various Validity fingerprint readers, such as models 138a:0090 and 138a:0094. It aims to create an open-source driver for integration with the libfprint library, featuring a Wireshark dissector for analyzing encrypted communication and a standalone prototype for testing device functionalities. Notably, the project is actively developing specifications and protocols for multiple devices, with partial implementation already achieving scan and internal database check capabilities.

windows-kernel-exploits

2026-03-30 C ★ 8623

AI Summary: The windows-kernel-exploits repository provides a collection of exploit code snippets for various vulnerabilities in the Windows kernel, leveraging known CVEs to demonstrate potential elevation of privilege and remote code execution attacks. This tool primarily serves security researchers and penetration testers conducting vulnerability assessments on Windows operating systems. Notable features include comprehensive listings of CVEs, along with links to proof-of-concept exploits and detailed descriptions for a wide range of Windows versions.

xAnalyzer

2026-03-30 C ★ 1193

AI Summary: xAnalyzer is a plugin for the x64dbg debugger designed to enhance static code analysis of debugged applications. It leverages extensive API function call detection and provides detailed function definitions, argument types, and additional debugging information, greatly improving the user’s comprehension before commencing debugging tasks. Notable features include automatic loop detection, user-maintained definition files, and support for over 13,000 API definitions from approximately 200 DLLs.


Zygisk-Il2CppDumper

2026-03-30 C ★ 3086

AI Summary: Zygisk-Il2CppDumper is a tool designed for dumping IL2CPP data at runtime while leveraging Zygisk to effectively bypass various protections, encryptions, and obfuscations. Its primary use case is for developers and security researchers needing to extract and analyze IL2CPP binaries from Android applications. Notable features include its compatibility with Magisk, flexible installation methods, and the ability to automate the dumping process through GitHub Actions or Android Studio.


README

Zygisk-Il2CppDumper

Il2CppDumper with Zygisk, dump il2cpp data at runtime, can bypass protection, encryption and obfuscation.