# Day #1: Diving into Big O

| Name        | Big O       |
|-------------|-------------|
| Constant    | O(1)        |
| Linear      | O(n)        |
| Quadratic   | O(n²)       |
| Cubic       | O(n³)       |
| Exponential | O(2^n)      |
| Logarithmic | O(log(n))   |
| Log Linear  | O(n log(n)) |

## O(1)

def PrintFirstElementOfArray(list):
    """Print the first element of *list*.

    Constant time, O(1): one index lookup, independent of the length.
    Raises IndexError on an empty sequence, like any ``[0]`` access.
    (The parameter name shadows the builtin ``list``; it is kept as-is so
    existing callers that pass it by keyword keep working.)
    """
    first = list[0]
    print(first)

## O(n)

def printElementsOfArray(list):
    """Print every element of *list*, one per line.

    Linear time, O(n): the loop body runs exactly once per element, so the
    work grows in direct proportion to the input size.
    """
    for element in list:
        print(element)

## O(n²)

def printAll(list):
    """Print every ordered pair of elements of *list*, two lines per pair.

    Quadratic time, O(n²): the inner loop runs n times for each of the n
    outer iterations, so n*n pairs are printed.
    """
    for outer in list:
        for inner in list:
            print(outer)
            print(inner)

## O(2^n)

def fibonacci(num):
    """Return the num-th Fibonacci number by naive double recursion.

    Deliberately exponential, O(2^n): every call above the base case spawns
    two more, so the same sub-problems are recomputed over and over. (A
    ``functools.cache`` decorator would make it linear, but then it would
    no longer illustrate O(2^n).) Values <= 1 are returned unchanged.
    """
    if num <= 1:
        return num
    return fibonacci(num - 1) + fibonacci(num - 2)

# Day #4: Unprotect Project — Detecting Drive Size

/* Win32 prototype (kernel32.dll). The Unprotect "drive size" evasion
 * technique reads the volume size through this call and compares it with a
 * threshold, analysis VMs typically being provisioned with small disks. */
BOOL GetDiskFreeSpaceExW(
    LPCWSTR         lpDirectoryName,              /* any directory on the volume to measure */
    PULARGE_INTEGER lpFreeBytesAvailableToCaller,
    PULARGE_INTEGER lpTotalNumberOfBytes,         /* total volume size: the value a drive-size check looks at */
    PULARGE_INTEGER lpTotalNumberOfFreeBytes
);

# Day #6: Reviewing some Programming Concepts

# Python dictionary: string keys mapping to values of mixed types.
my_dict = {
    'country': 'Scotland',
    'region': 'Highland',
    'Distillery': "Glenmorangie",
    'Whisky_age': 25,
}

# Accessing the dictionary with its key.
for key in ('Distillery', 'Whisky_age'):
    print(my_dict[key])

# Output:
# >>> print(my_dict['Distillery'])
# Glenmorangie
# >>> print(my_dict['Whisky_age'])
# 25
# A list (the post calls it an array) of distillery names, one per line.
my_array = [
    "glenmorangie",
    "balvenie",
    "macallan",
    "balblair",
]
| Method      | Description                                                                     |
|-------------|---------------------------------------------------------------------------------|
| `append()`  | Adds an element at the end of the list                                          |
| `clear()`   | Removes all the elements from the list                                          |
| `copy()`    | Returns a (shallow) copy of the list                                            |
| `count()`   | Returns the number of elements with the specified value                         |
| `extend()`  | Adds the elements of a list (or any iterable) to the end of the current list    |
| `index()`   | Returns the index of the first element with the specified value                 |
| `insert()`  | Adds an element at the specified position                                       |
| `pop()`     | Removes and returns the element at the specified position (the last by default) |
| `remove()`  | Removes the first item with the specified value                                 |
| `reverse()` | Reverses the order of the list in place                                         |
| `sort()`    | Sorts the list in place                                                         |

# Day #7: Python Ctypes Library

/* Win32 prototype (kernel32.dll), called below through ctypes. */
BOOL CreateProcessA(
    LPCSTR                lpApplicationName,    /* NULL below: the image is then parsed out of lpCommandLine */
    LPSTR                 lpCommandLine,        /* LPSTR, not LPCSTR: the call may write into this buffer */
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL                  bInheritHandles,
    DWORD                 dwCreationFlags,      /* CREATE_NEW_CONSOLE | CREATE_SUSPENDED in the snippet below */
    LPVOID                lpEnvironment,
    LPCSTR                lpCurrentDirectory,
    LPSTARTUPINFOA        lpStartupInfo,        /* caller fills cb with sizeof(STARTUPINFOA) first */
    LPPROCESS_INFORMATION lpProcessInformation  /* receives hProcess/hThread: the caller owns and closes them */
);
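import ctypes

# Load kernel32 with use_last_error=True so the Win32 error code is captured
# right after each call (ctypes.get_last_error) before anything else in the
# interpreter can overwrite it.
kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)

# HANDLE is pointer-sized; without an explicit argtype a 64-bit Python would
# pass the value as a 32-bit int.
kernel32.CloseHandle.argtypes = [ctypes.c_void_p]
kernel32.CloseHandle.restype = ctypes.c_int

# Creation flags (dwCreationFlags in the prototype above).
CREATE_NEW_CONSOLE = 0x00000010
CREATE_SUSPENDED = 0x00000004
creation_flags = CREATE_NEW_CONSOLE | CREATE_SUSPENDED

startupinfo = STARTUPINFO()
processinfo = PROCESS_INFORMATION()
startupinfo.cb = sizeof(startupinfo)

# `exe` is the command line set earlier in the script. lpCommandLine is LPSTR,
# not LPCSTR: CreateProcessA may write into the buffer, so pass a writable copy
# rather than an immutable Python bytes object. The A entry point takes ANSI
# bytes, so a str is encoded with the system code page.
cmdline = ctypes.create_string_buffer(exe if isinstance(exe, bytes) else exe.encode("mbcs"))

# With lpApplicationName=None the executable is parsed out of the command line;
# a path containing spaces must be quoted, otherwise Windows tries each prefix
# in turn ("C:\Program.exe" before "C:\Program Files\...") -- the classic
# unquoted-path pitfall.
ok = kernel32.CreateProcessA(
    None, cmdline, None, None, False, creation_flags, None, None,
    byref(startupinfo), byref(processinfo),
)
if not ok:
    # A failing Win32 call does not raise in ctypes: it returns FALSE and sets
    # the thread's last-error code. WinError() turns that code into an OSError
    # with the system message, instead of the original unreachable except.
    raise ctypes.WinError(ctypes.get_last_error())

print("Process started as PID: {}".format(processinfo.dwProcessId))

# NOTE: CREATE_SUSPENDED leaves the primary thread suspended, and closing the
# handles does not resume it -- the process stays parked until something calls
# ResumeThread(hThread) or terminates it. Keep hThread if you intend to resume.
kernel32.CloseHandle(processinfo.hProcess)
kernel32.CloseHandle(processinfo.hThread)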

# Day #8: Binary Disassembling with Capstone Engine

```
python capdis.py 771f5b0dfe59d6fafc705ca3712af5db7e479695f16ffee9626e1b7687912fdd
[+] Sample is 64 bit
[+] Number of imported functions: 216
[+] List of imported function:
b'setstdhandle'
b'exitthread'
b'getcommandlinew'
b'exitprocess'
b'getmodulehandleexw'
[Truncated]
b'wsaioctl'
b'closesocket'
b'wsasend'
b'shutdown'
b'wsasocketw'
b'socket'
b'wsarecv'
b'getsockopt'
b'ioctlsocket'
b'setsockopt'
b'freeaddrinfow'
b'getaddrinfow'
b'htonl'
b'htons'
[+] Binary disassembled:
0x1000: dec eax
0x1001: sub esp, 0x28
0x1004: call 0x1834
0x1009: dec eax
0x100a: add esp, 0x28
0x100d: jmp 0xe84
0x1012: int3
0x1013: int3
0x1014: inc eax
0x1015: push ebx
0x1016: dec eax
0x1017: sub esp, 0x20
0x101a: dec eax
0x101b: mov ebx, ecx
0x101d: xor ecx, ecx
0x101f: call dword ptr [0x87aef]
0x1025: dec eax
0x1026: mov ecx, ebx
0x1028: call dword ptr [0x87ade]
0x102e: call dword ptr [0x87650]
0x1034: dec eax
0x1035: mov ecx, eax
0x1037: mov edx, 0xc0000409
0x103c: dec eax
0x103d: add esp, 0x20
[Truncated]
0x1349: dec ebp
0x134a: xor ebx, ebx
0x134c: dec esp
0x134d: lea edx, [esp + 0x18]
0x1351: dec esp
0x1352: sub edx, eax
0x1354: dec ebp
0x1355: cmovb edx, ebx
0x1358: dec esp
0x135a: mov ebx, dword ptr [0x10]
0x1361: dec ebp
0x1362: cmp edx, ebx
0x1364: bnd jae 0x137e
0x1367: inc cx
0x1369: and edx, 0x8d4df000
0x136f: wait
0x1370: add al, dh
```

Note on this listing: although the script reports a 64-bit sample, the code was decoded in 32-bit mode. The single-byte `dec eax` / `dec esp` / `dec ebp` / `inc eax` instructions that precede almost every `sub esp`, `mov`, `lea` and `cmp` are x86-64 REX prefixes (0x48, 0x4C, 0x4D, 0x40) being misread as 32-bit opcodes; the real first instruction is `sub rsp, 0x28`, the usual shadow-space setup of a 64-bit function prologue. When the PE is 64-bit, build the engine with `Cs(CS_ARCH_X86, CS_MODE_64)` instead of `CS_MODE_32`.

# Day #11: PE Summary Extraction

```
python3 pe_info.py calc.exe
File type: b'PE32 executable (GUI) Intel 80386, for MS Windows'
File name: calc.exe
File size: 114688 Bytes
Compile time: 2001-08-17 22:52:32
Entry point: 0xcc00ffee
Image base: 0x01000000
Hash MD5: 456acd3b82700c3cf60b8e4e477e128f
Hash SHA2: 3f272a69536934a38ab379f1ab40ac3016a54d334758f9e6548dad9a9c20f404
Import hash: 08f6a1b121da8cedde2d1089d0906ed8
Ssdeep: 1536:QEl14rQcWAkN7GAlqbkfAGQGV8aMbrNyrf1w+noPvLV6eBsCXKc:QYmZWXyaiedMbrN6pnoXL1BsC
```

(An entry point of 0xcc00ffee lies far outside an image based at 0x01000000, so the way pe_info.py computes it is worth double-checking: `AddressOfEntryPoint` is an RVA and is normally printed as-is or added to the image base.)

# Day #12: IDA Python Script

from idautils import *
from idc import *
from idaapi import *

# Walk every function in the segment that holds the PE entry point and print
# its start address and name, one per line each.
#
# NOTE: BeginEA/SegStart/SegEnd/GetFunctionName are the pre-7.0 IDC names; on
# IDA >= 7.4 without the compatibility layer they are get_inf_attr(INF_START_EA),
# get_segm_start/get_segm_end and get_func_name.
start_add = BeginEA()  # PE entry point

for func_start in Functions(SegStart(start_add), SegEnd(start_add)):
    func_name = GetFunctionName(func_start)
    # Address first, then the name on its own line (with a trailing blank).
    print("%08x " % func_start)
    print("%s\n" % str(func_name))

# Day #13: Learning Go

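package main

import (
	"encoding/base64"
	"fmt"
	"os"
)

// main base64-encodes its first command-line argument, prints the result,
// then decodes it again to show the round trip.
func main() {
	// os.Args[0] is the program name; without this guard a missing argument
	// panics with an index-out-of-range instead of a usable message.
	if len(os.Args) < 2 {
		fmt.Fprintf(os.Stderr, "usage: %s <text>\n", os.Args[0])
		os.Exit(1)
	}
	arg1 := os.Args[1]

	encoded := base64.StdEncoding.EncodeToString([]byte(arg1))
	fmt.Println(encoded)

	decoded, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		// Keep the real error: panic("error") threw the reason away.
		panic(err)
	}
	fmt.Println(string(decoded))
}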
```
$ go run go64.go "encode in base64"
ZW5jb2RlIGluIGJhc2U2NA==
encode in base64
```

# Day #14: Caesar Cipher in Golang

```
$ go run caesar.go "this is my secret text"
[+] Clear text: this is my secret text
[+] Encoded: qefp fp jv pbzobq qbuq
[+] Decoded: this is my secret text
```

(The output shows a shift of 3 backwards, t→q. A Caesar shift is a programming exercise, not encryption: 26 candidate keys make it trivially brute-forced.)

# Day #15: Unprotect Project — Detect VM Mac address with GO

```
C:\Go\bin\go.exe run .\macdetect.go
VM detected!
1 00:0C:29
```

(00:0C:29 is one of the OUIs registered to VMware, which is what the MAC-address check matches on.)

# Day #16: Learning Go — Variables and Types

```go
bool
string
int  int8  int16  int32  int64
uint uint8 uint16 uint32 uint64 uintptr
byte // alias for uint8
rune // alias for int32; represents a Unicode code point
float32 float64
complex64 complex128
```
// Declare a string (its zero value is "")
var toto string
// Assign a string
toto = "This is my var"
// Append to the string var (+= concatenates)
toto += "!!!"
// Declare another string with an explicit type and an initial value
var tata string = "This is my seconf var"
// Short declaration: the type is inferred from the value (only valid inside a function body)
reminder := "Pratice is important!"

# Day #17: Qiling Framework for binary emulation

# setup Qiling engine: the sample to emulate and the rootfs holding the Windows
# DLLs it will load (add output="debug" for verbose logging)
ql = Qiling("file.exe", "place/of/Windows/dll/")  # , output = "debug")
# disable strace logs
# NOTE(review): an empty filter list is relied on to silence the API trace;
# confirm against the Qiling version in use, the filter semantics have changed
# between releases.
ql.filter = []
# now emulate the EXE
ql.run()
# hook GetProcAddress() on exit: QL_INTERCEPT.EXIT runs the callback after the
# emulated API has returned, so the (hModule, lpProcName) pair the sample
# resolved can be logged -- see the dump below. `GetProcAddress` here is the
# user-defined callback, not the Win32 API itself.
ql.set_api("GetProcAddress", GetProcAddress, QL_INTERCEPT.EXIT)
```
{'hModule': 270073856, 'lpProcName': 'FlsAlloc'}
{'hModule': 270073856, 'lpProcName': 'FlsGetValue'}
{'hModule': 270073856, 'lpProcName': 'FlsSetValue'}
{'hModule': 270073856, 'lpProcName': 'FlsFree'}
{'hModule': 270073856, 'lpProcName': 'EncodePointer'}
{'hModule': 270073856, 'lpProcName': 'EncodePointer'}
{'hModule': 270073856, 'lpProcName': 'EncodePointer'}
{'hModule': 270073856, 'lpProcName': 'EncodePointer'}
{'hModule': 270073856, 'lpProcName': 'EncodePointer'}
{'hModule': 270073856, 'lpProcName': 'EncodePointer'}
{'hModule': 270073856, 'lpProcName': 'EncodePointer'}
{'hModule': 270073856, 'lpProcName': 'DecodePointer'}
{'hModule': 270073856, 'lpProcName': 'DecodePointer'}
{'hModule': 270073856, 'lpProcName': 'EncodePointer'}
{'hModule': 270073856, 'lpProcName': 'DecodePointer'}
{'hModule': 270073856, 'lpProcName': 'IsProcessorFeaturePresent'}
```

(This sequence — Fls*, EncodePointer/DecodePointer, IsProcessorFeaturePresent — is typically what the MSVC C runtime's own startup resolves, not the sample's payload logic; anything the sample resolves itself would show up after it.)
# Hook to IsProcessorFeaturePresent: run the user-defined `stop` callback when
# emulation reaches this address (hook_address takes the callback first, then
# the address). Presumably the call site of the last resolved API above --
# confirm in the disassembly.
ql.hook_address(stop, 0x0042B726)

# Day #19: Using Frida for binary instrumentation

/* Win32 prototype. Exported by kernel32.dll, but the trace below shows the
 * handler landing in KERNELBASE.dll, where the implementation actually lives. */
HANDLE CreateMutexA(
    LPSECURITY_ATTRIBUTES lpMutexAttributes,
    BOOL                  bInitialOwner,
    LPCSTR                lpName               /* args[2] in the Frida handler; NULL means an unnamed mutex */
);
```
frida-trace.exe --file mutex.exe -i CreateMutexA -X kernel32.dll
Instrumenting...
CreateMutexA: Loaded handler at "C:\Users\Scripts\__handlers__\KERNELBASE.dll\CreateMutexA.js"
Started tracing 1 function. Press Ctrl+C to stop.
```
- `-f` / `--file`: the executable to spawn
- `-i` / `--include`: the function to intercept; accepts `MODULE!FUNCTION`, e.g. `-i kernel32.dll!CreateMutexA`
- `-X` / `--exclude-module`: excludes a module — it does *not* mean "the dll where the function is". With `-X kernel32.dll` above, kernel32's export was excluded and frida-trace attached to the remaining match, `KERNELBASE.dll!CreateMutexA` (to which kernel32's entry forwards), which is why the handler path says KERNELBASE.dll. To restrict tracing to one module use `-I kernel32.dll` (`--include-module`) or the `MODULE!FUNCTION` form.
`{ onEnter: function (log, args, state) { log(‘CreateMutexA()’); log(‘lpName: ‘ + Memory.readUtf8String(args[2])); }, onLeave: function (log, retval, state) { }}`
```
frida-trace.exe --file mutex.exe -i CreateMutexA -X kernel32.dll
Instrumenting...
CreateMutexA: Loaded handler at ...
           /* TID 0x1408 */
   187 ms  CreateMutexA()
   187 ms  lpName: COUCOU
Process terminated
```

# Day #20 & Day #21: Mishmash Code & Update

## Day #22: Frida Python Binding

```
C:\Users\> test_frid.py mutex.exe
[!] Process mutex.exe was not running!
[+] Running process mutex.exe!
[+] CreateMutex addr: 0x75f53589
[+] Entering to createMutex
[+] lpName: COUCOU
```

# Day #24: Mach-O loader in Golang

```
go run main.go
[+] ../file/macho.a.out opened
[+] Mach-O 64 bit
```

# Day #30: Unprotect Project — Wiping Mechanisms
