Koray mq1n

## research.md

      
              1 file
            
          
              63 forks
            
          
                238 comments
              
            
              903 stars
            
          
                hackermondev
                / research.md
            
            
              Last active
              December 8, 2025 22:28
            
              
                Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platform
              
          
    hi, i'm daniel. i'm a 15-year-old high school junior. in my free time, i hack billion dollar companies and build cool stuff.
3 months ago, I discovered a unique 0-click deanonymization attack that allows an attacker to grab the location of any target within a 250 mile radius. With a vulnerable app installed on a target's phone (or as a background application on their laptop), an attacker can send a malicious payload and deanonymize you within seconds--and you wouldn't even know.
I'm publishing this writeup and research as a warning, especially for journalists, activists, and hackers, about this type of undetectable attack. Hundreds of applications are vulnerable, including some of the most popular apps in the world: Signal, Discord, Twitter/X, and others. Here's how it works:
Cloudflare

By the numbers, Cloudflare is easily the most popular CDN on the market. It beats out competitors such as Sucuri, Amazon CloudFront, Akamai, and Fastly. In 2019, a major Cloudflare outage k

  
## ioc_vulnerable_drivers.csv
SHA256,Name,Signer,Description
04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162,ADV64DRV.sys,"""FUJITSU LIMITED """,
05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748,Agent64.sys,"""eSupport.com, Inc.""",DriverAgent Direct I/O for 64-bit Windows
4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA,Agent64.sys,Phoenix Technologies Ltd,DriverAgent Direct I/O for 64-bit Windows
6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA,Agent64.sys,Phoenix Technologies Ltd,DriverAgent Direct I/O for 64-bit Windows
8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F,Agent64.sys,"""eSupport.com, Inc""",DriverAgent Direct I/O for 64-bit Windows
B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414,Agent64.sys,"""eSupport.com, Inc.""",DriverAgent Direct I/O for 64-bit Windows
7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D,ALSysIO64.sys,Artur Liberman,ALSysIO
7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA,ALSys

## focus_assist.cpp
//
// Not to be used in any serious manner
//

#include <Windows.h>
#include <iostream>
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)

typedef struct _WNF_STATE_NAME
{

## gist:59c689a14f1fc2302d858ae0aa3f6b86
	DWORD Error, bytesIO;
	NTSTATUS Status;
	HANDLE hProcessToken = NULL, hNewToken = NULL, hTest;
	BOOL bCond = FALSE;
	SHELLEXECUTEINFO shinfo;
	SID_IDENTIFIER_AUTHORITY MLAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY;
	TOKEN_MANDATORY_LABEL tml, *ptml;
	PSID pIntegritySid = NULL;
	STARTUPINFO si;
	PROCESS_INFORMATION pi;

## Wannacrypt0r-FACTSHEET.md

      
              1 file
            
          
              157 forks
            
          
                268 comments
              
            
              711 stars
            
          
                rain-1
                / Wannacrypt0r-FACTSHEET.md
            
            
              Last active
              May 14, 2025 19:15
                — forked from Epivalent/Wannacrypt0r-FACTSHEET.md
            
          
    WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm


Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru

  
## ApiTracer.cpp
/*
 * ApiTracer, CC by: hasherezade@gmail.com
 * Runs with: Intel PIN (https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool)
 *
 * Prints to <output_file> addresses of transitions from one sections to another
 * (helpful in finding OEP of packed file)
 * args:
 * -m	<module_name> ; Analysed module name (by default same as app name)
 * -o	<output_path> Output file
 *

## syscall_extractor.cpp
#include <stdio.h>
#include <Windows.h>

// based on: https://www.evilsocket.net/2014/02/11/on-windows-syscall-mechanism-and-syscall-numbers-extraction-methods/
// author: @evilsocket
// modified by: @hasherezade

#define IS_ADDRESS_BETWEEN( left, right, address ) ( (address) >= (left) && (address) < (right) )
PIMAGE_SECTION_HEADER SectionByRVA( PIMAGE_SECTION_HEADER pSections, DWORD dwSections, DWORD rva )
{

## GLSL-Noise.md

      
              1 file
            
          
              284 forks
            
          
                81 comments
              
            
              1853 stars
            
          
                patriciogonzalezvivo
                / GLSL-Noise.md
            
            
              Last active
              December 7, 2025 11:08
            
              
                GLSL Noise Algorithms 
              
          
    Please consider using http://lygia.xyz instead of copy/pasting this functions. It expand suport for voronoi, voronoise, fbm, noise, worley, noise, derivatives and much more, through simple file dependencies. Take a look to https://github.com/patriciogonzalezvivo/lygia/tree/main/generative
Generic 1,2,3 Noise

float rand(float n){return fract(sin(n) * 43758.5453123);}

float noise(float p){
	float fl = floor(p);
  float fc = fract(p);


## fnv_hash_example.cpp
// C++11 32bit FNV-1 and FNV-1a string hasing (Fowler–Noll–Vo hash)
//
// Requires a compiler with C++11 support
// See main(...) for examples

#include <iostream>
#include <cassert>

namespace hash
{
	SHA256,Name,Signer,Description
	04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162,ADV64DRV.sys,"""FUJITSU LIMITED """,
	05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748,Agent64.sys,"""eSupport.com, Inc.""",DriverAgent Direct I/O for 64-bit Windows
	4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA,Agent64.sys,Phoenix Technologies Ltd,DriverAgent Direct I/O for 64-bit Windows
	6948480954137987A0BE626C24CF594390960242CD75F094CD6AAA5C2E7A54FA,Agent64.sys,Phoenix Technologies Ltd,DriverAgent Direct I/O for 64-bit Windows
	8CB62C5D41148DE416014F80BD1FD033FD4D2BD504CB05B90EEB6992A382D58F,Agent64.sys,"""eSupport.com, Inc""",DriverAgent Direct I/O for 64-bit Windows
	B1D96233235A62DBB21B8DBE2D1AE333199669F67664B107BFF1AD49B41D9414,Agent64.sys,"""eSupport.com, Inc.""",DriverAgent Direct I/O for 64-bit Windows
	7196187FB1EF8D108B380D37B2AF8EFDEB3CA1F6EEFD37B5DC114C609147216D,ALSysIO64.sys,Artur Liberman,ALSysIO
	7F375639A0DF7FE51E5518CF87C3F513C55BC117DB47D28DA8C615642EB18BFA,ALSys
	//
	// Not to be used in any serious manner
	//

	#include <Windows.h>
	#include <iostream>
	#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)

	typedef struct _WNF_STATE_NAME
	{
	DWORD Error, bytesIO;
	NTSTATUS Status;
	HANDLE hProcessToken = NULL, hNewToken = NULL, hTest;
	BOOL bCond = FALSE;
	SHELLEXECUTEINFO shinfo;
	SID_IDENTIFIER_AUTHORITY MLAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY;
	TOKEN_MANDATORY_LABEL tml, *ptml;
	PSID pIntegritySid = NULL;
	STARTUPINFO si;
	PROCESS_INFORMATION pi;
	/*
	* ApiTracer, CC by: hasherezade@gmail.com
	* Runs with: Intel PIN (https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool)
	*
	* Prints to <output_file> addresses of transitions from one sections to another
	* (helpful in finding OEP of packed file)
	* args:
	* -m <module_name> ; Analysed module name (by default same as app name)
	* -o <output_path> Output file
	*
	#include <stdio.h>
	#include <Windows.h>

	// based on: https://www.evilsocket.net/2014/02/11/on-windows-syscall-mechanism-and-syscall-numbers-extraction-methods/
	// author: @evilsocket
	// modified by: @hasherezade

	#define IS_ADDRESS_BETWEEN( left, right, address ) ( (address) >= (left) && (address) < (right) )
	PIMAGE_SECTION_HEADER SectionByRVA( PIMAGE_SECTION_HEADER pSections, DWORD dwSections, DWORD rva )
	{
	// C++11 32bit FNV-1 and FNV-1a string hasing (Fowler–Noll–Vo hash)
	//
	// Requires a compiler with C++11 support
	// See main(...) for examples

	#include <iostream>
	#include <cassert>

	namespace hash
	{