MSI Afterburner file obfuscation
MSI Afterburner trivially obfuscates a couple of config/definition files in its program folder that are used to define the different card models and so on. At a high level:

    Generate the CRC32 of MSIAfterburner.exe
    Use that CRC32 hash as the initial seed
    XOR a byte, then rotate

Roughly (the ror32 helper was not shown in the original and is filled in here as a plain 32-bit rotate right):

    def ror32(value, shift):
        # 32-bit rotate right; shift is reduced modulo 32 so a shift of 0 is a no-op
        shift %= 32
        return ((value >> shift) | (value << (32 - shift))) & 0xFFFFFFFF

    def rolling_xor(data, initial):
        state = initial
        result = bytearray(data)
        for idx in range(len(result)):
            # XOR with current keystream byte
            result[idx] ^= state & 0xFF
            # Update keystream state
            rotated = ror32(state, idx % 32)
            state = (idx + rotated) & 0xFFFFFFFF
        return bytes(result)

The unobfuscated file should start with ; and a 3-letter extension such as OEM or DAT. ...
NBN Location ID checksum/check digits
Edit 11/09/2020: It’s occurred to me that the AVC numbers may conform to this as well, and it appears they do. (Albeit with a sample size of 1, because I don’t have access to anyone else’s AVC except my own.) Just noting down that NBNCo Location IDs use the Verhoeff algorithm to generate their check digit, since nobody appears to have mentioned it on a Google-indexed website to my knowledge. Remember to strip out the LOC and leading zeroes, of course. ...
Exploiting CVE-2020-8597 to get RCE on a locked down router
So it’s late February 2020 and we’re all starting to realise that we’re going to be sitting at home for a while. Some are cleaning, some are baking, and some of us order cheap routers off AliExpress to flash and replace their old hardware with. I picked one of these, as the specifications seemed quite decent in comparison to the price being asked. (There is a unit with almost identical specifications being sold by the same manufacturer here, which through some sort of horrible coincidence has the exact same memory layout and ROP gadget addresses.) ...
Nvidia’s CPUId Lockouts
Late 2021 edit: They finally removed this in their driver, so they can now be used in passthrough setups with their binary drivers.

It appears that the Nvidia GPU drivers (both the Windows and Linux ones, after a certain point) don’t particularly want to be run under a hypervisor. The CPUID hypervisor vendor signatures they look for:

    Microsoft Hv (the Hyper-V vendor id)
    VMwareVMware (VMware)
    XenVMMXenVMM (Xen)
    KVMKVMKVM (KVM)
    Parallels

In addition, some of these model specific registers from KVM (the KVM wallclock) arbitrarily anger their drivers.

    #define MSR_KVM_WALL_CLOCK_NEW 0x4b564d00
    #define MSR_KVM_SYSTEM_TIME_NEW 0x4b564d01
    #define MSR_KVM_ASYNC_PF_EN 0x4b564d02
    #define MSR_KVM_STEAL_TIME 0x4b564d03
    #define MSR_KVM_PV_EOI_EN 0x4b564d04

Luckily, parameters exist on KVM to modify the CPUID and the Hyper-V vendor id, and to disable the KVM model specific registers. Xen, on the other hand, has a somewhat obtuse-looking option for modifying its CPUID (sure, let me just type in the entire leaf in binary), and no current ability to modify the Hyper-V vendor id. I guess the quick and dirty way of working around that would be to either disable Hyper-V, as one used to do on KVM, or modify these lines to change the ‘Microsoft Hv’ signature to something else. ...
Editing Device Checks for Fun and Profit
Recently, I heard a certain game was giving away items to owners of certain new devices (the Motorola Droid Ultra and the Motorola Droid Maxx). Since I don’t live in the USA, and don’t particularly want a phone with a locked bootloader, or one labelled “a phone that doesn’t need to exist”, let’s break the APK apart and see what we can do. Let’s take a look at how they are checking for these devices. ...