Posts on Oyashoku - A Midnight Snack

MSI Afterburner file obfuscation

Sun, 24 May 2026 00:00:00 +0000

MSI Afterburner trivially obfuscates a couple config/definition files in their program folder used to define different models and the such.

At a high level:

Generate the CRC32 of MSIAfterburner.exe
Use said CRC32 hash as the initial seed
XOR a byte then rotate.

Roughly:

def rolling_xor(data, initial):
    state = initial
    result = bytearray(data)
    for idx in range(len(result)):
        # XOR with current keystream byte
        result[idx] ^= state & 0xFF
        
        # Update keystream state
        rotated = ror32(state, idx % 32)
        state = (idx + rotated) & 0xFFFFFFFF
    
    return bytes(result)

The unobfuscated file should start with ; and a 3 letter extension such as OEM or DAT.

NBN Location ID checksum/check digits

Thu, 22 Oct 2020 00:00:00 +0000

Edit 11/09/2020: It’s occurred to me that the AVC numbers may conform to this as well, and it appears they do. (Albeit to the sample size of 1 because I don’t have access to anyone else’s AVC except my own)

Just noting down that NBNCo Location ID’s use the Verhoeff algorithm to generate their check digit, since nobody appears to have mentioned it in a Google-indexed, website to my knowledge.

Remember to strip out the LOC and leading zeroes of course.

Exploiting CVE-2020-8597 to get RCE on a locked down router

Sun, 07 Jun 2020 00:00:00 +0000

So it’s late February 2020 and we’re all starting to realise that we’re going to be sitting at home for a while. Some are cleaning, some are baking, and some of us order cheap routers off of AliExpress to flash and replace their old hardware with.

I picked one of these, as the specifications seemed quite decent in comparison to the price that was being asked. (There is an almost identical in specifications unit being sold by the same manufacturer here, which through some sort of horrible coincidence has the exact same memory layout and ROP gadget addresses)

Nvidia’s CPUId Lockouts

Thu, 10 Sep 2015 00:00:00 +0000

Late 2021 edit: They finally removed this in their driver now, so now they can be used in passthrough setups with their binary drivers.

It appears that the Nvidia GPU drivers (both the Windows and Linux ones, after a certain point) don’t particularly want to be run under a hypervisor

Microsoft Hv (The Hyper-V vendor id)
VMWare
VMwareVMware
XenVMMXenVMM
KVMKVMKVM
Parallels In addition, some of these model specific registers from KVM (the KVM wallclock) arbitrarily anger their drivers.

#define MSR_KVM_WALL_CLOCK_NEW      0x4b564d00
#define MSR_KVM_SYSTEM_TIME_NEW     0x4b564d01
#define MSR_KVM_ASYNC_PF_EN         0x4b564d02
#define MSR_KVM_STEAL_TIME          0x4b564d03
#define MSR_KVM_PV_EOI_EN           0x4b564d04

Luckily, parameters exist on KVM to modify both the CPUID, Hyper-V vendor id, and disable the KVM model specific registers. Xen on the other hand, has a somewhat obtuse looking option for modifying their CPUID (Sure, let me just type in the entire leaf in binary), and no current ability to modify the Hyper-V vendor id. I guess the quick and dirty way of working around that would be to either disable Hyper-V as one used to do on KVM, or modify these lines to change the ‘Microsoft Hv’ signature to something else.

Editing Device Checks for Fun and Profit

Wed, 14 Aug 2013 00:00:00 +0000

Short journey modifying an apk to fool a device model check