Posts

Obscure Windows 7 File Types

Jun 25, 2023 · 215 mins read

Do you know all of the default Windows 7 file formats? I’ve certainly seen a few in my time, though I can’t say I’ve seen a corpus of all the samples in one place. As Binary Gold Grand Prix 4 (BGGP4) is starting up, I’m considering a Windows based submission and it would be in my best interest to document all of these in the same place. Even if this doesn’t end up being useful for myself, I’m sure this will be useful for others over time as it gets indexed by search engines.

EdgeLord: Schrödinger’s 0-Day

Mar 23, 2023 · EXTERNAL LINK

At GreyNoise we work with network protocols. When a new vulnerability is published we are quick to jump into investigation mode and gather any and all resources we can find in order to write a tag and provide messaging to our customers and community. GreyNoise doesn’t have much common need to detailed firmware analysis. If it’s happening on the internet, we already see it. However, when we do need to investigate vulnerabilities in embedded devices things can get very complicated very quickly if no information is publicly available. It can be fun and insightful to learn these skills for the rare case we need them.

Whispering PDF's

Mar 20, 2023 · 8 mins read

Hello, we’re going to be trying something a little bit different today. A colleague recommended this whisper.cpp thing, which is a port of open.ai’s whisper model to C/C++. So rather than type out this blog, the way that it’s going to be formed is I read a question that’s curious to me. And I’m going to talk about it, edit it up, and slap some screenshots and links and see what kind of blog that turns out as. So this may not be the best blog, but really I’m just trying to figure out if this workflow kind of works in general. So we’re going to start off with a question that I found on Reddit on r/asknetsec. You can find it below.

Astroturf. It's Real, Real Fake Grass: Part 1

Jan 25, 2023 · 6 mins read

The real motive of this series of blogs may take a few iterations to become clear to the reader, assuming of course I can actually pull it off. Let’s forget about the big picture for a moment and break things down into pieces I can wrap my head around. Mostly because I’ve already started, I’m already doing the things, and I don’t even know the right words to call them.

Adventures in Wi-Fi Direct (P2P): Part 1

Sep 12, 2022 · 9 mins read

This blog is far overdue and unfortunately isn’t really a “Part 1”. The truth is, I’ve poked around with Wi-Fi Direct for several months now with mild success and many dead-ends that resulted in learning a lot. The purpose of this blog is to retrace my steps and document some resources before diving into some fun stuff for Part 2.

BGGP3: Crash on the Cob

Jul 14, 2022 · 16 mins read

For this years Binary Golf Grand Prix I started off by learning to fuzz properly, use a debugger properly, and various tooling. The objective was originally to hit all of the bonus points: +1024 pts, if you submit a writeup about your process and details about the crash +1024 pts, if the program counter is all 3’s when the program crashes +2048 pts, if you hijack execution and print or return “3” +4096 pts, if you author a patch for your bug which is merged before the end of the competition Well, life happens, and I ended up using the majority of my 2 week break from work doing more important things like taking care of my sick infant son (He’s doing much better now).

BGGP3 Research Notes

Jul 5, 2022 · 12 mins read

The 3rd Annual Binary Golf Grand Prix (BGGP3) is to find the smallest file which will crash a specific program. https://tmpout.sh/bggp/3/ This blog is stream of consciousness for finding tooling and crashes. A formal writeup for the crash I want to submit will come at a later date.

DOing More Harm: Part 2

Jun 18, 2022 · 11 mins read

Where we last left off, I had done an initial reverse engineering pass of Windows Update Delivery Optimization see: DOing Harm. I got familiar with the protocol, how peer discovery works, etc… but mainly only looked at the first handshake as that was most interesting to me at the time.

DOing Harm

Apr 18, 2022 · 23 mins read

There’s this thing called Windows Delivery Optimization which allows “you to get Windows updates and Microsoft Store apps from sources in addition to Microsoft, like other PCs on your local network, or PCs on the internet that are downloading the same files.”

Adventures in Bluetooth: Part 2

Jan 22, 2022 · 7 mins read

Where last I left off in Adventures in Bluetooth: Part 1, I was originally attempting to flash custom firmware to a Fitbit Charge 2 smartwatch and ended up taking a quite large side-quest. Let’s see how far I can make it towards the objective this time!

The Shape of Data

Jan 17, 2022 · 13 mins read

Have you ever had an idea you couldn’t quite shake? Something that worms it’s way into your brain for one reason or another and just wont leave. Always on the backburner, thinking about it in the shower every day, in the bed as you go to sleep at night, zoning out in the living room, for as long as you can remember?

ProtonVPN TCP Accleration SYN+ACK Spoofing Analysis

Jan 8, 2022 · 7 mins read

I was a Private Internet Access (PIA) customer for many, many years. Some recent changes spurred me to look for a new VPN provider and I ended up landing on ProtonVPN which I’ve been using for a few months now. And I noticed something… TCP (SYN, ACK) messages aren’t “real” when using ProtonVPN. This isn’t necessarily a bad thing or a good thing or even a thing that most people notice because it’s generally not problematic. But it is a non-standard VPN thing that I noticed, so I wanted to write about it from the practical perspective of a user, how it works at a high level, and why something like this is being done.

Adventures in Bluetooth: Part 1

Nov 30, 2021 · 13 mins read

Symbian OS, Android, Radio Frequencies, BTSNOOZ, BTSNOOP, and getting kicked in the teeth. Below follows a chronicling of deciding to explore Bluetooth by hacking the firmware for a Fitbit Smartwatch and realizing I was in way over my head and slowly trying to regain any hope of understanding.

Writing a Nerf Arena Blast NoCD Crack

Oct 23, 2021 · 5 mins read

So far I’ve managed to have just enough reverse engineering skills as is useful to me at the time, but recently I’ve taken an interest in getting a bit more in depth. My son was ill last week and home from daycare, so I took it upon myself to take the time to watch HackadayU: Reverse Engineering with Ghidra (~4 hours). I unfortunately didn’t have time to do any of the exercises, but I learned a lot.

XSS to Reverse Shell: Only a Sith Deals in Absolutes

Oct 9, 2021 · 4 mins read

Recently I stumbled across a thread on Reddit r/AskNetsec Now, without looking at the post: What do you think the answers looked like? If you guessed a lot of people saying “You don’t” or “You can’t”, give yourself a pat on the back because you guessed correctly!

Anti-Debug JS/WASM by Hand

Aug 22, 2021 · 11 mins read

Last week a friend of mine asked me to debug/RE some phishing emails that had been sent to them. These phishing emails were visually very clever and looked identical to the real site! But as I looked at the javascript I frankly became embarassed for the developer. Sure, they’d run the code through an obfuscation engine and added some basic anti-debug tricks, but that’s nothing you can’t defeat with AST and proxying function calls.

Packet-Editing Games in Golang

Jul 16, 2021 · 8 mins read

It’s easy to set up an IDS or other infrastructure to drop packets that match rules. There are many tools for real-time inspection of connections that can handle higher level protocols like HTTP or TLS. This article aims to go a bit lower and address how to edit packets in flight. We’ll be looking at it through the lens of editing packets for a game using Golang.

Anti-Bot Client Puzzle Protocol in HTTP

Jul 7, 2021 · 6 mins read

This aims to explain and perform an example of how the Client-Puzzle-Protocol (CPP) may be implemented (almost) entirely in HTTP. Side Note: I’m _mattata on Twitter, you should give me a follow. I do stuff like this often. The Client Puzzle Protocol at a high level is a way to slow down automated bots crawling a site so that they approach the speed that humans would normally browse your site. The bots are slowed down by requiring them to solve a “puzzle” or show “proof of work” in order to obtain a secret that allows them to continue to access the site.

Bingolfing - WASM/GBA/7Zip in 584 Bytes.

Jun 23, 2021 · 10 mins read

Let’s build the smallest WASM / GBA ROM / 7Zip polyglot in 584 bytes for the Binary Golf Grand Prix 2021. Rules: The host file must be a binary executable. This is any binary executable that stores either machine code (such as ELF, PE etc.) or bytecode (wasm, pyc, etc.) Overlap with at least one additional file of any type to create a polyglot. The host binary must return or print the number 2 when executed. Entry: Valid WebAssembly binary that calls host.print(2) Gameboy Advance ROM that fills the screen with Green 7Zip Archive containing a single empty file named “a” Download: bggp.wasm (584 Bytes)

Crossing the Line of Death

Mar 27, 2021 · 3 mins read

In early 2017, @ericlaw wrote a blog post titled The Line of Death. The general premise is that there is some inherent user trust of any content that appears above the browser window and that considerations must be taken to ensure that browsers can not be manipulated to easily betray this trust.

Bitsquatting Windows.com

Mar 3, 2021 · 9 mins read

Earlier this month, I came back around to seriously considering an attempt at bitsquatting. While the prior link goes into great depth on the topic, I will attempt to give a very high level overview here: If this sort of thing interests you: I tend to do stuff like this weekly. Give me a follow @_mattata

META Gameboy Advance Blog

Feb 12, 2021 · 6 mins read

I’ve been doing weekly chaos engineering projects for a while now, so I decided to start a blog. A sort of dumping ground for all the things I do. If you’re interested in more projects like this, give me a follow on Twitter @_mattata. I’m always working on something fun.