Tavis Ormandy
Jul 20, 9 tweets
This strange tweet got >25k retweets. The author sounds confident, and he uses lots of hex and jargon. There are red flags though... like what's up with the DEI stuff, and who says "stack trace dump"? Let's take a closer look... 🧵 1/n
This is actually a screenshot of !analyze -v output, I think the author conflated "stack trace" and "minidump". Regardless, he only looks at the decoded exception record and concludes "it was a NULL pointer"...? 🤔 2/n
It is a plausible explanation, 0x9c is not NULL, but dereferencing near-NULL addresses can have the same root cause. He explains that the code was reading a field at offset 156 from a NULL object pointer. 3/n
Well, except... we can see in his screenshot that MSVC generated mov r9d, [r8]? That's really odd... I spend half my life looking at MSVC output, and I would expect to see mov r9d, [r8+0x9c], so what's up with that? 4/n
Maybe I'm wrong, let's test it in godbolt. Nope, the code doesn't match! The code is either more complicated, or his hypothesis is incorrect. There is a way to check, he could type `u` (unassemble) into kd and examine the surrounding code. 5/n godbolt.org/z/sdz4PGxxo
He didn't, but we still can! His version of the faulting module has the bytes 45 8b 08 at csagent+0xe35a1, I found that version in VT, and had a look. In fact, there *is* a NULL check (test r8, r8; jz) immediately before the dereference, so his theory is provably *wrong* 🛑 6/n
This code is reading pointers from a table in a loop, and some are invalid. Perhaps an error parsing a configuration file left some entries uninitialized, and one just happened to be 0x9c? It's just a theory, but at least mine fits the facts 😆 7/n
Here is the same crash seen by Patrick, except he saw the entry 0xffff9c8e00000008a, nowhere near NULL! If this is uninitialized data, perhaps it was okay during testing and that's why CS didn't catch it 🤷‍♂️ 8/n
It's amusing to me that Patrick (who actually knows what he's doing) realizes this is complicated, so hedged his analysis with "(initial) details"... but this guy just rocks up with "I'm a professional!!" and gets 25k retweets 😆 9/9
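The check the thread describes, as an added example that is not Tavis's code or anything from the faulting module: it reproduces the two code shapes compared in godbolt (a field read at offset 0x9c through an object pointer, versus a table of pointers walked with a NULL check), and adds a small `classify_fault()` that asks whether the numbers in the exception record are consistent with the faulting instruction's addressing mode. Everything here (`struct obj`, `classify_fault`, `find_bad_entry`, the constructed table, the "plausible pointer" range) is hypothetical illustration; the only facts taken from the thread are the fault address 0x9c, the instruction form `mov r9d, [r8]`, and the `test r8, r8; jz` before it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothesis A (the viral tweet): a NULL object pointer with a field at
 * offset 156 == 0x9c.  At /O2, MSVC folds the offset into the load, i.e.
 * mov eax, dword ptr [rcx+9Ch] -- the register holds 0 and the fault
 * address is 0 + 0x9c.  This struct layout is constructed for the demo. */
struct obj {
    uint8_t  pad[0x9c];
    uint32_t field;
};

uint32_t read_field(const struct obj *o)
{
    return o->field;
}

/* Hypothesis B (the thread): a table of pointers walked in a loop with a
 * NULL check.  The load is mov r9d, [r8] with *no* displacement, so an
 * entry of 0x9c passes "test r8,r8; jz" and faults with r8 == 0x9c. */
enum fault_fit {
    FIT_NONE,                    /* numbers don't match the instruction at all */
    FIT_NULL_OBJECT_PLUS_OFFSET, /* base == 0, offset folded into the instruction */
    FIT_BAD_POINTER_VALUE        /* no displacement, the pointer itself is garbage */
};

/* Compare the exception record's fault address with the faulting
 * instruction's base register value and displacement.  Assumed inputs:
 * what !analyze -v and `u` would show you. */
enum fault_fit classify_fault(uint64_t fault_addr, uint64_t base_reg, uint32_t disp)
{
    if (fault_addr != base_reg + disp)
        return FIT_NONE;
    if (base_reg == 0 && disp != 0)
        return FIT_NULL_OBJECT_PLUS_OFFSET;
    if (disp == 0 && base_reg != 0)
        return FIT_BAD_POINTER_VALUE;
    return FIT_NONE;
}

/* Assumption for the demo: a user-mode x64 pointer lives above the
 * reserved first 64 KiB and below the canonical user-mode half. */
static int is_plausible_ptr(uintptr_t p)
{
    return p >= 0x10000 && p < 0x0000800000000000ull;
}

/* Walk the table the way the binary does (NULL check, then dereference)
 * and return the index of the first entry that survives the NULL check
 * but is not a plausible pointer, i.e. the entry that would fault on
 * mov r9d, [r8].  Returns -1 if every non-NULL entry looks sane. */
int find_bad_entry(const uintptr_t *table, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (table[i] == 0)            /* test r8, r8 ; jz */
            continue;
        if (!is_plausible_ptr(table[i]))
            return (int)i;
    }
    return -1;
}

/* Constructed table: one real object, one NULL, one uninitialised-looking
 * entry of 0x9c.  Only the third would reach the faulting load. */
int demo_bad_entry_index(void)
{
    static struct obj real;
    uintptr_t table[3];
    table[0] = (uintptr_t)&real;
    table[1] = 0;
    table[2] = 0x9c;
    return find_bad_entry(table, 3);
}

int main(void)
{
    printf("field offset: 0x%zx\n", offsetof(struct obj, field));
    printf("fault 0x9c, r8=0x9c, disp=0    -> %d\n",
           classify_fault(0x9c, 0x9c, 0));      /* FIT_BAD_POINTER_VALUE */
    printf("fault 0x9c, r8=0,    disp=0x9c -> %d\n",
           classify_fault(0x9c, 0, 0x9c));      /* FIT_NULL_OBJECT_PLUS_OFFSET */
    printf("first entry that passes the NULL check but faults: %d\n",
           demo_bad_entry_index());
    return 0;
}
```

Compile `read_field()` at /O2 (or paste it into godbolt with MSVC) and you will see the 0x9c displacement inside the instruction; that is the codegen the thread expected and did not find in the screenshot. Feed the values actually in the crash (fault address 0x9c, r8 == 0x9c, displacement 0) into `classify_fault()` and only the bad-pointer-value story survives.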