Tavis Ormandy
Vulnerability researcher at Google. This is a personal stream, opinions expressed are mine. I'm also @taviso@social.sdf.org
Jul 20, 9 tweets
This strange tweet got >25k retweets. The author sounds confident, and he uses lots of hex and jargon. There are red flags though... like what's up with the DEI stuff, and who says "stack trace dump"? Let's take a closer look... 🧵 1/n
This is actually a screenshot of !analyze -v output, I think the author conflated "stack trace" and "minidump". Regardless, he only looks at the decoded exception record and concludes "it was a NULL pointer"...? 🤔 2/n
Jun 6, 11 tweets
The libarchive e8 vulnerability is actually really cool, but the ZDI advisory doesn't explain why it's so wild lol. For some reason, I know about RAR filters, so let me provide the background. 🧵 1/n
E8 preprocessing is an old trick to improve compression of executables. All relative calls to the same function will be encoded differently, but... if you temporarily replace them with absolute calls, they'll be identical. More duplication = better compression! 2/n
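An added worked example of the E8 trick described in the thread, written for this page and not taken from libarchive or the RAR filter code: an x86 CALL rel32 is E8 followed by a 32-bit displacement relative to the next instruction, so the encoder adds the position of the next instruction to every displacement (turning it into an absolute target), and the decoder subtracts it again. The sample bytes are constructed (two CALLs from different offsets to the same RET), and the filter is simplified: it rewrites every 0xE8 unconditionally and skips the range check that real archiver filters use to avoid touching bytes that are not plausible calls. The transform is still exactly reversible either way.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Little-endian helpers for the 32-bit operand that follows the 0xE8 opcode. */
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16);
    p[3] = (uint8_t)(v >> 24);
}

/*
 * E8 preprocessing (simplified; assumption: no range check, 0xE8 only).
 * CALL rel32 targets (address of next instruction) + rel32. On encode the
 * rel32 is replaced with that absolute target, so calls to one function from
 * different places become byte-identical; on decode the addition is undone.
 * Positions are measured from the start of buf. Returns operands rewritten.
 */
size_t e8_filter(uint8_t *buf, size_t len, int encode)
{
    size_t count = 0;
    for (size_t i = 0; i + 5 <= len; i++) {
        if (buf[i] != 0xE8)
            continue;
        uint32_t next = (uint32_t)(i + 5);      /* address after the CALL */
        uint32_t v = get_le32(buf + i + 1);
        put_le32(buf + i + 1, encode ? v + next : v - next);
        i += 4;   /* skip the operand so its bytes are not mistaken for opcodes */
        count++;
    }
    return count;
}

/* Constructed sample (not real program code): CALLs at 0x00 and 0x10 that
 * both target a RET at 0x40, so their rel32 values differ. Returns length. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    const size_t len = 0x48;
    if (cap < len)
        return 0;
    memset(buf, 0x90, len);                               /* NOP padding */
    buf[0x00] = 0xE8; put_le32(buf + 0x01, 0x40 - 0x05);  /* rel32 = 0x3B */
    buf[0x10] = 0xE8; put_le32(buf + 0x11, 0x40 - 0x15);  /* rel32 = 0x2B */
    buf[0x40] = 0xC3;                                     /* RET */
    return len;
}

/* Encode, check both operands collapsed to the same absolute value (0x40),
 * decode, check the original bytes come back. Returns 1 on success. */
int e8_sample_check(void)
{
    uint8_t orig[0x48], work[0x48];
    size_t len = build_sample(orig, sizeof orig);
    memcpy(work, orig, len);

    if (e8_filter(work, len, 1) != 2) return 0;
    if (get_le32(work + 0x01) != 0x40 || get_le32(work + 0x11) != 0x40) return 0;
    if (e8_filter(work, len, 0) != 2) return 0;
    return memcmp(work, orig, len) == 0;
}

int main(void)
{
    printf("E8 round trip %s\n", e8_sample_check() ? "ok" : "FAILED");
    return 0;
}
```

Because the decoder rewrites bytes in place based on what it finds while scanning, the security-relevant property of such a filter is that its bookkeeping about positions and buffer lengths must stay consistent with the real buffer; the example keeps the `i + 5 <= len` bound explicit for that reason.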
Jul 10, 2022, 4 tweets
@gamozolabs Hear me out, this is what makes me think it's a bit! He spent hours questioning the "mobile" credentials of respected researchers, then posted this blog post where he stumbles around trying to identify an APK. That's funny. But... there are more layers...
@gamozolabs He spots a java type signature in the strings, and thinks it has something to do with smali, a dalvik assembler. How is it possible to know what a bytecode assembler is but not a type signature? That doesn't add up. 2/4
Sep 28, 2020, 5 tweets
I've been experiencing a really bad Windows 10 bug since the 2004 update. I got so annoyed I spent my weekend debugging it. A specific type of scheduled task can break CryptUnprotectData(). If you've seen apps losing state, eventid 8198, or NTE_BAD_KEY_STATE, could be this. Here is how to check, run this powershell as Admin:

Get-ScheduledTask | foreach { If ($_.Principal.LogonType -eq 'S4U') { $_ } }

If it lists tasks, whenever they run DPAPI will stop working until you reauthenticate. This will break everything using CryptProtectData().
Nov 2, 2019, 4 tweets
Is there a secret to making vbtables look good in Hex-Rays? This is the best I can come up with, and an example decompiled call. I can just about read it (call second vftable entry on SubClass1, __thiscall with one param), but is there a cleaner way?
Just to clarify, I'm talking about vbtables (virtual base tables) not vftables (virtual function tables). vbtables are how the compiler implements virtual inheritance, here is an excellent summary from @IgorSkochinsky (pp. 6-8) hexblog.com/wp-content/upl…
Oct 14, 2019, 7 tweets
I got nerd sniped this weekend. I was playing the game Borderlands 3, this game has a huge variety of weapons, so part of the fun is finding new weird ones. Anyway, in one of the main areas there's this cool looking chest you can't open. 1/n
It turns out you need "golden keys" to open it, and to get them - I'm not making this up - you need to follow the CEO of the game publisher on twitter, and occasionally he tweets out codes you type in (??). 2/n
Feb 15, 2019, 4 tweets
I made a modest bet that would recover after the @BW trash story, and it recovered most of those losses this morning after strong results and zero supporting evidence ever appearing from Bloomberg.
I made a tidy profit, and would like to donate some of it to an organization that promotes higher standards in journalism, suggestions? I'm keeping some for putting up with things like "Does it even matter if it happened?" 😂