Rairii Wack0

## peb.c
// Gets a pointer to the PEB for x86, x64, ARM, ARM64, IA64, Alpha AXP, MIPS, and PowerPC.

// This relies on MS-compiler intrinsics.
// It has only been tested on x86/x64/ARMv7.

inline PEB* NtCurrentPeb() {
#ifdef _M_X64
	return (PEB*)(__readgsqword(0x60));
#elif _M_IX86
	return (PEB*)(__readfsdword(0x30));

## hashes.txt
0021B5B11CEB03402D618134800A36C54E1C4328AD389D50B40EACC1E881DCB5
003F6B0E35ADFFFCD277EBF1595136914789685A777CF93A937F3A0EBD4A463B
005BE4327DED378C051FE408F594124E3893171BC7D7809F0CFB9DC1F334DCD5
00A3848FC09150E51284553E74A6DFA18B4D07A86F69EF5104F78B7A8DA9C778
010168A3BCCA42B3706DAC7A8D07C192692053FB588D4CE7205B3B28987BC9ED
014104339BFA49DE78A4BAF25C9816B4247EA15F6713BF96B112727D50D6634C
0146A05EC4942A291EA2DB8E320D44445977676AD5C6D459FCAB50CD19970406
016510D1AB0628126F605168F59465C54787371F94DFC5EED2A3AC06D5CCF2C4
01701DF013DB380EB264424BFD7EB6D5AD37E221F5449E983637FF86BB652EEF
017FA1F83DCC61F1874EA9585DBB7CBF9E57843C687DE596DE3DE5E7592C297E

## getduid.cs
using System;
using System.Runtime.InteropServices;

enum RETRIEVAL_METHOD {
  ODUID_DEFAULT = 0,
  ODUID_TPM_EK,
  ODUID_UEFI_VARIABLE_TPM,
  ODUID_UEFI_VARIABLE_RANDOMSEED,
  ODUID_UEFI_DEV_LOCK_UNLOCK, // there is no code for this in clipsvc.dll, given the enum name, this could be Windows Phone only?
  ODUID_XBOX_CONSOLE_ID, // this should never be seen, with xbox one a different function is called to get the console ID

## upwned247.php
<?php
/*
	Updated version, 2016-12-02: fixed shellcode so it *actually* works on QEMU
	usermode emulation (seems I pushed an old version), and removed debug output.

	-------------------------

	NB: THIS PoC ONLY WORKS IN QEMU USERMODE EMULATION!
	If anyone wants to fix this, go ahead (no pun intended).
	However, I don't have a vulnerable product and am unwilling to acquire one.

## blacklotus.cer
-----BEGIN CERTIFICATE-----
MIIDIzCCAgugAwIBAgIQVwtdIrcjtKRCzG7uvCWA6DANBgkqhkiG9w0BAQUFADAb
MRkwFwYDVQQDDBBXaGVuIFRoZXkgQ3J5IENBMB4XDTIyMDgxMzE3NDg0NFoXDTMy
MDgxMzE3NTg0NFowGzEZMBcGA1UEAwwQV2hlbiBUaGV5IENyeSBDQTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMe7LulZX7nuQkZlyUXG5x2kqVvWEhGo
lSspXMBSxinOYuGXeG0EeVilKexQWvgW69w39CSYoI7hzbFILMzpQonvfESKl+NV
mlgqvKrLDsonByedtJ4+f4UtLHIMFrYRrm+b5YHA13jCPIexiNc7k0zfFeue3pfS
E4AlWGnXc8XGYnRU2qONfSMP2i9MyVtUSWPkhcxOcdoyGkRpGn31Iu9aPtbtF3RN
7m+eo1ZjZZE+101wMjJRo/kDDm5IUV2ZYNUCTNiA3snazvm1XPU2dOmWmiGaZ8SR
zKWLSXEP18R36zABRjcZ6gQYR3GAc+uJn9afsDgr67v4eCWQr3QUVd0CAwEAAaNj

## gist:bda47c2bfadfb68d73ea
Database: heroku_1ed5a148e6d9415
Table: black_cards
[16 entries]
+----+--------------------------------------------------------------------------------------------------------------+
| id | content                                                                                                      |
+----+--------------------------------------------------------------------------------------------------------------+
| 1  | _____ means never having to say you're sorry.                                                                |
| 2  | The pen tester found _____ in the trash while dumpster diving.                                               |
| 3  | Our CIO has a framed a picture of _____.                                                                     |
| 4  | 9 out of 10 experts agree, _____ will increase your security effectiveness.                                  |

## SbpParse.cs
using System;
using System.IO;
using LipingShare.LCLib.Asn1Processor;
using System.Runtime.InteropServices;
using System.Collections.Generic;
using System.Text;
using System.Security.Cryptography;

namespace SbpParse {

## 1-torrents-time-certs-keys.md

      
              4 files
            
          
              0 forks
            
          
              10 comments
            
          
              7 stars
            
          
                Wack0
                / 1-torrents-time-certs-keys.md
            
            
              Last active
              June 10, 2022 12:39
            
              
                Torrents Time bundles certificates and private keys.
              
          
    Torrents Time bundles certificates and private keys

So, with all the news about how Torrents Time is insecure.. I figured I might as well reverse it.
It seems to have three components, one (on windows) is a native service (TTService.exe) that runs as SYSTEM, another (TTPlayer.exe) runs under a lower privileged user. There's also a nodejs application, server.js.
The native service seems to set up a localhost HTTPd, on either port 12400, 11400, 10400 or 9400, using whichever is open.
So, I browsed to it, and was astonished to discover it was running with TLS, and gave the browser a valid certificate, signed by Thawte! (the cert was issued to localhost.ttconfig.xyz, obviously to work around new CA rules. For the record, it currently resolves to 127.0.0.1 as you'd probably expect.)

  
## cex_crypto.cs
/*

	Compaq/HP Recovery Media (c. late 1990s-early 2000s) .CEX File Decryptor
	another rrrring of lightningggg production by slipstream/RoL!

	Yesterday I received in the post some Compaq recovery media I ordered from Yahoo! Auctions Japan to dump.
	Having done that, I took a closer look at the disc images.

	The recovery media came in two CDs: a boot CD ("COMPAQ Restore CD"), and an OS CD ("Compaq CD for Microsoft Windows
	NT Workstation 4.0 Operating System").

## gist:17c56b77a90073be81d3
Superfish uses an SDK from Komodia to do SSL MITM. That's probably known by now.

Superfish isn't the only product to use that sdk. there's others too.

Each product that uses the Komodia SDK to MITM, has its OWN CA cert and private
key pair. Seems a lot of people think they all use the superfish cert. That is
NOT the case.

First thing I checked was komodia's own parental control software,
Keep My Family Secure. (mentioned on komodia's own website).
	// Gets a pointer to the PEB for x86, x64, ARM, ARM64, IA64, Alpha AXP, MIPS, and PowerPC.

	// This relies on MS-compiler intrinsics.
	// It has only been tested on x86/x64/ARMv7.

	inline PEB* NtCurrentPeb() {
	#ifdef _M_X64
	return (PEB*)(__readgsqword(0x60));
	#elif _M_IX86
	return (PEB*)(__readfsdword(0x30));
	0021B5B11CEB03402D618134800A36C54E1C4328AD389D50B40EACC1E881DCB5
	003F6B0E35ADFFFCD277EBF1595136914789685A777CF93A937F3A0EBD4A463B
	005BE4327DED378C051FE408F594124E3893171BC7D7809F0CFB9DC1F334DCD5
	00A3848FC09150E51284553E74A6DFA18B4D07A86F69EF5104F78B7A8DA9C778
	010168A3BCCA42B3706DAC7A8D07C192692053FB588D4CE7205B3B28987BC9ED
	014104339BFA49DE78A4BAF25C9816B4247EA15F6713BF96B112727D50D6634C
	0146A05EC4942A291EA2DB8E320D44445977676AD5C6D459FCAB50CD19970406
	016510D1AB0628126F605168F59465C54787371F94DFC5EED2A3AC06D5CCF2C4
	01701DF013DB380EB264424BFD7EB6D5AD37E221F5449E983637FF86BB652EEF
	017FA1F83DCC61F1874EA9585DBB7CBF9E57843C687DE596DE3DE5E7592C297E
	using System;
	using System.Runtime.InteropServices;

	enum RETRIEVAL_METHOD {
	ODUID_DEFAULT = 0,
	ODUID_TPM_EK,
	ODUID_UEFI_VARIABLE_TPM,
	ODUID_UEFI_VARIABLE_RANDOMSEED,
	ODUID_UEFI_DEV_LOCK_UNLOCK, // there is no code for this in clipsvc.dll, given the enum name, this could be Windows Phone only?
	ODUID_XBOX_CONSOLE_ID, // this should never be seen, with xbox one a different function is called to get the console ID
	<?php
	/*
	Updated version, 2016-12-02: fixed shellcode so it actually works on QEMU
	usermode emulation (seems I pushed an old version), and removed debug output.

	-------------------------

	NB: THIS PoC ONLY WORKS IN QEMU USERMODE EMULATION!
	If anyone wants to fix this, go ahead (no pun intended).
	However, I don't have a vulnerable product and am unwilling to acquire one.
	-----BEGIN CERTIFICATE-----
	MIIDIzCCAgugAwIBAgIQVwtdIrcjtKRCzG7uvCWA6DANBgkqhkiG9w0BAQUFADAb
	MRkwFwYDVQQDDBBXaGVuIFRoZXkgQ3J5IENBMB4XDTIyMDgxMzE3NDg0NFoXDTMy
	MDgxMzE3NTg0NFowGzEZMBcGA1UEAwwQV2hlbiBUaGV5IENyeSBDQTCCASIwDQYJ
	KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMe7LulZX7nuQkZlyUXG5x2kqVvWEhGo
	lSspXMBSxinOYuGXeG0EeVilKexQWvgW69w39CSYoI7hzbFILMzpQonvfESKl+NV
	mlgqvKrLDsonByedtJ4+f4UtLHIMFrYRrm+b5YHA13jCPIexiNc7k0zfFeue3pfS
	E4AlWGnXc8XGYnRU2qONfSMP2i9MyVtUSWPkhcxOcdoyGkRpGn31Iu9aPtbtF3RN
	7m+eo1ZjZZE+101wMjJRo/kDDm5IUV2ZYNUCTNiA3snazvm1XPU2dOmWmiGaZ8SR
	zKWLSXEP18R36zABRjcZ6gQYR3GAc+uJn9afsDgr67v4eCWQr3QUVd0CAwEAAaNj
	Database: heroku_1ed5a148e6d9415
	Table: black_cards
	[16 entries]
	+----+--------------------------------------------------------------------------------------------------------------+
	\| id \| content \|
	+----+--------------------------------------------------------------------------------------------------------------+
	\| 1 \| _____ means never having to say you're sorry. \|
	\| 2 \| The pen tester found _____ in the trash while dumpster diving. \|
	\| 3 \| Our CIO has a framed a picture of _____. \|
	\| 4 \| 9 out of 10 experts agree, _____ will increase your security effectiveness. \|
	using System;
	using System.IO;
	using LipingShare.LCLib.Asn1Processor;
	using System.Runtime.InteropServices;
	using System.Collections.Generic;
	using System.Text;
	using System.Security.Cryptography;

	namespace SbpParse {
	/*

	Compaq/HP Recovery Media (c. late 1990s-early 2000s) .CEX File Decryptor
	another rrrring of lightningggg production by slipstream/RoL!

	Yesterday I received in the post some Compaq recovery media I ordered from Yahoo! Auctions Japan to dump.
	Having done that, I took a closer look at the disc images.

	The recovery media came in two CDs: a boot CD ("COMPAQ Restore CD"), and an OS CD ("Compaq CD for Microsoft Windows
	NT Workstation 4.0 Operating System").
	Superfish uses an SDK from Komodia to do SSL MITM. That's probably known by now.

	Superfish isn't the only product to use that sdk. there's others too.

	Each product that uses the Komodia SDK to MITM, has its OWN CA cert and private
	key pair. Seems a lot of people think they all use the superfish cert. That is
	NOT the case.

	First thing I checked was komodia's own parental control software,
	Keep My Family Secure. (mentioned on komodia's own website).