@wtfuzz
wtfuzz / petya_notes.txt
Created July 1, 2017 00:24
petya key expansion
The keyboard input is processed in function 0x82a2
Only hex characters [0-9a-f] are accepted, case sensitive. Any other character is skipped.
Exactly 32 bytes of ascii hex characters are stored on the stack at 0x76ee
There seems to be a key derivation function at 0x99fc that's called 128 times on the 32 byte input,
and produces a 32 byte output at 0x76ce.
Entering a key of 32 'a' characters, here is a single round of the KDF function:
Petya(ish) MBR disassembly
This is from an infected Windows 10 guest (manually executed circulating sample with rundll32 "<dllname>,#1")
After a reboot, the system will start to appear to be performing a chkdsk. I let it run through that process and eventually it displays the red text screen with BTC, email address and my "installation key".
The original MBR from sector 0 is replaced with a small loader.
I dumped the MBR with:
# dd if=<block device> bs=512 count=1 of=mbr.bin
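The dump above is a single 512-byte sector. As an added example (not part of wtfuzz's notes), the Python below parses such a dump and compares it against a known-good copy of the MBR: it checks the 0x55AA boot signature, decodes the four partition entries, and hashes the 446-byte boot-code region so a replaced loader shows up as "boot code changed, partition table unchanged". The sample MBR images, the `build_sample_mbr` helper and the `load_mbr` path argument are constructed for this example and are assumptions, not data from the infected machine.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445 hold the boot code that a bootkit replaces
PART_TABLE_OFF = 446       # four 16-byte partition entries follow the boot code
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xaa"     # bytes 510..511


def build_sample_mbr(boot_code, partitions):
    """Build a 512-byte MBR image from boot-code bytes and
    (bootable, type_id, lba_start, sector_count) tuples. Constructed test data only."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b""
    for bootable, ptype, lba, count in partitions:
        # CHS fields are left zero; the LBA fields are what matters for the comparison.
        table += struct.pack(PART_ENTRY_FMT, 0x80 if bootable else 0x00,
                             b"\x00\x00\x00", ptype, b"\x00\x00\x00", lba, count)
    return code + table.ljust(64, b"\x00") + BOOT_SIG


def parse_mbr(mbr):
    """Decode signature, partition entries and a hash of the boot-code region."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected a %d-byte sector, got %d bytes" % (MBR_SIZE, len(mbr)))
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return {
        "signature_ok": mbr[510:512] == BOOT_SIG,
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": entries,
    }


def diff_mbr(known_good, dumped):
    """Classify how a dumped MBR differs from a trusted backup of the same disk."""
    a, b = parse_mbr(known_good), parse_mbr(dumped)
    return {
        "signature_ok": b["signature_ok"],
        "boot_code_changed": a["boot_code_sha256"] != b["boot_code_sha256"],
        "partition_table_changed": a["partitions"] != b["partitions"],
    }


def load_mbr(path):
    """Read the first sector of a dump produced with dd (path is an assumption)."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


# Constructed sample images: a "clean" MBR and one whose boot code was replaced
# but whose partition table is untouched, the pattern the notes above describe.
SAMPLE_PARTITIONS = [(True, 0x07, 2048, 1024000), (False, 0x07, 1026048, 8192000)]
KNOWN_GOOD = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", SAMPLE_PARTITIONS)
INFECTED = build_sample_mbr(b"\xeb\x3e\x90CONSTRUCTED-LOADER", SAMPLE_PARTITIONS)

if __name__ == "__main__":
    # Real use: diff_mbr(load_mbr("mbr_backup.bin"), load_mbr("mbr.bin"))
    print(parse_mbr(INFECTED))
    print(diff_mbr(KNOWN_GOOD, INFECTED))
```

Run on a real dump, a result of `boot_code_changed` with `partition_table_changed` false and the signature intact is the signature of a loader swap like the one described above; a changed partition table or a missing 0x55AA points at a different kind of damage and is worth a closer look before trusting any repair.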
@wtfuzz
wtfuzz / gist:1ce2ba141139158ce52f
Created January 19, 2016 21:54
TICKscript top_players
var topPlayerScores = stream
    .from().measurement('scores')
    // Get the most recent score for each player per game.
    // Not likely that a player is playing two games but just in case.
    .groupBy('game', 'player')
    .window()
        // keep a buffer of the last 11s of scores
        // just in case a player score hasn't updated in a while
        .period(11s)
        // Emit the current score per player every second.
@wtfuzz
wtfuzz / test_keepalive.rb
Last active December 15, 2015 08:28
Test keepalive
require 'em-http-request'
count = 10000
error_count = 0
EventMachine.run do
  conn = EventMachine::HttpRequest.new("http://127.0.0.1:8000", :connect_timeout => 5, :inactivity_timeout => 0)
  cb = lambda { |req|
    count -= 1