My Windows reverse engineering and exploit research workflow has been:
1. Pick a binary to research like tcpip.sys
2. Use github.com/joshterrill/po… to automate seeing existing binary versions, download, and generate diffs from them
3. Load the resulting .binexport's and .bindiff into an LLM and ask it to analyze
4. Look up the build number of previous Windows version that old binary existed in from uupdump.net such as 26100.8328 and create a VM from it
5. Write code and test, working backwards from LLM analysis
@drbinaryai It's the only reason I use an LLM at all, I don't like dealing with the compiler noise in the diffs. I just want to get to the actual changes and start coding as fast as possible. I'll check out drbinary, thanks.
@joshterrill Solid workflow. One add: normalize symbols + function hashes so diffs survive minor compiler noise, and track semantic changes (new calls, bounds checks), not just bytes. drbinary.ai is handy to automate triage + diff and keep an audit trail. What LLM prompts work best?
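The filtering step the thread is asking for (get rid of the compiler noise in a BinDiff result and hand the LLM only the functions that actually changed) can be done directly against the .BinDiff file. The script below is an added example, not code from the poster's tool or from BinDiff. It assumes a .BinDiff file is an SQLite database with a `function` table holding one row per matched pair (address1/name1 from the old binary, address2/name2 from the new one, plus similarity and confidence in [0, 1]); only those columns are used and the sample rows are constructed. Unmatched functions are not in that table, so the full address sets from each side (taken from the .BinExport files, not parsed here) are passed in to recover added and removed functions.

```python
"""
Rank the changed functions in a BinDiff result before it goes to an LLM.
Added example for the workflow above; not the poster's tool and not BinDiff code.
Assumption: a .BinDiff file is SQLite with a `function` table holding
address1/name1 (old binary), address2/name2 (new binary), similarity and
confidence per matched pair. Only those columns are used here.
"""
import sqlite3

MATCH_COLUMNS = "address1, name1, address2, name2, similarity, confidence"


def build_sample_db():
    """Constructed stand-in for a real .BinDiff file: same table shape, made-up rows/names."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE function (address1 INTEGER, name1 TEXT, address2 INTEGER, "
        "name2 TEXT, similarity REAL, confidence REAL)"
    )
    conn.executemany(
        f"INSERT INTO function ({MATCH_COLUMNS}) VALUES (?, ?, ?, ?, ?, ?)",
        [
            (0x1000, "ParseOptionsHeader", 0x1010, "ParseOptionsHeader", 0.58, 0.98),  # real change
            (0x1400, "BuildReplyPacket", 0x1420, "BuildReplyPacket", 1.00, 0.99),    # untouched
            (0x1800, "CopyPayload", 0x1830, "CopyPayload", 0.97, 0.99),              # small change
            (0x1C00, "sub_1c00", 0x1C60, "sub_1c60", 0.71, 0.40),                    # weak match
        ],
    )
    return conn


def triage(conn, old_funcs=None, new_funcs=None, min_similarity=0.99, min_confidence=0.7):
    """
    Return a dict with:
      changed - matched pairs with similarity < min_similarity, most changed first
      weak    - matched pairs with confidence < min_confidence (possible mismatches;
                listed separately instead of being trusted as real diffs)
      added   - addresses in new_funcs that have no match (new code in the patched build)
      removed - addresses in old_funcs that have no match
    Pairs at or above min_similarity are treated as compiler/relocation noise and dropped.
    """
    rows = conn.execute(f"SELECT {MATCH_COLUMNS} FROM function").fetchall()
    changed, weak = [], []
    for a1, n1, a2, n2, sim, conf in rows:
        entry = {"old": (a1, n1), "new": (a2, n2), "similarity": sim,
                 "confidence": conf, "renamed": n1 != n2}
        if conf < min_confidence:
            weak.append(entry)
        elif sim < min_similarity:
            changed.append(entry)
    changed.sort(key=lambda e: e["similarity"])
    matched_old = {r[0] for r in rows}
    matched_new = {r[2] for r in rows}
    return {
        "changed": changed,
        "weak": weak,
        "added": sorted(set(new_funcs or ()) - matched_new),
        "removed": sorted(set(old_funcs or ()) - matched_old),
    }


def render_for_prompt(report):
    """Plain-text summary to paste into the LLM prompt next to the diff itself."""
    lines = ["Functions changed (most changed first):"]
    for e in report["changed"]:
        lines.append("  %s@0x%x -> %s@0x%x  similarity=%.2f confidence=%.2f%s" % (
            e["old"][1], e["old"][0], e["new"][1], e["new"][0],
            e["similarity"], e["confidence"], "  [renamed]" if e["renamed"] else ""))
    lines.append("Added functions: " + ", ".join("0x%x" % a for a in report["added"]))
    lines.append("Removed functions: " + ", ".join("0x%x" % a for a in report["removed"]))
    lines.append("Low-confidence matches (verify by hand): %d" % len(report["weak"]))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed address sets standing in for the function lists of each .BinExport.
    report = triage(build_sample_db(),
                    old_funcs={0x1000, 0x1400, 0x1800, 0x1C00, 0x2400},
                    new_funcs={0x1010, 0x1420, 0x1830, 0x1C60, 0x2000})
    print(render_for_prompt(report))
```

For a real file, replace `build_sample_db()` with `sqlite3.connect("old_vs_new.BinDiff")`; the confidence cut matters because a low-confidence match is often two unrelated functions paired by a weak heuristic, and feeding that "diff" to a model produces a confident story about a change that never happened.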
I broke Kindle's DRM protection tonight through a mix of static and dynamic analysis. AES key is derived from accountSecrets, kindle device ID, and voucher path. Book is decrypted in parts using OpenSSL from Ion blobs and then decompressed with LZMA.
@dr_yakub_xiao @The_Memeries I broke DRM. You misunderstood my comment. I was replying to the commenter about turning this into a Calibre plugin. I can't do that until I can find a better way to get accountSecrets without hooking the Kindle app at runtime. Right now the only way I can do it is through lldb.
Video of Kindle DRM being broken. A simple lldb script attaches to the Kindle app, puts a breakpoint on EVP_DecryptInit_ex, and when you start paging through a book, the AES key and IV are dumped. It takes ~1 minute for the process attach + continue to take place; all the action is at the beginning and end of the video. Full blog post + code will be coming within the next week.
@tjcapaldi It's definitely a bit hacky right now, but always reproducible. Open the Kindle app, open a book, attach lldb, import a script that sets some breakpoints, start flicking through pages of the book, the breakpoint is hit, registers are read, the AES key is dumped.
@tjcapaldi I don't have a great way to make a script that doesn't rely on specific offsets in the binary, which could change version to version. But I'll be writing up a blog post on it within the next week. Definitely enough for other reverse engineers to replicate, though.
@joshterrill Symmetric encryption, AES-128 CBC, but the interesting part is the key derivation that's done in initWithAccountsSecrets, so the books are decrypted in chunks, not all at once per account+device, DRM style. Insanely clean RE work. Respect
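The hook described in the thread (break on EVP_DecryptInit_ex, read the argument registers, dump key and IV) looks roughly like the lldb Python script below. This is an added example, not the poster's script, which has not been published at this point in the thread. Assumptions: the target is macOS arm64 (key in x3, IV in x4) or x86_64 (key in rcx, IV in r8), following the platform calling conventions for the 4th and 5th arguments of `EVP_DecryptInit_ex(ctx, type, impl, key, iv)`; the key is 16 bytes because the thread says AES-128 CBC; the IV is one AES block. The pure helpers (`arch_from_triple`, `dump_key_iv`) run outside lldb; the breakpoint callback needs the `lldb` module and only runs inside the debugger.

```python
"""
lldb hook that dumps the AES key and IV handed to EVP_DecryptInit_ex.
Added example, not the original poster's script. Assumptions (see lead-in):
macOS arm64 or x86_64 argument registers, AES-128 (16-byte key), 16-byte IV.
Use inside lldb after attaching:   (lldb) command script import /path/to/evp_hook.py
"""

KEY_LEN = 16  # AES-128 per the thread
IV_LEN = 16   # AES block size

# EVP_DecryptInit_ex(ctx, type, impl, key, iv): key is the 4th argument, iv the 5th.
ARG_REGS = {
    "arm64": ("x3", "x4"),    # AAPCS64: integer args in x0..x7
    "x86_64": ("rcx", "r8"),  # SysV AMD64: rdi, rsi, rdx, rcx, r8, r9
}


def arch_from_triple(triple):
    """Map an lldb target triple (e.g. 'arm64-apple-macosx14.0.0') to a key of ARG_REGS."""
    arch = triple.split("-", 1)[0]
    if arch in ("arm64", "arm64e", "aarch64"):
        return "arm64"
    if arch == "x86_64":
        return "x86_64"
    raise ValueError("unsupported architecture in triple: %s" % triple)


def dump_key_iv(read_mem, key_addr, iv_addr, key_len=KEY_LEN, iv_len=IV_LEN):
    """
    Return (key_hex, iv_hex) using read_mem(addr, size) -> bytes.
    OpenSSL allows key or iv to be NULL to update only the other one (e.g. a new IV
    per decrypted chunk), so a NULL pointer yields None instead of a bogus read.
    """
    key = read_mem(key_addr, key_len).hex() if key_addr else None
    iv = read_mem(iv_addr, iv_len).hex() if iv_addr else None
    return key, iv


def on_decrypt_init(frame, bp_loc, internal_dict, *extra):
    """lldb breakpoint callback, invoked on every EVP_DecryptInit_ex call."""
    import lldb  # only importable inside the debugger
    process = frame.GetThread().GetProcess()
    key_reg, iv_reg = ARG_REGS[arch_from_triple(process.GetTarget().GetTriple())]
    key_addr = frame.FindRegister(key_reg).GetValueAsUnsigned()
    iv_addr = frame.FindRegister(iv_reg).GetValueAsUnsigned()

    def read_mem(addr, size):
        err = lldb.SBError()
        data = process.ReadMemory(addr, size, err)
        if not err.Success():
            raise RuntimeError("ReadMemory(0x%x, %d) failed: %s" % (addr, size, err))
        return data

    key, iv = dump_key_iv(read_mem, key_addr, iv_addr)
    print("[EVP_DecryptInit_ex] key=%s iv=%s" % (key, iv))
    return False  # do not stop the target; keep paging through the book


def __lldb_init_module(debugger, internal_dict):
    """Run by 'command script import': set the breakpoint and attach the callback."""
    target = debugger.GetSelectedTarget()
    bp = target.BreakpointCreateByName("EVP_DecryptInit_ex")
    bp.SetScriptCallbackFunction(__name__ + ".on_decrypt_init")
    print("breakpoint %d on EVP_DecryptInit_ex, %d location(s)"
          % (bp.GetID(), bp.GetNumLocations()))
```

Breaking by symbol name rather than by file offset is what keeps the hook working across app versions, as long as the app still calls the exported OpenSSL entry point; if OpenSSL is statically linked and stripped, you are back to version-specific offsets, which is the fragility the poster mentions.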
Dear GitHub,
AI is changing the contribution graph.
Issues are often the real contribution now. They define the problem, shape the solution and guide the PR.
If a GitHub Issue leads to a merged PR, the issue author should get contributor credit.
Signed,
ctate
I'm using ChatGPT as a research assistant
It says: "Here is the clean, exact citation, with no hand-waving."
I read it. Neat! Then I'm skeptical -- I buy the book and look for the passage: can't find it. I ask: are you sure this exists?
It says: "You’re right to be skeptical — there is no exact passage where (...)"
I'm going to strangle it. Trying to do any kind of rigorous academic work with the assistance of the Confirmation Bias Machine is just exasperating.
@BLUECOW009 Cool! About the key length output, if it's 268,435,456 bits, how do you get the 8.0 MB output that we see in the console? Shouldn't it be 32 MB or so? The 42 lines out of the 1,000 lines - is it a numerical representation of a binary key, or is that how the key generator stores it?
apparently I made an encryption key that is orders of magnitude larger than RSA, generates faster than RSA and due to sheer massive size, is practically virtually uncrackable.
1. Key Size Comparison
• RSA 2048: 2048 bits
• RSA 4096: 4096 bits
• “Fractal Key”: 268,435,456 bits
2. Key Generation Time Comparison
• RSA 2048: Varies but typically much longer than “Fractal Key”
• RSA 4096: Varies but typically longer than “Fractal Key”
• “Fractal Key”: 0.0044 seconds
3. Security Benchmark
• RSA 2048: Crackable in ~300 billion years with current technology
• RSA 4096: Crackable in ~15 quadrillion years with current technology
• “Fractal Key”: Estimated to be practically uncrackable within the lifetime of the universe due to sheer key size and complexity.
Today the United States, the Russian Federation, and Germany did a prisoner swap.
Most notably:
Roman Seleznev, a/k/a Track2, is being returned to the Russian Federation. Seleznev was a prominent member of carder-dot-su. Seleznev developed automated systems for systemic identity theft and credit card fraud. He is estimated to have stolen over $50,000,000.
Vladislav Klyushin is being returned to the Russian Federation. Klyushin was a notorious hack-to-trade fraudster. He and his group compromised organizations to perform pseudo-insider-trading, which resulted in profits of over $93,000,000.
Videos released today via the Kremlin show President Vladimir Putin greeting the prisoners as they set foot on Russian soil once again. Here is the clip of Roman Seleznev shaking hands with Vladimir Putin.