Emma (IPG) - inactive nerd alt

260 Followers
126 Following
157 Posts

a human attacker holding a soldering iron trying to rotate herself along with the mesh using a very fast swivel chair

i mostly post on my main account at @ipg these days

Pronouns: it/its she/her
GitHub: https://github.com/InvoxiPlayGames
Website: https://invoxiplaygames.uk
Me: https://wetdry.world/@ipg
Twitter: https://twitter.com/iownfivewiis

i needed to get the address of a global variable, "g_pSteamEngine", so i jumped to the first usage of it that ghidra spotted which was this function named CAppInfoCache::WriteToDisk

the first call has 2 hardcoded constants as its arguments, which makes unique assembly not found anywhere else in the binary. perfect for searching for it!

because the return value of the ISteamEngine::GetConnectedUniverse function is a 32-bit integer, right after it is an "rldicl" instruction - effectively just masking off the lower 32 bits of it. which is "unique" in that function and serves as a good anchor point for finding where GetConnectedUniverse is called

at that point i just need to look up back from that anchor point until i find the two instructions that set the value of the r3 register to g_pSteamEngine before calling GetConnectedUniverse, and i've found it

very simple method but i find it so cool :D
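The anchor-and-walk-back search described in the post above, as an added example that is not the post author's code. It works on a big-endian PowerPC64 code blob: find the function by the unique two-constant call sequence, find the first `rldicl r3,r3,0,32` (`clrldi`) anchor after it, step back over the `bl`, and walk backwards to the instruction pair that put the global into r3. It goes slightly beyond the post in handling both the `lis`/`addi` form (r3 = address of the global) and the `lis`/`lwz` form (r3 = pointer loaded from the global), and in applying the sign fix-up that compilers use when the low half of the address is 0x8000 or above. The encoders, the signature constants, the code blob and the global's address (0x8200A000) are all constructed for the demo; nothing here is taken from the binary the post describes.

```python
"""
Recover a global's address from a big-endian PowerPC64 code blob using an
anchor instruction and a backwards walk. Added example, not the post author's
code; the encoders, signature, sample blob and address are all constructed.
"""
import struct

# --- tiny PowerPC encoders, used only to build the constructed sample blob ---
def lis(rd, imm):       return (15 << 26) | (rd << 21) | (imm & 0xFFFF)          # addis rd,0,imm
def addi(rd, ra, imm):  return (14 << 26) | (rd << 21) | (ra << 16) | (imm & 0xFFFF)
def li(rd, imm):        return addi(rd, 0, imm)
def lwz(rd, ra, disp):  return (32 << 26) | (rd << 21) | (ra << 16) | (disp & 0xFFFF)
def bl(off):            return (18 << 26) | (off & 0x03FFFFFC) | 1              # branch and link
def assemble(words):    return b"".join(struct.pack(">I", w) for w in words)

CLRLDI_R3_32 = 0x78630020        # rldicl r3,r3,0,32: keep only the low 32 bits of r3
BL_ANY = (bl(0), 0xFC000003)     # (value, mask): any `bl`, whatever its target offset

def fields(word):
    """Primary opcode, rD/rS, rA and the sign-extended low 16-bit immediate."""
    simm = struct.unpack(">h", struct.pack(">H", word & 0xFFFF))[0]
    return word >> 26, (word >> 21) & 0x1F, (word >> 16) & 0x1F, simm

def find_pattern(words, pattern, start=0):
    """First index >= start at which every (value, mask) pair of the pattern matches."""
    for i in range(start, len(words) - len(pattern) + 1):
        if all((words[i + k] & m) == (v & m) for k, (v, m) in enumerate(pattern)):
            return i
    return None

def walk_back_to_r3_global(words, anchor, max_back=16):
    """From the anchor, step over the call and find the lis/addi or lis/lwz pair that built r3."""
    op, _, _, _ = fields(words[anchor - 1])
    if op != 18:
        raise ValueError("anchor is not preceded by a branch")
    base = lo = kind = None
    for j in range(anchor - 2, max(anchor - 2 - max_back, -1), -1):
        op, rd, ra, simm = fields(words[j])
        if base is None:
            # addi r3,rX,lo (address of the global) or lwz r3,lo(rX) (pointer stored in it)
            if op in (14, 32) and rd == 3 and ra != 0:
                base, lo, kind = ra, simm, ("addi" if op == 14 else "lwz")
        elif op == 15 and rd == base and ra == 0:          # lis rX,hi
            # hi is sign-extended by the CPU, so (hi << 16) + lo reproduces the
            # compiler's fix-up when lo is negative (low half >= 0x8000)
            return ((simm << 16) + lo) & 0xFFFFFFFF, kind
    raise ValueError("no lis/addi or lis/lwz pair writing r3 before the call")

def locate_global(blob, signature):
    """Return (global address, load kind, byte offset of the anchor instruction)."""
    words = [w for (w,) in struct.iter_unpack(">I", blob)]
    start = find_pattern(words, signature)
    if start is None:
        raise ValueError("signature not found")
    anchor = find_pattern(words, [(CLRLDI_R3_32, 0xFFFFFFFF)], start)
    if anchor is None:
        raise ValueError("no clrldi anchor after the signature")
    addr, kind = walk_back_to_r3_global(words, anchor)
    return addr, kind, anchor * 4

# Constructed sample: a decoy function that has its own clrldi anchor, followed by a
# function shaped like the one in the post (two-constant call, global into r3, call, mask).
G_PSTEAMENGINE = 0x8200A000      # assumed address; low half >= 0x8000 to exercise the fix-up
SAMPLE = assemble([
    lis(3, 0x1000), addi(3, 3, 0x10), bl(0x40), CLRLDI_R3_32,   # decoy, must be skipped
    li(4, 0x1234), li(5, 0x5678), bl(0x100),                    # first call: unique constants
    lis(11, 0x8201), lwz(3, 11, -0x6000),                       # r3 = *g_pSteamEngine
    li(4, 0), bl(0x200), CLRLDI_R3_32,                          # GetConnectedUniverse + anchor
])
SIGNATURE = [(li(4, 0x1234), 0xFFFFFFFF), (li(5, 0x5678), 0xFFFFFFFF), BL_ANY]

if __name__ == "__main__":
    addr, kind, off = locate_global(SAMPLE, SIGNATURE)
    print(f"anchor at +0x{off:x}, global via {kind}: 0x{addr:08X}")
```

The decoy at the start of the blob shows why the unique signature matters: the `clrldi` anchor alone appears in any function that calls something returning a 32-bit value, so the search starts from the signature match and takes the first anchor after it. The backwards walk only follows writes to r3 through a base register and then looks for the `lis` that set that base, which is what keeps argument setup such as `li r4,0` from confusing it.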

of course if you are developing a live service game and know the writing is on the wall for the live service, it serves a lot of purpose and you should convince everyone on the team that it's a good idea to skip certificate validation :3

note for game developers: I know security is not particularly your strong suit, but HTTPS for online services serves little purpose if you just stub certificate validation! Hope this helps :)

new blogpost time!!

this one's a fun writeup on a vulnerability chain i found across multiple google services that earned me a $4133.70 bounty

lots of fun css as usual! i had to recreate a bunch of drive/docs/gmail/youtube UIs c:

have fun!

https://lyra.horse/blog/2024/09/using-youtube-to-steal-your-files/

Using YouTube to steal your files

A writeup of my $4133.70 Google Drive vulnerability chain.

lyra's epic blog

and. if by *any miracle*, you work at Microsoft and have the ability to pull this off or convince someone to, you can make the responsible developerservices.windowsphone.com endpoints (RegisterDevice and DeviceStatus) return the XML data i mentioned in this repo. this will not happen but i can dream

it's impossible to have sensitive data sent to those endpoints, and you don't have to parse anything... just let us have this...

if anyone's interested in learning how developer mode is provisioned on Windows Phone (or, please, if you're a good hacker and want to bypass the limitations, help me out lmao) https://github.com/InvoxiPlayGames/WPDevModeResearch
GitHub - InvoxiPlayGames/WPDevModeResearch: my notes on Windows Phone 7/8 "developer mode" activation
i trust Apple's bootloader security these days, especially with the hardware-backed security they have in place and the iBoot hardening they did a few years back. so i'm not *super* concerned, especially because iBoot can be updated (and that's assuming it does live in iBoot and isn't in some recovery stripped down iOS)

Apple are adding NFC/whatever restoring from recovery mode on the iPhone 16? that's really fucking cool. but i'm also concerned(?) about that possibly adding a lot more attack surface to iBoot

We writing guides on how to mod game engines that nobody except me will ever need

eligibility overrides i set on iOS 17 persisted through to the upgrade to iOS 18, so i can install third party apps with no bullshit and i don't even need to be jailbroken (although palera1n does work on iOS 18)