Conway's 1K Binary Polyglot

Now you can play (or rather, watch) Conway’s Game of Life in a browser and on the C64 - using the same 1K file!

As an HTML5 file, the game will run in any modern browser on Windows, Linux, OS X, Android or iOS. However, just rename the file extension to .PRG and it’s ready to (natively) run on a C64!

For more info on binary polyglots: google “corkami”.

<A download href=>Download</A>

 Size: 1024 bytes
 Hash: c649f20d3cb59e474d1f578143242c64 (MD5)

<img src=>


 c64 code: ruk 
 js  code: Daniel Bali 
 polyglot assembly: FS1 

<A href=>Follow</A> @hexatomium

MZuck32 - A PE/HTML Hybrid File

In the binary oddity department, here’s a funny little corkami-style beast: MZuck32 is a tiny (3634-byte) file that can be opened both as a valid Windows executable and a viewable web page (with an image embedded) just by switching its extension between EXE and HTM(L). :-)

<img src=>


  • Valid Win x86 PE
  • Valid HTML+SVG page
  • A polyglot tribute to Facebook (what?) :)
  • For extra geekiness, MD5 hash is digits-only

<A href=>Download</A>

 Size (bytes, unzipped): 3634
 MD5: 11154659197220219689725940689118
 (Tested on Windows 8.1 - should work on other versions too)

Coming up next: A Windows/C64 hybrid ;)

<A href=>Follow</A> @hexatomium

View my <A HREF=>LinkedIn</A> page (Firas Salem)

A critical Windows component expires in 25 hours

Is this for real? While working on the new version of CTLInfo (screenshot below), I ran across an unexpected and rather scary finding: A key security component of Windows, the so-called ‘Disallowed’ CTL, has a validity of 15 months and is going to expire in 25 hours.

<img src=>

This is very worrying, because the ‘Disallowed’ CTL is a small but critical component in today’s Web PKI infrastructure and is used by Windows systems to keep track of any high-profile certificates that have been compromised. It includes thumbprints for compromised certificates such as Dutch Certificate Authority Diginotar, Microsoft’s, and many more.

I can’t accurately foresee what is going to happen in 25 hours (more accurately, starting from 2015-09-23 20:36:26 GMT), but the implications could be disastrous yet mostly invisible: all Windows systems, unable to verify the validity of their CTLs, could be at increased risk of MITM attacks worldwide. I’m especially concerned about newly installed systems which ship with an empty Disallowed CTL and will be unable to successfully autoupdate their CTLs until Microsoft pushes out new ones.

I contacted Microsoft as soon as I found out about this, but haven’t heard back so far. I do still have a (very) slim hope that Windows magically autoupdates before doomsday hits.

At this time, I don’t have information on how to mitigate this possible risk effectively.

I did not have enough time to analyze the issue in greater depth, so I really hope I’m wrong on this. It would be good if someone could confirm these observations.

Note: on a Windows 2012R2 server, it is also possible to view the issue using the following command:

 certutil -verifyCTL disallowed

#Update 1#

Good news! Microsoft has just released a new Disallowed CTL, and most importantly, signed with a new certificate. That was really close! Windows systems with direct connectivity to should automatically get the update within 24 hours.

<img src=>

SHA1 thumbprint of the new signing certificate:

 3e 42 ad 26 cc 2f 6e f1 52 99 15 0f ca be df 85 b9 af 75 d3

Expiration date: 2016-08-14

Note: The updated CTL has the exact same entries as the old one. The rogue Google certificates recently issued by Symantec are not included.

<A href=>Follow</A> @hexatomium

View my <A HREF=>LinkedIn</A> page (Firas Salem)

Why is Windows so misleading about what root certificates it trusts?

Did you know? The Windows Certificate Trust List (aka CTL) is the master source that determines all the root certs your system ultimately trusts by default. In contrast, good old certmgr.msc only shows a much smaller subset of that list, which it proudly claims to be your system’s “Trusted Root Certification Authorities”. The real deal, though, is stored behind the scenes, in an obscure format, and Windows provides no GUI to view any information about it.

Starting with Windows Vista, a new AutoUpdate mechanism was added, allowing these trusted root certificates to be seamlessly downloaded on first use.

Why does this matter? Because the incomplete information shown by Windows leads many people (including some security professionals) to believe that Windows trusts only a dozen or two root certificates out of the box, rather than hundreds.

Here’s a simple test:

  1. Open certmgr.msc, navigate to “Trusted Root Certification Authorities”,
    and notice the lack of a root called “OpenTrust Root CA G3”

  2. Open IE or Chrome and navigate to

    Good, your browser could establish a trusted SSL connection!

  3. If you examine the SSL cert of that server, what do you notice? It’s signed by root authority “OpenTrust Root CA G3”, which WAS not in your store…

  4. Open certmgr.msc again: now “OpenTrust Root CA G3” IS there and was added without any prompts. Why? Because your system already trusted it via its CTL.

  5. Bottom line? Certmgr.msc is not showing the whole picture. In fact, there’s no GUI view anywhere in the OS that shows any detail on the CTL.

<A href=>CTLInfo</A> is the result of a couple sleepless nights spent researching and reversing some of the CTL obscure format. (If someone knows where to find detailed specs on that format, I’d love to hear from you!) It is a very small tool showing some key information about your system’s CTL. I made this as I just could find no other straightforward way to get this sort of information, which can be useful to system or network administrators.

<img style=”max-width: auto;” src=>

<A href=>Follow</A> @hexatomium

View my <A HREF=>LinkedIn</A> page (Firas Salem)

Microsoft quietly pushes 17 new trusted root certificates

Earlier this month, Microsoft has quietly started pushing a bunch of new root certificates to all supported Windows systems. What is concerning is that they did not announce this change in any KB article or advisory, and the security community doesn't seem to have noticed this so far. Even the official Microsoft Certificate Program member list makes no mention of these changes whatsoever. Are they really hoping to pull this off, or is it just incompetence? As some of these new certificates relate to rather ‘brutal’ regimes, or completely unknown authorities (RXC-R2? Now what the hell is that for a “friendly” name? Both the name and thumbprint are completely unknown on the Web at the time of this writing), color me very suspicious.

Using my good old <A HREF=>RCC</A> scanner (a root certificate auditing tool), I quickly identified the following certificates as new:

0f36385b811a25c39b314e83cae9346670cc74b4   GDCA TrustAUTH R5 ROOT         CN
1b3d1114ea7a0f9558544195bf6b2582ab40ce9a   S-Trust Universal Root CA      DE
1f3f1486b531882802e87b624d420295a0fc721a   Notarius Root CA               CA
22fdd0b7fda24e0dac492ca0aca67b6a1fe3f766   Certplus Root CA G1            FR
2c8affce966430ba04c04f81dd4b49c71b5b81a0   RXC-R2                         US
32f442093b36d7031b75ca4daddcb327faa02b9c   Swedish Government Root CA v2  SE
3bc6dce00307bd676041ebd85970c62f8fda5109   CCA India 2015                 IN
46af7a31b599460d469d6041145b13651df9170a   MULTICERT Root CA 01           PT
4f658e1fe906d82802e9544741c954255d69cc1a   Certplus Root CA G2            FR
6e2664f356bf3455bfd1933f7c01ded813da8aa6   OpenTrust Root CA G3           FR
795f8860c5ab7c3d92e6cbf48de145cd11ef600b   OpenTrust Root CA G2           FR
7991e834f7e2eedd08950152e9552d14e958d57e   OpenTrust Root CA G1           FR
8094640eb5a7a1ca119c1fddd59f810263a7fbd1   GlobalSign Root CA - R6        US
9638633c9056ae8814a065d23bdc60a0ee702fa7   Tunisian Root CA - TunRootCA2  TN
a2b86b5a68d92819d9ce5dd6d7969a4968e11991   CCA India 2014                 IN
d27ad2beed94c0a13cc72521ea5d71be8119f32b   WoSign ECC                     CN
fbeddc9065b7272037bc550c9c56debbf27894e1   WoSign G2                      CN

Update 30-Jul-2015: Microsoft confirms the changes on this new <a href=>TechNet page</a>.

<A href=>Follow</A> @hexatomium

View my <A HREF=>LinkedIn</A> page (Firas Salem)