Decrypting View State Messages

(zeroed.tech)

5 points | by speckx 2 hours ago ago

5 comments

  • random3 an hour ago

    All I'm seeing when opening this is a big red warning

    > Deceptive Website Warning > This website may try to trick you into doing something dangerous, like installing software or disclosing personal or financial information, like passwords, phone numbers, or credit

  • alwa an hour ago

    I'm not inclined to click through the Google Safe Browsing warning, but should one trust an archive to strip active content:

    https://archive.ph/gQcRU

    Appears to be a forensic walkthrough, working backward to calculate a decryption key to read application logs, working from a disk image of a Windows/IIS machine suspected to be malware-affected.

    It includes the output of a run of a utility the author built to help. Which, I mean... I can see why Safe Browsing might get grumpy from the content alone; I'm also in no position to assess whether there's actual sneaky stuff going on too.

    Excerpt:

    Published: 23/01/2026

    I recently had someone reach out to me with an interesting problem. They had found a 1316 event in their Windows application logs that contained a likely malicious view state. There was just one catch, it was encrypted. [...] They were able to dump the autogen keys from the Windows registry, however they didn’t know how to use these to decrypt their view state.

    [...]

    In this post, I’ll be covering:

    * How the autogen keys are generated

    * How the master machine keys are derived from the autogen keys

    * How the final machine keys are derived from the master machine keys

    * How the final keys can be used to decrypt view state messages

  • an hour ago
    [deleted]
  • Alifatisk 41 minutes ago

    This site seems safe, I don't know why there is a warning.