Decrypting View State Messages

4 points | by speckx an hour ago

3 comments

  • alwa a minute ago

    I'm not inclined to click through the Google Safe Browsing warning, but should one trust an archive to strip active content:

    https://archive.ph/gQcRU

    Appears to be a forensic walkthrough, working backward to calculate a decryption key from a disk image of a Windows machine with suspected malware.

    Excerpt:

    Published: 23/01/2026 I recently had someone reach out to me with an interesting problem. They had found a 1316 event in their Windows application logs that contained a likely malicious view state. There was just one catch, it was encrypted. [...] They were able to dump the autogen keys from the Windows registry, however they didn’t know how to use these to decrypt their view state.

    [...]

    In this post, I’ll be covering: * How the autogen keys are generated * How the master machine keys are derived from the autogen keys * How the final machine keys are derived from the master machine keys * How the final keys can be used to decrypt view state messages

  • random3 25 minutes ago

    All I'm seeing when opening this is a big red warning

    > Deceptive Website Warning > This website may try to trick you into doing something dangerous, like installing software or disclosing personal or financial information, like passwords, phone numbers, or credit

      ryanisnan 11 minutes ago

      Same, Firefox. Curious.