This is not necessary just to control my LED functions | Razer Insider


  • 13 December 2022
  • 11 replies
  • 348 views

This seems a bit wrong: I paid for this Razer Naga mouse but am left with your unfair ultimatum for full control over a simple thing like the LED function, which, even though it was unspoken by Razer, is clearly implied.

"You can have control over this function, but only if we can dump this large amount of bloatware on your computer that far exceeds the space required for that function and takes up a large chunk of your system resources, without a choice of where it's installed... so what do you say, we got a DEAL?"

When put like that, would anyone agree to it? Probably not. But this is what Razer is doing.
I mean, 11 processes, and that's just what's running under Razer's name; I'm sure there's more.
A bit overkill for LED control, don't you think? Especially when I know for a fact the mouse has enough memory to hold the selected LED information, because that's how Logitech stores the LED data, and they offer two programs: a big, overblown, resource-hungry monster like Synapse and a small standalone EXE that doesn't require installation and that not only lets you edit the LED patterns but the key bindings as well. Once done, the mouse stays the way you wanted it and there's no Logitech anywhere to be found in the Task Manager. Where's Razer's small program? Oh, they don't have one.
So what's all that stuff running in the background anyway that is useless to the user? Well, considering the unfair, underhanded method used to force it onto users' PCs, it's obvious it's telemetry and analytical data-collecting software.
That's the only type of software I know of that will make a tech company change from your best friend to a raving lunatic just to get it on your machine.

So now I have to break out the Arduino and play hack the mouse. Well, until next time!!!!

11 Replies

LittleJay85
The problem with hybrid-analysis.com is that it flags a lot of false positives.
In that Razer Central analysis for example,

Found a cryptographic related string
  details:
    "FromBase64String" (Indicator: "frombase64string"; File: "66274410175edd2c877d3774e7bbbe46403d09e0a72fb8af36e8d699acc7ca9e.bin")
    "AesCryptoServiceProvider" (Indicator: "aescryptoserviceprovider"; File: "66274410175edd2c877d3774e7bbbe46403d09e0a72fb8af36e8d699acc7ca9e.bin")
  source: String
  relevance: 10/10
  ATT&CK ID: T1486

FromBase64String and AesCryptoServiceProvider are used throughout a lot of legitimate software, including Microsoft Windows (e.g. BitLocker uses AES encryption). But hybrid-analysis.com gives it an ATT&CK ID of T1486 and a relevance of 10/10, which adds to its Threat Score.

Under Unusual Characteristics it lists "Input file contains API references not part of its Import Address Table (IAT)".
But for a .NET application this is normal.

I'm just trying to make people aware that you can't always trust the report generated, especially when legitimate software is run through it.
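
An added example (not from the thread, Razer, or hybrid-analysis) of the context check the reply above describes: it tests whether a PE is a managed .NET image via the CLR header data directory and reports the two string indicators from the quoted report next to that result. The bytes from `build_sample` and the result field names are constructed for illustration.

```python
import struct

CLR_DIR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR runtime header)
INDICATORS = ("FromBase64String", "AesCryptoServiceProvider")  # quoted in the report

def is_dotnet_pe(data: bytes) -> bool:
    """True when the PE optional header carries a non-empty CLR header directory."""
    try:
        if data[:2] != b"MZ":
            return False
        pe = struct.unpack_from("<I", data, 0x3C)[0]   # e_lfanew
        if data[pe:pe + 4] != b"PE\0\0":
            return False
        opt = pe + 24  # 4-byte signature + 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        count_off = {0x10B: 92, 0x20B: 108}[magic]     # PE32 / PE32+
        if struct.unpack_from("<I", data, opt + count_off)[0] <= CLR_DIR:
            return False
        rva, size = struct.unpack_from("<II", data, opt + count_off + 4 + 8 * CLR_DIR)
        return rva != 0 and size != 0
    except (struct.error, KeyError):
        return False  # truncated input or not a PE image

def string_hits(data: bytes) -> list:
    """Indicator names present as ASCII/UTF-8 or UTF-16LE, as a strings scan sees them."""
    return [s for s in INDICATORS
            if s.encode() in data or s.encode("utf-16-le") in data]

def triage(data: bytes) -> dict:
    managed, hits = is_dotnet_pe(data), string_hits(data)
    return {
        "dotnet": managed,
        "crypto_strings": hits,
        # In a managed image these are framework type/method names held in
        # metadata, so their presence alone is not evidence of behaviour.
        "hits_explained_by_clr": managed and bool(hits),
    }

def build_sample(managed: bool) -> bytes:
    """Constructed minimal PE32 header plus name strings; not a real program."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)     # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + 8 * CLR_DIR, 0x2008, 0x48)
    names = b"\0Convert\0FromBase64String\0AesCryptoServiceProvider\0"
    return dos + coff + bytes(opt) + names

if __name__ == "__main__":
    for label, blob in (("managed", build_sample(True)), ("native", build_sample(False))):
        print(label, triage(blob))
```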


Ok, what do you have to say about these hooks?
"GetAsyncKeyState@USER32.DLL" in "RazerCentral.exe"
"GetForegroundWindow@USER32.DLL" in "RazerCentral.exe"
"CreateCompatibleBitmap@GDI32.DLL" in "RazerCentral.exe"
"ExitWindowsEx@USER32.DLL" in "RazerCentral.exe"
"Wow64Transition@NTDLL.DLL" in "RazerCentral.exe"
"GetKeyState@USER32.DLL" in "RazerCentral.exe"
Do any of them run away from the synapse software proposal?
LittleJay85
To start with that's Razer Central not Synapse.

But I'm presuming you understand how to read and interpret those reports and have programming, Win32 API, PE format and Reverse Engineering knowledge?

Those "Suspicious Indicators" aren't out of the ordinary for a .NET application.

I just know that Synapse 3 doesn't work without Razer Central, and Synapse 3 is an extended package of executables.
And yes, I appreciate the art of Reverse Engineering.
AndreAzevedo


LittleJay85
https://www.hybrid-analysis.com/sample/66274410175edd2c877d3774e7bbbe46403d09e0a72fb8af36e8d699acc7ca9e
Nothing in that malware "report" stands out as malicious.
The exe looks like a typical self-extracting zip file containing a .net installer which then downloads and runs whatever installers you selected to install.

As for the actual Razer Synapse app the only time it sends telemetry (log files etc.) is if you send feedback (click on the user account button in the top right corner, click 'Feedback', fill in the form and click Send).

If you don't believe me, open 'Razer Synapse 3.exe' with DnSpyEx and look for yourself.
So that is their trade offer: they get to run all of that, and that's just the installation process, just weakening your system a bit, getting it ready for Synapse. So when it's actually installed you only see part of what's going on. And we get a few little macro functions and some blinking lights. That sounds fair, right? I mean, compromised system integrity alone would be worth that.

This is the worst I've actually ever seen from any company. Not only are they hitting you with the most telemetry software I've seen in a single program, they don't mention it at all, maybe somewhere in the fine print, but it's basically free product testing data that used to cost tech companies millions. Now, since the whole internet Privacy Act thing in 2017, they're allowed to spy on people to gather, well, I know Microsoft likes to call it (diagnostic data), just take it directly from pretty much any modern device you own connected to the internet, and don't have to pay you a dime. Most tech manufacturers that do it heavily at least try to make it worth it by at least giving you decent software and features. The only features I see in Synapse here are the macroing and the lights; other than that it's just one big ad fest. What I see is the tech company equivalent of slapping you in the face, giving you the finger, taking the data from you and then forcing you to watch 12 solid hours of ads.

But yeah, Razer, you make the best mice and keyboards, but we had to pay for those; you didn't give them to us. I feel like I paid you to spy on me, and that's not cool.
Get a load of the rap sheet:

Preliminary analysis of Razer Synapse installer

RISK ASSESSMENT
Spyware
  • Found a string that may be used as part of an injection method
Persistence
  • Writes data to a remote process
Fingerprint
  • Queries kernel debugger information
  • Queries process information
  • Queries sensitive IE security settings
  • Queries the display settings of system associated file extensions
  • Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
  • Reads the active computer name
  • Reads the cryptographic machine GUID
  • Reads the windows installation language
Evasive
  • Possibly tries to evade analysis by sleeping many times
Network Behavior
  • Contacts 6 domains and 4 hosts

MALICIOUS INDICATORS

SUSPICIOUS INDICATOR
Ok, I was just playing around with OpenRGB: not as many effects, and they have the logo and scroll zones backwards. But when I closed the program I was surprised to see the Naga Classic was still doing the patterns set by OpenRGB. So I figured it must still be running in the background. But come to find out it's not running anywhere, which means the mouse DOES store the patterns to memory. This also means that when you close Synapse and the pattern returns to default, it's not a hardware limitation. It's Razer doing this because, well... telemetry data is like tech company heroin and they don't like being cut off.

Well, I know how to deal with this. Think of it this way: these are the video games I play. I know way more programming languages than one person should and have too much time on my hands. I tear programs apart for fun.
So "Hack the mouse" CANCELED (it didn't sound fun any).
It's time for a new game...
My current game for a while has been the Windows 11 OS and I've completely bent it to my will. I've beaten Microsoft into a dark corner in their own operating system... all un-installable bloatware gone, no telemetry (in all areas), fewer than 20 services left running, a nearly empty Task Scheduler and TrustedInstaller-level system access.
I've beaten that game. But now another telemetry junkie has caught my attention by treating their users like a product. It's time to take them to rehab.
New target... I mean game: =Synapse=. And considering how the last game I played with Microsoft went, Razer doesn't stand a chance.
There's a big difference between a "developer" that does it because it's a job and they need to make a living, and the unlabeled that do it because they find it fun and never want to stop. Who do you think has the better tricks? The 9-to-5 or the 24/7?
That's the route I'll take if I can't get the data to store on the mouse itself. I'm going to attempt to structure the firmware in a similar fashion to the Logitech I have. Hardware hacking, it's fun.
Userlevel 7
Omg, my eyes hurt. How can you read with this font? :P
You can try using a 3rd-party app like the OpenRGB software, so it'll control Chroma without having Synapse running.
