Hacking CPU-Z – Can You Trust the Results


Super Moderator
Staff member
Yes, CPU-Z’s validation website accepts fake data. See for yourself before the link is pulled: http://valid.canardpc.com/show_oc.php?id=2788357
The CPU-Z cvf file to generate the page you see above could be posted here for download for your own testing. However, this would create many problems for the CPU-Z folks so it won’t be posted.

CPU-Z is an excellent tool for displaying detailed hardware information. The main interface consists of many tabs: CPU, Caches, Mainboard, Memory, SPD, Graphics, and About. CPU, the main screen, provides real-time displays of Core Speed, Multiplier, Bus Speed, Core Voltage and more. It’s both a diagnostic and an enthusiast tool that is commonly used by overclockers, system administrators, and regular tech guys.

Unlike other system information tools, CPU-Z has an extra feature that lets users validate clock speeds and system components. By clicking the Validate or Validation buttons, the user can export clock speeds and the system’s configuration.

There are a couple ways to export system information. Exported files can be posted directly to CPU-Z’s validation site (CPU-Z Validator 3.00) or the user can save the file locally. The Save Report buttons let the user export to either a .txt or .html file. By default, the Save Validation File button exports a file called cpuz.cvf.

Above, you can see what the inside of the cpuz.cvf file looks like. You can immediately see that the data looks to be encrypted. This makes sense because the whole validation service wouldn’t matter a whole lot if users could easily change their hardware stats. Speaking of hardware stats, the CPU-Z validator site has an overclocking records (OC Records) section with ranks: CPU-Z Highest Records ! (V1.01).

When saving a cvf file or uploading stats directly to the validator site, you may notice the validator checks whether the cvf file is corrupt or invalid. If you manage to trick CPU-Z into producing results that literally do not add up, you will likely see a similar message…

Take a look at the red text in the above picture. If you do the math, 100.32 * 16 is 1605.12. That’s way off. The value of 9069.18 MHz is hacked into the application. CPU-Z’s validator does a great job in detecting these phony results. Notice how “Rejected” appears at the top along with “Not Validated” in the forum banner / signature graphic. During some spoofing tests, the validator did not generate a page to display results. Instead, a plaintext error is generated. The validator is very good at checking for abnormalities.

Despite the validator’s ability to check for the validity of overclocking speeds, the site does not seem to care about the integrity of the other data. As you saw early in the post, it was possible to put an HTML link back to this website directly on the CPU-Z page. In the wrong hands, it is theoretically possible to inject malicious code. As long as client-side data is imported to the server without any checks, dangers exist. How was this possible? When the user clicks validate in CPU-Z, a buffer area 8192 bytes in size is created. Each hardware specification is written into the buffer in Unicode format. The entire buffer is then transformed into ASCII format, encrypted, and finally converted to a string to become the cvf format.

Continue Reading for fixes and updates ;-)
Hacking CPU-Z – Can You Trust the Results? | Hacking Tricks
Top Bottom