Code Monkey home page Code Monkey logo

wiz-packet-map's Introduction

wiz-packet-map preface

2/28/2021 Update: Kingsisle decided to patch this by detecting if AuthenticatedSymmetricCipherBase functions were hooked in the function with the sig of 55 8D AC 24 ? ? ? ? 81 EC ? ? ? ? 6A FE. As of 2/28/2021 this tool is fully funtional and working.

Wizard101 tool that dynamically dumps packet data and decrypts packets to and from the server that use aes-gcm encryption. IV and nonce are both 16 bytes, and are generated on each zone load (when MSG_ATTACH is sent)

Wizard101 has very recently (11/18/2020) started encrypting important packets using a symmetric-key cryptographic block cipher operation mode called Galois/Counter Mode (GCM) using an implementation from an open source crypto library written in C++ (https://github.com/weidai11/cryptopp/blob/master/gcm.h)

How it's done & what broke?

This project hooks a function in Crypto++ called AuthenticatedSymmetricCipherBase::ProcessData to retrieve the inString and outString. These uint8_t buffers can be used to retrieve the packet buffer before encryption, or after decryption.

At some unknown time, KingsIsle pushed a patch to break this tool, which checks the validity of Crypto++ class member functions. In V1 of the tool, it was using a classic trampoline hook which changed the first few bytes of AuthenticatedSymmetricCipherBase::ProcessData to jump to the hook handling function, then call the original function. This was problematic, as KI now checks the first two bytes of those functions to ensure they were not hooked.

The bypass

The bypass is trivially simple, overwrite the bytes pointing to the original function with new bytes pointing to our function.

This is the function table of the AuthenticatedSymmetricCipherBase class. Bytes of original function

By setting base + 0x2259240 to &ogProcessData_hook, we overwrite the function that they want to call, with ours, allowing us to intercept all calls to AuthenticatedSymmetricCipherBase::ProcessData

Then, by calling the original, we have maintained the functionality of the original function, while being able to intercept arguments passed to it.

wiz-packet-map's People

Contributors

xgladius avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.