xgladius / wiz-packet-map

Licence: GPL-3.0 license
Wizard101 tool that dynamically dumps packet data and decrypts packets to and from the server that use aes-gcm encryption

Programming Languages

C
C++

Projects that are alternatives of or similar to wiz-packet-map

crypthash-net
CryptHash.NET is a .NET multi-target library to encrypt/decrypt/hash/encode/decode strings and files, with an optional .NET Core multiplatform console utility.
Stars: ✭ 33 (+83.33%)
Mutual labels:  gcm, decryption
Android-PGP
Simple PGP encryption/decryption on android.
Stars: ✭ 46 (+155.56%)
Mutual labels:  decryption
dlink-decrypt
D-Link firmware decryption PoC
Stars: ✭ 107 (+494.44%)
Mutual labels:  decryption
lazysodium-java
A Java implementation of the Libsodium crypto library. For the lazy dev.
Stars: ✭ 110 (+511.11%)
Mutual labels:  decryption
STIA
No description or website provided.
Stars: ✭ 18 (+0%)
Mutual labels:  decryption
client-encryption-java
Library for Mastercard API compliant payload encryption/decryption.
Stars: ✭ 55 (+205.56%)
Mutual labels:  decryption
MiMA
Model of an idealized Moist Atmosphere: Intermediate-complexity General Circulation Model with full radiation
Stars: ✭ 28 (+55.56%)
Mutual labels:  gcm
abrute
Multi-threaded AES Brute Force File Decryption
Stars: ✭ 22 (+22.22%)
Mutual labels:  decryption
passthief
A Python script to steal all the passwords via the use of plugins 😈
Stars: ✭ 27 (+50%)
Mutual labels:  decryption
cryptorious
CLI Password Manager
Stars: ✭ 15 (-16.67%)
Mutual labels:  decryption
Cryptor
Encrypt and decrypt string using a key
Stars: ✭ 14 (-22.22%)
Mutual labels:  decryption
cryptocli
The ultimate tool for data transfer, manipulation and proxy.
Stars: ✭ 16 (-11.11%)
Mutual labels:  decryption
pushex
Push notifications for Elixir
Stars: ✭ 96 (+433.33%)
Mutual labels:  gcm
Hemmelig.app
Keep your sensitive information out of chat logs, emails, and more with encrypted secrets.
Stars: ✭ 183 (+916.67%)
Mutual labels:  decryption
apple-pay
This library is used to decode tokens for Apple Pay.
Stars: ✭ 38 (+111.11%)
Mutual labels:  decryption
Keep-It-Secure-File-Encryption
Keep It Secure Private Data Encryption & Decryption Tool
Stars: ✭ 38 (+111.11%)
Mutual labels:  decryption
simple-ransomware
Simple ransomware to troll your friends. Encrypt and Decrypt a Windows computer using a simple xor encryption which is pretty basic!
Stars: ✭ 29 (+61.11%)
Mutual labels:  decryption
cloak
Serialized AES-GCM 256 encryption, decryption and key management in the browser & Node.js
Stars: ✭ 25 (+38.89%)
Mutual labels:  decryption
osx-callhistory-decryptor
macOS (incl big sur) call history decryptor/converter to CSV format.
Stars: ✭ 19 (+5.56%)
Mutual labels:  decryption
MultiGCM
Node.JS module to send GCM Push Notifications for both iOS & Android
Stars: ✭ 16 (-11.11%)
Mutual labels:  gcm

wiz-packet-map preface

2/28/2021 Update: KingsIsle decided to patch this by detecting, inside the function with the signature 55 8D AC 24 ? ? ? ? 81 EC ? ? ? ? 6A FE, whether AuthenticatedSymmetricCipherBase functions were hooked. As of 2/28/2021 this tool is fully functional and working.

Wizard101 tool that dynamically dumps packet data and decrypts packets to and from the server that use AES-GCM encryption. IV and nonce are both 16 bytes, and are generated on each zone load (when MSG_ATTACH is sent).

Wizard101 very recently (11/18/2020) started encrypting important packets using Galois/Counter Mode (GCM), a mode of operation for symmetric-key block ciphers, via the implementation in Crypto++, an open source crypto library written in C++ (https://github.com/weidai11/cryptopp/blob/master/gcm.h).

How it's done & what broke?

This project hooks a Crypto++ function, AuthenticatedSymmetricCipherBase::ProcessData, to retrieve its inString and outString arguments. These uint8_t buffers hold the packet before encryption or after decryption, respectively.

At some unknown time, KingsIsle pushed a patch to break this tool: it checks the validity of Crypto++ class member functions. V1 of the tool used a classic trampoline hook, which changed the first few bytes of AuthenticatedSymmetricCipherBase::ProcessData to jump to the hook handler, which then called the original function. This became a problem because KI now checks the first two bytes of those functions to ensure they have not been hooked.

The bypass

The bypass is trivially simple: overwrite the function-table entry that points to the original function with a pointer to our function.

[Image: the function table of the AuthenticatedSymmetricCipherBase class]

[Image: bytes of the original function]

By setting base + 0x2259240 to &ogProcessData_hook, we overwrite the function they want to call with ours, allowing us to intercept all calls to AuthenticatedSymmetricCipherBase::ProcessData.

Then, by calling the original from our hook, we keep the original function's behaviour intact while still being able to inspect the arguments passed to it.
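From the detection side, the write-up shows why a prologue-only check is incomplete: it reads the first bytes at the original function addresses, so a slot swap in the function table that leaves those bytes untouched is not seen. The following added example (not code from wiz-packet-map or Crypto++) models the class's function table as a plain array of function pointers and runs two integrity checks against a load-time baseline: one over the prologue bytes, one over the table slots. The function names, the two-byte prologue width and the single-slot table are assumptions for the demonstration.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <utility>

// Hypothetical stand-in for the ProcessData slot of AuthenticatedSymmetricCipherBase.
using ProcessFn = void (*)(std::uint8_t* out, const std::uint8_t* in, std::size_t len);

static void originalProcessData(std::uint8_t* out, const std::uint8_t* in, std::size_t len) {
    std::memcpy(out, in, len);           // placeholder for the real cipher step
}
static void hookedProcessData(std::uint8_t* out, const std::uint8_t* in, std::size_t len) {
    originalProcessData(out, in, len);   // a hook that forwards to the original
}

// The "function table" the write-up describes, modelled as an array of pointers.
struct FunctionTable { std::array<ProcessFn, 1> slots; };

// Baseline captured at load time, before any untrusted code has run.
struct Baseline {
    std::array<ProcessFn, 1> slots;                        // expected slot targets
    std::array<std::array<std::uint8_t, 2>, 1> prologues;  // first two bytes of each original
};

Baseline captureBaseline(const FunctionTable& t) {
    Baseline b{};
    for (std::size_t i = 0; i < t.slots.size(); ++i) {
        b.slots[i] = t.slots[i];
        std::memcpy(b.prologues[i].data(), reinterpret_cast<const void*>(t.slots[i]), 2);
    }
    return b;
}

// Check 1 (the prologue check the write-up attributes to the client): reads bytes at the
// ORIGINAL addresses, so a trampoline patch is caught but a redirected slot is not.
bool prologuesIntact(const Baseline& b) {
    for (std::size_t i = 0; i < b.slots.size(); ++i) {
        std::uint8_t now[2];
        std::memcpy(now, reinterpret_cast<const void*>(b.slots[i]), 2);
        if (std::memcmp(now, b.prologues[i].data(), 2) != 0) return false;
    }
    return true;
}

// Check 2: compare the live table against the baseline; this is what catches a slot swap.
bool slotsIntact(const FunctionTable& t, const Baseline& b) { return t.slots == b.slots; }

// Simulates the swap the write-up describes on a local table and returns
// {prologue check passed, slot check passed}.
std::pair<bool, bool> simulateSlotSwap() {
    FunctionTable live{{originalProcessData}};
    Baseline base = captureBaseline(live);
    live.slots[0] = hookedProcessData;   // original function bytes are never touched
    return {prologuesIntact(base), slotsIntact(live, base)};
}
```

In a real client the baseline would be taken from the module image on disk or a signed manifest rather than from memory at start-up, since memory may already be modified by the time the check first runs.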