well, all of this started because of a simple reason, beef, this was the main reason I tried so hard to crack wyvern, and I actually did it (in a strange way). NOTE: this is already patched, it doesn’t work in the latest version and won’t work in old ones.
the exploit lets the user gain access to all the paid menus and share their access with only 1 valid key.
those are included in the list:
- Genesis
- Untitled
- Astra
- Violet
- Control
- Gorillaware
- Elysor (Chqser)
- Boe
- Symex
and much others!
I. Experimentation
so the first step was to experiment with the loader to test out the working features, and how it worked, I started extracting the strings, which I found some urls and error messages that will later be important.
after some testing and injecting some free menus into gorilla tag I proxied the requests it did through my proxy, and I noticed something very weird! I looked at the Colossus video about “wyvern loader is a rat” and I noticed he was emulating the api without any type of ssl pinning protections, so I wondered: “what if I use api emulation for bypassing version checks?”, so I made a python backend, and here comes the next part.
II. Emulating…
I wrote a simple python backend that could emulate the version following the colossus example, and it turned out to be like this (I didn’t include certificates or packages importing here):
class CustomHandler(BaseHTTPRequestHandler):
def do_GET(self):
if self.path == "/auth/files/loaderversion.txt":
self.send_response(200)
self.send_header("Content-Type", "text/plain")
self.end_headers()
self.wfile.write(b"v3.4.2")
elif self.path == "/auth/files/loader/_version_loader_gui.txt":
self.send_response(200)
self.send_header("Content-Type", "text/plain")
self.end_headers()
self.wfile.write(b"v3.4.2")I used HTTPServer to create a server in port 8080, once I did that I made a signed backend.wyvern.sh certification so I could forward all https requests from the loader to my server, once that was done I opened the loader and tested it, and it actually worked! the version displayed v3.4.2 and I was able to access older versions of the loader which didn’t contain ssl pinning! this was a massive breakthrough in the protections so here comes the next part.
III. Replication
once I emulated the loader’s version I realized I could just emulate the loader’s api calling completely, so I started working on it, I did about 3 versions, each one with its purpose.
the first version was literally making a request to wyvern’s backend and telling them: “hey give me the dll to inject! here is my VALID key: <key is provided to the server>”. and the server replied with the encrypted dll, which I couldn’t decrypt directly, so I had to pass it to the server, and my first thought was save it locally to share it, but pluto had already thought of that so he made anti-tamper protections to the dll so it couldn’t be saved and re-used. so I had another idea, what if instead of saving it, we just spit out the response from the original response that the original backend gave us, so I did that, I passed the chunks of the original response dll to the loader, and it actually worked, the dll injected inside gorilla tag’s process, here is the code for the exploit:
def do_POST(self):
if self.path == "/loader/genesis":
length = int(self.headers.get("Content-Length", 0))
body = self.rfile.read(length) if length else b""
# send the request to wyvern's backend with a valid key!
self.send_response(r.status_code)
skip_headers = ["Content-Encoding", "Transfer-Encoding", "Connection", "Keep-Alive"]
for k, v in r.headers.items():
if k not in skip_headers:
self.send_header(k, v)
self.end_headers()
content = r.content
chunk_size = 1024 * 1024
for i in range(0, len(content), chunk_size):
self.wfile.write(content[i:i+chunk_size])
self.wfile.flush()
time.sleep(0.05) # here i made some timeout for the chunks to process and replicate an original response time
else:
self.send_error(404)
IV. Replication V2
once I did this I realized one thing, why should I call it locally? I leaked my key while sharing it and it would get revoked instantly by the developers of the loader, so I decided to make a wrapper for it!
I made a Vercel app and started with the hello world template from Flask, once that was done I set it up like this:
@app.route("/loader/genesis", methods=["POST"])
def loader_genesis():
return proxy_exact(
"genesis",
"https://backend.wyvern.sh/loader/genesis",
{
"Content-Type": "text/plain",
"Connection": "close",
"User-Agent": "989327de-89c7/a689-4b5439ffac6d/1.0"
},
"key with hwid"
)I deployed the app and applied the changes to my server, now my key wasn’t leaked and everyone could use it, but there was another problem, so I solved it in the next part.
V. Replication V3
when I finished coding the server for the wrapper I realized that if my key got taken down, the crack was gone, so I made a caching system, everytime there was a new deployment in the vercel the cache was cleared, so when a request was made to retrieve the dll content it didn’t store / cache, BUT I made a system that whenever a request was made to retrieve the contents it actually proxied it through my caching system, if the variable that stored the response was empty, the response from the backend got stored there, if it was stored already it returned the variable contents, and it actually worked!
once this was done, I told Pluto, he’s the main owner of Wyvern Services and Astra Mod Menu. he told me that the issue was known and he thought he patched it from the start, but turns out he didn’t so he made a patch for it. NOTE: it was late night so he went to sleep and the issue was fixed next-day, only a temporary patch was made which I bypassed in the next part!
VI. The Bypass
pluto made a temporary patch that checked the time and integrity of the files in the backend, so I replicated ALL of that, here is the bypass
try:
for chunk in r.iter_content(1024 * 1024):
if not chunk:
break
self.wfile.write(chunk)
except (BrokenPipeError, ssl.SSLEOFError):
passI replicated the exact files and broke the dll into chunks, after that I made the file and passed it through the server, which worked and injected into gorilla tag process successfully!
VII. The End
the next day, when pluto added SSL pinning into the loader I tried everything to make it work but it just didn’t work, so I told him that it was fully patched and that api emulation wasn’t possible now, so yeah, issue fixed!
special credits to my boy colossus:
