Here is what you need so you don’t waste your time reading this
• Https Debugger
• The Program With The Key System
• Valid Key For That Program (Ex: 1 Hour Key, 1 Day Key, Etc.)
• Small Amount Of Braincells
Full Tutorial Step by Step Below - Works Best For Game Cheats and Loaders That Use Shitty CMD Based Keyauth or Other Key Systems
Step 1: Open The Program and Https Debugger. (Make Sure You Click Decrypt SSL When Launching The Program For The First Time)
Step 2: Type in / paste your key for the software. (Quick Tip: Do Not Have Any Other Programs Beside The One You Are Trying To Crack Open)
Step 3: Look for a https call / signal that was created when your entered key was VALID.
Step 4: Select the signal in https debugger.
Step 5: Right click the signal and select save content > response type.
Step 6: Save it to your desktop and name it whatever you’d like. (Just Do Not Change The File Type)
Step 7: After saving right click the signal again and select auto-reply.
Step 8: Click with file and select the one on your desktop.
Step 9: Click save on the side box that pops up
Step 10: Now go ahead and try the program again with any key you want.
As long as you keep the file you saved to your desktop and you have https debugger open when running the program, then it will automatically load that fake key.
KeyAuth is in fact not susceptible to this attack; it never has been. All KeyAuth examples meant for use on the client side (so C#, C++, not Node.js) use either encryption or an HMAC signature to ensure that an attacker couldn’t force a successful response unless they knew the values of the secret and sessionid strings, which are not transmitted in any HTTP request and, if obfuscated by the program developer, would never be known to the attacker.
Perhaps this works on very, very ancient authentication services, but certainly not anything recent. Even services like trinityseal and authgg, which haven’t been updated in two years, aren’t that simple to circumvent. These services have a unique encryption key and IV time; the only problem is they send this data plain-text in the same HTTP request that those encryption parameters are being used on. You can check out my Proof of Concept here https://cracked.io/Thread-Cracked-Auth-GG-C-Loader-Cracked-Auth-GG-bypass. While the response is dynamic each time and you can’t just use a response saved from a prior HTTP request, their implementation of the cryptography is poorly done given a lack of interest and knowledge. While perhaps this may fool someone with next to no experience, the cryptography in their cases is redundant and serves 0 legitimate purpose. They may as well send all the data plain-text, since they send the parameters to decrypt the data plain-text along with the encrypted data. It’s so poorly done…
In conclusion, KeyAuth can’t be bypassed with an HTTP debugger alone; the same cannot be said for trinityseal, authgg, and many others. The only way people have been able to bypass programs using KeyAuth is when the developer failed to protect the strings and the attacker extracted them, or the developer failed to protect against memory modifications and the attacker just did a JMP in assembly and skipped over the entire login part of the program. Neither of these is KeyAuth’s fault, and I hope more people come to this realization. Enterprise-level authentication systems such as Google Firebase and Amazon Cognito don’t provide string encryption and memory integrity checks; why would an authentication service that costs a maximum of $19.99 a year provide those either?
If anyone is planning to make an authentication system for their program that is susceptible to the attack laid out in the OP, I recommend you use the KeyAuth source code instead.
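As an added illustration of the session-bound HMAC check the reply above describes (example code written for this page, not KeyAuth’s own implementation; APP_SECRET, the session ids and the response bodies are constructed), this shows why a success response saved from one login cannot simply be replayed or edited into a later one:

```python
import hashlib
import hmac
import json

# Hypothetical shared secret compiled into the client and known to the server.
# Constructed for this example; it is never sent over HTTP.
APP_SECRET = b"constructed-app-secret-do-not-transmit"


def sign_response(secret: bytes, sessionid: str, body: dict) -> dict:
    """Server side: sign the response body, binding it to one session."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(secret, sessionid.encode() + payload.encode(),
                   hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": tag}


def verify_response(secret: bytes, sessionid: str, msg: dict):
    """Client side: accept the body only if the HMAC matches for THIS session.

    Returns the parsed body on success, or None if the signature is wrong
    (replayed from another session, edited, or signed with a wrong secret).
    """
    expected = hmac.new(secret, sessionid.encode() + msg["payload"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["signature"]):
        return None
    return json.loads(msg["payload"])


def replay_check(secret: bytes = APP_SECRET) -> dict:
    """Exercise the cases a saved-response auto-reply would run into."""
    good = sign_response(secret, "sess-A", {"success": True, "message": "ok"})
    return {
        # Genuine response for the current session: accepted.
        "genuine": verify_response(secret, "sess-A", good),
        # Same bytes replayed into a new session: rejected.
        "replayed": verify_response(secret, "sess-B", good),
        # Body edited to claim success without re-signing: rejected.
        "edited": verify_response(secret, "sess-A",
                                  {"payload": '{"success":true}',
                                   "signature": good["signature"]}),
        # Signed with a guessed secret: rejected.
        "forged": verify_response(secret, "sess-A",
                                  sign_response(b"guess", "sess-A",
                                                {"success": True})),
    }
```

The check only holds while the secret stays out of the traffic and out of easy reach in the binary, which is exactly the string-protection point the reply makes.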