crtado

Results 11 comments of crtado

I am experiencing this same issue. I don't see new commits related to this (correct me if I'm wrong), but I can spend some time looking into this if the...

Also correct me if I'm wrong, but are the following lines the affected structures that have become outdated after the patch? Just clarifying the potential issue for my own understanding....

I've started looking into this & have so far been able to capture & decrypt the API traffic successfully using other tools. For example, I can see a (possibly) new...

> Fantastic! Can you share which tools you're using?

I used [proxifier](https://www.proxifier.com/) to proxy all (or just GGST) traffic through to [polarproxy](https://www.netresec.com/?page=PolarProxy) which decrypts & writes to a `.pcap` file...

I don't have any prior experience with messagepack, but using your first example & doing a quick test with [cyberchef](https://cyberchef.org/#recipe=To_Hex('None',0)From_MessagePack()&input=Vy1TVjRMNjFtdGtGek5KOTBJOXkzX3luMDYyLVlRazlGZW8wMUNlMzRseWZhYlJyeU9kSlJTZTVBNGtRYmN5M3J6NVVqb1c4cjAtN1lRUVl0eU1nbTFsUlp6d0hiZ1gyM0E), I can't seem to decode the data as messagepack either....

Damn, you beat me to the punch! Good idea on hooking EVP_EncryptInit.

Yes, it seems to work similarly for responses. Here is one decrypted response from my traffic last night from the endpoint `/api/catalog/get_replay`:

```json
[
  [
    "63a3eedaa0aac",
    0,
    "2022/12/22 05:44:58",
    "0.1.7",...
```

The above can be reproduced with a slight tweak to @Theoretical's snippet:

```python
from binascii import unhexlify
from Crypto.Cipher import AES  # pycryptodome
import json
import msgpack
# key obtained...
```

> Looks like there's another 16 bytes appended to a request though :(

I believe that's just the GCM authentication tag that gets appended to the ciphertext

It appears to be working! Here's the code for building/sending a request. The important part is the `get_replays_request` function.

```python
from base64 import urlsafe_b64decode, urlsafe_b64encode
from binascii import unhexlify, hexlify...
```