This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything about what's going on.
On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that
| const username = "USER_NAME_HERE"; | |
| /** | |
| * Initialized like this so we can still run it from browsers, but also use typescript on a code editor for intellisense. | |
| */ | |
| let followers = [{ username: "", full_name: "" }]; | |
| let followings = [{ username: "", full_name: "" }]; | |
| let dontFollowMeBack = [{ username: "", full_name: "" }]; | |
| let iDontFollowBack = [{ username: "", full_name: "" }]; |
This gist intends on clearing up some of the misinformation surrounding signed chat/the reporting feature Mojang has added to Minecraft 1.19.1. Here you can find both technical information as well as a general explanation of how these work.
After joining a server, clients now send a profile key used for verifying a message's authenticity. This key and thus the whole signing process is optional, but by default, servers enforce secure profiles for clients to send chat messages. Whenever the player sends a chat message and has a key associated, the message will be signed using their own private key, which the server then verifies using the public key sent after join. Assuming signature, timestamp, and message contents line up, the message goes through.
On the other end, clients can also require all broadcasted player messages to be signed, disregarding the ones without sender verified signatures.
Generated from PocketMine-MP 4.0.0-BETA6+dev
| Name | Description | Implied permissions |
|---|---|---|
pocketmine.broadcast.admin |
Allows the user to receive administrative broadcasts | N/A |
pocketmine.broadcast.user |
Allows the user to receive user broadcasts | N/A |
pocketmine.command.ban.ip |
Allows the user to ban IP addresses | N/A |
pocketmine.command.ban.list |
Allows the user to list banned players | N/A |
pocketmine.command.ban.player |
Allows the user to ban players | N/A |
| """ | |
| Sign in to Xbox Live with OAUTH2 | |
| 1. Go to https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade | |
| 2. Register new app ("+ New registration") | |
| 2.1. Enter a name for your app | |
| 2.2. Set "Supported account types" to "Personal Microsoft accounts only" | |
| 2.3. Click register | |
| 2.4. Choose "Redirect URIs" -> "Add a Redirect URI" | |
| 2.5. Click "Add a platform" -> "Mobile and desktop applications" |
This script operates on a packet dump between a vanilla client and server.
A dump like this can be obtained in various ways - a proxy, my frida tracer, etc.
However you get it, the file provided should have one packet per line, starting with read: or write: and ending with a base64-encoded packet (including the packet ID).
A quick example grabbed from one of my old log files:
read:kAHwoMpB4PUgQQAAAD8g17NAAAAAPwAAAAAAAAAA4PUgQQABAg==
write:CQ==
write:CQIBG8KnZSVtdWx0aXBsYXllci5wbGF5ZXIubGVmdAELbWN0ZXN0RHlsYW4AAA==
| This bug was also called moonshine in the beginning | |
| Basically the following bug is present in all bootroms I have looked at: | |
| 1. When usb is started to get an image over dfu, dfu registers an interface to handle all the commands and allocates a buffer for input and output | |
| 2. if you send data to dfu the setup packet is handled by the main code which then calls out to the interface code | |
| 3. the interface code verifies that wLength is shorter than the input output buffer length and if that's the case it updates a pointer passed as an argument with a pointer to the input output buffer | |
| 4. it then returns wLength which is the length it wants to recieve into the buffer | |
| 5. the usb main code then updates a global var with the length and gets ready to recieve the data packages | |
| 6. if a data package is recieved it gets written to the input output buffer via the pointer which was passed as an argument and another global variable is used to keep track of how many bytes were recieved already | |
| 7. if all the data was recieved th |
Install depot_tools and make sure the tools are available in your PATH variable. You might need to add them to your path manually.
Requirements:
You want to override the tell command, that has also the w and msg aliases by default.
The class that will override these commands is MyTellCommand (extends PluginCommand).
To do this, you've to set the original command in a state that allows it to be overriden. Also, aliases will be registered directly, but since all the work was done for the first registration, it's pretty simple.
//We are in the context of a plugin