This repository was archived by the owner on Apr 5, 2026. It is now read-only.
Context
Follow-up from #51. The obfuscated2 frame parser was not included in the initial fuzz testing work because it is deeply coupled to AES crypto and connection state.
What needs fuzzing
In net/net-tcp-rpc-ext-server.c, the obfuscated2 handshake path:
64-byte random header parsing
AES-CTR key/IV derivation from the header
Tag detection at offset 56 after decryption (0xdddddddd, 0xeeeeeeee, 0xefefefef)
Target DC extraction at offset 60
Compact/medium frame length parsing (1-byte and 4-byte variants)
Approach
Requires refactoring to decouple from:
connection_info structs and rwm_* message buffers
AES encryption context setup (net-crypto-aes.c)
Global state (ext_secret, connection type tables)
One approach: extract the post-decryption parsing (tag detection, DC extraction, frame length validation) into a standalone function that takes a flat 64-byte buffer.
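One shape the standalone function suggested above could take, as an added example written for this issue and not code from the project: a tag/DC parser over a flat, already-decrypted 64-byte buffer, a length-prefix parser for the compact and medium variants, and a libFuzzer entry point that needs no AES or connection setup. The three tag constants are the ones listed in this issue; the 16-bit little-endian DC field at offset 60, the 0x7f escape in the compact variant, the max_len bound and all identifiers are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* The three tag values at offset 56 are from the issue; the enum names, the 16-bit DC
   field and the exact length-prefix layouts are assumptions made for this example. */
#define OBF2_TAG_PADDED  0xddddddddu
#define OBF2_TAG_MEDIUM  0xeeeeeeeeu
#define OBF2_TAG_COMPACT 0xefefefefu
enum obf2_proto { OBF2_UNKNOWN = 0, OBF2_COMPACT, OBF2_MEDIUM, OBF2_PADDED };
struct obf2_header { enum obf2_proto proto; int16_t target_dc; /* assumed LE16 at 60 */ };

static uint32_t rd_le32(const uint8_t *p) {
  return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Post-decryption parse of the flat 64-byte header: no AES, no connection_info, no globals.
   Returns 0 on a recognised tag, -1 otherwise. */
int obf2_parse_header(const uint8_t hdr[64], struct obf2_header *out) {
  switch (rd_le32(hdr + 56)) {
    case OBF2_TAG_COMPACT: out->proto = OBF2_COMPACT; break;
    case OBF2_TAG_MEDIUM:  out->proto = OBF2_MEDIUM;  break;
    case OBF2_TAG_PADDED:  out->proto = OBF2_PADDED;  break;
    default: out->proto = OBF2_UNKNOWN; return -1;
  }
  out->target_dc = (int16_t)((uint16_t)hdr[60] | (uint16_t)hdr[61] << 8);
  return 0;
}
/* Frame length prefix. Compact: one byte counting 4-byte words, 0x7f escaping to a 3-byte
   count; medium/padded: 4-byte little-endian byte count. Returns prefix bytes consumed,
   0 if more input is needed, -1 if malformed or above max_len (bounded here, before any copy). */
int obf2_parse_frame_len(enum obf2_proto proto, const uint8_t *buf, size_t avail,
                         uint32_t max_len, uint32_t *len) {
  if (proto == OBF2_COMPACT) {
    if (avail < 1) return 0;
    if (buf[0] < 0x7f) { *len = (uint32_t)buf[0] * 4; return *len <= max_len ? 1 : -1; }
    if (buf[0] != 0x7f) return -1; /* high bit set: not a plain length byte */
    if (avail < 4) return 0;
    *len = ((uint32_t)buf[1] | (uint32_t)buf[2] << 8 | (uint32_t)buf[3] << 16) * 4;
    return *len <= max_len ? 4 : -1;
  }
  if (proto != OBF2_MEDIUM && proto != OBF2_PADDED) return -1;
  if (avail < 4) return 0;
  *len = rd_le32(buf);
  return *len <= max_len ? 4 : -1;
}
/* libFuzzer entry point for the decoupled parser: raw bytes in, no crypto setup needed. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  struct obf2_header h; uint32_t len;
  if (size >= 64 && obf2_parse_header(data, &h) == 0)
    obf2_parse_frame_len(h.proto, data + 64, size - 64, 1u << 24, &len);
  return 0;
}
```

With the parser split out this way, the fuzz target exercises every length-bound and tag-mismatch path without touching rwm_* buffers or ext_secret, which is the decoupling the refactor is meant to buy.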
Priority
Medium — this code handles untrusted input but only after the initial TLS/obfuscated2 layer is negotiated.