Wave Concerns: Fake Drawing Lib, Plaintext Passwords, etc..

ello' again, even more concerns regarding Wave.. may that be improper drawing libraries or storing passwords in plaintext, there are many things about Wave that are just.. sketchy.

 

also if Rexi see's this: i don't hate you man, i just don't like how this exploit has been going so far, even from the start. management, vulnerabilities, lack of care regarding user security, etc.

 

original thread: https://new.reddit.com/r/robloxhackers/comments/1drn5z4/wave_concerns/

---

Some of you may have seen my previous thread about vulnerabilities in the debug library in Wave, and I decided to look further into Wave, to find out what else I would uncover. What I discovered means that multiple of Wave's marketing claims are outright lies, potentially causing people to buy premium who otherwise would not have if they knew the truth.

 

1.  UNC percentage for premium vs free

 

I won't go into too much detail on this, as others have already discussed it, however Wave was originally claiming 100% UNC for both free and paid (visible in the screenshot from just 2 days ago), before backtracking and dropping the free version to 80% UNC. In addition, many users have been reporting that some functions are either broken or fake, and nobody (that I've seen), has been able to validate the 100% UNC claim at this time.

 

Image of 1

 

2. Wave's console library

 

This is not an area tested by the UNC script, as it cannot confirm anything that happens with them. It does confirm that aliases for the functions exist, but that does not count towards the UNC percentage. However, Wave has registered these functions, however if you decompile the DLL, you will uncover that the functions are simply defined as return 0;, meaning they are not implemented at all, and are practically just placeholders designed to stop the missing aliases warnings from showing up when the UNC script is ran. (screenshot is of one of the console functions, when I look at Wave DLL in IDA, they are all the same)

 

Image of 2

 

3. Wave's drawing library

 

Wave has not implemented a proper drawing library, and is instead using a lua drawing library that creates a roblox GUI from drawing library commands. This is was likely done to get around Hyperion's protections around DirectX, however this method will have worse performance than native DirectX rendering, and many Wave users have been asking for a "real drawing lib" in the discord server. (screenshot is a portion of Wave's drawing lib, the whole version has been posted on V3rm already)

 

Image of 3

 

4. Luarmor support

 

On release, Wave lacked support for luarmor, due to an issue in their readfile function. This has since been fixed, however had Wave developers bothered to test a luarmor script prior to release, this oversight would have been avoided.

 

Image of 4

 

5. Wave's hookfunction

 

Wave has an incomplete hookfunction implementation, so while it is complete enough to pass the UNC test, it will fail in some circumstances. When argument 1 is an lclosure, and argument 2 is a cclosure, hookfunction will error with the message "Hooking Lua Closures with C Closures is not yet supported". (screenshot is from hookfunction in Wave DLL in IDA)

Image of 5

 

6. Wave's debug library vulnerabilities

 

Read my previous thread for more details on this, but Wave contains vulnerabilities in it's debug library that can lead to arbitrary code execution. Since releasing my thread, Rexi has replied, practically waving it off as not an issue, and Wave has since updated, with none of the vulnerabilities fixed, and no public acknowledgement about their existence in the Discord server to warn users. 

(https://new.reddit.com/r/robloxhackers/comments/1dqjnvj/vulnerabilities_in_wave/) or (https://forum.wearedevs.net/t/36147)

 

7. Wave registration issues

 

Many users have been encountering issues installing Wave and or registering for a Wave account. The common fixes listed in the discord server has not worked for many people (381 people said it worked, whereas 1433 people said they never worked). While some issues are going to be expected with a just released exploit, the registration issues at minimum could of been avoided by getting a small group of people to test prior to release.

 

Image of 7

 

8. Passwords sent in plaintext

 

Wave UI sends your password in plaintext to Wave's API, meaning that Wave developers could see your password in plaintext if they wish to. The obvious solution to this (which should have already been implemented), would be to hash passwords prior to sending. We also do not know how Wave is storing logins, and what hashing algorithm they are using for this (if any), meaning there is a chance that if somebody managed to compromise Wave's servers and access the database, they could see everybody's Wave logins, including passwords if they are stored in plaintext (or an easily crackable hash), which could let them access other accounts if you reused the same password as another website/service. While Wave's API does use HTTPS, so the password is encrypted during transit, the passwords should be securely hashed before they are sent to Wave's servers. There is no reason for them to be able to have the plaintext password, as they can compare the hashes to ensure someone has the right password to login. This is even more concerning due to Rexi's links with Arceus X, an exploit known for stealing user data back in 2021.

 

Image of 8

 

9. Weird registry keys location

 

Wave stores it's registry keys under HKEY_CURRENT_USER\Software\KasperskyLab. This obviously matches the registry key location for Kaspersky Antivirus, and will increase the rate of false positives that Wave gets. It is unclear why they made the decision to do this, however it could of been done to try to prevent Roblox checking for Wave registry keys (even if Roblox could just look for obviously not Kaspersky related subkeys in that registry key). It would of been easy for wave developers to check if Roblox started checking the registry using a tool like Process Monitor after an update anyway, if they were checking for anticheat changes like they should be. This is even more concerning due to Rexi's links with Arceus X, an exploit known for stealing user data back in 2021.

 

Image of 9

 

While I wish Wave the best as it would be great for this community to return to it's former glory, in it's current state full of security concerns, bugs, and outright lies when it comes to marketing, it should not be available to the public, until such issues are resolved.