GSI Destroyer

Experimentation in API Fuzzing


This was a project I had originally created before I even knew what an API was, much less how to fuzz one. I was a script kiddie and I wanted to hack my favorite online game, Gaia Online. It started out as an AutoIT Script and slowly improved from there, until I re-discovered it in January, 2016 and decided to give it a makeover.

Gaia Online's GSI is a serialization interface that utilizes JSON input and output to give access to useful information about your account as well as various website and game features. For example, GSI method #700 prints out everything in your account's inventory in JSON format. Method #604 prints out everything in your account's house in JSON format. Things like that.

Gaia utilizes two ways into the GSI server:

http://www.gaiaonline.com/chat/gsi/index.php?v=json&m=[[#]]
This one - commonly called index.php - is the human-readable version of GSI. It actually prints out spaces and formats the JSON nicely.

http://www.gaiaonline.com/chat/gsi/gateway.php?v=json&m=[[#]]
The other way in is through gateway.php - This output will be encoded and impossible for most humans to read.

Funnily enough, they seem to use index.php in GSI calls from their games, so I guess gateway.php isn't commonly used even by developers.

To use the two URLs above, replace the # symbol with your method number.

This code is no longer under active development, as my interest in the game has waned over time. If you think you can make use of the code, feel free to steal it! I don't even want credit.



Many of these projects were done for fun and out of a love for programming. They may not be polished or even complete. If you'd like more information about a given project or the process used in creating it, you can always contact me.