Some extra ways of active probing #2539
Description
There are a couple of possible ways of active probing, even with #2523 patched. Most of them are probabilistic and not easy to exploit, and I am only posting two obvious attack vectors here. V2Ray's VMess implementation seems to be pretty broken by now.
-----BEGIN PGP MESSAGE-----
hQIMA/yg09s4zMcsARAAwcrAYlEIYbZlP/m/V73NZ4ODcLQOhCTJ7HAwgVlOAGhi
Cd9YGl6Z9DaW5qUtomvmZsxagGrgIHIIa3jXb6Z1d9ycIAbdque4qwmhA1MjvvaI
KQt7H4CTByr6NF2YZVYIJp8oICQeEUWrZxhS5JPN4kORBpJQfYJ8FfPrzRvtXOBa
RiOudQO3+iesMDPR09cHRfrC3aH/TD578Un4zjdBguJBVb6yO8yQ18P7ZvyeFb2r
/tPK6coP7J6gos+fg59gvL2XjDmCoPxpyN8d2BjBxJfR9XjVhNWCQ5xVkVWUXrv5
IHGFJBn3nebS3yWBp3QILviIw0ZreJpB9l+kBgjKBSlhFwOd7h0aHShHdP+pmi9Y
HHMzUzRpDHhoP9sw9WqSVxiRoflqh782yYo+BfVyWn1iGOpoHh6EO2Ozu3FIJBcQ
OZGZ3ZiLC18DXOB76gWuItkLZG9RW7+FXI4vIifCeqGoTyRkDrWjR7F6nKx3vZOL
uZwWwgjeEmZDQ6XAX/3pKB+AQBMS475xiQjJCIK9+ehDKhz/R9GHw1e6ebLLK+M1
EHZT50H4Unuyg3F8v8lmtc+pkvzWc0TIz5cesUN9IUb8CVtKZrWCK0Ydpm4uG9J/
xHfZt1V9k//jUOet65qZGRQvHeg+dklXIV7fIZpezeerG4zs9TIgVxxGjFX6bEDS
6QGI7k6PKUyT+l278KoZ5voco2qsyQ9jAQ+K/u6OKBMuhPbjuZYVa4mMf3IedEDu
eJM+xjdGev7iMQY1jybGKJo9Op5huKSI0fVXtMuvIJZNtVqJEQxt8lrcNNcvCdS1
J2QsBgyHtnFiP4IlurkW1ZlphxgAQpLkTdQsf/rRTo/V8bFpHLzg52PzXAaWuTM8
e2t+aNsP3IBII0x+NBuwpY8xRwrzLbkEEQqb0M5CBF/YK42IoXmtRXyKJze8EF/H
zk3bAtpRBvdVQNoN7eZ3rIfudTFn+4H4VJ3GZkpiZMgl59mhDAffxsPQmhiXfYGY
1QSwvn8K1ga8pIM4iQG4Qfx5+SaeSJV9LbirtAeEkc8kAyO0/CYOOqWdBj76xBEX
aaJlweZUxyeFjwChnSjw6BjEt48HkAFlYhpHhTgfhtH2Uw39KtJO+ah8Ju82P4NE
AGiE5hjx+xK7jc0wJRzBj5ZlJxFnKzTqrgN4f54QYHtKJql/j82gEaVgg+q+z9Tt
dHPkA5C+kLajFYvHJEiH+zk7i1QjBpfT9N58LjpwDzmN0zgBgLBLGBh4xutyHR95
nicpPh0WaTgFCBa96nER6fJ1GEAtKhis7INlP8hJm+rfkgsnRgz4Jd8YkmqTQVr6
9RdagO/wEWLpV/BsrAQx+EAH5UGRP+fDU2L0PhwdUjFgTPYfelLNOXIui/469uyT
A6CLzWrScKl3CUeK6cOMkpDd30Cwn0NwPrPz6nZokuNrV9r7ddKhtxIBcqnFF8Qi
UCZC4HBpJKMuSZ3MkKg=
=PC3U
-----END PGP MESSAGE-----