Wednesday, January 12, 2011

Zombie Rampage and other crazymonkey games hack --- step by step tutorial

First of all, sorry for the lame self advertisement, but hey, it's good for all of us: I get reputation, you learn something. If you don't know what I'm talking about, never mind (you will find out soon).

So let's get into it. This is one of the simplest attacks you can do out there, so even total beginners should be able to do it. We won't hack the game itself (maybe one day I'll show you how to do that); we will only intercept the web request the game sends to the server and manipulate it for our own needs. This type of attack is so simple it doesn't even have a name, at least I don't know one. Maybe it's URL SQL Injection, but this won't inject any code, and it's not done in the URL either, so let's name it request forgery instead.

What you will need:
  • Firefox: in IE it should be almost the same, but in this tutorial we'll be using Firefox. Maybe other web browsers are good too, but it complicates things a bit, and I won't get into it.
  • Fiddler Web Debugger: it's a free web debugging tool, I think the best out there. Installation should be easy, so I won't get into that either.
How you can do it:
  1. After installing Fiddler, restart Firefox so the Fiddler add-on can start up. Do not disable the add-on; we will be using it.
  2. Visit the game, play and die (hopefully you won't have any problem doing that). When the game over screen comes up, do not touch anything.
  3. Start Fiddler if you haven't already.
  4. Force traffic to Fiddler. You can do that in Firefox, at the bottom right of the screen. There's a "Fiddler: Disabled" text. Click it and select "Force traffic to Fiddler". As you can see in the image, that's a pretty decent score, so I'm not JUST a hacker. I played this game a lot and have topped the scores for a few days now (under the name of Dexx).
  5. Now every request is monitored by Fiddler. But we need more than monitoring; we want to manipulate it. For this we will stop the request from going to the server. Go to Fiddler, and there go to Rules -> Automatic Breakpoints -> Before Requests, or simply press F11.
  6. If there are any entries in the panel below the menus, select them and press Del. This is not mandatory, but it helps keep things clean. Also close any other websites you have open (like mail, YouTube videos, Internet radio etc.); they'll just confuse you, because these websites also make requests in the background that will show up in the session list.
  7. Submit your score. Go to the game and hit Submit score. You don't even need to fill in the name or anything, just submit it. If you've done it right, nothing will happen, but Fiddler will start blinking.
  8. Go to Fiddler. Notice the new entry which has popped up. It's sent to the host scores.crazymonkeygames.com; there's also the URL, the protocol (HTTP) and so on. In the column labeled # (the first one) you should see the same red icon as in the image, or you've done something wrong. Select this entry.
  9. A bunch of stuff will show up on the right. You can see that it's separated into 2 parts: the upper one is about the request, the lower one about the response. We don't have a response yet, there's just a request for now. Because it's not sent yet, Fiddler will allow us to modify it. It's a POST request, which means it has a body. This kind of data is generally in the body, as it is in our case. Select the Inspectors and WebForms tabs. You can use the others too, but in our case the web form view is the most user friendly.
  10. As you can see, there's your name and score, with some other parameters we don't care about. In other cases you might care, but not here. I already said this hack is pretty easy; in other cases this is the part where it could get really hard. So all you need to do is modify some parameters, then hit Run to Completion (marked in green). I will change the name to a bit.ly link pointing here and set the score to the maximum: 10000000. I will ask you not to use this same value (use 9999999) so you won't push my score down, and thus others will also find this tutorial.
Don't forget to disable the breakpoint in Fiddler and disable Fiddler in Firefox before closing. Otherwise you will get proxy not found messages or other funny stuff. Thanks for reading and have fun learning. Also, I do know that hacking is not nice, but it's cool and really fun.

Friday, October 1, 2010

Miniclip lumberjack games hack with Autoit

I haven't written for a long time, even though I made some great progress in hacking, with attack types like XSRF and Email Injection. Maybe I'll write about those later, maybe not, but now I need to publish my newest creation: hacking lame games which only require you to destroy your keyboard.

I'm talking about games like the newest game at miniclip.com, the Lumberjack Games. I used my hack on that, so I'll make that the example, even though it can be used on many other simple games.

The hack is written in AutoIt and does one simple task: it presses the "x" key, which in our case chops trees most of the time.

The simplest way to do that is:
While 1
    Send("x")
WEnd

But you don't want to use it in every game, since games switch pretty fast, and this script can hardly be closed (only from Task Manager), so I decided to make a GUI for it. A tiny, simple one:



This GUI is described by the following code:
$mainwindow = GUICreate("X-Spammer", 170, 50)
$spam = GUICtrlCreateButton("Spam", 30, 15, 60)
$stop = GUICtrlCreateButton("Stop", 100, 15, 60)

GUISetState(@SW_SHOW)

But with this code we can't do much, it will simply start and finish, so we need to add some event handlers. First we tell that we would like to work in event mode:
Opt("GUIOnEventMode", 1)

Then we add some events with functions. The idea here is that we'll have a controller variable which has a value of 0 on startup, change its value when the corresponding button is pressed (set it to 1 when Spam is pressed and to 0 when Stop is pressed) and modify our loop so that it will spam the "x" key only when our controller, in this case $doit, has a value of 1.

The complete code:
#include <GUIConstantsEx.au3>

; Controller: 0 = idle, 1 = sending keystrokes
Global $doit = 0

Opt("GUIOnEventMode", 1)            ; run the button and close handlers as events
$mainwindow = GUICreate("X-Spammer", 170, 50)
GUISetOnEvent($GUI_EVENT_CLOSE, "CLOSEClicked")
$spam = GUICtrlCreateButton("Spam", 30, 15, 60)
GUICtrlSetOnEvent($spam, "spam")
$stop = GUICtrlCreateButton("Stop", 100, 15, 60)
GUICtrlSetOnEvent($stop, "stop")

GUISetState(@SW_SHOW)

; Main loop: keep the GUI responsive and press "x" only while $doit is 1
While 1
    Sleep(10)
    If $doit Then
        Send("x")
    EndIf
WEnd

Func CLOSEClicked()
    Exit
EndFunc

Func spam()
    $doit = 1
EndFunc

Func stop()
    $doit = 0
EndFunc

It works really well. I played the game only twice. First without this hack, and scored around 12000, then with this little thing and...:



with a score of:


You can't use this tool in some levels but you can still win enough to become first. Hope you enjoyed and have fun learning.

Bye

Sunday, August 16, 2009

JALH (Just Another Lame Hack)

Not lame, the lamest. I won't describe this in every detail, it was just too lame. I was trying some other URL SQL Injections on Lamer (without any great success) when I found something weird.

When submitting a post on the forum I was looking in Fiddler at the post data. And I found my username and user ID within. I thought it was a bad joke, a remnant from an old version... I mean, my username was in the cookie with my encoded password (long-term cookies for "remember me" logins, for a year or so), so why require it on the form... in hidden inputs? It wasn't hidden at all.

I copied the site to a local HTML file, replaced every relative path (./) with absolute ones (http://lamer_domain.top_level_domain/) using Notepad++, removed the type="hidden" attributes of the inputs, and opened it.

There was a form where I couldn't just post a text, but I could specify the one posting it. Guess what, I picked the administrator (user ID 2). Well, I'm a l33t, at least I've done this on the test page, so no real user was reading it.

I think that's all about Lamer. When I was first asked to hack Lamer, I was thinking that 5 successful attempts would be more than enough to be acknowledged as somebody important, so this is the point where I'll stop hunting; this was the fifth chance to do something a normal user shouldn't be able to do. Lamer isn't lame any more, moreover, it never really was. I still think it's the best site ever, and hope one day I'll be one of its programmers. But don't worry, the world is full of hackable things, and this blog will be alive until the whole world becomes smarter than I am.
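Both the score POST in the Zombie Rampage post and the user ID field in this one work for the same reason: the server believes whatever fields the client puts in the form body. As an added example (not code from crazymonkeygames, Lamer or this blog), here is a constructed Python submission handler showing that trusting version beside a hardened one, which takes identity and game start time from a server-issued HMAC token and rejects scores that are impossible for the time played; the key, the limits and the token format are assumptions.

```python
import hmac
import hashlib
import secrets
from urllib.parse import parse_qs

# Constructed example; limits and token format are assumptions, not any real site's.
MAX_SCORE = 10_000_000               # the maximum score mentioned in the tutorial
MAX_POINTS_PER_SECOND = 500          # assumed plausibility cap for this game
SERVER_KEY = secrets.token_bytes(32)  # stays on the server, never sent to the client


def start_game(user_id, now):
    """Called when a game starts: issue a token binding the player and start time."""
    msg = f"{user_id}:{int(now)}".encode()
    tag = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return f"{user_id}:{int(now)}:{tag}"


def submit_vulnerable(body):
    """The pattern both posts exploit: name/uid and score come straight from the form."""
    form = parse_qs(body)
    return {"user": form["name"][0], "score": int(form["score"][0])}


def submit_hardened(body, now):
    """Identity and timing come from the server-issued token; the score must be plausible."""
    form = parse_qs(body)
    try:
        user_id, started, tag = form["token"][0].split(":")
        started = int(started)
        score = int(form["score"][0])
    except (KeyError, ValueError):
        return None                               # missing or malformed fields
    expected = hmac.new(SERVER_KEY, f"{user_id}:{started}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None                               # token forged or edited in transit
    elapsed = now - started
    if elapsed <= 0 or score < 0 or score > MAX_SCORE \
            or score > elapsed * MAX_POINTS_PER_SECOND:
        return None                               # impossible for the time played
    # Any 'name' or 'uid' field in the body is ignored: the token says who played.
    return {"user": user_id, "score": score}
```

A client can still edit the request in Fiddler, but the edited name or user ID is ignored and an edited score has to fit the game duration the server itself recorded.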

The more I hack the more ideas I get to hack. So please stand by, very soon you'll hear about me.