Late post.
Sorry for the lack of updates recently; I've been busy with a few other things, but this blog isn't about that!
The decodeBitmap() function I'm working on isn't acting as well as it should. I'm pretty certain that the only incorrect piece of code is this one:
pixels.position = position + channel;
That line alone is the cause of what I think is making the Sandbox give me the incorrect p&g keys. Currently the SandBox outputs:
P len is 53 G len is 51
P is 72057331058456166916582840012450119041673124206131971
G is 860860017052136081176025452969014307125978262247352
P should be almost double that length. However, I've debugged through all the code and yeah, I'm pretty certain it's just pixels.position that's incorrect. The obfuscated version of it is unclear in every single habbo.swf that I've looked at.
Alongside that I've been working on injecting my own swf into the client. It's been going pretty well I guess. The first few attempts churned out the following error from the flash client:
Warning: Ignoring 'secure' attribute in policy file from http://hotel-uk.habbo.com/crossdomain.xml. The 'secure' attribute is only permitted in HTTPS and socket policy files. See http://www.adobe.com/go/strict_policy_files for details.
Warning: Not a known player download type, http://images.habbo.com/c_images/hotel_view_images_hq/hotelview_dec09.png
--> attempting to inject malicious swf...
TypeError: Error #1009: Cannot access a property or method of a null object reference.
at com.sulake.core.assets::_-4z/_-WM()
at com.sulake.core.runtime.events::EventDispatcher/_-nd()
at flash.events::EventDispatcher/dispatchEventFunction()
at flash.events::EventDispatcher/dispatchEvent()
at com.sulake.core.runtime.events::EventDispatcher/dispatchEvent()
at com.sulake.core.utils::LibraryLoader/loadEventHandler()
The source of the problem seemed to be related to the Habbo.swf not inheriting hh_hack.swf as it should. So I decided to try an alternative route. After a few attempts I got what seems to be a successful injection!
--> Warning: Ignoring 'secure' attribute in policy file from http://hotel-uk.habbo.com/crossdomain.xml. The 'secure' attribute is only permitted in HTTPS and socket policy files. See http://www.adobe.com/go/strict_policy_files for details.
Found Pet Pack: dog
Found Pet Pack: cat
Found Pet Pack: croco
Found Pet Pack: terrier
Found Pet Pack: bear
Found Pet Pack: pig
Found Pet Pack: terrier
Found Pet Pack: bear
Found Pet Pack: pig
(x=0, y=0, w=66, h=22) (x=0, y=1, w=66, h=19) (x=0, y=0, w=66, h=22) (x=0, y=1, w=66, h=19)
(x=0, y=0, w=55, h=22) (x=0, y=1, w=55, h=19) (x=0, y=0, w=55, h=22) (x=0, y=1, w=55, h=19)
(x=0, y=0, w=88, h=22) (x=0, y=1, w=88, h=19) (x=0, y=0, w=88, h=22) (x=0, y=1, w=88, h=19)
--> attempting to inject malicious swf...
--> Injected Successfully................
TypeError: Error #1010: A term is undefined and has no properties.
at com.sulake.core.assets::_-4z$/_-1ld()
at com.sulake.core.assets::_-4z/_-WM()
at com.sulake.core.runtime.events::EventDispatcher/_-nd()
at flash.events::EventDispatcher/dispatchEventFunction()
at flash.events::EventDispatcher/dispatchEvent()
at com.sulake.core.runtime.events::EventDispatcher/dispatchEvent()
at com.sulake.core.utils::LibraryLoader/loadEventHandler()
Warning: Ignoring 'secure' attribute in policy file from http://www.habbo.co.uk/crossdomain.xml. The 'secure' attribute is only permitted in HTTPS and socket policy files. See http://www.adobe.com/go/strict_policy_files for details.
That particular error hasn’t managed to cause any actual client errors and Habbo itself still works as it should. I think I know what’s causing the error and needless to say it’s nothing to particularly worry about! Next step is to completely fix decodeBitmap(), and possibly try and call some functions through hh_hack.
Nice job, good luck with this, hopefully this all works out fine.
Getting there ;D
Looking good. =]
Fascinating. I wonder if perhaps chronicling your progress gives Sulake a head start to roadblocking you, or even stopping you in your tracks. I am very interested in where this is heading.
Interesting read! Keep it up, Myrax!
It most certainly didn't compromise the project last time the encryption efforts were broadcast on here; if anything it sped the process up with community comments.
Best of luck Dom, hopefully you can get a working en/decryption class together. I’m surprised it’s taken this long for someone to seriously look into cracking it, 2.5 months now since Beta was dropped, mirite?
Yes, Mike was telling me about your progress on this the other night, very impressed so far, keep up the good work.
Nice Dom!
Off topic: Totov.irc is dead?
This may just be stupid, but why not try getting hh_hack to insert a custom link into the client before it calls upon that .xml file?
Or is that impossible?
Keep up the good work
Thanks for your comments guys!
Legionnaire && Scott: Thanks for your interest guys, I'm working hard to get the actual decodeBitmap() function working! The initial idea of hh_hack is to get it to call the real decodeBitmap() and then for me to play spot the difference!
Tom: I think so, I however haven’t tried getting onto it in a while!
Rusty: The XML file you see there isn't really of any importance; however, it's not possible to change it. Habbo.swf calls that before it bothers to call any of its child swfs!
Could you possibly get it to load a custom crossdomain.xml or do you mean that that loads before hh_hack?
You could get it to load a custom domain by placing
*.*.*.* hotel-uk.habbo.com
into your hosts file. However, I don't see why you would have to; there's nothing in there of any use really!
Yeah. Crossdomain.xml is basically just to try and deter Retro Owners from using their swf’s. (Not really an issue yet, as there hasn’t been much development in the way of private servers for the Flash Client.)
The Flash File itself seems to be locked down in a way to prevent injection, I doubt it would be too hard to work around though, it is Flash after all. :p
It's not injecting the hh_hack.swf that's the problem really, I've successfully managed that! I think it'll actually be calling functions from the parent swf (Habbo.swf) that'll be the problem!
Hey Dom great work! I just properly read through it (last night I skimmed) and you seem to have it all planned out.
If it’s calling functions from the parent SWF then the child SWF’s will only be receiving the output of the function rather than the actual function itself, so that means you won’t be able to access the REAL decodeBitmap()?
You're right James. However, that's not really a problem. So long as I can see the output of the function I'll be able to compare it to my output! That's where spot the difference comes in!
But then again, they have them nicely bundled up…
It's called /hh_assets.zip or something.
I think I have the latest.
I’ve tried injecting code too. Replaced the Volter.swf with my custom swf and got it to alert “test” and still load the client normally (well, without proper font), but I never managed to do anything to the client itself :s it looks like they’ve prevented that kind of stuff quite well. I’m not too good with flash though so I hope there’s still a way :p
LOL it's actually Adobe's security, not Sulake's.
Correct, William. Silly to pass on wrong information eh?
http://kb2.adobe.com/cps/142/tn_14213.html
Do you guys actually live up each others arses?
No. Although it does appear that you do enjoy it when other people are crammed up yours, though.
Erm, whoops. Quoting be fucked? Everything after the link was what I wanted to say. Lol.
I'd like to point this out:
Ratings:3 of 3 people found this helpful
come on, only three people?
It’s still the correct information regardless of the user feedback… I mean who actually gives feedback?
All I can say is this,
Dominic, you're one hell of a mother fucker, but back onto note, what was hh_hack's source code anyways? Just getting the basic packets? Or what?
Why don't you inject a DLL file and use detours.h?
Because that would only hook Winsock at a low enough level to grab incoming/outgoing packets – but I'm pretty sure they'd still be encrypted.
http://www.haxecurity.org/ Biggest Database
@Tunny, a little useless without any registration, don’t you think?
@Scott: Sorry, I have tested only the AWStats. Admins, you can remove it if you want.
No, only VIP members have access to it.
/paid/ VIP, mirite?