How to cheat in TeaGames
www.teagames.com
Some time ago I was playing on teagames. I managed to finish all the levels of Blueprint, but I wasn't able to get into the top-scores list. Out of boredom, or simply because I wanted to, I decompressed the SWF; really there are 3 SWFs, each one calling the others. Anyway, that's the only protection teagames has for its games: once you get where I was, you have everything you need to put the game up on your own website, or do whatever you want.
Nevertheless there was a problem. When the game sent the score it was encrypted, and I couldn't find that function. My theory is that the code it uses to encrypt it wasn't decompressed.. So I decided to simply do cryptanalysis on the code that was sent.
Then I played for about 10 minutes, and later I simply started dropping the balls, and I lost. I was using Mozilla Firefox with the "Live HTTP Headers" extension, and I saw the info that was sent to the server. There I saw that the file blueprint/backend.php was called with a random value in the URL and with some data sent by POST. One field was "x", which held something I thought at the time was an MD5 hash; awesomely, it was 32 characters long. That coincidence cost me lots of lost hours. Another field specified which stage of the game the request came from, whether it was the beginning or the end of the game. The last one, called onLoad, I don't know what it means..
This is the captured value:
POST /games/blueprint/backend.php?r=98558513
Host: www.teagames.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; es-AR; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
Accept: text/xml, application/xml
Accept-Language: es-MX, es; q=0.8, en-US; q=0.5, en; q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1, utf-8; q=0.7, *; q=0.7
Keep-Alive: 300
Cookie: PHPSESSID=9d361832a63867d8b79aab3264c7c7a5
Content-type: application/x-www-form-urlencoded
Content-length: 75
x=a7a771a0e1d0d3ccd6a1a5a20484&command=endgame&onLoad=%5Btype%20Function%5D
Well, this is not the one I captured that time; this is one I generated for cheating.. At that time the variable x had 32 chars, which made me believe it was an MD5 checksum.
Well, then I started collecting data, with the usernames:
- a
- aa
- b
- c
- d
- e
- f
- sdc
with scores of:
5,10,820,1020, .. ,24130
These logs are available for download.
The amount of data I collected with username "a" helped me to discover where the score was stored.
There were only 2 sections that changed with the score, something like this:
a7 ?? ?? a4 c4 a1 ?? ?? ?? ??
I was sure the last 4 bytes were the score, but the second and third bytes were unknown to me.
Anyway, the last byte repeated every 16 values; at first I thought it was modulated with a prime number.. but then I realized it was simply a XOR.. My score, for example, here is 5.
a7 a5 c3 a4 c4 a1 a5 a5 a5 a0
Then I just had to XOR 5 with a5a5a5a5:
5^a5a5a5a0 = a5a5a5a5
Then I XORed the whole code with a5.. and this is the result:
02 00 66 01 61 04 00 00 00 05
I know that.. the red parts (the last four bytes) change when I change my score, and the blue parts (the 61, the nickname byte) when I change my nickname.
02 00 66 01 61 04 00 00 00 05
The green part (the 00 66) always changed.. the white parts (the 02 and the 04) never did.
Well, I know what the red means.. it's only my score XORed with a5.
The green part is obviously a checksum, because it always changes.. but here is something funny:
When I have nickname "a" and score "5".. I get:
02 00 66 01 61 04 00 00 00 05
and with "b" and a score of "5"..
02 00 67 01 62 04 00 00 00 05
the "checksum" changed by 1.. and "b - a" is 1.. why?
Well.. ASCII(a) = 61 and ASCII(b) = 62 (in hex), so..
62-61=1
and that means the checksum adds the sum of the nickname to something.. yes, because here..
02 00 67 01 62 04 00 00 00 05
02 00 C7 02 61 61 04 00 00 00 05
C2 = 61 + 61.. and the nickname of the second code is "aa".. We also see that
C7 = SUM(nick) + SCORE, because my score in both is 5.
So.. we know that..
02 00 C7 02 61 61 04 00 00 00 05
The green (the 00 C7) is the result of..
SUM(nick) + SCORE.. but with some tests I found out that it really is..
SUM(nick) + SCORE % 255
We know that the red part is the SCORE.
We know that the blue part is the NICKNAME,
and that the orange part is strlen(nick).
Yes, because if you look at these 2:
02 00 67 01 62 04 00 00 00 05 = "a" 5
02 00 C7 02 61 61 04 00 00 00 05 = "aa" 5
The pink section (the 01 and the 02 in front of the name) is the length of the nickname.. both with a score of 5.
Now.. if you have paid attention.. this rule applies to the other 2 bytes we don't know..
02 00 C7 02 61 61 04 00 00 00 05
the pink one and the white ones..
each segment is of the length specified.. so the final key is:
([LC] [CHECKSUM] [LN] [NAME] [LS] [SCORE]) ^A5
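To show the recovered layout working end to end, here is a decoder I wrote for this writeup; it is an added example, not the author's HTML generator. It takes the two hex strings that appear on this page (the "a"/5 sample and the x= value from the captured POST), recovers the a5 key the way the text does (the zero bytes of a small score are sent as the key itself), walks the length-prefixed fields and recomputes the checksum. I read the author's "SUM(nick) + SCORE % 255" as SUM(nick) + (SCORE % 255), with the checksum and score stored big-endian; that reading is an assumption on my part, but it is the one the captured request checks out against. The dict keys are my own names.

```python
"""Decoder for the Blueprint score blob described in the post.
Layout recovered by the author:  ([LC] [CHECKSUM] [LN] [NAME] [LS] [SCORE]) ^ A5
"""
from collections import Counter

# Hex strings copied from the post (not constructed).
SAMPLE_A_5 = "a7a5c3a4c4a1a5a5a5a0"           # nickname "a", score 5 (line "a7 a5 c3 ...")
CAPTURED_X = "a7a771a0e1d0d3ccd6a1a5a20484"   # x= value of the captured POST


def recover_xor_key(blob: bytes) -> int:
    """Guess the single-byte XOR key the way the post does: a small score in a
    4-byte big-endian field has several 0x00 bytes, and 0x00 ^ k == k, so the
    most frequent byte in such a blob is the key itself."""
    byte, _count = Counter(blob).most_common(1)[0]
    return byte


def unmask(blob: bytes, key: int) -> bytes:
    """Undo the constant XOR (XOR with the same byte is its own inverse)."""
    return bytes(b ^ key for b in blob)


def parse_fields(plain: bytes) -> dict:
    """Walk the length-prefixed layout [LC][CHECKSUM][LN][NAME][LS][SCORE]."""
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        chunk = plain[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("truncated blob")
        pos += n
        return chunk

    lc = take(1)[0]                              # length of the checksum field
    checksum = int.from_bytes(take(lc), "big")   # assumed big-endian
    ln = take(1)[0]                              # strlen(nick)
    name = take(ln).decode("latin-1")
    ls = take(1)[0]                              # length of the score field
    score = int.from_bytes(take(ls), "big")      # assumed big-endian
    if pos != len(plain):
        raise ValueError("trailing bytes after the score field")
    return {"checksum": checksum, "name": name, "score": score}


def expected_checksum(name: str, score: int) -> int:
    """The post's formula, read as SUM(nick) + (SCORE % 255)."""
    return sum(name.encode("latin-1")) + score % 255


def decode(hex_blob: str, key=None) -> dict:
    """Decode one x= value; recover the key from the blob itself if not given."""
    blob = bytes.fromhex(hex_blob)
    if key is None:
        key = recover_xor_key(blob)
    fields = parse_fields(unmask(blob, key))
    fields["key"] = key
    fields["checksum_ok"] = fields["checksum"] == expected_checksum(
        fields["name"], fields["score"])
    return fields


if __name__ == "__main__":
    key = recover_xor_key(bytes.fromhex(SAMPLE_A_5))
    print(f"key recovered from the small-score sample: {key:#04x}")
    print(decode(SAMPLE_A_5, key))   # nickname "a", score 5, checksum 0x66
    print(decode(CAPTURED_X, key))   # the generated request: name, score and checksum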
And that's all.
With this information we can create our own code.
An HTML program that creates the KEY is available for download.. and then with telnet or netcat you can emulate the headers and the job is done.. you are in first place on teagames.
Well... thats all.
Greetings!!
Regards,
SirDarckCat