[Help] Sending packets in a Java game, related to in-game currency

02/14/2018 14:01 wDzZ#1

Hello!

So, for some reason, I've decided to see if there is any possible way to change the amount of currency in a F2P, java-based game.
I am a total noob when in comes to this, so obviously I know nothing about hacking. I took CE and WPE Pro, as I thought I may be able to work something out with those.

I've managed to change the value for the currency with CE (say from 3000 to 30000) but obviously, this was just for the client-side, and whenever I would open/close the game, the currency would set to the correct amount.

I figured that since I can edit this with CE, I must be able to send packets to the server somehow, so that I can actually give myself that amount of in-game currency.

The problem is, whenever I use WPE Pro to sniff the packets I get from the game, it's not so black and white.
There are no values in the packets I receive, most of them are requests sent to the server, under the form of /getapi, such as:

Code:

GET /getdataAPI.php?username=myusername&key=tokens HTTP/1.1
User-Agent: Java/1.8.0_161
Host: -
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

I don't know how can I work with this. I've read somewhere about setting up a Proxy server, where I could set up the values I want, then have them sent to the game server, but I have no idea on how to set up something like this.

If someone is kind enough to guide me through some basics, I'd appreciate it. I am not asking for someone to do this in my behalf, but more to tutor me about it!

Thanks!

02/14/2018 14:44 algernong#2

Quote:

I figured that since I can edit this with CE, I must be able to send packets to the server somehow, so that I can actually give myself that amount of in-game currency.

Why would you think that? The communication between client and server has nothing to do with what you can edit with CE.

What's the response to the http request?

02/14/2018 16:36 wDzZ#3

This is what I get:

Code:

HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Wed, 14 Feb 2018 15:30:09 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1
Connection: keep-alive
Set-Cookie: PHPSESSID=0epbgpeffn44mrem7vg0fo5vb5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

0e/

What is to keep in mind is that these are the packets I receive whenever I buy something.
I was looking to see if I cannot "add" currency (like with modifying the value in CE), maybe I can somewhat trick the server into thinking that the item actually costs 1 or 0 currency, and thus get it for free. But the thing is that there is no actual value for me to edit , in order to send back and achieve this.
Is it even possible to do such a thing?

Thanks

09/18/2018 15:42 Benhero#4

In the "Code" you post is nothing that is relevant.
No Information about your current amount of money otherwise any information that is important. The communication happens about the tcp protocol. you have to snife this packets with a programm like WireSharkPro.

But in 99,9% of the Online Games you CAN'T! modify your currency with TCP packets. Because there's no packet to change your money in the Database or whatever. And if there is a packet (like for Gamemasters) there will be a security check on the server if you are an Gamemaster or not. If not -> Nothing happens :D

Greatings Ben

09/20/2018 20:46 elmarcia#5

U could try sql injection and see if that works, but in most cases won' work

GET /getdataAPI.php?username="sql injection here"
Supose they store users in a table name users
GET /getdataAPI.php?username=" ' '; delete users where username = 'your username';"
this will delete your user if the table name is correct and no sql prepared statements are used in the php code.