Stop using Toshinou ASAP

Page 1 of 2

09/10/2018 18:37 Freshek#1

Hey guys u.u

if you are advnaced...

Let's take a look at one of DarkOrbit sub SWFs. It has a class named PandorasBox. Cool, right? No, not cool (at least not for Toshinou users). So what is PandorasBox? It is a class which DarkOrbit uses for encrypting/decrypting packets. What you want to take a look at is the toString() method.

Code:

      override public function toString() : String
      {
         var _loc1_:String = new Error().getStackTrace();
         if(_loc1_)
         {
            if(this._caller && _loc1_.indexOf(":ExternalInterface$/_callIn()") != -1)
            {
               this._caller(_loc1_);
            }
            return null;
         }
         return null;
      }

Okay, okay. It's just a toString method. But this code

Code:

            if(this._caller && _loc1_.indexOf(":ExternalInterface$/_callIn()") != -1)
            {
               this._caller(_loc1_);
            }

doesn't look good, right? So what is _caller? _caller is a function which is passed to PandorasBox during handshake (one of the first packets). How does it look like? It's located in main.swf and it looks like this

Code:

function(param1:String):void
{
    sendRequest(new �_-53r�(param1));
}

It sends a request containing the dirty stacktrace from Toshinou! But hey, maybe toString is never called, right? Unfortunately, it's being called quite often. Let's come back to our PandorasBox.

Code:

      public function encode(param1:ByteArray) : ByteArray
      {
         param1.position = 2;
         var _loc2_:int = param1.readShort();
         if(_loc2_ == ID)
         {
            this.toString();
         }
      }

This is a fragment of the encode function which encodes packets. The suspicious fragment is obviously

Code:

         if(_loc2_ == ID)
         {
            this.toString();
         }

It simply checks if the command's ID (_loc2_) equals to some ID. But what ID is it? It's the Movement Command ID. Yes, you are right. It sends a request like "hi, darkorbit, I'm using toshinou ban me asap" every time you move.

However, if you aren't, an easier scheme:
you move -> packet is being encoded -> swf notices that you are using toshinou -> swf sends packet containing dirty toshinou stacktrace to the server

09/10/2018 18:52 PPOBackAlley#2

Nice find man, I wonder why this is in the code to start with..

09/10/2018 19:07 mchqeen12#3

Himmm :/

09/10/2018 19:18 pisi.pasz#4

What do you think it was in the code before the previous update? or its something new? and get patched into client sneaky so thats why tosh didn't said "unsupported main.swf" ?

Anyway thanks for the inform.

09/10/2018 19:25 Freshek#5

Quote:

Originally Posted by pisi.pasz

What do you think it was in the code before the previous update? or its something new?

Most likely it was implemented in the last week update.

Quote:

Originally Posted by pisi.pasz

and get patched into client sneaky so thats why tosh didn't said "unsupported main.swf" ?

AFAIK Toshinou doesn't have a feature which would block main.swf changes.

09/10/2018 19:44 Ghoti#6

Quote:

Originally Posted by Freshek

AFAIK Toshinou doesn't have a feature which would block main.swf changes.

^this

this is the SafetyCheck performed in the worker.js:
[Only registered and activated users can see links. Click Here To Register...]

and this is the called method:
[Only registered and activated users can see links. Click Here To Register...]

There are no swf checks, only js checks which have been there since the beginning
And it says so here:
[Only registered and activated users can see links. Click Here To Register...]

09/10/2018 19:48 tahiol#7

and if you make it like an Inc in a golem? -send the server between the players and the bigpoint and let it go? -the Golem does not have bans

09/10/2018 23:34 layyloww#8

if you still use toshinou youre retarded and probally deserve to get banned

09/10/2018 23:51 MisterBombastiic#9

I'm a noob and i would like to know: they deliberately do that to ban Toshinou users or no?

09/11/2018 00:09 skeith_sk8#10

Quote:

Originally Posted by MisterBombastiic

I'm a noob and i would like to know: they deliberately do that to ban Toshinou users or no?

Yes

09/11/2018 00:15 MisterBombastiic#11

Quote:

Originally Posted by skeith_sk8

Yes

well... i'm probably already in the ban list, just hope they won't ban me forever..

09/11/2018 01:34 Boyunduruk#12

So, you mean they're already in the banlist and they should try to have fun?

09/11/2018 12:34 Slaze-Maze#13

Quote:

Originally Posted by Boyunduruk

So, you mean they're already in the banlist and they should try to have fun?

Botters who are using toshinou have a very high chance that they are already flagged for next banwave. So the bad news is, the banwave will come for sure but when will it be.

09/13/2018 01:52 Moneypulation#14

Wait, so bigpoint put the detection code into a toString() method because people wouldn't be looking for detection methods there I guess? Also PandorasBox seems kind of like a random name for the class, maybe also to avoid people looking in there for detection funcionality !? If that is the case, why didn't they properly obfuscate the code in the class or toString() method? At least, they could have encrypted the string "ExternalInterface" and decrypted it in runtime. In this way, anybody can just StringSearch the classes for that

09/13/2018 06:19 Requi#15

Quote:

Originally Posted by Moneypulation

Wait, so bigpoint put the detection code into a toString() method because people wouldn't be looking for detection methods there I guess? Also PandorasBox seems kind of like a random name for the class, maybe also to avoid people looking in there for detection funcionality !? If that is the case, why didn't they properly obfuscate the code in the class or toString() method? At least, they could have encrypted the string "ExternalInterface" and decrypted it in runtime. In this way, anybody can just StringSearch the classes for that

[Only registered and activated users can see links. Click Here To Register...]

The class is not new.

Page 1 of 2