How to make a bot for Darkorbit?

03/05/2024 06:32 Ronaldo+#1
Hello, I have ideal knowledge about reverse engineering, game hacking, Assembly, and the C# and C++ programming languages. I know how to cheat in normal games, but Flash games work on a very different system. I dumped Darkorbit's main.swf file with JPEXS and examined it, and found many useful functions, but I do not know how to run these functions. While I am on the DO client start screen, I can make changes to the main.swf code in memory without the main.swf file having been run in the ActionScript Virtual Machine yet. But this is not enough to make a bot; maybe simple little tricks can be done.
Therefore, it is necessary to be able to run functions at run-time. How do I do this?
03/08/2024 22:05 Exenu#2
I believe the bots run a headless client; as in, instead of running the main.swf, the bot just sends the packets to the game server to do x, y, z.
03/12/2024 19:15 jajaxdxd#3
This may help you understand: [link visible to registered users only]

It's an old packet bot.
03/13/2024 18:23 vokovl#4
Quote:
Originally Posted by jajaxdxd View Post
This may help you understand: [link visible to registered users only]

It's an old packet bot.
It's no packet bot, it works with Flash.
03/14/2024 19:45 Ronaldo+#5
Darkorbit sends TCP messages with WSASend() at the operating system level. I hooked this function with the Microsoft Detours library in C++ and found the packets it sends. Currently, I can perform operations with static packets, such as changing drone formations, changing lasers, using Insta, using ship abilities, etc., but not non-static ones, like clicking on an NPC or collecting a box. Each NPC and box has a unique ID value, so I cannot perform these operations. All messages are written one by one in binary format. I don't know how to decrypt the messages, so I can only perform static operations. For example, when I send this packet to the Darkorbit server, the ship's drone formation changes to drill:
[PACKET]: 00 00 1F DE 46 00 01 17 64 72 6F 6E 65 5F 66 6F 72 6D 61 74 69 6F 6E 5F 66 2D 33 64 2D 64 72 00 01
[ASCII]: ....F....drone_formation_f-3d-dr..
03/14/2024 22:09 Requi#6
I recommend reverse engineering the Flash client (main.swf). You can use [link visible to registered users only] to dump it. You can use ffdec to decompile it.
Packets are serialized like this:
Code:
serializer.writeByte((length & 0xFF0000) >> 16); // high byte of the 24-bit length
serializer.writeShort(length & 0xFFFF);          // low 16 bits of the length
serializer.writeShort(packet.Id);                // 2-byte packet ID
packet.serialize(serializer); // depending on the packet the data can be very different, but DO still uses some legacy packets which are string-based and delimited by |
Packet IDs change every Wednesday if I'm not mistaken.
EDIT: I have been informed not every ID changes and that they haven't changed in 3 weeks. So I guess they be slacking.

There are a few approaches to writing a bot. One is simulating the client by rebuilding it and sending and parsing the packets yourself.
Another way is going memory-based and calling the functions you need to run yourself internally. The "problem" with that is that the actual flash client needs to run. So not that great if you want to run headless.
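The framing Requi describes above, worked through as an added example (my code, not the forum's, Ronaldo+'s or any bot's): a serializer matching the four lines of the post, a parser that checks the declared length before trusting a packet ID, a stream splitter that reassembles frames across send/recv buffers, and a reader for ActionScript's writeUTF/readUTF string encoding (2-byte length plus UTF-8). It is run against the drone-formation dump Ronaldo+ posted in #5. As pasted, that dump declares a length of 0x1F = 31 but only 30 bytes follow the length field, and its ASCII rendering is one character longer than the hex; the example assumes (labelled in the code, not confirmed anywhere in the thread) that a single 0x00 was dropped after `00 01`, so that `00 17` is the 2-byte length of the 23-character string. That the length field counts the packet ID plus the body is also an assumption, chosen because it is the only reading consistent with the corrected dump. All function and constant names are mine; the meaning of the two bytes before and after the string is not covered in the thread and is kept opaque.

```python
import struct

# Frame layout as described in the post: a 3-byte big-endian length
# (writeByte of the high byte, writeShort of the low 16 bits), then a 2-byte
# packet ID, then a body whose layout depends on the packet. Assumption: the
# length counts every byte after the length field, i.e. ID plus body.
LEN_FIELD = 3
ID_FIELD = 2


class IncompleteFrame(ValueError):
    """Not enough bytes buffered yet; wait for more from the socket."""


class MalformedFrame(ValueError):
    """The length field cannot be right; the stream is desynchronised."""


def build_frame(packet_id: int, body: bytes) -> bytes:
    """Serialize [len:3][id:2][body] the way the client's serializer does."""
    length = ID_FIELD + len(body)
    if not 0 <= packet_id <= 0xFFFF:
        raise ValueError("packet ID must fit in 16 bits")
    if length > 0xFFFFFF:
        raise ValueError("body too large for a 24-bit length")
    header = bytes([(length & 0xFF0000) >> 16]) + struct.pack(">H", length & 0xFFFF)
    return header + struct.pack(">H", packet_id) + body


def parse_frame(data: bytes) -> tuple[int, bytes, bytes]:
    """Parse one frame from the front of data; return (packet_id, body, leftover).

    Raises IncompleteFrame when the declared length exceeds what is buffered
    and MalformedFrame when the length cannot even cover the packet ID.
    """
    if len(data) < LEN_FIELD:
        raise IncompleteFrame("need %d more byte(s) for the length field" % (LEN_FIELD - len(data)))
    length = (data[0] << 16) | struct.unpack(">H", data[1:3])[0]
    if length < ID_FIELD:
        raise MalformedFrame("declared length %d is shorter than the packet ID" % length)
    end = LEN_FIELD + length
    if len(data) < end:
        raise IncompleteFrame("declared %d bytes after the length, only %d buffered"
                              % (length, len(data) - LEN_FIELD))
    packet_id = struct.unpack(">H", data[3:5])[0]
    return packet_id, data[5:end], data[end:]


def split_stream(buf: bytes) -> tuple[list[tuple[int, bytes]], bytes]:
    """Cut a TCP byte stream into complete frames; return the unfinished tail.

    A WSASend/WSARecv hook sees buffers, not packets: one call may carry
    several frames or half of one, so reassembly has to carry state across calls.
    """
    frames = []
    while buf:
        try:
            packet_id, body, buf = parse_frame(buf)
        except IncompleteFrame:
            break
        frames.append((packet_id, body))
    return frames, buf


def read_utf(body: bytes, offset: int) -> tuple[str, int]:
    """Read a string as ActionScript's ByteArray.readUTF does: a 2-byte
    big-endian length followed by that many UTF-8 bytes. Returns (string, next offset)."""
    (n,) = struct.unpack_from(">H", body, offset)
    start = offset + 2
    if start + n > len(body):
        raise MalformedFrame("string length %d runs past the end of the body" % n)
    return body[start:start + n].decode("utf-8"), start + n


# The drone-formation packet exactly as pasted in post #5 (hex copied verbatim).
POSTED_HEX = (
    "00 00 1F DE 46 00 01 17 64 72 6F 6E 65 5F 66 6F 72 6D 61 74 69 6F 6E 5F"
    " 66 2D 33 64 2D 64 72 00 01"
)
# Assumption (not from the post): the dump dropped one 0x00 after "00 01", so
# that 0x0017 (23) is the readUTF length of the 23-byte string. With that byte
# restored the declared length 0x1F = 31 matches the bytes that follow it.
ASSUMED_HEX = POSTED_HEX.replace("00 01 17", "00 01 00 17", 1)


def decode_drone_formation(hex_dump: str) -> dict:
    """Frame the dump and pull out the fields a bot would look at."""
    packet_id, body, leftover = parse_frame(bytes.fromhex(hex_dump))
    # The 2-byte fields before and after the string are undocumented in the
    # thread; they are returned as opaque bytes rather than guessed at.
    name, off = read_utf(body, 2)
    return {"packet_id": packet_id, "lead": body[:2], "name": name,
            "trail": body[off:], "leftover": leftover}


if __name__ == "__main__":
    try:
        parse_frame(bytes.fromhex(POSTED_HEX))
    except IncompleteFrame as e:
        print("posted dump:", e)
    fields = decode_drone_formation(ASSUMED_HEX)
    print("packet id 0x%04X, string %r" % (fields["packet_id"], fields["name"]))
    # Re-serialising must give the same bytes back; that round trip is the
    # check to run on a hand-built packet before pushing it through a hooked WSASend().
    raw = bytes.fromhex(ASSUMED_HEX)
    print("round trip ok:", build_frame(fields["packet_id"], raw[5:]) == raw)
```

The same `split_stream` applies in the receive direction, since received packets use the same framing; the thing to get right in a bot is the distinction the two exceptions make: an IncompleteFrame means keep buffering, while a MalformedFrame means the stream position is wrong and nothing after it can be trusted until resynchronised.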
03/17/2024 17:54 Ronaldo+#7
Currently, I can easily decode all packets sent by the client. I take the ID value of the sent packet, search for the text writeShort(id) in main.swf with JPEXS, and see how it is encrypted with bitwise operators. Now I can check all the packets I sent; the only thing I get stuck on is the packets received. The received packets are quite long and complex, so how will I find out how these packets are decoded in main.swf?

Actually, I found a class, but when decompiling this class with JPEXS, it gets a timeout error. class name: net.bigpoint.darkorbit.com.module.§_-P1M§
03/17/2024 23:23 Requi#8
Quote:
Originally Posted by Ronaldo+ View Post
Currently, I can easily decode all packets sent by the client. I take the ID value of the sent packet, search for the text writeShort(id) in main.swf with JPEXS, and see how it is encrypted with bitwise operators. Now I can check all the packets I sent; the only thing I get stuck on is the packets received. The received packets are quite long and complex, so how will I find out how these packets are decoded in main.swf?

Actually, I found a class, but when decompiling this class with JPEXS, it gets a timeout error. class name: net.bigpoint.darkorbit.com.module.§_-P1M§
They're serialized the same way. You should be able to find them the same way.
Also, for your own sanity, I'd recommend enabling deobfuscation in the decompiler. Dealing with the obfuscated names makes things a lot harder.

You might have to increase the decompilation timeout in the settings.
03/18/2024 21:39 PNTX#9
Quote:
Originally Posted by vokovl View Post
It's no packet bot, it works with Flash.
lmao, ofc Polska was a packet bot.