
[P.O.C.] Begin hacking on DarkOrbit client..

Discussion on [P.O.C.] Begin hacking on DarkOrbit client.. within the DarkOrbit forum part of the Browsergames category.

 
Old 11/01/2012, 23:13   #61
 
 
elite*gold: 0
Join Date: Jun 2012
Posts: 354
Received Thanks: 126
hey add me on skype man lol boni021
alien1980 is offline  
Old 11/01/2012, 23:23   #62
 
elite*gold: 0
Join Date: Nov 2012
Posts: 1
Received Thanks: 0
hi

hi w00d, I might be interested in giving you a hand, contact me by mail at or on skype synaptic26

I can help you.
Synaptic26 is offline  
Old 11/01/2012, 23:32   #63
 
 
elite*gold: 0
Join Date: Apr 2011
Posts: 571
Received Thanks: 132
why do you have an image editor opened?
stainersxm is offline  
Old 11/01/2012, 23:38   #64
 
elite*gold: 0
Join Date: Nov 2012
Posts: 61
Received Thanks: 73
Quote:
Originally Posted by stainersxm View Post
why do you have an image editor opened?
Paint is an 'image editor'? Ahahaha
Anyway I had it opened because I was saving the screenshots of the screen :P
W00dL3cs is offline  
Old 11/02/2012, 00:27   #65
 
elite*gold: 464
Join Date: Dec 2010
Posts: 3,998
Received Thanks: 3,909
Release something or explain more about your work

Otherwise I won't trust you
Dr.Toni-old is offline  
Thanks
1 User
Old 11/02/2012, 00:29   #66
 
elite*gold: 0
Join Date: Jun 2012
Posts: 14
Received Thanks: 4
When you manage to reconstruct the client, you should edit the values of boxes and aliens and stuff. ex. give all the boxes 100k uri or something that way we can all be UFE, and have competitive battles. And also, make the chance for gate parts 100% haha.

If you make it that far though, I would like to request that you keep the scripts that give someone an 'edge' out of your client, Like auto locks, or damage hacks etc etc. That way, it would be the darkorbit everyone wants; Cheap, fun, and full of fair competition

People would love you if you could do something like that, haha.

I've got my fingers crossed
Uhnanimus is offline  
Old 11/02/2012, 05:32   #67
 
elite*gold: 0
Join Date: May 2011
Posts: 500
Received Thanks: 261
well, it's a really good tool, I never thought like it, I kept watching swf or sniffed packets to update my bot lol
I would like to learn your way and take part in it, if you like

-Binarybot
ßΙЍȺƦƴßȰȾ is offline  
Old 11/02/2012, 06:03   #68
 
 
elite*gold: 237
Join Date: Sep 2010
Posts: 1,152
Received Thanks: 4,910
Quote:
Originally Posted by imaboortsog View Post
No
You think wrong, he is doing little hack
Example speeding up Hellstorm Reload ):
First of all. bullshit. You can't. It's all handled server side. Nothing in this game can be hacked, speed hacks, damage hacks etc all DO NOT EXIST. I want to get that out of the way now.

Secondly, the thing that slows down the updates is NOT the darkorbit IDs, we have an ID handler already that updates the bot for our dev version without us doing anything. It's the dynamic encryption code WHICH CANNOT BE RUN IN C# that they send in the obfuscation request packet. I hate fucking noobs who come on here going. IT'S SIMPLE!! NOT TOO HARD JUST DO THIS THIS AND THIS! IF IT WAS THAT SIMPLE WE WOULD HAVE IT DONE BY NOW!! Yet again DarkOrbit have updated their encryption. I have a ByteCode decompiler working... which allows us to extract actionscript bytecode and then I plan to write a converter to allow us to convert AS3 to C# in app rather than it being precompiled. Once that's done... WE WILL UPDATE! Jesus Christ!

Update:

Quote:
Originally Posted by Uhnanimus View Post
When you manage to reconstruct the client, you should edit the values of boxes and aliens and stuff. ex. give all the boxes 100k uri or something that way we can all be UFE, and have competitive battles. And also, make the chance for gate parts 100% haha.

If you make it that far though, I would like to request that you keep the scripts that give someone an 'edge' out of your client, Like auto locks, or damage hacks etc etc. That way, it would be the darkorbit everyone wants; Cheap, fun, and full of fair competition

People would love you if you could do something like that, haha.

I've got my fingers crossed
THIS CAN'T BE DONE EITHER!!!

Quote:
Originally Posted by bossfong View Post
mkay, so the names are actually in the client, I didn't know that. Did you write your own swf/abc parser?
First of all, before someone misleads ya mate. No, the names are pre-obfuscated. THEY ARE NOT EXISTENT IN THE SWF AT ALL. If you really wrote your own ABC Parser/Decompiler, check the constant pool string variable

Quote:
Originally Posted by maledict View Post
That's what i was trying to explain...i was reacting to posts like this:

JIT - just in time compilation of opcodes in the actionscript VM.. It's easier to change the opcodes before they are JITed i think and preferable for me to do it on the fly, so one doesn't have to download/setup/whatever anything (only the patcher).
There is no such thing as JIT in flash! It is all compiled to Bytecode before the client even runs. It's like C++, it compiles to bytecode (which is basically machine code commands) which the AVM then reads and converts to ACTUAL machine code depending on your architecture that will run on your CPU.

Quote:
Originally Posted by bossfong View Post
Does the AVM actually do any jitting?
No. There is no JITing in ActionScript.

Quote:
Originally Posted by maledict View Post
Of course it does. Search for tamarin, it was open-sourced long time ago.
Tamarin is a JavaScript JITter which compiles JavaScript to native C++. But it has been replaced by node.js and the likes. It is used in ActionScript to provide interoperability between flash and javascript (for example, allowing Flash to call JavaScript functions, allowing communication between HTML and Flash... it's used extensively in YouTube to allow control of the Flash player from HTML.)

Quote:
Originally Posted by W00dL3cs View Post
I still can't understand... Why would you need to edit the opcodes?
You are mistaken. The OpCodes in the SWF aren't actually op codes, they are packet ids. OpCodes is a term used in ByteCode to represent HEX values of function calls, or machine commands. For example in AS3 an OpCode 0x10 would represent a jump, (or a goto statement if you want to put it in C++ or C# terms).


Now on a non-angry aggressive tone. Nice work W00dL3cs! It's nice to see someone who actually knows what they are doing still exists in public :P (Unlike iBot and kBot who would much rather just ignore all us "inferior" noobs and release a bot without actually saying anything :P). One thing... I ROFLed at the prompt text:

"insert name of SWF to hack (Do not include extension)" and then you went and typed: "main.swf" ahahah ^.^ Anyways, nice work.

Quote:
Originally Posted by W00dL3cs View Post
Just about packets, I still can't understand why some of you still log them with hex strings, while their structure is so fuc*ing easy!
Just to let you know, we log them as hex because to us, it's easier to read and understand why a packet threw an error. If you try and parse the packet, and then it throws an exception... you cannot log the parsed packet, so instead we log the hex of the array so we can determine what the issue is.

-jD
»jD« is offline  
Thanks
5 Users
Old 11/02/2012, 06:53   #69
 
elite*gold: 79
Join Date: Jun 2011
Posts: 2,477
Received Thanks: 596
Quote:
Originally Posted by jduncanator View Post
First of all. bullshit. You can't. It's all handled server side. Nothing in this game can be hacked, speed hacks, damage hacks etc all DO NOT EXIST. I want to get that out of the way now.

Secondly, the thing that slows down the updates is NOT the darkorbit IDs, we have an ID handler already that updates the bot for our dev version without us doing anything. It's the dynamic encryption code WHICH CANNOT BE RUN IN C# that they send in the obfuscation request packet. I hate fucking noobs who come on here going. IT'S SIMPLE!! NOT TOO HARD JUST DO THIS THIS AND THIS! IF IT WAS THAT SIMPLE WE WOULD HAVE IT DONE BY NOW!! Yet again DarkOrbit have updated their encryption. I have a ByteCode decompiler working... which allows us to extract actionscript bytecode and then I plan to write a converter to allow us to convert AS3 to C# in app rather than it being precompiled. Once that's done... WE WILL UPDATE! Jesus Christ!

Update:



THIS CAN'T BE DONE EITHER!!!



First of all, before someone misleads ya mate. No, the names are pre-obfuscated. THEY ARE NOT EXISTENT IN THE SWF AT ALL. If you really wrote your own ABC Parser/Decompiler, check the constant pool string variable



There is no such thing as JIT in flash! It is all compiled to Bytecode before the client even runs. It's like C++, it compiles to bytecode (which is basically machine code commands) which the AVM then reads and converts to ACTUAL machine code depending on your architecture that will run on your CPU.



No. There is no JITing in ActionScript.



Tamarin is a JavaScript JITter which compiles JavaScript to native C++. But it has been replaced by node.js and the likes. It is used in ActionScript to provide interoperability between flash and javascript (for example, allowing Flash to call JavaScript functions, allowing communication between HTML and Flash... it's used extensively in YouTube to allow control of the Flash player from HTML.)



You are mistaken. The OpCodes in the SWF aren't actually op codes, they are packet ids. OpCodes is a term used in ByteCode to represent HEX values of function calls, or machine commands. For example in AS3 an OpCode 0x10 would represent a jump, (or a goto statement if you want to put it in C++ or C# terms).


Now on a non-angry aggressive tone. Nice work W00dL3cs! It's nice to see someone who actually knows what they are doing still exists in public :P (Unlike iBot and kBot who would much rather just ignore all us "inferior" noobs and release a bot without actually saying anything :P). One thing... I ROFLed at the prompt text:

"insert name of SWF to hack (Do not include extension)" and then you went and typed: "main.swf" ahahah ^.^ Anyways, nice work.



Just to let you know, we log them as hex because to us, it's easier to read and understand why a packet threw an error. If you try and parse the packet, and then it throws an exception... you cannot log the parsed packet, so instead we log the hex of the array so we can determine what the issue is.

-jD
Are you really serious with that
After someone Did (: you could be like this
Prime.™ is offline  
Old 11/02/2012, 07:24   #70
 
 
elite*gold: 237
Join Date: Sep 2010
Posts: 1,152
Received Thanks: 4,910
I don't get what you mean?

-jD
»jD« is offline  
Old 11/02/2012, 08:31   #71
 
elite*gold: 0
Join Date: Nov 2012
Posts: 61
Received Thanks: 73
@jduncanator: Thanks for the constructive criticism. Anyway, there are a few points I would like to respond to.

First of all, yes: names of the variables are still there.
Simply, you can't read them using any decompiler/disassembler in commerce.

Second, for what concerns the 'opcodes', I obviously know what they are and what they are used for. Anyway using the word 'opcode' is also a convention used in the 'emulation world', because as a given opcode points to a function, a variable or whatever else, the same way, in an emulator, it points to a class to invoke when the message is received :P

Finally, I also lol'd when I noticed that mistake with the swf file on the console output, but remember that I managed to write an automatic parser, which recognises whether the extension is included or not. I just forgot to edit the string to print on the console
W00dL3cs is offline  
Old 11/02/2012, 08:34   #72
 
 
elite*gold: 237
Join Date: Sep 2010
Posts: 1,152
Received Thanks: 4,910
Aahha all cool bro. So did you write your own decompiler? lol I doubt it coz that takes a lot of work :P

-jD
»jD« is offline  
Old 11/02/2012, 08:37   #73
 
elite*gold: 0
Join Date: Nov 2012
Posts: 61
Received Thanks: 73
Quote:
Originally Posted by jduncanator View Post
Aahha all cool bro. So did you write your own decompiler? lol I doubt it coz that takes a lot of work :P

-jD
Would call it more a 'disassembler' :P
W00dL3cs is offline  
Old 11/02/2012, 09:02   #74
 
 
elite*gold: 237
Join Date: Sep 2010
Posts: 1,152
Received Thanks: 4,910
Well I've been writing mine for the last week and it still isn't enough to dump as3 yet and you've been working for a few days?! I'd like to see this "disassembler".

-jD
»jD« is offline  
Old 11/02/2012, 09:06   #75
 
elite*gold: 0
Join Date: Nov 2012
Posts: 61
Received Thanks: 73
Quote:
Originally Posted by jduncanator View Post
Well I've been writing mine for the last week and it still isn't enough to dump as3 yet and you've been working for a few days?! I'd like to see this "disassembler".

-jD
Given that an swf is composed of pure byte code, once you have the right opcodes etc, you can obtain a full representation of its structure.
There is a sort of documentation by Adobe...
I should still have a copy on my computer :P
W00dL3cs is offline  
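
The constant pool check suggested earlier in the thread, and the point that the documented layout is enough to recover a file's structure, as an added example (not code from any poster or tool in this thread): a reader for the string pool at the start of an ActionScript bytecode (ABC) block, following the constant pool layout in Adobe's AVM2 overview. The sample bytes and all function names are constructed for illustration, and the input is assumed to be an ABC block already taken out of its SWF tag.

```python
import re
import struct

# Constructed sample: version 46.16, one int (300), no uints, one double (1.0),
# and two strings: "Ship" and a two-byte unprintable name.
SAMPLE_ABC = bytes.fromhex(
    "10002e00" "02ac02" "00" "02000000000000f03f" "03" "0453686970" "020102")

def read_u30(buf, pos):
    """Decode one variable-length integer: 7 bits per byte, low bits first."""
    value = 0
    for shift in range(0, 35, 7):              # at most five bytes
        if pos >= len(buf):
            raise ValueError("truncated variable-length integer")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:                    # high bit clear: last byte
            break
    return value & 0xFFFFFFFF, pos

def read_string_pool(abc):
    """Return ((major, minor), strings) from the start of an ABC block."""
    if len(abc) < 4:
        raise ValueError("too short for an ABC header")
    minor, major = struct.unpack_from("<HH", abc, 0)
    pos = 4
    for _pool in ("int", "uint"):              # both pools hold varints
        count, pos = read_u30(abc, pos)
        for _entry in range(max(count - 1, 0)):    # entry 0 is implicit
            _value, pos = read_u30(abc, pos)
    count, pos = read_u30(abc, pos)
    pos += 8 * max(count - 1, 0)               # doubles are 8 bytes each
    count, pos = read_u30(abc, pos)
    strings = [""]                             # index 0: implicit empty string
    for _entry in range(max(count - 1, 0)):
        size, pos = read_u30(abc, pos)
        if pos + size > len(abc):
            raise ValueError("string entry runs past end of data")
        strings.append(abc[pos:pos + size].decode("utf-8", errors="replace"))
        pos += size
    return (major, minor), strings

def readable_names(strings):
    """Pool entries that look like ordinary source identifiers."""
    ident = re.compile(r"[A-Za-z_$][A-Za-z0-9_$.:]*")
    return [s for s in strings if ident.fullmatch(s)]

if __name__ == "__main__":
    version, pool = read_string_pool(SAMPLE_ABC)
    print(version, pool, readable_names(pool))
```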
All times are GMT +1. The time now is 22:31.