Thread: Hacking KeyQuest

  1. #1
    Hacking KeyQuest

    When I came back recently I spoke to Joe about some apps I had always wanted to make but never got round to. One of them was a Key Quest auto player. Today I started to work on it and made this pastebin file for Joe as I went so he could see the concept and understand what I'm talking about when I'm telling him my programming issues!

    This was never meant to be any longer than it already is, as it was just for Joe and it's all he would need to grasp the idea behind the project. But I might as well update it as I go now it's public. He asked me to post it here for others to learn from too:


    Keyquest Research - RareDareDevil
    ----------------------------------

    Target
    ------
    A key quest auto player that simulates packets within the game but never actually loads the game.

    Log
    ---
    First I need to get a list of room names. To do this I load a new game of Key Quest, attach a packet editor to firefox.exe
    and then filter-scan all packets while pressing the "5-key room" lobby.

    Relevant Packet info -

    1.POST /amfphp/gateway.php HTTP/1.1..Host: www.neopets.com..
    2.Referer: http://images.neopets.com/keyquest/g...Quest.swf?v=34..
    3.Content-type: application/x-amf
    4...Content-length: 89............KeyQuestGameService.logPageView../15...)........hellokitty10111.../keyquest/lobby


    1. Post information in 5. to www.neopets.com/amfphp/gateway.php
    2. The referring page should be set to this in our program
    3. x-amf request (flash xml library); we will need to change our wrapper to reflect this
    4. The post data to send; the "...." are actually different bytes with different hex values, representing the x-amf request file structure.



    Now, to simulate the above packet, I first used my httpwrapper unedited to send an HTTP POST request as such:
    1. Post raw information (no exact hex codes) from 5. to www.neopets.com/amfphp/gateway.php

    Relevant result packet info-
    1.POST /amfphp/gateway.php HTTP/1.1..Host: www.neopets.com..
    2.Content-Type: application/x-www-form-urlencoded..
    3.Content-Length: 93................KeyQuestGameService.logPageView. ./15...)........hellokitty10111.../keyquest/lobby


    Notes:
    1. Simulated fine.
    2. Changed header in wrapper to application/x-amf
    3. Length needs fixing, probably added too many trailing ".."; also the "." need to get their hex value

    Reply from server at current state when deflated with gzip:
    HTTP/1.1 200 OK
    Date: Sun, 01 Jul 2012 18:52:55 GMT
    Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7a PHP/5.1.6
    X-Powered-By: PHP/5.1.6
    Vary: Accept-Encoding,User-Agent
    Content-Encoding: gzip
    Content-Length: 386
    Connection: close
    Content-Type: text/html; charset=UTF-8


    Fatal error: Uncaught exception 'VerboseException' with message 'Malformed AMF message, connection may have dropped' in /home/neopets/public_html/amfphp/core/amf/io/AMFBaseDeserializer.php:210
    Stack trace:
    #0 [internal function]: amfErrorHandler(1024, 'Malformed AMF m...', '/home/neopets/p...', 210, Array)
    #1 /home/neopets/public_html/amfphp/core/amf/io/AMFBaseDeserializer.php(210): trigger_error('Malformed AMF m...')
    #2 /home/neopets/public_html/amfphp/core/amf/io/AMFBaseDeserializer.php(134): AMFBaseDeserializer->readHeader()
    #3 /home/neopets/public_html/amfphp/core/amf/app/Filters.php(38): AMFBaseDeserializer->deserialize(Object(AMFObject))
    #4 /home/neopets/public_html/amfphp/core/amf/app/Gateway.php(177): deserializationFilter(Object(AMFObject))
    #5 /home/neopets/public_html/amfphp/gateway.php(154): Gateway->service()
    #6 {main}
    thrown in /home/neopets/public_html/amfphp/core/amf/io/AMFBaseDeserializer.php on line 210



    The errors are because the packet bytes are invalid, so we will clone them now
    / 6 % c r a r e n e s s
    0D 0A 00 03 00 00 00 01 00 1F 4B 65 79 51 75 65 73 74 47 61 6D 65 53 65 72 76 69 63 65 2E 6C 6F 67 50 61 67 65 56 69 65 77 00 02 2F 36 00 00 00 25 0A 00 00 00 02 02 00 08 72 61 72 65 6E 65 73 73 02 00 12 2F 6B 65 79 71 75 65 73 74 2F 67 61 6D 65 6C 69 73 74
    . . . . . . . . . . K e y Q u e s t G a m e S e r v i c e . l o g P a g e V i e w . . /6 . . . %. . . . . . . . r a r e n e s s . . . / k e y q u e s t / g a m e l i s t



    To do this we use Chr codes: convert the hex values to decimal.


    This took some perfecting and a long time comparing packets byte by byte, the original vs my program, until it was cloned 100%...
    Dim thepacket As String = Chr(0) & Chr(3) & Chr(0) & Chr(0) & Chr(0) & Chr(1) & Chr(0) & Chr(31) & "KeyQuestGameService.logPageView" & Chr(0) & Chr(2) & "/6" & Chr(0) & Chr(0) & Chr(0) & Chr(37) & Chr(10) & Chr(0) & Chr(0) & Chr(0) & Chr(2) & Chr(2) & Chr(0) & Chr(8) & txtusername.Text & Chr(2) & Chr(0) & Chr(18) & "/keyquest/gamelist"


    P.S. I do not care that a username is included in this code; it's a mule.
    Last edited by DarkByte; 07-01-2012 at 07:13 PM.

  2. The Following 12 Users Say Thank You to DarkByte For This Useful Post:

    Cody. (07-28-2012),DarkAngel (07-03-2012),Emiley (07-04-2012),esperanto (07-03-2012),Infamous Joe (07-01-2012),Reese (07-04-2012),Shichibukai (07-03-2012),SmileYaDead (07-03-2012),Trinket (07-28-2012),wayne000 (07-02-2012),yellowbomb04 (07-19-2012),zxzero (07-17-2012)

  3. #2




    Judging from that, sending data and receiving data can obviously be done. But I think the biggest problem is making it auto-play for you. It will take a hell of a lot of research to understand how the communication works - something I would think twice about before getting involved in :p

  4. #3
    It's nothing I have not done before for other games. A lot of work, yes, but not impossible as people had told me.

  5. The Following 3 Users Say Thank You to DarkByte For This Useful Post:

    Aeires (07-03-2012),Cody. (07-28-2012),Emiley (07-09-2012)

  6. #4

    People have been asking for a KQ auto-player or simulator for SO long I'm sure they'll be pumped no matter how long it takes you.

  7. #5


    DarkAngel
    If you can finish this, people will love you

    But as Damian said, the hard thing will be making it autoplay for you, because it's not about moving a piece around the board, it's about playing those games and such :/

  8. #6
    I'm working on this. Each packet is very similar. Also, there is a handshake packet before this packet that sets some important variables in the HTML reply; it sends just after the game loads.

  9. #7
    neofreak
    If you get this to work and by the looks of it, it seems you will, this program will be like a milestone in the black market community! So I wish you the best of luck in your endeavor! =)

  10. The Following User Says Thank You to neofreak For This Useful Post:

    DarkByte (07-17-2012)

  11. #8
    Actually, huge credits will go to @damian002 for his work on Decoding AMF binary data; this has helped me immensely, and anyone looking to do the same as me should look into this.

  12. #9

    It would be pretty amazing if there were a hack or bot or AP for Keyquest. But then everything would go super cheap due to over-inflation... Meh. It's not as if things aren't cheaper than chips compared to when I first started playing lol. I can't wait to see where this is going

  13. #10
    paox3
    I have no clue what that giant chunk of code says but sure, a keyquest autoplayer would be a nice addition.
