Thread: Hacking KeyQuest


    Hacking KeyQuest

    When I came back recently I spoke to Joe about some apps I had always wanted to make but never got round to. One of them was a Key Quest auto player. Today I started to work on it and made this pastebin file for Joe as I went, so he could see the concept and understand what I'm talking about when I'm telling him my programming issues!

    This was never meant to be any longer than it already is, as it was just for Joe and it's all he would need to grasp the idea behind the project. But I might as well update it now it's public as I go. He asked me to post it here for others to learn from too:


    Keyquest Research - RareDareDevil
    ----------------------------------

    Target
    ------
    A key quest auto player that simulates packets within the game but never actually loads the game.

    Log
    ---
    First I need to get a list of room names. To do this I load a new game of Key Quest, attach a packet editor to firefox.exe
    and then filter-scan all packets while pressing "5-key room" in the lobby.

    Relevant packet info:

    1.POST /amfphp/gateway.php HTTP/1.1..Host: (you need an account to see links)..
    2.Referer: (you need an account to see links)..
    3.Content-type: application/x-amf
    4...Content-length: 89............KeyQuestGameService.logPageView../15...)........hellokitty10111.../keyquest/lobby


    1. Post the information in 5. to (you need an account to see links)
    2. The referring page should be set to this in our program
    3. x-amf request (flash xml library); we will need to change our wrapper to reflect this
    4. The post data to send. The "...." are actually different bytes with different hex values, representing the full structure of the x-amf request.



    Now, to simulate the above packet, I first used my httpwrapper unedited to send an HTTP post request as such:
    1. Post the raw information (no exact hex codes) from 5. to (you need an account to see links)

    Relevant result packet info:
    1.POST /amfphp/gateway.php HTTP/1.1..Host: (you need an account to see links)..
    2.Content-Type: application/x-www-form-urlencoded..
    3.Content-Length: 93................KeyQuestGameService.logPageView. ./15...)........hellokitty10111.../keyquest/lobby


    Notes:
    1. Simulated fine.
    2. Changed the header in the wrapper to application/x-amf.
    3. Length needs fixing; I probably added too many trailing "..". Also, each "." needs to get its hex value.

    Reply from server at current state when deflated with gzip:
    HTTP/1.1 200 OK
    Date: Sun, 01 Jul 2012 18:52:55 GMT
    Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7a PHP/5.1.6
    X-Powered-By: PHP/5.1.6
    Vary: Accept-Encoding,User-Agent
    Content-Encoding: gzip
    Content-Length: 386
    Connection: close
    Content-Type: text/html; charset=UTF-8


    Fatal error: Uncaught exception 'VerboseException' with message 'Malformed AMF message, connection may have dropped' in /home/neopets/public_html/amfphp/core/amf/io/AMFBaseDeserializer.php:210
    Stack trace:
    #0 [internal function]: amfErrorHandler(1024, 'Malformed AMF m...', '/home/neopets/p...', 210, Array)
    #1 /home/neopets/public_html/amfphp/core/amf/io/AMFBaseDeserializer.php(210): trigger_error('Malformed AMF m...')
    #2 /home/neopets/public_html/amfphp/core/amf/io/AMFBaseDeserializer.php(134): AMFBaseDeserializer->readHeader()
    #3 /home/neopets/public_html/amfphp/core/amf/app/Filters.php(38): AMFBaseDeserializer->deserialize(Object(AMFObject))
    #4 /home/neopets/public_html/amfphp/core/amf/app/Gateway.php(177): deserializationFilter(Object(AMFObject))
    #5 /home/neopets/public_html/amfphp/gateway.php(154): Gateway->service()
    #6 {main}
    thrown in /home/neopets/public_html/amfphp/core/amf/io/AMFBaseDeserializer.php on line 210



    The errors are because the packet bytes are invalid, so we will clone them now.

    Hex view:
    0D 0A 00 03 00 00 00 01 00 1F 4B 65 79 51 75 65 73 74 47 61 6D 65 53 65 72 76 69 63 65 2E 6C 6F 67 50 61 67 65 56 69 65 77 00 02 2F 36 00 00 00 25 0A 00 00 00 02 02 00 08 72 61 72 65 6E 65 73 73 02 00 12 2F 6B 65 79 71 75 65 73 74 2F 67 61 6D 65 6C 69 73 74

    ASCII view:
    . . . . . . . . . . K e y Q u e s t G a m e S e r v i c e . l o g P a g e V i e w . . /6 . . . %. . . . . . . . r a r e n e s s . . . / k e y q u e s t / g a m e l i s t



    To do this we use chr codes, converting the hex values to decimal.


    This took some perfecting and a long time comparing packets byte by byte, the original vs my program, until it was cloned 100%...

    ' Each Chr(n) is one byte of the dump above, written as its decimal value.
    ' Body: strict array (0A) with 2 elements, each an AMF0 string (02 + 2-byte length + text).
    Dim body As String = Chr(10) & Chr(0) & Chr(0) & Chr(0) & Chr(2)
    body &= Chr(2) & Chr(0) & Chr(Len(txtusername.Text)) & txtusername.Text
    body &= Chr(2) & Chr(0) & Chr(18) & "/keyquest/gamelist"
    ' Envelope: version 3, 0 headers, 1 message, then target URI, response URI, body length, body.
    Dim thepacket As String = Chr(0) & Chr(3) & Chr(0) & Chr(0) & Chr(0) & Chr(1)
    thepacket &= Chr(0) & Chr(31) & "KeyQuestGameService.logPageView"
    thepacket &= Chr(0) & Chr(2) & "/6"
    thepacket &= Chr(0) & Chr(0) & Chr(0) & Chr(Len(body)) & body


    P.S. I do not care that a username is included in this code, it's a mule.
    Last edited by DarkByte; 07-01-2012 at 06:13 PM.
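The envelope being hand-built above has a fixed AMF0 layout (version, header count, message count, then target URI, response URI, a 4-byte body length and the body), and the gateway's "Malformed AMF message" error is its deserializer rejecting that layout. The following is an added example, not code from the post or from DarkByte's program: a small Python decoder that walks the hex dump from the post field by field and reports where a bad length or a truncated packet breaks, which is the check a gateway owner would want in front of a dispatcher like this. The byte string and its wrong-length variant are constructed from the dump (the leading 0D 0A is the CRLF ending the HTTP headers and is left out); "rareness" is the mule username that appears in it.

```python
import struct


class AmfError(ValueError):
    """Envelope does not decode; amfphp reports this case as 'Malformed AMF message'."""


def _need(buf, pos, n, what):
    # Bounds check before every read so a truncated packet fails cleanly.
    if pos + n > len(buf):
        raise AmfError(f"truncated while reading {what} at offset {pos}")


def _read_utf(buf, pos):
    """AMF0 string: 2-byte big-endian length followed by that many UTF-8 bytes."""
    _need(buf, pos, 2, "string length")
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    _need(buf, pos, n, "string bytes")
    return buf[pos:pos + n].decode("utf-8"), pos + n


def _read_value(buf, pos):
    """Decode one AMF0 value (only the types that show up in gateway calls)."""
    _need(buf, pos, 1, "type marker")
    marker = buf[pos]
    pos += 1
    if marker == 0x00:                      # number: IEEE 754 double
        _need(buf, pos, 8, "number")
        return struct.unpack_from(">d", buf, pos)[0], pos + 8
    if marker == 0x01:                      # boolean: one byte
        _need(buf, pos, 1, "boolean")
        return bool(buf[pos]), pos + 1
    if marker == 0x02:                      # string
        return _read_utf(buf, pos)
    if marker == 0x05:                      # null
        return None, pos
    if marker == 0x0A:                      # strict array: 4-byte count, then values
        _need(buf, pos, 4, "array length")
        (count,) = struct.unpack_from(">I", buf, pos)
        pos += 4
        items = []
        for _ in range(count):
            item, pos = _read_value(buf, pos)
            items.append(item)
        return items, pos
    raise AmfError(f"unsupported AMF0 type marker 0x{marker:02X} at offset {pos - 1}")


def parse_amf0_request(buf):
    """Parse an AMF0 request envelope: version, headers, then one or more
    (target URI, response URI, body length, body) messages."""
    _need(buf, 0, 6, "envelope preamble")
    version, header_count, message_count = struct.unpack_from(">HHH", buf, 0)
    pos = 6
    headers = []
    for _ in range(header_count):
        name, pos = _read_utf(buf, pos)
        _need(buf, pos, 5, "header flags")
        must_understand = bool(buf[pos])
        pos += 5                            # skip must-understand byte and 4-byte length
        value, pos = _read_value(buf, pos)
        headers.append((name, must_understand, value))
    messages = []
    for _ in range(message_count):
        target, pos = _read_utf(buf, pos)    # "Service.method" the gateway dispatches to
        response, pos = _read_utf(buf, pos)  # client-side response slot, e.g. "/6"
        _need(buf, pos, 4, "body length")
        (declared,) = struct.unpack_from(">I", buf, pos)
        pos += 4
        start = pos
        body, pos = _read_value(buf, pos)    # the call arguments, normally a strict array
        if pos - start != declared:
            raise AmfError(f"declared body length {declared} but body is {pos - start} bytes")
        messages.append({"target": target, "response": response, "body": body})
    if pos != len(buf):
        raise AmfError(f"{len(buf) - pos} trailing byte(s) after the last message")
    return {"version": version, "headers": headers, "messages": messages}


def check_envelope(buf):
    """Return 'ok' or a one-line reason; the line a gateway log should record."""
    try:
        parse_amf0_request(buf)
        return "ok"
    except AmfError as exc:
        return f"malformed: {exc}"


# Constructed sample: the AMF0 envelope from the post's hex dump (CRLF omitted).
SAMPLE_AMF_REQUEST = bytes.fromhex(
    "00 03 00 00 00 01 00 1F 4B 65 79 51 75 65 73 74 47 61 6D 65 53 65 72 76 "
    "69 63 65 2E 6C 6F 67 50 61 67 65 56 69 65 77 00 02 2F 36 00 00 00 25 0A "
    "00 00 00 02 02 00 08 72 61 72 65 6E 65 73 73 02 00 12 2F 6B 65 79 71 75 "
    "65 73 74 2F 67 61 6D 65 6C 69 73 74"
)

# Constructed negative case: same bytes with the body length claiming 38 instead of 37,
# the kind of off-by-a-few error the post ran into while fixing the length.
WRONG_LENGTH_REQUEST = SAMPLE_AMF_REQUEST.replace(b"\x00\x00\x00\x25", b"\x00\x00\x00\x26", 1)

if __name__ == "__main__":
    for msg in parse_amf0_request(SAMPLE_AMF_REQUEST)["messages"]:
        print(msg["target"], msg["response"], msg["body"])
    print(check_envelope(WRONG_LENGTH_REQUEST))
    print(check_envelope(SAMPLE_AMF_REQUEST[:40]))
```

Every length field is validated against the bytes actually consumed, so a packet whose Content-Length or body length disagrees with its contents is reported with the offset and field name instead of the bare "Malformed AMF message" the stack trace above gives.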

