Thread replies: 19
Thread images: 8
Thread images: 8
Anonymous
Help me hack an autism 2017-05-01 10:13:11 Post No. 60165798
[Report] Image search: [Google]
Help me hack an autism 2017-05-01 10:13:11 Post No. 60165798
[Report] Image search: [Google]
File: Wireshark_2017-05-01_22-31-12.png (63KB, 940x743px) Image search:
[Google]
63KB, 940x743px
http://pixelcanvas.io
I thought it would be fun to make a script to paint for me. Possibly as a neat learning exercise too. Welp...
>add local JS to hook into theirs and paint for me
It's all minified. I ain't going through 2.5k lines of obfuscated code unless I absolutely need to.
Hmm, I know, I'll just make a curl request with the necessary data!
>log network
They're using a TCP connection. FUG
Pic related is a screenshot of my network capture using wireshark. Here's a dump if you want to take a closer look but can't be bothered to capture it yourself: https ://puu dot sh/vCwj6/26dbdbfdd8.pcapng
Here's a quick rundown of stuff:
- Browser sends this request when you load the page: https ://puu dot sh/vCvIb/7883a7b0c0.png
- The HTTP connections in the capture are just to update the count of online users. Boring and can be ignored.
-2a02:...is my ipv6 (please don't hack me :^)),2400:...is the website
- The data sent from me is very similar in every request, but the last few bytes change every time. Same deal with the data sent from the server.
- I didn't touch the canvas while this was being captured, then before the last pair of requests (I think, the timing might have been slightly off) I placed a pixel.
Now my question is, where do I go from here? I'm a networking brainlet, so forgive me if there's some sort of standard or easy way to go around this that I've completely missed. What's the best way to figure out how this game works?
>>
Cute~
you don't have the slightest idea of what you're doing
>>
>>60165851
I know right
Could you help me learn?
>>
>>60165857
No, I don't either
>>
File: guess_Ill_die.jpg (31KB, 600x565px) Image search:
[Google]
31KB, 600x565px
>>60165875
Fugg
>>
File: tcp-header-56a1adc85f9b58b7d0c1a24f.png (32KB, 768x431px) Image search:
[Google]
32KB, 768x431px
>>60165857
https://fthmb.tqn.com/O8I6Dt9t5xVrw3UOVnbBUPdKjGs=/768x0/filters:no_upscale()/about/tcp-header-56a1adc85f9b58b7d0c1a24f.png
if you look at the 37th and 38th bytes, they are the source port number (0xfee1 = 0d65249).
40th and 41th the destination port number (0x0050 = 0d80).
The first 20 bytes (37 to 56) are TCP metadata. The rest would be probably a WebSocket packet. But the TCP metadata seems to be truncated, maybe?
>>
>>60166069
That makes some sense. Where do I have to look exactly to get the actual websocket data then? If you're referring to the hexdump shown on the screenshot, I don't see the port numbers in there anywhere, so I'm not sure what I'm actually supposed to be looking at.
Apologies for being dense, but like I said, I'm a network brainlet.
>>
>>60166180
Do you use Discord or something where we could chat?
>>
File: Hitler was right.png (191KB, 690x511px) Image search:
[Google]
191KB, 690x511px
Just download tamper data you fucking triple nigger.
>>
>>60165798
you're dumb
find the WebSocket definition and replace the .send function to log the sent packets for you:
ws.send = console.log;
>>
File: Screenshot_20170502-001154.png (105KB, 1080x1920px) Image search:
[Google]
105KB, 1080x1920px
See you in the future boiz
>>
File: Screenshot from 2017-05-01 18:19:51.png (162KB, 1812x997px) Image search:
[Google]
162KB, 1812x997px
>>60165798
If you are trying to make a bot for a website and you're looking at a hexdump you might have autism
Here is how to get started
>>
>>60166250
Sorry, but I ended up going to bed. I'll be back tomorrow around 7-8 GMT (is half past midnight as I'm writing this, for reference), if this thread is still alive and you're still willing to help I'll get something to chat on.
>>60166648
How? Teach me senpai
>>60166807
I'm trying to make a bot for a pixel placing retard fest website, of course I have autism.
I'll take a look at the js again but the problem with this approach is that 1. The "deobfuscate button" doesn't deobfuscate anything, it just adds whitespace while keeping all the unreadable variable names and minifier optimisations, and 2. If I want to script a standalone bot for this, if I know the exact network data to send there are 9000 tools I can use to stick into a bash script, whereas if I do it through JS I'll need to use node or something to run it outside a browser, which is gay.
The fact that they have these very clearly labelled switch statements is great though, thanks for the find - it can still help me figure out what they're doing even if I don't write my bot in js.
>>
File: Screenshot from 2017-05-01 18:44:43.png (42KB, 654x700px) Image search:
[Google]
42KB, 654x700px
>>60167011
> whereas if I do it through JS I'll need to use node or something to run it outside a browser, which is gay
You're gonna have a shit time not doing it in JS
You can just make a webExtensions add-on and run it inside of a browser.
>>
>>60167319
>You're gonna have a shit time not doing it in JS
Is there not an easy way to manipulate websocket connections from command line, in a similar vein to how curl lets you make http requests?
If not then you're right. But surely there must be something.
>>
>>60167681
I get that you want to feel 1337 and be able to type something into the terminal that turns your bot on
however that is virtually impossible since Javascript is heavily sandboxed
>>
File: 1489890555185.png (240KB, 428x456px) Image search:
[Google]
240KB, 428x456px
>tfw too dumb to know what anyone itt is talking about
>>
>>60168091
some sort of commands sent by the website, prolly
>>
>>60165798
>using the smiley with a carat nose
Thread posts: 19
Thread images: 8
Thread images: 8