Last month’s project is going to be a little late, so to make up for it I thought I’d post some interesting info that was sent to me a while back by a fellow CMP student (Tom Le Cornu) at UEA. He managed to hack the Mochi Score API in one of my games, allowing him to post fake scores to the high score board.
Encryption: you’re doing it wrong!
Okay, so, here we go…
This is a game online: http://caffeinatednightmare.com/blog/evocannon/
From a fellow CMP student.
(click the “Evocannon” link mid-way down the page.)
The high score was 1 million or something. Too much time would be needed. So, let us use them skills.
When you die, you can submit your score. Using Firebug you can see that an HTTP POST request gets sent to scores.mochimedia.com. Cash monies. So if you use Tamper Data or something similar, you could change the score! Win! But wait…
Here’s a sample capture:
```http
POST /com/4/eca163a6dc9c7da5.swf HTTP/1.1
Host: scores.mochimedia.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, li
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: http://www.mochiads.com/static/lib/services/services.swf
Content-type: application/x-www-form-urlencoded
Content-length: 550

md5=eca5bd35f0fe10a1867280505f284966&rc4=16c0679cdaab65acce49cf603b6b02f261542284f378164568d5c4995cfa7870050250a9c8005585445cfdf1f91fa71b9640de2dbca55ea19c24fdf987f3d381bf505e55624f06217ec820b74aba9f535d4f04d42f254a626c924194e2e7a5d1241c0e8618d90bf578de64e0aae3a46f991dbcf8da412589d6723a886d94ea424576&ver=1&cls=com%2Emochimedia%2Eservices%2EMochiCom
```
It’s encrypted. So we have an MD5 hash and RC4 encrypted data.
Okay, so we need to get the key for the encrypted data, decrypt it, alter it, presumably hash it, then create a crafted POST request then send it.
So I decompile the game and after a bit of sifting, I see that Mochi Media have their own API for doing stuff with the leader boards and whatnot.
The call to update the leader board uses this function call:
```actionscript
public static function submit(score:Number, name:String, callbackObj:Object, callbackMethod:Object):Void {}
```
Which in turn calls this function:
```actionscript
MochiServices.send("scores_submit", {score: score, name: name}, callbackObj, callbackMethod);
```
However, there was nothing of interest in this file. But then, by chance, I see this at the top of the MochiServices file:
```actionscript
private static var _servURL:String = "http://www.mochiads.com/static/lib/services/";
private static var _services:String = "services.swf";
private static var _mochiLC:String = "MochiLC.swf";
```
So, I go to the "services.swf" file and I’m presented with a pink screen. Not very useful, so I decompile it. To find what I’m looking for I search for "RC4" in the text and this pops up:
```actionscript
var _local7 = new Object();
_local7.guid = getGUID();
_local7.cb = cb;
_local7.args = args;                                   // e.g. {score: score, name: name}
_local7.now = getTimer();
_local7.lcr = ["", Math.floor(new Date().getTime()), random(999999)].join("_s");
var _local8 = new com.mochimedia.util.JSON();
var _local9 = _local8.stringify(_local7);              // plaintext JSON
var _local10 = com.meychi.ascrypt.RC4.encrypt(_local9, _key);   // becomes the rc4= field
var _local11 = com.meychi.ascrypt.MD5.calculate(_key + com.meychi.ascrypt.MD5.calculate(_local9));   // becomes the md5= field
```
The encrypted RC4 data is just some JSON stuff encrypted with the key and the MD5 is a hash of the data and the key. But where is the key?
Maybe they used SSL.
Maybe they used TLS.
Maybe they generated it randomly.
Or maybe, just maybe, it was in the source code. And thus, without further ado:
```actionscript
static var _key = "REDACTED";
```
(I’m not going to actually publish the key.)
I can decrypt data, create the correct hash, but how to actually do the attack? Well, I wrote a SOCKS server a year or so back that comes in handy every now and then.
So I alter the code to change the name and score, encrypt it all, hash it properly, then send it as if nothing happened.
And thus, two hours later, Unroc El Mot, with a score of 2,000,000 is at the top of the leader-board.
Disclaimer. This has absolutely nothing to do with the creator of the game, or an attack on his person, but to do with the software provided by Mochi Media.
It’s all good and well using encryption, but sheesh, don’t put the key in the code!
- Thomas Le Cornu
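To make the attack Tom describes concrete, here is an added example (my own code, not Tom's tooling and not Mochi Media's) that rebuilds the envelope from the decompiled snippet in Python and then forges a submission with it. The envelope layout (JSON of guid/cb/args/now/lcr, RC4 of that JSON as hex, and MD5 of key + MD5(json)) is taken from the snippet; everything else is an assumption: the key value is a placeholder because the real one is redacted, the guid, callback name and timer values are constructed stand-ins, and `seal`, `unseal`, `client_submit` and `forge` are names chosen here. The `cls` form field from the capture is left out because it does not enter the hash.

```python
"""
Forge a Mochi-style score submission once the client-side RC4 key is known.

Added example, not code from the post or from Mochi Media. The envelope
format comes from the decompiled services.swf snippet; the key value,
field contents and function names are assumptions made for this example.
"""
import hashlib
import json
import random
import time
from typing import Optional

# The real key is redacted in the post; any string stands in for it here.
# That is the whole point: whatever it is, every copy of the SWF carries it.
EMBEDDED_KEY = "placeholder-key-shipped-in-services.swf"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation and XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def seal(key: str, message: dict) -> dict:
    """Client side: serialise, RC4 to hex, tag with md5(key + md5(json))."""
    plaintext = json.dumps(message, separators=(",", ":"))
    return {
        "md5": md5_hex(key + md5_hex(plaintext)),
        "rc4": rc4(key.encode(), plaintext.encode()).hex(),
        "ver": "1",
    }


def unseal(key: str, form: dict) -> Optional[dict]:
    """Server side: decrypt, recompute the tag, reject on mismatch."""
    plaintext = rc4(key.encode(), bytes.fromhex(form["rc4"])).decode("utf-8", errors="replace")
    if md5_hex(key + md5_hex(plaintext)) != form["md5"]:
        return None
    return json.loads(plaintext)


def client_submit(key: str, score: int, name: str) -> dict:
    """Mimics the scores_submit path in services.swf; field values are constructed."""
    now_ms = int(time.time() * 1000)
    message = {
        "guid": "00000000-0000-4000-8000-000000000000",   # constructed stand-in for getGUID()
        "cb": "scores_submit",                            # assumed callback name
        "args": {"score": score, "name": name},           # from MochiServices.send(...)
        "now": 4242,                                      # stand-in for getTimer()
        "lcr": "_s".join(["", str(now_ms), str(random.randrange(999999))]),
    }
    return seal(key, message)


def forge(key: str, captured: dict, score: int, name: str) -> Optional[dict]:
    """The attack: open a captured submission with the embedded key, rewrite, reseal."""
    message = unseal(key, captured)
    if message is None:
        return None
    message["args"]["score"] = score
    message["args"]["name"] = name
    return seal(key, message)


def demo() -> tuple:
    """A genuine submission is intercepted, rewritten, and accepted as valid."""
    genuine = client_submit(EMBEDDED_KEY, 1500, "honest player")
    forged = forge(EMBEDDED_KEY, genuine, 2_000_000, "Unroc El Mot")
    accepted = unseal(EMBEDDED_KEY, forged)   # the server cannot tell the difference
    return accepted["args"]["score"], accepted["args"]["name"]


if __name__ == "__main__":
    print(demo())
```

`unseal` is exactly the check a server holding the same key can perform, and the forged form passes it because it was produced with the genuine key. Editing the ciphertext or the tag without the key is caught, so the scheme does stop a naive Tamper Data edit; what it cannot do is tell the game apart from anyone who has decompiled the game. A secret the client must hold in order to send the request cannot authenticate that client, so the score has to be treated as untrusted input on the server regardless of what cipher wraps it.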