Friends who have played online games probably know of a tool called WPE that can be used to modify online games. It works by intercepting packets as they are sent and received and sending forged data to deceive the server. The principle is simple, but actually using it is not so easy, because the packets are encrypted: if you don't know the encryption algorithm, there is no way to forge legitimate packets. What I want to talk about here, however, is not that way of using WPE, but how its ability to receive packets and modify their contents can be used against the design vulnerabilities of some websites' web games in order to cheat.
Many community websites offer games that can be played in the page. You can win virtual currency in them, and most of these games are gambling games, such as slot machines, 21 points (blackjack), horse racing, etc. If you are lucky enough to come across a community where this type of game is controlled on the client, congratulations: there may be a way to make yourself very rich in that community.
For example, one community had a slot machine game for winning virtual currency. I checked the page source and, after analysing it, found that the game control was on the client: a JavaScript script decided where the cursor finally stopped, and it contained this passage:
K = 1
i = 0
J = 1
Randomize
L = Fix(65 * Rnd + 44) ' how far to turn at constant speed: 2~5 laps
Randomize
H = 22
H = Fix(22 * Rnd + 0) ' how far to turn while slowing down: 0~1 lap
Obviously, as long as Rnd is made to be a fixed value, the final stop position is fixed as well.
The first thing I thought of was to save the page to my local computer, modify this code, fix up some of the key links, and then open it. I tried a few times and failed every time. Submissions probably go through an anti-cheating check, perhaps based on some information about the browser, so mine may not have passed. Later I thought: if the server knows my data is being submitted from a legitimate place, there should be no problem. I started writing a program in Delphi that used TWebBrowser to browse the page and modified the data as it was read. This approach should work, but it was not very easy to use during my trials. Finally, it occurred to me that since WPE can modify packets being sent, it must also be able to modify received data! So I intercepted several requests and responses, found the 65 * Rnd + 44 data, created a filter that changes 65 * Rnd + 44 to 65 * 000 + 56, then created another filter that changes Rnd to 000, started intercepting and modifying, and refreshed the page. The code in the page had become:
K = 1
i = 0
J = 1
Randomize
L = Fix(65 * 000 + 56) ' how far to turn at constant speed: 2~5 laps
Randomize
H = 22
H = Fix(22 * 000 + 0) ' how far to turn while slowing down: 0~1 lap
I tried playing, and sure enough it stopped at the same position every time. The modification was successful!
Play it for a while and you earn more than 10 million!
Then I found three similar games in that community, and they could be cheated too.
So I sent out some virtual currency. Unexpectedly, the administrator found out, the account was deleted, and the games were also shut down...
It can be seen that if a game played in the browser has its game control placed entirely on the client, there is bound to be a way to cheat. I think this kind of game should decide the win or loss once the bet is placed and only display that result on the client. Then it does not matter how others change the client's data.
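The closing recommendation, sketched as an added example (not code from the post or from the community site): a handler that credits the stop position the client reports, next to one that draws the outcome itself and treats the request as untrusted. The request fields, PAYTABLE values and function names are assumptions, and the 22-position lap is inferred from the page's script.

```javascript
// Added example; the request shape, PAYTABLE and function names are assumptions.
const POSITIONS = 22; // stop positions in one lap (inferred from the page's 22 * Rnd)
const PAYTABLE = new Map([[12, 50], [0, 5], [11, 2]]); // stop -> multiplier (constructed)

// Flawed design: the client script picks the stop position and the server
// credits whatever position the request reports.
function resolveSpinTrustingClient(account, request) {
  const payout = request.stake * (PAYTABLE.get(request.stop) ?? 0);
  account.balance += payout - request.stake;
  return { ok: true, stop: request.stop, payout, balance: account.balance };
}

// Unbiased draw in [0, n) from the platform CSPRNG (Web Crypto).
function serverDraw(n) {
  const buf = new Uint32Array(1);
  const limit = Math.floor(0x100000000 / n) * n; // reject the biased tail
  do { globalThis.crypto.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// Hardened design: only the stake is read from the request. The outcome is
// drawn after the stake is debited, and the client is only told what to display.
function resolveSpin(account, request, draw = serverDraw) {
  const stake = Number(request.stake);
  if (!Number.isInteger(stake) || stake <= 0 || stake > account.balance) {
    return { ok: false, error: 'invalid stake', balance: account.balance };
  }
  account.balance -= stake;          // debit before any outcome exists
  const stop = draw(POSITIONS);      // decided here, never taken from the client
  const payout = stake * (PAYTABLE.get(stop) ?? 0);
  account.balance += payout;
  // The page animates towards `stop`; editing its script changes only the animation.
  return { ok: true, stop, payout, balance: account.balance };
}
```

The `draw` parameter exists so the outcome can be pinned in tests; in service it stays at the default.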