
HabBit - Habbo Hotel Client Modifier

Joined
Mar 7, 2007
Messages
526
Reaction score
181
Re: HabBit - Automatic Habbo Client Cracker(Source | .NET 2.0 | C# 6)

@Arachis you took a really massive time to update this haha. But it's awesome to see new updates. Good work!


Massive time? This community would be very grateful that he's doing this. Besides, what about Yuri? Are you pushing the updates or is Zak doing this?

Great work Arachis, I would like to see more of this.
 
RaGEZONE VIP
[VIP] Member
Joined
Aug 13, 2014
Messages
121
Reaction score
239
Re: HabBit - Automatic Habbo Client Cracker(Source | .NET 2.0 | C# 6)

Is there a way you can add support for removing RC4?

Yea I could add it in, although I need to know the process of how you guys do it manually. HabBit used to have this option, but it was doing it in a weird way which probably wasn't what you guys were wanting.

P.S: If you're wondering where the RSA keys are being replaced, look in the KeyObfuscator class. It was much easier to place them there, since we can just push two instructions at the top.
 

Joined
Sep 2, 2011
Messages
2,171
Reaction score
916
Re: HabBit - Automatic Habbo Client Cracker(Source | .NET 2.0 | C# 6)

Arachis, did you reset your GitHub account? All your hundreds of commits disappeared like my money when playing Habbo haha
 
RaGEZONE VIP
[VIP] Member
Joined
Aug 13, 2014
Messages
121
Reaction score
239
Re: HabBit - Automatic Habbo Client Cracker(Source | .NET 2.0 | C# 6)

Arachis, did you reset your GitHub account? All your hundreds of commits disappeared like my money when playing Habbo haha
Lmao, yea in a way. I thought I wasn't going to use it anymore/post commits, and some kids were just signing up on GitHub to ask questions on why some retro didn't work with Tanji, that got annoying so I just deleted it and zipped the projects. Then I remembered Tanji uses the github api to look for Tanji updates on that account name, meaning anyone could make the git account with that name and push updates, whoops. I ended up re-making it and also pushing the projects back on there, so that was a fail.
 
Joined
Aug 10, 2011
Messages
7,401
Reaction score
3,299
Re: HabBit - Automatic Habbo Client Cracker(Source | .NET 2.0 | C# 6)

Yea I could add it in, although I need to know the process of how you guys do it manually. HabBit used to have this option, but it was doing it in a weird way which probably wasn't what you guys were wanting.

P.S: If you're wondering where the RSA keys are being replaced, look in the KeyObfuscator class. It was much easier to place them there, since we can just push two instructions at the top.

It basically does not ask for any keys and just continues where normally the key exchange is finished.
 

RaGEZONE VIP
[VIP] Member
Joined
Aug 13, 2014
Messages
121
Reaction score
239
Re: HabBit - Automatic Habbo Client Cracker(Source | .NET 2.0 | C# 6)

It basically does not ask for any keys and just continues where normally the key exchange is finished.
I think I did it. Based on what you said, I just copied the last three instructions from where the client is verifying the server's public key to where it sends the 4000 message. I also removed the instructions that 'ask' for the keys, so it looks like this:
Code:
private function §_-3Hx§(param1:Event = null) : void
{
 var _loc2_:§_-5EW§ = this.§_-5BD§.connection;
 if(_loc2_ != null)
 {
	this.§_-1h9§();
	this.§_-2gh§(§_-fJ§.§_-2v3§);
	this.§_-54p§ = true;
	this.§_-2gh§(§_-fJ§.§_-1FH§);
	_loc2_.§_-61B§(new §_-2Ke§()); //4000
	this.§_-54p§ = false;
	this.§_-2gh§(§_-fJ§.§_-6Hq§);
	this.§_-0qJ§(_loc2_);
 }
}

This is where I copied the last 3 instructions from:
Code:
private function §_-4Pp§(param1:§_-HK§) : void
{
 var _loc9_:§_-63s§ = null;
 var _loc2_:§_-5EW§ = param1.connection;
 var _loc3_:§_-3ul§ = param1 as §_-3ul§;
 var _loc4_:ByteArray = new ByteArray();
 var _loc5_:ByteArray = new ByteArray();
 _loc4_.writeBytes(CryptoTools.§_-5yt§(_loc3_.§_-6Um§));
 this.§_-5-f§.verify(_loc4_,_loc5_,_loc4_.length);
 this.§_-5-f§.dispose();
 this.§_-6MG§.§_-64v§(_loc5_.toString(),10);
 var _loc6_:String = this.§_-6MG§.§_-2Cn§(16).toUpperCase();
 if(!this.§_-6MG§.§_-lp§() || !this.§_-6MG§.§_-07d§())
 {
	return;
 }
 var _loc7_:ByteArray = CryptoTools.§_-5yt§(_loc6_);
 _loc7_.position = 0;
 var _loc8_:§_-63s§ = this.§_-5BD§.§_-2Z1§();
 _loc8_.init(_loc7_);
 if(_loc3_.§_-JX§)
 {
	_loc9_ = this.§_-5BD§.§_-2Z1§();
	_loc9_.init(_loc7_); 
 }
 _loc2_.§_-ew§(_loc8_,_loc9_); // Don't copy this? Is this where rc4 key is set?
 this.§_-54p§ = false; // Start copy from here
 this.§_-2gh§(§_-fJ§.§_-6Hq§);
 this.§_-0qJ§(_loc2_); // Send the sso.ticket and machine Id, I think
}

Do I need to change anything else, or is that it?
 
Joined
Aug 10, 2011
Messages
7,401
Reaction score
3,299
Re: HabBit - Automatic Habbo Client Cracker(Source | .NET 2.0 | C# 6)

I'm not sure. Here is the SWF with all encryption removed / bypassed: -> SWF

Also, do you know if it is possible to remove the '-' from class / interface / function / variable names? Then it might be possible to recompile the Habbo.swf from AS3 sources.
 
RaGEZONE VIP
[VIP] Member
Joined
Aug 13, 2014
Messages
121
Reaction score
239
Re: HabBit - Automatic Habbo Client Cracker(Source | .NET 2.0 | C# 6)

I'm not sure. Here is the SWF with all encryption removed / bypassed: -> SWF

Also, do you know if it is possible to remove the '-' from class / interface / function / variable names? Then it might be possible to recompile the Habbo.swf from AS3 sources.

Thanks for the SWF, seems I did it right. It is also possible to change those names, yea. Here is a SWF with namespaces/multinames (methods/traits/classNames) fixed (no '-'):

P.S: [STRIKE]Symbol tags weren't modified, so some assets probably won't load/show up... sorry.[/STRIKE]
Edit: I've fixed symbol names as well, assets will now load properly:
 
Joined
Aug 10, 2011
Messages
7,401
Reaction score
3,299
Re: HabBit - Automatic Habbo Client Cracker(Source | .NET 2.0 | C# 6)

Thanks for the SWF, seems I did it right. It is also possible to change those names, yea. Here is a SWF with namespaces/multinames (methods/traits/classNames) fixed (no '-'):

P.S: [STRIKE]Symbol tags weren't modified, so some assets probably won't load/show up... sorry.[/STRIKE]
Edit: I've fixed symbol names as well, assets will now load properly:

Several things:

- Local variables seem to have all been changed to 'var loc:*'. No data type or name.
- public static const seem to have changed to static const


Code:
\__01d\__3F7.as(511): col: 17 Error: Access of undefined property loc2.

        {
            var loc1:*=true;
            var loc2:*=false;
            if (loc2 && __3F7) 
            {
                if (loc2 && __3F7) 
                {
                };
            }
            else if (loc1) 
            {
                if (loc1 || loc1) 
                {
                    if (loc2 && __3F7) 
                    {
                    };
                }
            }
            else if (loc2 && __3F7) 
            {
            };
        }

I've sent you a message on Skype :):
 
RaGEZONE VIP
[VIP] Member
Joined
Aug 13, 2014
Messages
121
Reaction score
239
Re: HabBit - Automatic Habbo Client Cracker(Source | .NET 2.0 | C# 6)

Several things:
- Local variables seem to have all been changed to 'var loc:*'. No data type or name.
- public static const seem to have changed to static const
Code:
\__01d\__3F7.as(511): col: 17 Error: Access of undefined property loc2.

        {
            var loc1:*=true;
            var loc2:*=false;
            if (loc2 && __3F7) 
            {
                if (loc2 && __3F7) 
                {
                };
            }
            else if (loc1) 
            {
                if (loc1 || loc1) 
                {
                    if (loc2 && __3F7) 
                    {
                    };
                }
            }
            else if (loc2 && __3F7) 
            {
            };
        }
I've sent you a message on Skype :):

I just ended up replacing the '-' with "_OBJ", looks ugly but was just a quick experiment. Seems to decompile fine (AS3 Sorcerer 1.4). I've also managed to get the register name fixer working, but not on methods containing try/catch or switch statements.

SWF & Scripts.txt:
K's are gone, rip
 

RaGEZONE VIP
[VIP] Member
Joined
Aug 13, 2014
Messages
121
Reaction score
239
Re: HabBit - Automatic Habbo Client Cracker (.NET 2.0 | Source)

Arachis look at what I wrote down here: https://forum.ragezone.com/f353/dl-guide-habbo-swf-cracking-829414/
TLDR: There's code which never gets executed. Removing it makes it both easier to read/modify the bytecode, and also makes the swf file take up less space.

A month away from the one year anniversary, and I've finally managed to get some control flow deobfuscation working. This currently only works for branch instructions that pop Boolean values off the stack (no int, types, constants from X class), so basically it only works for what you've described in your thread.

I'm sure some of you are familiar with the send method within the SocketConnection class.
Before Deobfuscation:
After Deobfuscation:

Jump Instructions Removed: 71
Total Instructions Removed: 247

Deobfuscation is not handled in HGame/HabBit, it's in the ASCode class of the FlashInspect library:
 
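The post above describes deobfuscation of branches whose condition is a constant Boolean already on the stack, and reports "jump instructions removed" and "total instructions removed" counts. The following is an added example, not HabBit or FlashInspect code, showing the same idea on a constructed AVM2-style instruction list: fold `pushtrue/pushfalse` followed by `iftrue/iffalse`, drop code that is no longer reachable, drop jumps to the next instruction, and repeat until nothing changes. The opcode names are a small subset of real AVM2 opcodes; the sample method body and the `Instr` type are constructed here.

```python
"""Constant-Boolean branch folding plus dead-code removal on a toy AVM2-style body.
Added example; not the project's own code. Opcodes are a small AVM2 subset."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

BRANCHES = {"iftrue", "iffalse"}                      # pop a Boolean, branch on it
CONST_BOOL = {"pushtrue": True, "pushfalse": False}
TERMINATORS = {"returnvoid", "returnvalue"}


@dataclass
class Instr:
    op: str
    target: Optional[int] = None   # branch target as an index into the body
    arg: Optional[str] = None      # payload of non-branch ops, e.g. a property name


def count_jumps(code: List[Instr]) -> int:
    return sum(1 for ins in code if ins.target is not None)


def successors(code: List[Instr], i: int) -> List[int]:
    ins = code[i]
    if ins.op == "jump":
        return [ins.target]
    if ins.op in BRANCHES:
        return [i + 1, ins.target]
    if ins.op in TERMINATORS:
        return []
    return [i + 1]


def fold_constant_branches(code: List[Instr]) -> Tuple[List[Instr], Set[int]]:
    """'pushtrue/pushfalse; iftrue/iffalse' has a fixed outcome: the push goes, and the
    branch becomes an unconditional jump (taken) or disappears (not taken). A branch
    that is itself a jump target is skipped: a jump straight to it may arrive with a
    different value on the stack."""
    targets = {ins.target for ins in code if ins.target is not None}
    out = list(code)
    removed: Set[int] = set()
    for i in range(1, len(code)):
        ins, prev = code[i], code[i - 1]
        if ins.op not in BRANCHES or prev.op not in CONST_BOOL or i in targets:
            continue
        value = CONST_BOOL[prev.op]
        taken = value if ins.op == "iftrue" else not value
        removed.add(i - 1)
        if taken:
            out[i] = Instr("jump", ins.target)
        else:
            removed.add(i)
    return out, removed


def reachable(code: List[Instr]) -> Set[int]:
    """Indices reachable from the entry via fallthrough and branch edges."""
    seen: Set[int] = set()
    stack = [0]
    while stack:
        i = stack.pop()
        if i in seen or i >= len(code):
            continue
        seen.add(i)
        stack.extend(successors(code, i))
    return seen


def compact(code: List[Instr], keep: Set[int]) -> List[Instr]:
    """Drop every index not in keep and renumber targets. A dropped target resolves to
    the next surviving instruction, where execution would have fallen through anyway."""
    kept = sorted(keep)
    remap = {old: new for new, old in enumerate(kept)}
    result = []
    for old in kept:
        ins = code[old]
        tgt = ins.target
        if tgt is not None:
            while tgt not in remap and tgt < len(code):
                tgt += 1
            tgt = remap.get(tgt, len(kept))
        result.append(Instr(ins.op, tgt, ins.arg))
    return result


def deobfuscate(code: List[Instr]) -> Tuple[List[Instr], Dict[str, int]]:
    """Fold, prune unreachable code, drop jumps-to-next; loop to a fixpoint."""
    jumps_before, total_before = count_jumps(code), len(code)
    while True:
        before = len(code)
        folded, removed = fold_constant_branches(code)
        code = compact(folded, set(range(len(folded))) - removed)
        code = compact(code, reachable(code))
        trivial = {i for i, ins in enumerate(code) if ins.op == "jump" and ins.target == i + 1}
        code = compact(code, set(range(len(code))) - trivial)
        if len(code) == before:   # folding always shrinks the body, so no change means done
            break
    return code, {"jumps_removed": jumps_before - count_jumps(code),
                  "total_removed": total_before - len(code)}


def sample_method() -> List[Instr]:
    # Constructed body in the style of the 'loc1=true; loc2=false' blocks quoted above:
    # one real call buried under never-taken and always-taken branches.
    return [
        Instr("pushtrue"),                  # 0
        Instr("iffalse", 6),                # 1  never taken
        Instr("callpropvoid", arg="send"),  # 2  the real work
        Instr("pushfalse"),                 # 3
        Instr("iftrue", 8),                 # 4  never taken
        Instr("jump", 9),                   # 5
        Instr("callpropvoid", arg="junk"),  # 6  dead
        Instr("jump", 2),                   # 7  dead
        Instr("callpropvoid", arg="junk"),  # 8  dead
        Instr("pushtrue"),                  # 9
        Instr("iftrue", 12),                # 10 always taken
        Instr("callpropvoid", arg="junk"),  # 11 dead
        Instr("returnvoid"),                # 12
    ]


if __name__ == "__main__":
    cleaned, stats = deobfuscate(sample_method())
    for ins in cleaned:
        print(ins)
    print(stats)
```

The branch-target check in `fold_constant_branches` is the caveat that matters: folding is only sound when the only way to reach the branch is through the push in front of it. Real AVM2 bodies also need exception-handler ranges (try/catch) and `lookupswitch` tables treated as extra edges, which is why the later post notes that those method bodies are left untouched.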
RaGEZONE VIP
[VIP] Member
Joined
Aug 13, 2014
Messages
121
Reaction score
239
Re: HabBit - Automatic Habbo Client Cracker(Source | .NET 2.0 | C# 6)

HabBit v2.0.575
  • Added argument "--dhand" for disabling the handshake process within the client. When this argument is present, the client is modified to never send the InitCrypto message to the server, and instead begins sending non-encrypted data as if the handshake process was completed.

  • Added argument "--fixiden" for fixing invalid AS3 object names (namespace/class/interface) to a more friendly name.
    • Type: Class, Name: "_-X00", Fixed Name: "class_1"
    • Type: Class, Name: "_-ABC", Fixed Name: "class_2"
    • Type: Interface, Name: "_-XYZ-", Fixed Name: "interface_1"
    • Type: Interface, Name: "get", Fixed Name: "interface_2"
    • Type: Namespace, Name: "for", Fixed Name: "ns_1"
    • Type: Namespace, Name: "_-X-", Fixed Name: "ns_2"
    Trait name fixing is currently not supported.

  • Added argument "--renreg" for renaming every register name to a more unique name for easier distinguishing between locals in decompilers that don't fix this.
    Code:
    private function _-2Jj(_arg1:class_2275):void
    {
        var local8:class_2715;
        var local1:class_2309 = _arg1.connection;
        var local2:class_2913 = (_arg1 as class_2913);
        var local3:ByteArray = new ByteArray();
        var local4:ByteArray = new ByteArray();
        local3.writeBytes(CryptoTools._-2T5(local2._-2vC));
        this._-4vH.verify(local3, local4, local3.length);
        this._-4vH.dispose();
        this._-2g5._-4y-(local4.toString(), 10);
        var local5:String = this._-2g5._-z5(16).toUpperCase();
        if (((!(this._-2g5._-4BT())) || (!(this._-2g5._-0Z5()))))
        {
            return;
        };
        var local6:ByteArray = CryptoTools._-2T5(local5);
        local6.position = 0;
        var local7:class_2715 = this._-61x._-6de();
        local7.init(local6);
        if (local2._-3Jw)
        {
            local8 = this._-61x._-6de();
            local8.init(local6);
        };
        local1._-2DF(local7, local8);
        this._-Zm = false;
        this._-2bE(class_2284._-4yM);
        this._-3fu(local1);
    }
    If a method body contains a try/catch block, or contains a switch statement, no register renaming takes place.

Download:


P.S: Sorry for double posting.
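The "--fixiden" table above shows the renaming rule: a name that cannot be written in AS3 source (it contains '-', or it is a keyword such as "get" or "for") becomes class_N, interface_N or ns_N, numbered per type in order of first sight. The following is an added example of that rule, not HabBit's code; the keyword list is partial and the sample entries are constructed to match the release-note table. The text rewriter deliberately handles only dash-bearing names, since plain text matching cannot tell a namespace named "for" from the for-loop keyword.

```python
"""Friendly-name fixer for invalid AS3 identifiers. Added example; not HabBit's code.
The keyword set is partial and the sample entries are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Reserved and syntactic keywords: legal in the SWF constant pool, unwritable in source.
AS3_KEYWORDS = {
    "as", "break", "case", "catch", "class", "const", "continue", "default", "delete",
    "do", "else", "extends", "false", "finally", "for", "function", "if", "implements",
    "import", "in", "instanceof", "interface", "internal", "is", "new", "null", "package",
    "private", "protected", "public", "return", "super", "switch", "this", "throw",
    "true", "try", "typeof", "use", "var", "void", "while", "with",
    "each", "get", "set", "namespace", "include", "dynamic", "final", "native",
    "override", "static",
}
IDENT_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")
PREFIX = {"Class": "class", "Interface": "interface", "Namespace": "ns"}


def needs_fix(name: str) -> bool:
    """True when the name is not a valid AS3 identifier or collides with a keyword."""
    return not IDENT_RE.match(name) or name in AS3_KEYWORDS


class NameFixer:
    """Hands out class_N / interface_N / ns_N names, numbered per type in order of
    first sight, and remembers them so every later lookup gives the same answer."""

    def __init__(self) -> None:
        self.counters: Dict[str, int] = defaultdict(int)
        self.renamed: Dict[Tuple[str, str], str] = {}

    def fix(self, kind: str, name: str) -> str:
        key = (kind, name)
        if key in self.renamed:
            return self.renamed[key]
        if not needs_fix(name):
            return name
        self.counters[kind] += 1
        self.renamed[key] = f"{PREFIX[kind]}_{self.counters[kind]}"
        return self.renamed[key]

    def rewrite_source(self, text: str) -> str:
        """Rewrite already-fixed dash-bearing names inside decompiled text. Keyword-named
        entries are skipped on purpose: 'for' the namespace and 'for' the loop look the
        same in text, so those must be renamed in the constant pool instead."""
        dashed = {n: new for (_, n), new in self.renamed.items() if "-" in n}
        if not dashed:
            return text
        alts = "|".join(re.escape(n) for n in sorted(dashed, key=len, reverse=True))
        pattern = re.compile(r"(?<![\w$-])(" + alts + r")(?![\w$-])")
        return pattern.sub(lambda m: dashed[m.group(1)], text)


def fix_table(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Run one fixer over (type, name) pairs; returns (type, name, fixed name) rows."""
    fixer = NameFixer()
    return [(kind, name, fixer.fix(kind, name)) for kind, name in entries]


# Constructed input mirroring the table in the release notes.
SAMPLE_ENTRIES = [
    ("Class", "_-X00"), ("Class", "_-ABC"),
    ("Interface", "_-XYZ-"), ("Interface", "get"),
    ("Namespace", "for"), ("Namespace", "_-X-"),
]

if __name__ == "__main__":
    for kind, name, fixed in fix_table(SAMPLE_ENTRIES):
        print(f'Type: {kind}, Name: "{name}", Fixed Name: "{fixed}"')
```

Numbering per type, in the order names are encountered, is what makes the output stable across runs on the same SWF; a fixer that numbered in hash order would produce different names on every run and make diffs between client versions useless.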
 
Skilled Illusionist
Joined
Jul 2, 2009
Messages
313
Reaction score
139
Re: HabBit - Automatic Habbo Client Cracker(Source | .NET 2.0 | C# 6)

Amazing, looking for this for a while now. Much appreciated! +1 like.
 
RaGEZONE VIP
[VIP] Member
Joined
Aug 13, 2014
Messages
121
Reaction score
239
Re: HabBit - Automatic Habbo Client Cracker(Source | .NET 2.0 | C# 6)

You still make some awesome progress? =)
Haven't really touched HabBit specifically, although I've been updating FlashInspect until recently so that I can work on HabBit more easily, good progress on that so far.

Maybe an update this week:
Deobfuscator(Control Flow/Dead Code)
Global Name Fixing (Methods/Fields/Constants, aside from already existing class/namespace fixing)
Method Logging (view what methods were entered in the SWF, why not). Outputs in the browser's console.

There's more I want to add to this project overall, but this is what's realistically possible for the week with the stuff I currently have working in the Flash lib. Thanks for being interested guys.
 
RaGEZONE VIP
[VIP] Member
Joined
Aug 13, 2014
Messages
121
Reaction score
239
Re: HabBit - Automatic Habbo Client Cracker(Source | .NET 2.0 | C# 6)

Lost some uncommitted changes (Flash lib), fucked up hard, I'll work on this again soon once I regain my sanity (re-write some stuff). Luckily new files that I've added AFTER my last commit remained, which was the most tedious Ducking part (1 Class per instruction with unique "Execute" code). I still need to re-write the execute code for the instructions that did get reverted all the way to September, these are needed for the deobfuscator.

Lesson learned, I should commit more
 