@Arachis you took a really massive time to update this haha. But it's awesome to see new updates. Good work!
Is there a way you can add support for removing RC4?
Arachis did you reset your github account? All your hundreds of commits disappeared like my money when playing habbo haha
Lmao, yea in a way. I thought I wasn't going to use it anymore/post commits, and some kids were just signing up on GitHub to ask questions on why some retro didn't work with Tanji; that got annoying so I just deleted it and zipped the projects. Then I remembered Tanji uses the GitHub API to look for Tanji updates on that account name, meaning anyone could make a git account with that name and push updates, whoops. I ended up re-making it and also pushing the projects back on there, so that was a fail.
Yea I could add it in, although I need to know the process of how you guys do it manually. HabBit used to have this option, but it was doing it in a weird way which probably wasn't what you guys were wanting.
P.S: If you're wondering where the RSA keys are being replaced, look in the KeyObfuscator class. It was much easier to place them there, since we can just push two instructions at the top.
I think I did it. Based on what you said, I just copied the last three instructions where the client is verifying the server's public key to where it sends the 4000 message. I also removed the instructions that 'ask' for the keys, so it looks like this:
private function §_-3Hx§(param1:Event = null) : void
{
    var _loc2_:§_-5EW§ = this.§_-5BD§.connection;
    if(_loc2_ != null)
    {
        this.§_-1h9§();
        this.§_-2gh§(§_-fJ§.§_-2v3§);
        this.§_-54p§ = true;
        this.§_-2gh§(§_-fJ§.§_-1FH§);
        _loc2_.§_-61B§(new §_-2Ke§()); //4000
        this.§_-54p§ = false;
        this.§_-2gh§(§_-fJ§.§_-6Hq§);
        this.§_-0qJ§(_loc2_);
    }
}
private function §_-4Pp§(param1:§_-HK§) : void
{
    var _loc9_:§_-63s§ = null;
    var _loc2_:§_-5EW§ = param1.connection;
    var _loc3_:§_-3ul§ = param1 as §_-3ul§;
    var _loc4_:ByteArray = new ByteArray();
    var _loc5_:ByteArray = new ByteArray();
    _loc4_.writeBytes(CryptoTools.§_-5yt§(_loc3_.§_-6Um§));
    this.§_-5-f§.verify(_loc4_,_loc5_,_loc4_.length);
    this.§_-5-f§.dispose();
    this.§_-6MG§.§_-64v§(_loc5_.toString(),10);
    var _loc6_:String = this.§_-6MG§.§_-2Cn§(16).toUpperCase();
    if(!this.§_-6MG§.§_-lp§() || !this.§_-6MG§.§_-07d§())
    {
        return;
    }
    var _loc7_:ByteArray = CryptoTools.§_-5yt§(_loc6_);
    _loc7_.position = 0;
    var _loc8_:§_-63s§ = this.§_-5BD§.§_-2Z1§();
    _loc8_.init(_loc7_);
    if(_loc3_.§_-JX§)
    {
        _loc9_ = this.§_-5BD§.§_-2Z1§();
        _loc9_.init(_loc7_);
    }
    _loc2_.§_-ew§(_loc8_,_loc9_); // Don't copy this? Is this where the rc4 key is set?
    this.§_-54p§ = false; // Start copy from here
    this.§_-2gh§(§_-fJ§.§_-6Hq§);
    this.§_-0qJ§(_loc2_); // Send the sso.ticket and machine Id, I think
}
It basically does not ask for any keys and just continues where normally the key exchange is finished.
I'm not sure. Here is the SWF with all encryption removed / bypassed: [link] -> SWF
Also, do you know if it is possible to remove the '-' from class / interface / function / variables names? Then it might be possible to recompile the Habbo.swf from AS3 sources.
Thanks for the swf, seems I did it right. It is also possible to change those names, yea; here is a swf with namespaces/multinames (methods/traits/classNames) fixed (no '-'): [link]
P.S: [STRIKE]Symbol tags weren't modified, so some assets probably won't load/show up... sorry.[/STRIKE]
Edit: I've fixed symbol names as well, assets will now load properly: [link]
\__01d\__3F7.as(511): col: 17 Error: Access of undefined property loc2.
{
    var loc1:*=true;
    var loc2:*=false;
    if (loc2 && __3F7)
    {
        if (loc2 && __3F7)
        {
        };
    }
    else if (loc1)
    {
        if (loc1 || loc1)
        {
            if (loc2 && __3F7)
            {
            };
        }
    }
    else if (loc2 && __3F7)
    {
    };
}
Several things:
- Local variables seem to have all been changed to 'var loc:*'. No data type or name.
- public static const seems to have changed to static const
I've sent you a message on Skype.
Arachis look at what I wrote down here: https://forum.ragezone.com/f353/dl-guide-habbo-swf-cracking-829414/
TLDR: There's code which never gets executed. Removing it makes it both easier to read/modify the bytecode, and also makes the swf file take up less space.
private function _-2Jj(_arg1:class_2275):void
{
    var local8:class_2715;
    var local1:class_2309 = _arg1.connection;
    var local2:class_2913 = (_arg1 as class_2913);
    var local3:ByteArray = new ByteArray();
    var local4:ByteArray = new ByteArray();
    local3.writeBytes(CryptoTools._-2T5(local2._-2vC));
    this._-4vH.verify(local3, local4, local3.length);
    this._-4vH.dispose();
    this._-2g5._-4y-(local4.toString(), 10);
    var local5:String = this._-2g5._-z5(16).toUpperCase();
    if (((!(this._-2g5._-4BT())) || (!(this._-2g5._-0Z5()))))
    {
        return;
    };
    var local6:ByteArray = CryptoTools._-2T5(local5);
    local6.position = 0;
    var local7:class_2715 = this._-61x._-6de();
    local7.init(local6);
    if (local2._-3Jw)
    {
        local8 = this._-61x._-6de();
        local8.init(local6);
    };
    local1._-2DF(local7, local8);
    this._-Zm = false;
    this._-2bE(class_2284._-4yM);
    this._-3fu(local1);
}
Any new updates Arachis?
You still make some awesome progress? =)
Haven't really touched HabBit specifically, although I've been updating FlashInspect until recently so that I can work on HabBit more easily; good progress on that so far.