Solved Webhack/debug php/javascript

Hexui Undetected CSGO Cheats Sinkicheat PUBG Cheat

oharra

Jr.Coder
Full Member
Nobleman
Mar 9, 2015
56
252
0
Ive been trying to hack/edit something on a site for a while now, and I think I know how the procedure works, but I'm still having trouble to get to the source of it to be able to modify the things I want...

It's a little flash application, that rewards the users with gifts, after you spin it... However the flash app itself only is being used to show the user what he won, and show your prices... The stuff you have won is being defined earlier in the process I found out...
First it triggers this link: /users/ajax/daily_spin_popup.php?action_token=ab75e41f11dbb00f612a403cfa58a2c0 (the token being a random value), I think the token also doesn't have to do with the prize you will earn... It's just to verify your session I guess.
Then it generates a page like this (I intercept them with my webdebug proxy, Charles...)

C++:
<code> <html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
        <title>Tetris - Daily Spin</title>
                <link rel='stylesheet' href='https://tetrisow-a.akamaihd.net/data4_0_0_1/stylesheets/combined.min.css' type='text/css' media='screen' />        <script type='text/javascript' src='https://tetrisow-a.akamaihd.net/data4_0_0_1/javascripts/combined.min.js' charset='utf-8'></script>    </head>
    <body class='popup_body'>
        <div id='daily_spin_container'>
            <a id='daily_spin_close_btn' class='button button_small_grey button_small_grey_close user_stats_close_btn floatright' href='javascript:void(0)' onclick='closeDailySpinPopup()'></a>
            
                        <div id="daily_spin_content"></div>
        </div>
        
                
        <script type="text/javascript">
            var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "https://www.");    
            document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
        </script>
        
        <script type="text/javascript">
            var swf = "/data/images/OWDailySweepstakes.swf?prize1=token:15&prize2=token:15&dayOfWeek=6&numOfDays=1&inTFActionToken=cdec858480c6553124bbc2edde21f968";
            var vPage = "/daily_spin_popup";
            var spinCount = 2;
            var prizeTags = "token:15&token:15";
            
            $(document).ready(function() {
                swfobject.embedSWF(swf, "daily_spin_content", 640, 500, "9.0.0", {}, {}, {wmode: "transparent"}, {allowscriptaccess: "always"}, {id:"dailySpinSwf", name:"dailySpinSwf"});

                try {
                    pageTracker = _gat._getTracker("UA-886022-5");
                      pageTracker._trackPageview(vPage);
                } catch(err) {}
                
                toggleAd(false);
            });

            function toggleAd(showAd) {
                try {
                    if (showAd) {
                        $(window.top.document.getElementById("home_custom_ad_content")).css({ 'left': 0, 'position': 'relative' });
                        $(window.top.document.getElementById("home_advertisement")).css('left', 0);
                    } else {
                        $(window.top.document.getElementById("home_custom_ad_content")).css({ 'left': -9999, 'position': 'relative' });
                        $(window.top.document.getElementById("home_advertisement")).css('left', -9999);
                    }
                } catch(err) {}
            }
            
            function closeDailySpinPopup() {
                try {
                    pageTracker = _gat._getTracker("UA-886022-5");
                    pageTracker._trackPageview(vPage + '/close');
                } catch(err) {}

                setTimeout("window.top.Shadowbox.close()", 250);
                
                toggleAd(true);
            }
        </script>
        
            
    </body>
</html>
</code>
You can see where it shows and defines the price tags etc in this page... So it seemed easy to edit, however if I'm changing the prizes to what I want, which perfectly works, the flash spinner starts, gives me those prizes, but when I leave, it doesn't reward me those gifts... Instead it gives me the ones that were originally meant to be given to me...
So I suppose what you will earn with the daily spinner on that site, is defined before this page is created or the flash application starts...I would have to access that information to change the stuff I want :) But so the problem is I cannot find where that info is stored, like that you will receive 10 tokens and 10 armor with the daily spinner, for example... in my webdebugging proxy I'm not finding any config files, or links to, where it says what you will get there... I'm not an expert with javascript, maybe someone can see some more in these functions... There is a file "combined.js" which contains the function of the dailyspinner... and of the link it gets than to reward the gifts.... :

C++:
<code>function popUpDailySpin(a){popUpBoxByUrl("/users/ajax/daily_spin_popup.php?action_token="+a,640,510,"",function(){setTimeout("refreshMiniProfile()",0)})}function refreshMiniProfile(){addLoadingAnimation("#home_mini_profile_container");$("#home_mini_profile_container").load("/users/_inc/mini_profile.php",function(){removeLoadingAnimation("#home_mini_profile_container")})}
</code>
And

C++:
<code>function activateRewards(b){if(!activateSent){activateSent=true;try{if(typeof(spinCount)==undefined||typeof(spinCount)=="undefined"){spinCount=1}var e=prizeTags.split("&");pageTracker=_gat._getTracker("UA-886022-5");pageTracker._trackPageview("/daily_spin_popup/spin"+spinCount);for(var a=0;a<e.length;a++){var d=e[a].split(":");pageTracker._trackEvent("DailySpin",d[0],d[1])}}catch(c){}$.get("/users/ajax/activate_promo_item.php?rewardSpin=1",function(f){})}}function toggleTroubleElements(b){var a=["select","object","embed","canvas"];for(var d=0;d<a.length;d++){var e=document.getElementsByTagName(a[d]);for(var c=0;c<e.length;c++){if(b){$(e[c]).css("visibility","visible")}else{$(e[c]).css("visibility","hidden")}}}}</code>
Those are the javascript codes taht are being used on the site and I also see them in my proxy so these are being used to run the spinner... I've been looking into this a lot, so I would be really happy if someone could help me with this... So it basically gives you the rewards that were originally picked for you, when you finish the spin... even if you let the spinner give you something else... So I'd have to access the source where the original gifts are defined, or what links to it...

Thanks

Ow yes I forgot to say the site is www.tetrisfriends.com :)
 
Last edited by a moderator:

Obsta

Jr.Hacker
Meme Tier VIP
Jan 27, 2014
394
2,978
17
If it is as you said, predetermined before you see the result, it means that it's all generated server sided. You are essentially only given read-only permissions. Unless you find a function to write back to the server you can't change this data.(Which i don't think it even exists because its JS is generated client side and the server would reject anything you posted to it.)

However i don't understand javascript enough to give you a real answer, this is just my two-cents
I believe the javascript is just animating to give you the visual effect.
 

oharra

Jr.Coder
Full Member
Nobleman
Mar 9, 2015
56
252
0
If it is as you said, predetermined before you see the result, it means that it's all generated server sided. You are essentially only given read-only permissions. Unless you find a function to write back to the server you can't change this data.(Which i don't think it even exists because its JS is generated client side and the server would reject anything you posted to it.)

However i don't understand javascript enough to give you a real answer, this is just my two-cents
I believe the javascript is just animating to give you the visual effect.
Thanks, you might be right, however I still think there should be a link than to the source where it gets this data... The visual effect is done completely by the Flash app that shows it, but as I said before it's clearly not the app that determines the prizes you will get...
Also in the javascript there is no sign of the gifts you could receive, like token:10 or something as you can see in the prize results... It's weird.

I have the sourcecode of the website and I have found an xml that seems to stores these values and dailyspin gifts... An xml file, but usually these files appaer than in my charles webproxy, and I can set breakpoints on them to edit it... But for this one I cannot find anything like that.
 
Last edited:

oharra

Jr.Coder
Full Member
Nobleman
Mar 9, 2015
56
252
0
Both, either, neither.
If I could modify those gifts in the spinner, I can make it give "rubies" ;) which normally cost money or you'd have to to surveys etc, it would be really cool. I've been able to do some other cool hacks on that site already :p
 
Attention! Before you post:

Read the How to Ask Questions Guide
99% of questions are answered in the Beginner's Guide, do it before asking a question.

No Hack Requests. Post in the correct section.  Search the forum first. Read the rules.

How to make a good post:

  • Fill out the form correctly
  • Tell us the game name & coding language
  • Post everything we need to know to help you
  • Ask specific questions, be descriptive
  • Post errors, line numbers & screenshots
  • Post code snippets using code tags
  • If it's a large project, zip it up and attach it

If you do not comply, your post may be deleted.  We want to help, please make a good post and we will do our best to help you.

Community Mods