Ok… Let’s try something else. Let’s start the bot again and have a look at the task manager. We can actually create a dump of this process.
I have never done this before, I actually don't know what it does, but I assume it dumps the process memory; I just knew the menu item was there. Please wait while the process is written to the file. And now we have a .DMP file here. It's over 300MB, so I assume it's a full memory dump. My assumption is that, if it's a basic packed binary, then once the bot is running all the strings are unpacked and in cleartext in memory. So I hope that we can now fairly easily extract the strings from the dump. Though I'm a bit unsure about it, because I don't know if that's like a raw binary dump or if it's some kind of compressed file format that requires tools.

But anyway, next I'm getting a hex editor to look at it, and I think HxD is pretty nice. After installation, just when I thought about opening the dump, I also noticed another functionality of the hex editor. Under Extras you can select "Open RAM", and then I can select the Auto trading bot. So we can apparently directly read the RAM, which hopefully contains the unpacked strings. And now we can simply perform text searches in there. For example, we know the API endpoints had /scripts/ in the path, so we can search for that. And look, we find instances of that. Here is even the http url with the check_version API call. So it looks like in this general address area we have interesting strings. So I'm just copying that part into a new file to more easily work with it. I call it now simply memory.dump.

And then I can write a bit of python code to extract those strings. So we read the raw bytes. Each character has 2 bytes, and so it's always a null byte and the character byte. And each string is separated by a null byte, which means between each string are three null bytes. Makes sense, right? So we split the whole data up like that. And then we write out all strings that are in ASCII range. And the output file is now easier to explore and we can search for the API calls. And there they are.
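The string extraction described above, as an added example that is not the script from the video: it treats the copied memory region as 2-byte-per-character (UTF-16LE) text, where every printable character is followed by a null byte and each string ends in an extra pair of null bytes. Instead of splitting on three null bytes, it matches runs of `<char><0x00>` pairs directly, so it also works when the region is not 2-byte aligned, and it extracts plain ASCII strings as a comparison. The sample dump, the host name in the URLs and the `find_endpoints` helper are constructed here for illustration; the real bot's memory and URLs are not on the page.

```python
import re
import sys

# Minimum number of characters a run must have before it counts as a string.
MIN_LEN = 4


def extract_utf16le_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Return printable strings stored as UTF-16LE (char byte, null byte, ...).

    The pattern runs over raw bytes, so a string is found at any offset,
    whether or not the dump region happens to be 2-byte aligned.
    """
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def extract_ascii_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Return printable strings stored one byte per character (narrow strings)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_endpoints(strings: list, needle: str = "/scripts/") -> list:
    """Keep only the strings that look like the bot's API paths (hypothetical helper)."""
    return [s for s in strings if needle in s]


def build_sample_dump() -> bytes:
    """Constructed stand-in for the copied memory region; not real bot memory."""
    wide_strings = [
        "https://bot.example.invalid/scripts/check_version.php",  # placeholder host
        "https://bot.example.invalid/scripts/get_online_users.php",
        "auth",
    ]
    blob = b"\x00\x4d\x5a\x90\x00\x03"  # junk so the first string is not at offset 0
    for s in wide_strings:
        # wide string, then the 2-byte terminator: with the last char's high
        # byte this is the "three null bytes" seen between strings in the dump
        blob += s.encode("utf-16-le") + b"\x00\x00"
        blob += b"\xde\xad\xbe\xef"  # unrelated bytes between strings
    blob += b"plain ascii config\x00"  # narrow string, invisible to the UTF-16 extractor
    blob += b"A\x00B\x00"  # two wide chars only: too short to count
    return blob


if __name__ == "__main__":
    # Usage: python extract_strings.py memory.dump strings.txt
    src = sys.argv[1] if len(sys.argv) > 1 else None
    raw = open(src, "rb").read() if src else build_sample_dump()
    found = extract_utf16le_strings(raw) + extract_ascii_strings(raw)
    out = open(sys.argv[2], "w") if len(sys.argv) > 2 else sys.stdout
    for line in found:
        print(line, file=out)
```

Running it on the constructed sample prints the three wide strings followed by the one narrow string; on a real dump, grep the output file for `/scripts/` as the video does.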
There are the official Guild Wars 2 APIs, and there are also the auto-trading-bot script API calls. And look, we haven't seen those calls before: set and get_online. So we can extract all new endpoints we have found and have a look at each of them. Get online users sounds really interesting, so let's see what happens when we visit the link. But it's nothing. But if you have a look at the API calls that we know, then we see that they were POST requests AND included an authentication parameter. So what we can do with Fiddler is we can select one of our previous successful calls and select "Replay", and we want to edit the request. And then we change the API call to get_online_users.php. And that worked! The response contains all online bots. And the crazy thing is: it returns them with their GW2 API KEY. This is ridiculous. The bot developers gave us an easy way to track each bot user, not only the amount of online users, but also gave us their official Guild Wars 2 API key, so we can look up their characters, how much gold they have, what kind of items they trade, their character names, the guilds they belong to, everything.

So this was in November 2017. And I have written a script that checks every hour the logged in users, and then uses their API key to pull their currently traded items. Knowing the items they are ordering and selling, and how much gold they have, I can calculate a liquid net worth of the account and track how effective this bot actually is. So we can see how rich these players are, and how long they were active. Now in February 2018, about three months later, the bot has actually shut down and is not being sold anymore. Which is kinda sad, I had hoped to collect data for a much longer time, but at least we got some data. But the video is getting pretty long now and I would like to show you a bit more, so I create a part 2 bonus video talking about the findings.