Warning!

Warning. The following publications may induce intense reasoning.

Wednesday, January 21, 2015

Cracking Tinychat



For about a year now, I have been enjoying the online service called Tinychat. It is a place where random people can create virtual rooms, and chat on camera, with a microphone, and by text.


Looks a bit different...


Their service is provided through a Flash client that handles all the technicalities. Naturally, people became curious, wanting to hack into the service, for fun. It became a sort of game, where one hacker would annoy another person's room by figuring out which data packets do what and replicating or changing them, spamming the other room with messages.

Other than spamming for fun and challenge, users figured out they could create bots. Bots are applications that mimic an actual user, but usually only to the extent that they obey another. So, if only moderators could play videos in the room, now a user with access to the bot can also play videos.

This sort of delegation lets rooms become more friendly and interactive, by reducing the workload of the moderators. The bot itself works by using RTMP and AMF libraries; the former to make the streaming connection, and the latter to encode & decode the data packets.
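As an added example (not code from this post or from the bots it mentions), here is a minimal Python decoder for AMF0, the encoding RTMP uses for command messages, of the kind one would use to inspect a captured payload. That the traffic is AMF0 rather than AMF3 is an assumption, since the post only says "AMF"; the sample bytes are a constructed generic RTMP `connect` command, not Tinychat traffic, and only the number, boolean, string, object and null types are handled.

```python
import struct

class AMF0Error(ValueError):
    """Raised on truncated, over-nested or unsupported AMF0 input."""

def _take(buf, pos, n):
    # Bounds-checked slice: captured payloads are often cut short.
    if pos + n > len(buf):
        raise AMF0Error(f"truncated: need {n} bytes at offset {pos}")
    return buf[pos:pos + n], pos + n

def _read_utf8(buf, pos):
    raw, pos = _take(buf, pos, 2)            # 16-bit big-endian length
    raw, pos = _take(buf, pos, struct.unpack(">H", raw)[0])
    return raw.decode("utf-8", errors="replace"), pos

def read_value(buf, pos=0, depth=0):
    """Decode one AMF0 value at pos; return (value, next_pos)."""
    if depth > 16:                            # refuse hostile deep nesting
        raise AMF0Error("object nesting too deep")
    marker, pos = _take(buf, pos, 1)
    t = marker[0]
    if t == 0x00:                             # number: IEEE-754 double
        raw, pos = _take(buf, pos, 8)
        return struct.unpack(">d", raw)[0], pos
    if t == 0x01:                             # boolean: one byte
        raw, pos = _take(buf, pos, 1)
        return raw != b"\x00", pos
    if t == 0x02:                             # short string
        return _read_utf8(buf, pos)
    if t == 0x05:                             # null
        return None, pos
    if t == 0x03:                             # object: key/value pairs
        obj = {}
        while True:
            key, pos = _read_utf8(buf, pos)
            if key == "":                     # empty key, then end marker 0x09
                end, pos = _take(buf, pos, 1)
                if end != b"\x09":
                    raise AMF0Error("missing object-end marker")
                return obj, pos
            obj[key], pos = read_value(buf, pos, depth + 1)
    raise AMF0Error(f"unsupported AMF0 marker 0x{t:02x}")

def decode_all(buf):
    """Decode every value in a command-message body, in order."""
    values, pos = [], 0
    while pos < len(buf):
        value, pos = read_value(buf, pos)
        values.append(value)
    return values

# Constructed sample: command name, transaction id, command object.
SAMPLE = (b"\x02\x00\x07connect" + b"\x00" + struct.pack(">d", 1.0)
          + b"\x03\x00\x03app\x02\x00\x04live\x00\x00\x09")
```
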

I have had the pleasure of working with existing PHP and Python bots, and editing them for increased functionality. I used Wireshark, filtered for the room's IP address, and sniffed out the command packets. It felt like the internet should be: a wild place, full of opportunities and troubles, inhabited by curious lively individuals.

I wanted to share all of this, in summary, with you. I have just had a good couple of weeks, coding and cracking code, enjoying the results with my friends there. I will leave you with a reference list, for those who are curious about the details. ;-)


https://www.wireshark.org/
Use the Find option to locate commands or names. Here are a few examples of filters:
ip.addr == 209.212.144.103
ip.dst == 209.212.144.117
!(ip.dst == 209.212.144.105) && frame.cap_len < 200 && !(frame.cap_len == 54)

http://pastebin.com/Aht0r1V9
An older semi-functional bot in Python, that I found while googling around. It's quite a big hint.

