_personalPrez

Prez Jordan - Blogger, House Enthusiast, Coder, and President.

~ Saturday, November 14 ~

More Cheating

So yesterday I wrote about how Python could be used to exploit this game. Alternatively, there are two more ways to exploit this game, both in JavaScript.

If you’re no good with JS, that’s cool. But I highly recommend learning it here. JS is widely used for non-secure (if they don’t need to be) web forms and other prototyping. I used over 1400 lines of it this summer working for a local university.

First step, get rid of that damn frame. Right click anywhere in the “game” and select, This Frame -> Open Frame in a New Tab. Depending on your browser, you might just need to select Open Frame in New Tab, instead of the former two-step process.

Now let’s examine the code…

<input id="eon" type="button" value="Start game!" onclick="mclick()" style="width:100%;height:150px;font-size:37px;">

So we have a button (eon) that calls mclick() when pressed. Easy enough. Let’s keep going.

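function mclick(){
  // vclick, start and interval are globals defined elsewhere in the page
  vclick += 1;
  document.getElementById('eclick').innerHTML = vclick;
  document.getElementById('eon').value = vclick;
  // the first click starts the one-second timer
  if(start == 1){interval = setInterval('sec()',1000);start = 0;}
}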

Alright, so mclick() basically just adds 1 to vclick, updates the display, and starts the one-second timer on the first click. So how can we hack this thing? Simple JavaScript injection. Enter the following into your address bar.

javascript:var i=0;for(i=0;i<1000;i++){document.getElementById('eon').click();}

What does this do? Basically “clicks” the button for you. Careful with the number here; I recommend not putting anything above 100,000 - but feel free to experiment. Hm, maybe we can make this a bit more elegant.

javascript:var i=0;for(i=0;i<1000;i++){mclick();}

Now we’re not even bothering clicking, let’s just call mclick() directly. Makes sense. Maybe we can really “hack” this thing though.

javascript:vclick=1000000;end();

Now we’re just editing vclick directly, then calling the end function. This is getting fun. Maybe we can screw with our friends a little more though. If you look closely at the JavaScript code, you can see that end() just displays the dialog, with the variable vclick mashed somewhere in there, which basically tells the world how many times you clicked. We’re already editing vclick, but who says we can’t go the extra mile?

javascript:var vclick="Hacking is great!!";end();

We just changed the variable type of vclick, and now all of your friends are gonna flip that a number isn’t even there.

Muhahahah. Have fun, and experiment - maybe exploit some other apps.

/prez
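
A hardened version of the counter, as an added example that is not part of the original post or the game's own code: state is kept in a closure and only trusted (user-generated) click events are counted, so none of the address-bar one-liners above has a global to call or overwrite. `createClickGame`, its parameters and the `onEnd` callback are assumed names.

```javascript
// Added example: hardened rewrite of the click counter. createClickGame and
// its parameters are assumed names, not taken from the game's own source.
function createClickGame(button, display, seconds, onEnd) {
  // State lives in this closure, so `javascript:vclick=...` or a console
  // assignment to a global has nothing to overwrite.
  let clicks = 0;
  let remaining = seconds;
  let timer = null;
  let finished = false;

  function finish() {
    finished = true;
    clearInterval(timer);
    onEnd(clicks); // always a number: nothing outside can retype `clicks`
  }

  function tick() {
    remaining -= 1;
    if (remaining <= 0) finish();
  }

  // Listener attached in code instead of onclick="mclick()", so there is no
  // global handler that a loop can call directly.
  button.addEventListener('click', function (event) {
    // isTrusted is false for script-generated events such as element.click()
    // or dispatchEvent(); only real user input is counted.
    if (finished || !event.isTrusted) return;
    clicks += 1;
    display.textContent = String(clicks);
    // Pass a function, not the string 'sec()', so nothing is eval'd.
    if (timer === null) timer = setInterval(tick, 1000);
  });

  // Nothing is returned: no handle to the counter or to finish() leaks out.
}

// Browser usage, with the element ids from the markup above:
// createClickGame(document.getElementById('eon'),
//                 document.getElementById('eclick'), 10, n => alert(n));
```

This only raises the bar: anyone with the browser's developer tools can still edit the page or pause the script, so a score that matters has to be validated somewhere the player does not control.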

