public bool FindMessageInstances()
{
if (OutgoingTypes.Count > 0 &&
IncomingTypes.Count > 0) return true;
ABCFile abc = ABCFiles[2];
ASClass habboMessages = abc.FindClassByName("HabboMessages");
if (habboMessages == null || habboMessages.Traits.Count < 2) return false;
ASTrait incomingMap = habboMessages.Traits[0];
ASTrait outgoingMap = habboMessages.Traits[1];
using (var mapReader = new FlashReader(
habboMessages.Constructor.Body.Bytecode.ToArray()))
{
while (mapReader.Position != mapReader.Length)
{
OPCode op = mapReader.ReadOP();
if (op != OPCode.GetLex) continue;
int mapTypeIndex = mapReader.Read7BitEncodedInt();
bool isOutgoing = (mapTypeIndex == outgoingMap.TypeIndex);
bool isIncoming = (mapTypeIndex == incomingMap.TypeIndex);
if (!isOutgoing && !isIncoming) continue;
op = mapReader.ReadOP();
if (op != OPCode.PushShort && op != OPCode.PushByte) continue;
ushort header = 0;
if (op == OPCode.PushByte)
{
header = mapReader.ReadByte();
}
else header = (ushort)mapReader.Read7BitEncodedInt();
op = mapReader.ReadOP();
if (op != OPCode.GetLex) continue;
int messageTypeIndex = mapReader.Read7BitEncodedInt();
ASMultiname messageType = abc.Constants.Multinames[messageTypeIndex];
ASClass messageInstance = abc.FindClassByName(messageType.ObjName);
if (isOutgoing) OutgoingTypes[header] = messageInstance;
else if (isIncoming) IncomingTypes[header] = messageInstance;
}
}
return (OutgoingTypes.Count > 0 &&
IncomingTypes.Count > 0);
}
public bool BypassRemoteHostCheck()
{
ABCFile abc = ABCFiles[2];
ASInstance commManager = abc.FindInstanceByName("HabboCommunicationManager");
if (commManager == null) return false;
// The "host" value is always the first slot, for now.
string hostValueSlotName = commManager.FindTraits<SlotConstantTrait>(TraitType.Slot)
.Where(t => t.Type.ObjName == "String").ToArray()[0].ObjName;
ASMethod initComponent = commManager.FindMethod("initComponent", "void").Method;
if (initComponent == null) return false;
using (var inCode = new FlashReader(initComponent.Body.Bytecode))
using (var outCode = new FlashWriter(inCode.Length))
{
int hostSlotIndex = abc.Constants.IndexOfMultiname(hostValueSlotName);
while (inCode.Position != inCode.Length)
{
OPCode op = inCode.ReadOP();
outCode.WriteOP(op);
if (op != OPCode.GetLocal_0) continue;
op = inCode.ReadOP();
outCode.WriteOP(op);
if (op != OPCode.CallPropVoid) continue;
int callPropVoidIndex = inCode.Read7BitEncodedInt();
outCode.Write7BitEncodedInt(callPropVoidIndex);
int callPropVoidArgCount = inCode.Read7BitEncodedInt();
outCode.Write7BitEncodedInt(callPropVoidArgCount);
if (callPropVoidArgCount != 0) continue;
int getPropertyNameIndex = abc.Constants
.IndexOfMultiname("getProperty");
outCode.WriteOP(OPCode.GetLocal_0);
outCode.WriteOP(OPCode.FindPropStrict);
outCode.Write7BitEncodedInt(getPropertyNameIndex);
outCode.WriteOP(OPCode.PushString);
outCode.Write7BitEncodedInt(abc.Constants.AddString("connection.info.host"));
outCode.WriteOP(OPCode.CallProperty);
outCode.Write7BitEncodedInt(getPropertyNameIndex);
outCode.Write7BitEncodedInt(1);
outCode.WriteOP(OPCode.InitProperty);
outCode.Write7BitEncodedInt(hostSlotIndex);
outCode.Write(inCode.ToArray(),
inCode.Position, inCode.Length - inCode.Position);
do op = inCode.ReadOP();
while (op != OPCode.CallPropVoid);
callPropVoidIndex = inCode.Read7BitEncodedInt();
ASMultiname callPropVoidName = abc.Constants.Multinames[callPropVoidIndex];
ASMethod connectMethod = commManager.FindMethod(callPropVoidName.ObjName, "void").Method;
RemoveHostSuffix(abc, connectMethod);
initComponent.Body.Bytecode = outCode.ToArray();
return true;
}
}
return false;
}
public ASClass GetIncomingParser(ASInstance incomingInstance)
{
if (_incomingParsersCache.ContainsKey(incomingInstance))
return _incomingParsersCache[incomingInstance];
ASClass parserClass = null;
ABCFile abc = incomingInstance.ABC;
try
{
using (var codeOut = new FlashReader(
incomingInstance.Constructor.Body.Bytecode))
{
while (codeOut.IsDataAvailable)
{
OPCode op = codeOut.ReadOP();
object[] values = codeOut.ReadValues(op);
if (op != OPCode.GetLex) continue;
var getLexIndex = (int)values[0];
ASMultiname getLexName = abc.Constants.Multinames[getLexIndex];
parserClass = abc.FindClassByName(getLexName.ObjName);
if (parserClass != null) return parserClass;
break;
}
}
ASInstance incomingSuperInstance = abc.FindInstanceByName(
incomingInstance.SuperType.ObjName);
ASMultiname parserReturnType = incomingSuperInstance
.FindGetter("parser").Method.ReturnType;
SlotConstantTrait parserSlot = incomingSuperInstance
.FindSlot("*", parserReturnType.ObjName);
foreach (ASTrait trait in incomingInstance.Traits)
{
if (trait.TraitType != TraitType.Method) continue;
var mgsTrait = (MethodGetterSetterTrait)trait.Data;
if (mgsTrait.Method.Parameters.Count != 0) continue;
using (var codeOut = new FlashReader(
mgsTrait.Method.Body.Bytecode))
{
while (codeOut.IsDataAvailable)
{
OPCode op = codeOut.ReadOP();
object[] values = codeOut.ReadValues(op);
if (op != OPCode.GetLex) continue;
var getLexIndex = (int)values[0];
ASMultiname getLexType = abc.Constants.Multinames[getLexIndex];
if (getLexType.ObjName != parserSlot.ObjName) continue;
parserClass = abc.FindClassByName(mgsTrait.Method.ReturnType.ObjName);
if (parserClass != null) return parserClass;
break;
}
}
}
return parserClass;
}
finally
{
if (parserClass != null)
_incomingParsersCache[incomingInstance] = parserClass;
}
}
protected ASMethod FindVerifyMethod(ASInstance instance, ABCFile abc, out int rsaStart)
{
List<MethodGetterSetterTrait> methodTraits =
instance.FindTraits<MethodGetterSetterTrait>(TraitType.Method);
rsaStart = -1;
foreach (MethodGetterSetterTrait mgsTrait in methodTraits)
{
ASMethod method = mgsTrait.Method;
if (method.ReturnType.ObjName != "void") continue;
if (method.Parameters.Count != 1) continue;
using (var code = new FlashReader(method.Body.Bytecode))
{
while (code.Position != code.Length)
{
OPCode op = code.ReadOP();
if (op != OPCode.GetLex) continue;
int typeIndex = code.Read7BitEncodedInt();
ASMultiname type = abc.Constants.Multinames[typeIndex];
if (type?.ObjName == "RSAKey")
{
rsaStart = code.Position;
return method;
}
}
}
}
return null;
}
protected void RemoveDeadFalseConditions(ASMethodBody body)
{
using (var inCode = new FlashReader(body.Bytecode))
using (var outCode = new FlashWriter(inCode.Length))
{
while (inCode.Position != inCode.Length)
{
OPCode op = inCode.ReadOP();
if (op != OPCode.PushFalse)
{
outCode.WriteOP(op);
continue;
}
op = inCode.ReadOP();
if (op != OPCode.PushFalse)
{
outCode.WriteOP(OPCode.PushFalse);
outCode.WriteOP(op);
continue;
}
op = inCode.ReadOP();
if (op != OPCode.IfNe)
{
outCode.WriteOP(OPCode.PushFalse);
outCode.WriteOP(OPCode.PushFalse);
outCode.WriteOP(op);
continue;
}
else inCode.ReadS24();
}
body.Bytecode = outCode.ToArray();
}
}
protected void ScanForMessageReference(Dictionary<string, ASClass> messageClasses, ASClass asClass, ASMethod method, int traitIndex, int messageRefCount = 0)
{
ABCFile abc = asClass.ABC;
ASClass messageClass = null;
using (var outCode = new FlashReader(method.Body.Bytecode))
{
while (outCode.IsDataAvailable)
{
OPCode op = outCode.ReadOP();
object[] values = outCode.ReadValues(op);
switch (op)
{
case OPCode.NewFunction:
{
var newFuncIndex = (int)values[0];
ASMethod newFuncMethod = abc.Methods[newFuncIndex];
ScanForMessageReference(messageClasses, asClass, newFuncMethod, traitIndex, messageRefCount);
break;
}
case OPCode.ConstructProp:
{
var constructPropIndex = (int)values[0];
if (messageClass != null)
{
ASMultiname constructPropType =
abc.Constants.Multinames[constructPropIndex];
if (constructPropType.ObjName == messageClass.Instance.Type.ObjName)
{
if (!_messageReferencesCache.ContainsKey(messageClass))
_messageReferencesCache[messageClass] = new List<Tuple<ASMethod, int>>();
_messageReferencesCache[messageClass].Add(
new Tuple<ASMethod, int>(method, (traitIndex + (++messageRefCount))));
}
messageClass = null;
}
break;
}
case OPCode.FindPropStrict:
{
var findPropStrictIndex = (int)values[0];
string findPropStrictObjName = abc.Constants
.Multinames[findPropStrictIndex].ObjName;
if (messageClasses.ContainsKey(findPropStrictObjName))
{
messageClass = messageClasses[findPropStrictObjName];
// Incoming messages currently not supported.
if (IncomingTypes.ContainsValue(messageClass))
messageClass = null;
}
break;
}
}
}
}
}
public bool ReplaceRSA(int exponent, string modulus)
{
ABCFile abc = ABCFiles[2];
int modulusIndex = abc.Constants.AddString(modulus);
int exponentIndex = abc.Constants
.AddString(exponent.ToString("x"));
int rsaStart = 0;
ASInstance commClass = abc.FindInstanceByName("HabboCommunicationDemo");
ASMethod verifier = FindVerifyMethod(commClass, abc, out rsaStart);
using (var inCode = new FlashReader(verifier.Body.Bytecode))
using (var outCode = new FlashWriter(inCode.Length))
{
bool searchingKeys = true;
inCode.Position = rsaStart;
outCode.Write(inCode.ToArray(), 0, rsaStart);
while (inCode.Position != inCode.Length)
{
byte codeByte = inCode.ReadByte();
outCode.Write(codeByte);
if (!searchingKeys)
{
outCode.Write(inCode.ToArray(),
inCode.Position, inCode.Length - inCode.Position);
break;
}
switch ((OPCode)codeByte)
{
case OPCode.GetLex:
{
outCode.Position--;
outCode.WriteOP(OPCode.PushString);
int typeIndex = inCode.Read7BitEncodedInt();
ASMultiname type = abc.Constants.Multinames[typeIndex];
inCode.ReadOP();
inCode.Read7BitEncodedInt();
inCode.Read7BitEncodedInt();
if (modulusIndex > 0)
{
outCode.Write7BitEncodedInt(modulusIndex);
modulusIndex = -1;
}
else if (searchingKeys)
{
outCode.Write7BitEncodedInt(exponentIndex);
searchingKeys = false;
}
break;
}
case OPCode.PushString:
{
int stringIndex = inCode.Read7BitEncodedInt();
string value = abc.Constants.Strings[stringIndex];
if (string.IsNullOrWhiteSpace(Modulus))
{
Modulus = value;
outCode.Write7BitEncodedInt(modulusIndex);
}
else if (string.IsNullOrWhiteSpace(Exponent))
{
Exponent = value;
outCode.Write7BitEncodedInt(exponentIndex);
searchingKeys = false;
}
break;
}
default: continue;
}
}
verifier.Body.Bytecode = outCode.ToArray();
if (!searchingKeys) return true;
}
return false;
}
public bool DisableExpirationDateCheck()
{
ABCFile abc = ABCFiles[2];
ASInstance windowContext = abc.FindInstanceByName("WindowContext");
if (windowContext == null) return false;
using (var inCode = new FlashReader(windowContext.Constructor.Body.Bytecode))
using (var outCode = new FlashWriter())
{
int setLocal11Itterations = 0;
while (inCode.Position != inCode.Length)
{
OPCode op = inCode.ReadOP();
outCode.WriteOP(op);
if (op != OPCode.SetLocal) continue;
int setLocalIndex = inCode.Read7BitEncodedInt();
outCode.Write7BitEncodedInt(setLocalIndex);
if (setLocalIndex != 11 || (++setLocal11Itterations != 2)) continue;
outCode.WriteOP(OPCode.ReturnVoid);
outCode.Write(inCode.ToArray(), inCode.Position,
inCode.Length - inCode.Position);
windowContext.Constructor.Body.Bytecode = outCode.ToArray();
return true;
}
}
return false;
}
protected void RemoveHostSuffix(ABCFile abc, ASMethod connectMethod)
{
using (var inCode = new FlashReader(connectMethod.Body.Bytecode))
using (var outCode = new FlashWriter(inCode.Length))
{
int ifNeCount = 0;
while (inCode.Position != inCode.Length)
{
OPCode op = inCode.ReadOP();
outCode.WriteOP(op);
if (op == OPCode.IfNe && ++ifNeCount == 2)
{
var iFNeJumpCount = (int)inCode.ReadS24();
outCode.WriteS24(iFNeJumpCount + 6);
continue;
}
else if (op != OPCode.PushInt) continue;
int pushIntIndex = inCode.Read7BitEncodedInt();
int integerValue = abc.Constants.Integers[pushIntIndex];
switch (integerValue)
{
case 65244:
case 65185:
case 65191:
case 65189:
case 65188:
case 65174:
case 65238:
case 65184:
case 65171:
case 65172:
{
pushIntIndex = abc.Constants.AddInteger(65290);
break;
}
}
outCode.Write7BitEncodedInt(pushIntIndex);
}
connectMethod.Body.Bytecode = outCode.ToArray();
}
RemoveDeadFalseConditions(connectMethod.Body);
}
protected virtual void WriteMethodHashData(BinaryWriter hashInput, ASMethod asMethod, bool writeInstructions)
{
WriteTraitsHashData(hashInput, asMethod.Body);
hashInput.Write(asMethod.Body.Exceptions.Count);
hashInput.Write(asMethod.Body.MaxStack);
hashInput.Write(asMethod.Body.LocalCount);
hashInput.Write(asMethod.Body.MaxScopeDepth);
hashInput.Write(asMethod.Body.InitialScopeDepth);
hashInput.Write(asMethod.Parameters.Count);
foreach (ASParameter parameter in asMethod.Parameters)
{
if (parameter.IsOptional)
{
hashInput.Write(parameter.IsOptional);
WriteValueSlotHashData(hashInput, parameter);
}
if (parameter.Type != null)
WriteMultinameHashData(hashInput, parameter.Type);
}
if (writeInstructions)
{
using (var codeOutput =
new FlashReader(asMethod.Body.Bytecode))
{
while (codeOutput.IsDataAvailable)
{
OPCode op = codeOutput.ReadOP();
object[] values = codeOutput.ReadValues(op);
hashInput.Write((byte)op);
}
}
}
}