<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-7454626512109390647</id><updated>2011-11-27T16:04:44.522-08:00</updated><category term='Python'/><category term='MSSQL'/><category term='Research'/><category term='Microsoft'/><category term='reverser engineering'/><category term='debugging'/><category term='cheats'/><category term='SQL Server'/><category term='Idle'/><category term='NativDebugging'/><category term='puzzle'/><category term='memory'/><category term='Minesweeper'/><category term='Security'/><category term='Passwordaizer'/><category term='reinteract'/><category term='Idlespoon'/><category term='interpreter'/><category term='Map-Hack'/><category term='hooking'/><category term='detour'/><category term='Idlefork'/><category term='cheating'/><category term='Data bases'/><category term='analysis'/><category term='DB'/><category term='Bejeweled'/><category term='pyscripter'/><category term='Sentrigo'/><category term='patching'/><category term='Hardware'/><category term='code'/><category term='mint'/><category term='LED'/><category term='Warcraft'/><category term='candy'/><category term='Facebook'/><title type='text'>Assaf Nativ's Blog</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://nativassaf.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://nativassaf.blogspot.com/'/><link rel='hub' 
href='http://pubsubhubbub.appspot.com/'/><author><name>printf</name><uri>http://www.blogger.com/profile/04228158907360222445</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://2.bp.blogspot.com/-qGjB_-fCzxg/TbBuovxp43I/AAAAAAABK1g/3iYPegLIR7w/s220/IMG_0188.JPG'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>16</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-7454626512109390647.post-8769654910408090</id><published>2011-11-15T13:33:00.001-08:00</published><updated>2011-11-18T05:36:25.328-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reverser engineering'/><category scheme='http://www.blogger.com/atom/ns#' term='Warcraft'/><category scheme='http://www.blogger.com/atom/ns#' term='cheating'/><category scheme='http://www.blogger.com/atom/ns#' term='cheats'/><category scheme='http://www.blogger.com/atom/ns#' term='Map-Hack'/><category scheme='http://www.blogger.com/atom/ns#' term='NativDebugging'/><category scheme='http://www.blogger.com/atom/ns#' term='memory'/><category scheme='http://www.blogger.com/atom/ns#' term='Python'/><category scheme='http://www.blogger.com/atom/ns#' term='Minesweeper'/><title type='text'>Map-Hack Tutorial</title><content type='html'>&lt;script language="javascript" src="http://google-code-prettify.googlecode.com/svn/trunk/src/prettify.js" type="text/javascript"&gt;&lt;/script&gt;&lt;script language="javascript" src="http://google-code-prettify.googlecode.com/svn/trunk/src/lang-css.js" type="text/javascript"&gt;&lt;/script&gt;&lt;script type="text/javascript"&gt;function addLoadEvent(func) {  var oldonload = window.onload;  if (typeof window.onload != 'function') {    window.onload = func;  } else {    window.onload = function() {      if (oldonload) {        
oldonload();      }      func();    }  }}addLoadEvent(prettyPrint);&lt;/script&gt;&lt;style type="text/css"&gt;/* Pretty printing styles. Used with prettify.js. */.str { color: #080; }.kwd { color: #008; }.com { color: #800; }.typ { color: #606; }.lit { color: #066; }.pun { color: #660; }.pln { color: #000; }.tag { color: #008; }.atn { color: #606; }.atv { color: #080; }.dec { color: #606; }pre.prettyprint { padding: 2px; border: 1px solid #888; }@media print {  .str { color: #060; }  .kwd { color: #006; font-weight: bold; }  .com { color: #600; font-style: italic; }  .typ { color: #404; font-weight: bold; }  .lit { color: #044; }  .pun { color: #440; }  .pln { color: #000; }  .tag { color: #006; font-weight: bold; }  .atn { color: #404; }  .atv { color: #060; }}&lt;/style&gt;&lt;br /&gt;Map-Hack is a cheat for strategy games such as Warcraft or Starcraft, Dice n’ Slice games like Diablo or 3d shooters games like modern warfare. The cheat as most cheats is done in order to give an unfair advantage to the player who uses it. 
In case of Warcraft a map that&amp;nbsp;usually&amp;nbsp;looks like the one in the top left corner:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/-rrNcfV-xwK4/TsLRmH8SNnI/AAAAAAABVaI/Jsvo9sefh2E/s1600/0010.WarCraft.png"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/-rrNcfV-xwK4/TsLRmH8SNnI/AAAAAAABVaI/Jsvo9sefh2E/s640/0010.WarCraft.png" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;under cheating condition, would look like this:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/-g7DowaqgrZA/TsLRyHJYJwI/AAAAAAABVaQ/-HyBdI7FhYM/s1600/0020.WarCraftII.map_cheat.png"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/-g7DowaqgrZA/TsLRyHJYJwI/AAAAAAABVaQ/-HyBdI7FhYM/s640/0020.WarCraftII.map_cheat.png" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;or even better, like this:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/-E3wQH4FstrE/TsLSBCriVbI/AAAAAAABVaY/zlHuz3N0JMs/s1600/0030.WarCraftII.map_cheat.png"&gt;&lt;img border="0" src="http://2.bp.blogspot.com/-E3wQH4FstrE/TsLSBCriVbI/AAAAAAABVaY/zlHuz3N0JMs/s640/0030.WarCraftII.map_cheat.png" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Zoomed in:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/-qqgTaIgS2l8/TsLSM_koajI/AAAAAAABVag/LhwFmxuRu_U/s1600/0040.WarcraftII_minimap_with_extra_info.png"&gt;&lt;img border="0" height="353" src="http://1.bp.blogspot.com/-qqgTaIgS2l8/TsLSM_koajI/AAAAAAABVag/LhwFmxuRu_U/s400/0040.WarcraftII_minimap_with_extra_info.png" width="400" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The idea behind it, is to give more information on the map than what is found in the regular game play. 
Information like which gold mines are wealthier, and which enemy creatures are deadlier.&lt;br /&gt;To create this kind of cheat one would have to go through two phases:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Research, in which you need to figure out how and where the map data is stored in memory, and how to find where it is stored every time the game restarts.&lt;/li&gt;&lt;li&gt;Developing, in which you write a code or a script to change the map data in real time.&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;In this tutorial I would only display the research phase up to the point of proof of concept.&lt;br /&gt;To perform this research I need an Interactive Python Interpreter. This would bring up the question of which version of Python should I use.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/-Gme75V0PDto/TsLWANymb8I/AAAAAAABVao/tK9BeuU41DY/s1600/0050.python_icon.png"&gt;&lt;img border="0" src="http://2.bp.blogspot.com/-Gme75V0PDto/TsLWANymb8I/AAAAAAABVao/tK9BeuU41DY/s200/0050.python_icon.png" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Games are for Windows. So I'm gonna use Python for Windows (Better use the one from &lt;a href="http://python.org/"&gt;Python.org&lt;/a&gt; than Active-State Python).&lt;/li&gt;&lt;li&gt;I'm about to research a 32bit process so it is better, although not a must, to use  32bit Python.&lt;/li&gt;&lt;li&gt;The tool-chain I wrote is not ported to Python 3.x just yet, because I'm lazy, so Python 2.7 or 2.6 would have to serve me this time.&lt;/li&gt;&lt;li&gt;As for the Interactive Interpreter, I prefer the &lt;a href="http://dreampie.sourceforge.net/"&gt;Dreampie&lt;/a&gt;.&lt;/li&gt;&lt;/ul&gt;The tool-chain is an external module, which helps in the task of memory research. The module is called NativDebugging, and is freely&amp;nbsp;available&amp;nbsp;at the following SVN:&amp;nbsp;&lt;a href="http://dreampie.sourceforge.net/"&gt;http://dreampie.sourceforge.net/&lt;/a&gt;. 
But, as I mentioned before, I'm lazy, so there is no installer; just use:&lt;br /&gt;&lt;br /&gt;&lt;pre name="prettyprint"&gt;python setup.py install&lt;/pre&gt;&lt;br /&gt;My NativDebugging module can be used as is, but it has extra GUI features if the PyQT module is found, so download it from:&lt;br /&gt;&lt;a href="http://www.lfd.uci.edu/~gohlke/pythonlibs/#pyqt"&gt;http://www.lfd.uci.edu/~gohlke/pythonlibs/#pyqt&lt;/a&gt;&lt;br /&gt;and double click to install.&lt;br /&gt;&lt;br /&gt;Now that I have the entire environment set up, let's get the party started. Let's start with something easy that everyone likes: Minesweeper (AKA: Winmine).&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/-ARy_uV6s61U/TsLYxWqZRsI/AAAAAAABVaw/YZ8UkVkGk-c/s1600/0170.WinMineOld.png"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/-ARy_uV6s61U/TsLYxWqZRsI/AAAAAAABVaw/YZ8UkVkGk-c/s400/0170.WinMineOld.png" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Important note: Use the old version of Minesweeper, as many internal structures are different in the new Windows Vista version that looks like this:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/-YGewmeZbU-Y/TsLZQqEJEfI/AAAAAAABVa4/gT95ZBO2Boc/s1600/0160.WinMineNew.png"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/-YGewmeZbU-Y/TsLZQqEJEfI/AAAAAAABVa4/gT95ZBO2Boc/s400/0160.WinMineNew.png" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I start by launching the game, and getting its process id. 
There are many ways to get the process id, either using the task manager or with the following command line:&lt;br /&gt;&lt;br /&gt;&lt;pre name="prettyprint"&gt;tasklist /Fi "IMAGENAME eq winmine*"&lt;/pre&gt;&lt;br /&gt;Or from Python using the NativDebugging module.&lt;br /&gt;&lt;br /&gt;&lt;pre name="prettyprint"&gt;&amp;gt;&amp;gt;&amp;gt; from NativDebugging.Win32.MemoryReader import *&lt;br /&gt;&amp;gt;&amp;gt;&amp;gt; findProcessId('winmine')&lt;br /&gt;[('winmine.exe', 376L)]&lt;br /&gt;&amp;gt;&amp;gt;&amp;gt;&lt;/pre&gt;&lt;br /&gt;Next I want to tell the NativDebugging module what the target is.&lt;br /&gt;&lt;br /&gt;&lt;pre name="prettyprint"&gt;&amp;gt;&amp;gt;&amp;gt; m = attach(376)&lt;br /&gt;&amp;gt;&amp;gt;&amp;gt; &lt;/pre&gt;&lt;br /&gt;I need to get details about where in the 4GB virtual address space memory is allocated. The m.getMemoryMapByQuery method is suited for the job. &lt;br /&gt;&lt;br /&gt;&lt;pre name="prettyprint"&gt;&amp;gt;&amp;gt;&amp;gt; memMap = m.getMemoryMapByQuery ()&lt;/pre&gt;&lt;br /&gt;This operation might take some time, depending on how much memory is really used by the target process.&lt;br /&gt;I start the search for the place in memory where the board of the game is kept, using the technique called differential search. Differential search is a search in which one starts with a picture of all the memory, and slowly filters out things that are not what one is looking for, until only a single result is left. In this example I'm looking for the top left square of the board. 
Setting up a new search is done as following:&lt;br /&gt;&lt;br /&gt;&lt;pre name="prettyprint"&gt;&amp;gt;&amp;gt;&amp;gt; from NativDebugging.Win32.DifferentialSearch import *&lt;br /&gt;&amp;gt;&amp;gt;&amp;gt; ds = DifferentialSearch(memMap, m)&lt;br /&gt;&amp;gt;&amp;gt;&amp;gt; &lt;/pre&gt;&lt;br /&gt;Now I simply, change the value of the square by uncovering it&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/-rn2DP6Xnpek/TsYxMLqRlXI/AAAAAAABVbQ/-rsNqc4w_3A/s1600/01700.WinmineStart.PNG"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/-rn2DP6Xnpek/TsYxMLqRlXI/AAAAAAABVbQ/-rsNqc4w_3A/s1600/01700.WinmineStart.PNG" /&gt;&lt;/a&gt;&lt;a href="http://4.bp.blogspot.com/-OGVXOCLkHS8/TsYxqqSvnPI/AAAAAAABVbg/b64D0Zazmsc/s1600/01705.Arrow.png"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/-OGVXOCLkHS8/TsYxqqSvnPI/AAAAAAABVbg/b64D0Zazmsc/s320/01705.Arrow.png" /&gt;&lt;/a&gt;&lt;a href="http://4.bp.blogspot.com/-8lJdVvSAK6g/TsYxR-VZ_EI/AAAAAAABVbY/kdGfGqQkqrc/s1600/01710.WinmineClicked.PNG"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/-8lJdVvSAK6g/TsYxR-VZ_EI/AAAAAAABVbY/kdGfGqQkqrc/s1600/01710.WinmineClicked.PNG" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Next I&amp;nbsp;filter&amp;nbsp;out any memory address that &amp;nbsp;has not been changed:&lt;br /&gt;&lt;br /&gt;&lt;pre name="prettyprint"&gt;&amp;gt;&amp;gt;&amp;gt; ds.removeUnchangedMemory()&lt;/pre&gt;&lt;br /&gt;The first filter can take up to few minutes, again depends on how much memory is used by the target process. 
If I wait for a little while, some of the memory will change by itself, so I can&amp;nbsp;remove any memory that changed:&lt;br /&gt;&lt;br /&gt;&lt;pre name="prettyprint"&gt;&amp;gt;&amp;gt;&amp;gt; ds.removeChangedMemory()&lt;/pre&gt;&lt;br /&gt;I continue by&amp;nbsp;causing&amp;nbsp;more changes to the first square and invoking the removeUnchangedMemory method.&lt;br /&gt;To check how many potential memory addresses are left, the "len" method on the DifferentialSearch object can be used. The filtering&amp;nbsp;process is repeated until only one or two places in memory are left.&lt;br /&gt;If you are following the process to this point, and all was done correctly, your Python Interpreter should now look something like this:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/-h8iX9oXgdrE/TsY2XuaaSQI/AAAAAAABVbo/7ETAa3JQ_bQ/s1600/01720.WinmineTargetFound.PNG"&gt;&lt;img border="0" src="http://2.bp.blogspot.com/-h8iX9oXgdrE/TsY2XuaaSQI/AAAAAAABVbo/7ETAa3JQ_bQ/s640/01720.WinmineTargetFound.PNG" /&gt;&lt;/a&gt;&lt;br /&gt;(Click on the picture to enlarge it)&lt;br /&gt;&lt;br /&gt;Now I can get the address that was found simply by looking at the DifferentialSearch object or by retrieving its data at index 0.&lt;br /&gt;&lt;br /&gt;&lt;pre name="prettyprint"&gt;&amp;gt;&amp;gt;&amp;gt; ds&lt;br /&gt;0: 0x01005360: 10404040&lt;br /&gt;&amp;gt;&amp;gt;&amp;gt; ds[0]&lt;br /&gt;16798560L&lt;/pre&gt;&lt;br /&gt;I save the address that was found in a new variable to be used later:&lt;br /&gt;&lt;br /&gt;&lt;pre name="prettyprint"&gt;&amp;gt;&amp;gt;&amp;gt; board = ds[0]&lt;/pre&gt;&lt;br /&gt;The memory can be&amp;nbsp;examined&amp;nbsp;in various ways; here are a few examples:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/-nEXvpKtg6VA/TsY4CHqqDMI/AAAAAAABVb4/hzJoSKTWaaU/s1600/01730.WinmineDisplayMemory.PNG"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/-nEXvpKtg6VA/TsY4CHqqDMI/AAAAAAABVb4/hzJoSKTWaaU/s640/01730.WinmineDisplayMemory.PNG" 
/&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;One can also try to write over the memory to see how the game behavior is changing.&lt;br /&gt;The most useful way to look at memory dumps of maps is using the mapDisplay method, which&amp;nbsp;hopefully, would show up in a new QT window as following:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/-7w0sn3n7oQE/TsY4-0i9EII/AAAAAAABVcA/T4_oPb_fW4Y/s1600/01800.WinmineMapDisplay.PNG"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/-7w0sn3n7oQE/TsY4-0i9EII/AAAAAAABVcA/T4_oPb_fW4Y/s640/01800.WinmineMapDisplay.PNG" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;All of the display parameters are accessible from both the GUI and the python object that was created with the creation of the display. I now play with the line size until the following result is reached:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/-aEI2gxJVV_k/TsY5baRYfFI/AAAAAAABVcI/oy6R6ZGq4Cc/s1600/01810.WinmineMapDisplayLineSizeSet.PNG"&gt;&lt;img border="0" src="http://1.bp.blogspot.com/-aEI2gxJVV_k/TsY5baRYfFI/AAAAAAABVcI/oy6R6ZGq4Cc/s640/01810.WinmineMapDisplayLineSizeSet.PNG" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Can you tell where all the mines are placed?&lt;br /&gt;&lt;br /&gt;The interesting part in case of minesweeper is that, the map is always found in the same place in memory, so if I start a new game, and update the data (using w.updateData()), I might get something like:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/-oNys3sD7f_M/TsY6T3dOe9I/AAAAAAABVcQ/agXJRhe9Ips/s1600/01820.WinmineAllInOnePicture.PNG"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/-oNys3sD7f_M/TsY6T3dOe9I/AAAAAAABVcQ/agXJRhe9Ips/s640/01820.WinmineAllInOnePicture.PNG" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;In real games, the principle is quite the same, though it takes more time. 
The main&amp;nbsp;difference&amp;nbsp;is that the map is&amp;nbsp;usually&amp;nbsp;allocated&amp;nbsp;dynamically&amp;nbsp;so one would also have to find a global pointer to it, to be able to locate the map in memory quickly. I have an example of the same process done on the WarCraft II strategy game, but this blog post is long enough as it is. So maybe next time.&lt;br /&gt;&lt;br /&gt;Future TODOs:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;I&amp;nbsp;believe&amp;nbsp;that the search function could be much faster, I would love to have some help in optimizing the code.&lt;/li&gt;&lt;li&gt;The GUI has lots of room for&amp;nbsp;improvements.&lt;/li&gt;&lt;li&gt;I need to write an installer, and to create a Python 3.x branch.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Cheers,&lt;/i&gt;&lt;br /&gt;&lt;i&gt;Assaf&lt;/i&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7454626512109390647-8769654910408090?l=nativassaf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nativassaf.blogspot.com/feeds/8769654910408090/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://nativassaf.blogspot.com/2011/11/map-hack-tutorial_15.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/8769654910408090'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/8769654910408090'/><link rel='alternate' type='text/html' href='http://nativassaf.blogspot.com/2011/11/map-hack-tutorial_15.html' title='Map-Hack Tutorial'/><author><name>printf</name><uri>http://www.blogger.com/profile/04228158907360222445</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://2.bp.blogspot.com/-qGjB_-fCzxg/TbBuovxp43I/AAAAAAABK1g/3iYPegLIR7w/s220/IMG_0188.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-rrNcfV-xwK4/TsLRmH8SNnI/AAAAAAABVaI/Jsvo9sefh2E/s72-c/0010.WarCraft.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7454626512109390647.post-7018255408760424009</id><published>2011-09-17T05:59:00.000-07:00</published><updated>2011-09-17T05:59:57.747-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='cheats'/><category scheme='http://www.blogger.com/atom/ns#' term='Bejeweled'/><category scheme='http://www.blogger.com/atom/ns#' term='Python'/><title type='text'>Bejeweled autopilot</title><content type='html'>The idea behind the &lt;a href="http://apps.facebook.com/bejeweledblitz"&gt;Bejeweled&lt;/a&gt;&amp;nbsp;game is as following:&lt;br /&gt;An average game status looks like this:&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-uaHtgCMqk0I/TnSY2owtJAI/AAAAAAABU8Y/2H02Q82qU1A/s1600/game.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="310" src="http://2.bp.blogspot.com/-uaHtgCMqk0I/TnSY2owtJAI/AAAAAAABU8Y/2H02Q82qU1A/s400/game.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;The player is allowed to switch between any two neighboring gems in order to create a series of three or more gems of the same color. If the player does so, the gems are destroyed, points are given, gems are falling down to fill the empty spaces, and new gems are coming from the top to fill the vacuum. 
The problem is that the player has just about one minute to destroy as many gems as possible, and it’s hard to find series of gems that quickly.&lt;br /&gt;What I did to solve this problem was to write a small Python script to capture the screen, find the best next move and simulate mouse clicks to execute it. One of the problems I faced while writing the script was identifying the kinds of gems, while the bastards kept on moving, rotating n’ glowing in different kinds of effects that usually inform the player about special bonuses. I tried to scan a 4x4 pixel square in the middle of each board square, to get a color value out of this small square, and to compare it against a table I made manually in order to decide which gem it is.&lt;br /&gt;I found out that in many cases bot scripts alter the game to change all the graphics to something more &lt;a href="http://en.wikipedia.org/wiki/Optical_character_recognition"&gt;OCR&lt;/a&gt; friendly. But I didn’t want to do that, as I’m trying to perfect the technique of writing a bot, and not to mix the two game cheating vectors. Therefore, I didn’t want to put any patches on the game, just write a bot.&lt;br /&gt;The next problem I faced was Python itself, as I found out that it’s quite slow to scan an image or to compare two images with the &lt;a href="http://www.pythonware.com/products/pil/"&gt;Python Image Library (PIL)&lt;/a&gt;. Though, it is possible that I’m misusing the library. 
Please, I would like to hear any ideas on how this part could be done better from Python, without extending Python with a custom C library.&lt;br /&gt;One lesson I learned the hard way while writing this script was that it’s very important to find the time to write code for finding the location of the game on the screen, so in case I scroll the page down a little, or just open the bookmarks toolbar, it won’t be using the hard-coded position of the game and misjudge where the gems are.&lt;br /&gt;Even so, I successfully set myself at the top score among all of my friends, but not world-wide best just yet. I found out that many fine-tunings of the script, such as what strategy to prefer, whether to aim for bonuses first, to destroy the longest chain of gems at once, or to save bonuses for later, have immense effects on scoring. Please, I would love to hear from the readers of this blog about any ideas on how to improve the script, or how you would write one in case you had to.&lt;br /&gt;&lt;br /&gt;The script is available on my SVN at &lt;a href="https://xp-dev.com/svn/Cheats"&gt;https://xp-dev.com/svn/Cheats&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Cheers,&lt;/i&gt;&lt;br /&gt;&lt;i&gt;Assaf&lt;/i&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7454626512109390647-7018255408760424009?l=nativassaf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nativassaf.blogspot.com/feeds/7018255408760424009/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://nativassaf.blogspot.com/2011/09/bejeweled-autopilot.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/7018255408760424009'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/7454626512109390647/posts/default/7018255408760424009'/><link rel='alternate' type='text/html' href='http://nativassaf.blogspot.com/2011/09/bejeweled-autopilot.html' title='Bejeweled autopilot'/><author><name>printf</name><uri>http://www.blogger.com/profile/04228158907360222445</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://2.bp.blogspot.com/-qGjB_-fCzxg/TbBuovxp43I/AAAAAAABK1g/3iYPegLIR7w/s220/IMG_0188.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-uaHtgCMqk0I/TnSY2owtJAI/AAAAAAABU8Y/2H02Q82qU1A/s72-c/game.png' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7454626512109390647.post-2725011938754295635</id><published>2011-09-02T03:47:00.000-07:00</published><updated>2011-09-17T06:02:16.720-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reverser engineering'/><category scheme='http://www.blogger.com/atom/ns#' term='Research'/><category scheme='http://www.blogger.com/atom/ns#' term='cheats'/><category scheme='http://www.blogger.com/atom/ns#' term='Python'/><title type='text'>Wonder Cheat 3</title><content type='html'>Recently I had a major nostalgic emotional burst which took me all the way to the Sega Master System ™ I had in my childhood. One of the games I remember the most from this 22 years old console is the Wonder Boy III, the Dragon’s Curse. 
So I fired up the Meka emulator and downloaded the ROM, and sat down for few hours of unlimited fun.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-aHPg8F4128E/TmCyX5JbcmI/AAAAAAABTdc/A62nLeSYlRc/s1600/Wonder%2BBoy%2B3%2BThe%2BDragon%2527s%2BTrap%2BUE-06.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="192" src="http://1.bp.blogspot.com/-aHPg8F4128E/TmCyX5JbcmI/AAAAAAABTdc/A62nLeSYlRc/s400/Wonder%2BBoy%2B3%2BThe%2BDragon%2527s%2BTrap%2BUE-06.png" width="248" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;During the search for the ROM I found out that there was another version of the game with slightly better graphics for the TurboGrafx-16 console (AKA PC-Engine) which is called the Dragon’s Curse.&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-HGKaY2NWVMw/TmCyzkltZXI/AAAAAAABTdk/UT3XKBy-M10/s1600/Dragon%2527s+Curse+%2528U%2529+%255Bb4%255D_001.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/-HGKaY2NWVMw/TmCyzkltZXI/AAAAAAABTdk/UT3XKBy-M10/s1600/Dragon%2527s+Curse+%2528U%2529+%255Bb4%255D_001.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;For the readers who never heard of WB3 or the Sega Master System, I shall explain, in short, the game’s look n’ feel. The game is some kind of a combination of RPG with a platforming action game. You need to get different kinds of swords, shields and armors by either finding them in treasure chests throughout the game, or buying them in shops found in the city. Besides the gear, the player has to collect gold, potions, magics and power ups. The game has about 6 levels that the player has to finish, while at the end of each one there is a boss that has to be destroyed. 
When a boss is beaten, the character in the game transforms into some kind of a new animal-human creature that possesses a special ability that helps him get to the next level. The characters are Hu-man, Lizard-man (Can shoot fire), Mouse-man (Very short, and able to climb some walls), Piranha-man (Can swim), Lion-man (Can punch up), Hawk-man (Can fly).&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-hrbtXMFLHdY/TmCy8CYVYHI/AAAAAAABTdo/MbmaGLcKkZg/s1600/WB3CHAR.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="69" src="http://1.bp.blogspot.com/-hrbtXMFLHdY/TmCy8CYVYHI/AAAAAAABTdo/MbmaGLcKkZg/s320/WB3CHAR.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;Bosses:&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-5GWrytnd0HA/TmCy_CiVWVI/AAAAAAABTds/4QYYwghtk40/s1600/DRAGONS.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="228" src="http://3.bp.blogspot.com/-5GWrytnd0HA/TmCy_CiVWVI/AAAAAAABTds/4QYYwghtk40/s320/DRAGONS.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;The part that I find interesting about this game is the way save games were implemented in time before Flash memory. During the game there was a place in town where the player could get a 14 characters long code that if entered in the main menu, would take him back to the same status as he was in the time of getting the code. 
&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-Tt0eD5ryHRU/TmCzELVwOJI/AAAAAAABTdw/TFU2aga7ozU/s1600/Wonder+Boy+3+The+Dragon%2527s+Trap+UE-04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://4.bp.blogspot.com/-Tt0eD5ryHRU/TmCzELVwOJI/AAAAAAABTdw/TFU2aga7ozU/s1600/Wonder+Boy+3+The+Dragon%2527s+Trap+UE-04.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-UmCU1DSKkw0/TmCzIk9wIBI/AAAAAAABTd0/1gHq8bh9fQU/s1600/Wonder+Boy+3+The+Dragon%2527s+Trap+UE-05.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://2.bp.blogspot.com/-UmCU1DSKkw0/TmCzIk9wIBI/AAAAAAABTd0/1gHq8bh9fQU/s1600/Wonder+Boy+3+The+Dragon%2527s+Trap+UE-05.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;This means these 14 characters encode the full status of the game, including the amount of Gold, Lives, Potions, Gear and more. The characters are either numbers 0 to 9, or capital ABC, excluding a few characters such as I, O &amp;amp; Q, for the reason that they look too much like 1 and 0, which could be quite confusing. Besides that, not every combination of characters is valid, meaning there must be some kind of a checksum. I remember that many years ago, every time I got bored playing the game I was trying to brute-force codes, with very little success. I was always very curious about this mechanism, and I had a belief that somewhere, there is some kind of a very special code that would turn the game upside down.&lt;br /&gt;During the last week I decided to finally satisfy this old craving and reverse engineer the secret behind this coding system. First I had to find out which CPU is used by the Sega Master System to know how to load the game in IDA. 
Wikipedia mentioned, correctly, that the Z80 is the main CPU of the console, and loading the ROM file at address zero seemed to work just fine. Second, I had to find the relevant code, so I searched the Internet for some special codes that might lead me to the right place. I found out that there is one very special code that is WE5T 0NE 0000 000, which is the name of the company that made the game. This special code could not possibly encode a game status, so it must get special treatment in the code. Searching for the string (without the spaces) through the entire file took me to the following code:&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-bUShyRvZiN8/TmCzO5On3DI/AAAAAAABTd4/RZeRNgS861c/s1600/IDA1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="640" src="http://1.bp.blogspot.com/-bUShyRvZiN8/TmCzO5On3DI/AAAAAAABTd4/RZeRNgS861c/s640/IDA1.png" width="540" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Xrefs took me to:&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-IthwpbHRbJE/TmCzd73FQ5I/AAAAAAABTd8/apNxoLq9mUE/s1600/IDA2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="540" src="http://1.bp.blogspot.com/-IthwpbHRbJE/TmCzd73FQ5I/AAAAAAABTd8/apNxoLq9mUE/s640/IDA2.png" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;From reversing I found that every character contributes exactly five bits to the data, which comes to a total of 70 bits (5 * 14) that turn into a total of 9 bytes of data. Two bits of the 9 bytes are an index into a XOR table that is then XORed with the 9 bytes. 
After the xoring, all the bytes are added together to form a checksum that is compared to the first 7 bits (which are not used in the addition). If the first 7 bits match, the code is valid and is passed to another function that sets the game state.&lt;br /&gt;I’ve written a fully functional code decoder / encoder in Python, and it is available for download from the following link:&lt;br /&gt;&lt;a href="http://xp-dev.com/svn/Cheats/"&gt;http://xp-dev.com/svn/Cheats/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Links:&lt;br /&gt;For more information about Wonder Boy III and The Dragon’s Curse follow the links below.&lt;br /&gt;&lt;a href="http://www.geocities.jp/monsterworld2/Wonderboy_Land.htm"&gt;http://www.geocities.jp/monsterworld2/Wonderboy_Land.htm&lt;/a&gt;&lt;br /&gt;&lt;a href="http://hg101.kontek.net/wonderboy/wonderboy.htm"&gt;http://hg101.kontek.net/wonderboy/wonderboy.htm&lt;/a&gt;&lt;br /&gt;&lt;a href="http://retro.ign.com/articles/930/930245p3.html"&gt;http://retro.ign.com/articles/930/930245p3.html&lt;/a&gt;&lt;br /&gt;I would like to thank them for the pictures I took from these sites without asking for permission, hope it’s ok.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Cheers,&lt;/i&gt;&lt;br /&gt;&lt;i&gt;Assaf.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;P.S.&lt;br /&gt;The Dragon’s Curse has something different in its coding system, so I will have to reverse it too. 
Does anyone know how to reverse the PC-Engine’s ROMs?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7454626512109390647-2725011938754295635?l=nativassaf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nativassaf.blogspot.com/feeds/2725011938754295635/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://nativassaf.blogspot.com/2011/09/wonder-cheat-3.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/2725011938754295635'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/2725011938754295635'/><link rel='alternate' type='text/html' href='http://nativassaf.blogspot.com/2011/09/wonder-cheat-3.html' title='Wonder Cheat 3'/><author><name>printf</name><uri>http://www.blogger.com/profile/04228158907360222445</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://2.bp.blogspot.com/-qGjB_-fCzxg/TbBuovxp43I/AAAAAAABK1g/3iYPegLIR7w/s220/IMG_0188.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-aHPg8F4128E/TmCyX5JbcmI/AAAAAAABTdc/A62nLeSYlRc/s72-c/Wonder%2BBoy%2B3%2BThe%2BDragon%2527s%2BTrap%2BUE-06.png' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7454626512109390647.post-6267143011564410050</id><published>2011-06-22T07:06:00.000-07:00</published><updated>2011-10-01T13:07:02.016-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reverser engineering'/><category scheme='http://www.blogger.com/atom/ns#' term='patching'/><category scheme='http://www.blogger.com/atom/ns#' term='debugging'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Python'/><category scheme='http://www.blogger.com/atom/ns#' term='hooking'/><category scheme='http://www.blogger.com/atom/ns#' term='detour'/><title type='text'>The way to hook</title><content type='html'>The following post is a bit more technical than usual, so my apologies to my non-pirate friends. Hooking is the art of altering code in memory to introduce new functionality to an existing program. I won’t be discussing all the uses that might be found for hooking, but rather the different techniques for doing so. In general there are four common ways to implement a hook function under Windows platforms.&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;b&gt;Windows standard hooking API.&amp;nbsp;&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Detours technique&amp;nbsp;&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;IAT hooks, AKA Richter’s hooks&amp;nbsp;&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;DLL proxy&amp;nbsp;&lt;/b&gt;&lt;/li&gt;&lt;/ol&gt;I’ll cover these briefly in this post. After that I’ll tell the reader about my small and insignificant addition to method number three. All of the methods are well covered in Ivo Ivanov’s codeproject page &lt;a href="http://www.codeproject.com/KB/system/hooksys.aspx"&gt;http://www.codeproject.com/KB/system/hooksys.aspx&lt;/a&gt;&lt;br /&gt;The more general principle of what hooking really is, is covered in Wikipedia &lt;a href="http://en.wikipedia.org/wiki/Hooking"&gt;http://en.wikipedia.org/wiki/Hooking&lt;/a&gt;&lt;br /&gt;So I won’t dive into details, as it would take much more than a single blog post to cover just the simplest of the four.&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;b&gt;#1&lt;/b&gt;&lt;br /&gt;The Windows standard hooking is the somewhat official way to write hooks, and is part of the Win32 APIs. 
The main function to look for in the MSDN is SetWindowsHookEx, and it’s all well covered in the following MSDN link:&lt;br /&gt;(&lt;a href="http://msdn.microsoft.com/en-us/library/ms644959%28v=vs.85%29.aspx"&gt;http://msdn.microsoft.com/en-us/library/ms644959%28v=vs.85%29.aspx&lt;/a&gt;).&lt;br /&gt;If you are looking for a way to hook or intercept Windows messages, this might be your way to go.&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;b&gt;#2&lt;/b&gt;&lt;br /&gt;Detours are the idea of injecting a small piece of code at the beginning of a function to jump to another place in memory and execute the code from there, before going back and executing the original function. The main problem with this method is that in the injection process we have to overwrite a small part of the original function, and then we have to recover it in the “detour” function.&lt;br /&gt;Microsoft provides us with a nice library to automate the detours injection, and recovering of the deleted code, with their Detours library &lt;a href="http://research.microsoft.com/en-us/projects/detours/"&gt;http://research.microsoft.com/en-us/projects/detours/&lt;/a&gt;&lt;br /&gt;Other detours projects:&lt;br /&gt;Easyhook:&lt;br /&gt;A. &lt;a href="http://easyhook.codeplex.com/"&gt;http://easyhook.codeplex.com/&lt;/a&gt;&lt;br /&gt;B. &lt;a href="http://code.google.com/p/easyhook-continuing-detours/"&gt;http://code.google.com/p/easyhook-continuing-detours/&lt;/a&gt;&lt;br /&gt;This method is also good for performance testing and other debugging issues.&lt;br /&gt;&lt;i&gt;BTW: Microsoft likes this method so much that they introduced a compiler flag that makes sure we have room for injecting our detour. If the flag is set, the compiler adds the “mov edi, edi” opcode to the beginning of every function, and some extra free space between every two functions. 
Detouring becomes very easy when working on a program that has been compiled with the flag.&lt;/i&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;b&gt;#3&lt;/b&gt;&lt;br /&gt;First introduced by the great Jeffrey Richter, and well documented with simple source code in his book “Windows via C/C++” &lt;a href="http://www.wintellect.com/cs/blogs/jeffreyr/archive/2008/03/14/windows-via-c-c-table-of-contents.aspx"&gt;http://www.wintellect.com/cs/blogs/jeffreyr/archive/2008/03/14/windows-via-c-c-table-of-contents.aspx&lt;/a&gt;. The principle behind this method is changing the Import Address Table (IAT) of a DLL / EXE, so that it points to different functions than the ones it’s supposed to. The code samples from Jeffrey’s book are available at &lt;a href="http://wintellect.com/Books.aspx"&gt;http://wintellect.com/Books.aspx&lt;/a&gt;.&amp;nbsp;This technique is very strong for hooking at run-time. Best combined with DLL preload (AppInit_DLLs). A good usage example is presented in the following blog post:&amp;nbsp;&lt;a href="http://www.the-interweb.com/serendipity/index.php?/archives/2-Skinmine-Elaborating-on-Jeffrey-Richters-Trojan-DLL-method-for-API-hooking.html"&gt;http://www.the-interweb.com/serendipity/index.php?/archives/2-Skinmine-Elaborating-on-Jeffrey-Richters-Trojan-DLL-method-for-API-hooking.html&lt;/a&gt;&lt;br /&gt;&lt;i&gt;Note: There is a very similar method on most *nix platforms called LD_PRELOAD.&lt;/i&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;b&gt;#4&lt;/b&gt;&lt;br /&gt;Create a DLL with the same name as the DLL containing the function we want to hook. The new DLL should contain stub functions for all the functions that we don’t want to hook, meaning a small function that just calls the original function from the original DLL, and a hook function for each of the functions that we do want to hook. There are many good tutorials on this subject, and they can be easily found using Bing Google. 
I’ll have to recommend the ones from codeproject.com:&amp;nbsp;&lt;a href="http://www.codeproject.com/KB/DLL/CreateYourProxyDLLs.aspx"&gt;http://www.codeproject.com/KB/DLL/CreateYourProxyDLLs.aspx&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.codeproject.com/KB/DLL/Creating_a_Proxy_DLL.aspx"&gt;http://www.codeproject.com/KB/DLL/Creating_a_Proxy_DLL.aspx&lt;/a&gt;&lt;br /&gt;If you are looking for a good way to create persistent hooks, that are not injected at run-time, this might be your choice.&lt;/div&gt;&lt;br /&gt;&lt;div&gt;Now for my small original contribution:&lt;br /&gt;I've&amp;nbsp;started working on a Python C++ code generator (That's a Python script to generate C++ code) for hooks of type 3. The idea is to make life easier for writing many hooks. I’ll be taking advantage of this new code generator on Thursday at the DC9723 Hackathon (&lt;a href="http://dc9723.org/Hackathon"&gt;http://dc9723.org/Hackathon&lt;/a&gt;), for creating a module to alter OpenGL / DirectX behavior in real-time.&amp;nbsp;The project is Open Source and anyone can browse it at: &lt;a href="https://xp-dev.com/svn/DirectHook/trunk/"&gt;https://xp-dev.com/svn/DirectHook/trunk/&lt;/a&gt;&amp;nbsp;Or SVN to it at: &lt;a href="http://xp-dev.com/svn/DirectHook/"&gt;http://xp-dev.com/svn/DirectHook/&lt;/a&gt;&amp;nbsp;Please contact me to commit changes, or to join me in developing.&amp;nbsp;Hopefully, this module will allow a user to alter 3d games by changing camera angles, changing the light conditions, modifying textures or just seeing through walls. 
One of the targets is to get to something like this:&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-bUEAyJM0v7A/TgH10TN3vAI/AAAAAAABOdo/rJWqd_GX-eY/s1600/Mathack.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://4.bp.blogspot.com/-bUEAyJM0v7A/TgH10TN3vAI/AAAAAAABOdo/rJWqd_GX-eY/s400/Mathack.jpg" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;(Stolen from Wikipedia &lt;a href="http://en.wikipedia.org/wiki/Valve_Anti-Cheat"&gt;http://en.wikipedia.org/wiki/Valve_Anti-Cheat&lt;/a&gt;)&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Happy hooking,&lt;br /&gt;&lt;i&gt;Assaf.&lt;/i&gt;&lt;/div&gt;&lt;br /&gt;--------------------------------------------------------------------------------&lt;br /&gt;Update:&lt;br /&gt;It was lots of fun working at the Hackathon, thanks to all the Ninjas who helped with the coding. I found the problem that caused the demo to run very slowly. It seems like opengl32.dll calls LoadLibrary almost every time an OpenGL API is invoked. This makes the hooking method we used quite problematic, as it adds a small overhead to each LoadLibrary call. The small overhead became very big, thanks to how often it is called. 
I would refactor the code to use proxy dll next time I’ll have a few hours to spare.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;&lt;br /&gt;Cheers,&lt;br /&gt;Assaf.&lt;br /&gt;&lt;/i&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7454626512109390647-6267143011564410050?l=nativassaf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nativassaf.blogspot.com/feeds/6267143011564410050/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://nativassaf.blogspot.com/2011/06/way-to-hook.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/6267143011564410050'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/6267143011564410050'/><link rel='alternate' type='text/html' href='http://nativassaf.blogspot.com/2011/06/way-to-hook.html' title='The way to hook'/><author><name>printf</name><uri>http://www.blogger.com/profile/04228158907360222445</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://2.bp.blogspot.com/-qGjB_-fCzxg/TbBuovxp43I/AAAAAAABK1g/3iYPegLIR7w/s220/IMG_0188.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-bUEAyJM0v7A/TgH10TN3vAI/AAAAAAABOdo/rJWqd_GX-eY/s72-c/Mathack.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7454626512109390647.post-6159211982195839832</id><published>2011-05-05T11:22:00.000-07:00</published><updated>2011-11-18T03:43:09.175-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='puzzle'/><category scheme='http://www.blogger.com/atom/ns#' term='code'/><category scheme='http://www.blogger.com/atom/ns#' term='Python'/><title 
type='text'>Snaky Cube</title><content type='html'>&lt;script type="text/javascript" language="javascript" src="http://google-code-prettify.googlecode.com/svn/trunk/src/prettify.js"&gt;&lt;/script&gt;&lt;script type="text/javascript" language="javascript" src="http://google-code-prettify.googlecode.com/svn/trunk/src/lang-css.js"&gt;&lt;/script&gt;&lt;script type="text/javascript"&gt;function addLoadEvent(func) {  var oldonload = window.onload;  if (typeof window.onload != 'function') {    window.onload = func;  } else {    window.onload = function() {      if (oldonload) {        oldonload();      }      func();    }  }}addLoadEvent(prettyPrint);&lt;/script&gt;&lt;style type="text/css"&gt;/* Pretty printing styles. Used with prettify.js. */.str { color: #080; }.kwd { color: #008; }.com { color: #800; }.typ { color: #606; }.lit { color: #066; }.pun { color: #660; }.pln { color: #000; }.tag { color: #008; }.atn { color: #606; }.atv { color: #080; }.dec { color: #606; }pre.prettyprint { padding: 2px; border: 1px solid #888; }@media print {  .str { color: #060; }  .kwd { color: #006; font-weight: bold; }  .com { color: #600; font-style: italic; }  .typ { color: #404; font-weight: bold; }  .lit { color: #044; }  .pun { color: #440; }  .pln { color: #000; }  .tag { color: #006; font-weight: bold; }  .atn { color: #404; }  .atv { color: #060; }}&lt;/style&gt;&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;The following is a puzzle that I’ve encountered at the Kubiot (Cubes) restaurant in Tel-Aviv.&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-C1VHpRck_P4/TbBn2KgvqjI/AAAAAAABKsw/vF8620iDAiY/s1600/IMG_20110130_224030.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="482" src="http://3.bp.blogspot.com/-C1VHpRck_P4/TbBn2KgvqjI/AAAAAAABKsw/vF8620iDAiY/s640/IMG_20110130_224030.jpg" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;The target of the puzzle is to 
make a 4x4x4 cube out of this snake-like shape. The small cubes are connected to each other with a cord so it’s only possible to rotate them, but not to change their position. This puzzle is a larger version of a similar puzzle that makes a 3x3x3 cube.&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-keJnsq8ZN3E/TbBn1bmvG1I/AAAAAAABKsg/gA_oePlhMTk/s1600/IMG_1592.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="276" src="http://4.bp.blogspot.com/-keJnsq8ZN3E/TbBn1bmvG1I/AAAAAAABKsg/gA_oePlhMTk/s400/IMG_1592.JPG" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&amp;nbsp;Where the target is to get to this:&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/--x7Du050_1M/TbBn1_s6IYI/AAAAAAABKso/U5XzjSrL0FY/s1600/IMG_1593.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="292" src="http://1.bp.blogspot.com/--x7Du050_1M/TbBn1_s6IYI/AAAAAAABKso/U5XzjSrL0FY/s400/IMG_1593.JPG" width="400" /&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;The guy at the restaurant said that he would give a free meal to anyone who solves it on the spot. Don’t be fooled by the 3x3x3 version of the puzzle, this one is a hard task indeed, given the fact that even for a guy who knew the solution beforehand, it took about 15 minutes to set it right. So I decided to go “pirate” on this one, and take the picture that you saw at the top.&lt;br /&gt;My milestones are:&lt;br /&gt;&lt;ol style="text-align: left;"&gt;&lt;li&gt;Writing a script to solve it at home.&lt;/li&gt;&lt;li&gt;Memorizing the solution.&lt;/li&gt;&lt;li&gt;Collecting my ~10$ prize.&lt;/li&gt;&lt;/ol&gt;&amp;nbsp;1. 
Brute-forcing the solution.&lt;br /&gt;Python to the rescue.&lt;br /&gt;I entered all the information about the puzzle as the lengths of the straight segments that cannot be rotated:&lt;br /&gt;&lt;pre name="prettyprint"&gt;data = [3,1,2,1,1,3,1,2,1,2,1,2,1,1,1,1,1,1,1,1,2,2,1,1,1,1,1,2,3,1,1,1,3,1,2,1,1,1,1,1,1,1,1,1,3,1]&lt;/pre&gt;My approach is to build a 4x4x4 array of zeros and try to fill it with squares. I defined a Point3D class for the millionth time, and set up the cube.&lt;br /&gt;Two small questions that came up during the writing:&lt;br /&gt;1. Does anyone know about a simple implementation of Point3D in Python, so I won’t have to write it again?&lt;br /&gt;2. Does anyone know about a simpler way to define the 4x4x4 cube other than:&lt;br /&gt;&lt;br /&gt;&lt;pre name="prettyprint"&gt;cube = []&lt;br /&gt;for x in xrange(4):&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; ll = []&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; for y in xrange(4):&lt;br /&gt;&amp;nbsp;&amp;nbsp;      l = []&lt;br /&gt; &amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; for z in xrange(4):&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; l.append(0)&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; ll.append(l)&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; cube.append(ll)&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;Now I define all the valid moves in the puzzle, and recursively include the next valid moves, since they depend on the last move.&lt;br /&gt;&lt;br /&gt;&lt;pre name="prettyprint"&gt;XDirectionP = (Point3D( 1,&amp;nbsp; 0,&amp;nbsp; 0), [])&lt;br /&gt;XDirectionM = (Point3D(-1,&amp;nbsp; 0,&amp;nbsp; 0), [])&lt;br /&gt;YDirectionP = (Point3D( 0,&amp;nbsp; 1,&amp;nbsp; 0), [])&lt;br /&gt;.&lt;br /&gt;.&lt;br /&gt;.&lt;br /&gt;&lt;br /&gt;XDirectionP[1].append(YDirectionP)&lt;br /&gt;XDirectionP[1].append(YDirectionM)&lt;br /&gt;XDirectionP[1].append(ZDirectionP)&lt;br 
/&gt;XDirectionP[1].append(ZDirectionM)&lt;br /&gt;YDirectionP[1].append(XDirectionP)&lt;br /&gt;.&lt;br /&gt;.&lt;br /&gt;.&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;The main recursion is as following:&lt;br /&gt;&lt;br /&gt;&lt;pre name="prettyprint"&gt;def nextMove(pos, dataLeft, currentDirections):&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; global cube&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; global highestLevel&lt;br /&gt;&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; if 0 == len(dataLeft):&lt;br /&gt;    &amp;nbsp;&amp;nbsp;&amp;nbsp; return True&lt;/pre&gt;&lt;pre name="prettyprint"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; length = dataLeft[0]&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; for move in currentDirections:&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; newPos = pos + (move[0] * length)&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; if isValidLocation(newPos):&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; if tryToSetCubes(pos, move[0], length, len(dataLeft)):&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; if nextMove(newPos, dataLeft[1:], move[1]):&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; return True&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; clearCubes(pos, move[0], length)&lt;br /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; return False&lt;/pre&gt;&lt;br /&gt;Apparently this solution, is good enough it took %d seconds to solve it, no extra improvements were required... 
That’s sad, I kinda’ hoped for something more advanced.&lt;br /&gt;&lt;br /&gt;2.&lt;br /&gt;I’ve translated the result into a string of the first letters of the valid moves (Left, Right, Up, Down, In, Out), just to get the 46-letter string “RULODRIULOLILURORIRODLOLUIUODIROUIRDODILDROLUR”.&lt;br /&gt;Next I called my good friend Werner, to make a sentence out of the string so it would be easier to memorize. The genius came up with the following:&lt;br /&gt;“Recently, upon learning of dental recovery, Ian Underwood laughed out loud. In laughing, underwood remarked, optimal recovery is realized. ordinarily, during laughing out loud, universal imagery unfolds. Or does it? Regardless of universal imagery, rarely do old dying imbeciles laugh. Don't ruin our laughter, Underwood remarked.”&lt;br /&gt;&lt;br /&gt;3.&lt;br /&gt;Here I returned to the restaurant with two of my good friends who helped me act as if I were working towards the solution by trial and error, doing very well but having no clue what I was doing. On setting the very last move of the solution, a cracking sound echoed through the place, leaving me with a baffled look at what had happened.&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-ij_GILWCooM/TaS8XUEEY2I/AAAAAAABKnY/OBQWGnApWfs/s1600/IMG_20110411_213919.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="300" src="http://4.bp.blogspot.com/-ij_GILWCooM/TaS8XUEEY2I/AAAAAAABKnY/OBQWGnApWfs/s400/IMG_20110411_213919.jpg" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Alas!!!, I shouted out loud, realizing that not only am I not going to get a free meal, but I will probably have to buy them a new puzzle. Fortunately, they told me not to worry, and that it happens all the time; they would replace the cord by next week, so I could try again then.&lt;br /&gt;&lt;br /&gt;Now, three weeks later, they still haven’t fixed it! 
I started to look-up this puzzle to check where they bought it, and I found the following web site:&lt;br /&gt;&lt;a href="http://www.gaya-game.co.il/"&gt;http://www.gaya-game.co.il/&lt;/a&gt;&lt;br /&gt;Or more specifically:&lt;br /&gt;&lt;a href="http://www.gaya-game.co.il/?categoryId=31183&amp;amp;itemId=60119"&gt;http://www.gaya-game.co.il/?categoryId=31183&amp;amp;itemId=60119&lt;/a&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7454626512109390647-6159211982195839832?l=nativassaf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nativassaf.blogspot.com/feeds/6159211982195839832/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://nativassaf.blogspot.com/2011/05/snaky-cube.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/6159211982195839832'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/6159211982195839832'/><link rel='alternate' type='text/html' href='http://nativassaf.blogspot.com/2011/05/snaky-cube.html' title='Snaky Cube'/><author><name>printf</name><uri>http://www.blogger.com/profile/04228158907360222445</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://2.bp.blogspot.com/-qGjB_-fCzxg/TbBuovxp43I/AAAAAAABK1g/3iYPegLIR7w/s220/IMG_0188.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-C1VHpRck_P4/TbBn2KgvqjI/AAAAAAABKsw/vF8620iDAiY/s72-c/IMG_20110130_224030.jpg' height='72' 
width='72'/><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7454626512109390647.post-7568437239191648136</id><published>2011-03-31T07:33:00.000-07:00</published><updated>2011-09-20T13:08:04.625-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='LED'/><category scheme='http://www.blogger.com/atom/ns#' term='Hardware'/><category scheme='http://www.blogger.com/atom/ns#' term='Sentrigo'/><category scheme='http://www.blogger.com/atom/ns#' term='Python'/><title type='text'>CruiseControl Reporting, Attention &amp; Posting (CRAP)</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;span id="internal-source-marker_0.24514090971135793" style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"&gt;Few posts ago, I told the readers of this very blog about a device I bought from Dealextreme (&lt;/span&gt;&lt;a href="http://www.dealextreme.com/p/usb-webmail-notifier-for-pc-laptop-1m-cable-39949"&gt;&lt;span style="background-color: transparent; color: #000099; font-family: Arial; font-size: 11pt; font-style: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline;"&gt;1&lt;/span&gt;&lt;/a&gt;&lt;span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"&gt;, &lt;/span&gt;&lt;a href="http://www.dealextreme.com/p/usb-universal-e-mail-webmail-im-notifier-gmail-outlook-outlook-express-pop3-27062"&gt;&lt;span style="background-color: transparent; color: #000099; font-family: Arial; font-size: 11pt; font-style: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline;"&gt;2&lt;/span&gt;&lt;/a&gt;&lt;span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; 
font-weight: normal; text-decoration: none; vertical-align: baseline;"&gt;) for notifying about incoming E-Mails, and how I patched the program that came with it. To freshen your memory, the USB device is an envelope-shaped box that can glow in eight different colors. The device is identified by Windows as a regular HID device, which means that no drivers are required for most OSs. The colors are generated by an RGB LED, which probably supports many other color variations (requires hardware modifications).&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-JLO8hXnq_dE/TZNmkolYVqI/AAAAAAABKiI/_seVeFNpqdE/s1600/IMG_1541.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="240" src="http://1.bp.blogspot.com/-JLO8hXnq_dE/TZNmkolYVqI/AAAAAAABKiI/_seVeFNpqdE/s320/IMG_1541.JPG" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"&gt;Since then I’ve made a small &lt;/span&gt;&lt;a href="http://svn3.xp-dev.com/svn/USBEmailNotifier/"&gt;&lt;span style="background-color: transparent; color: #000099; font-family: Arial; font-size: 11pt; font-style: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline;"&gt;open source Python project&lt;/span&gt;&lt;/a&gt;&lt;span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"&gt; for controlling this device and making it useful.&lt;/span&gt;&lt;br /&gt;&lt;span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-weight: 
normal; text-decoration: none; vertical-align: baseline;"&gt;Someone  told me he used this device as a good start for his project in computer  control of many electricity gadgets at his house. As a public service, I  attach here some images of the device from within.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-frBs_Lwi7Yg/TZNmlYOYiTI/AAAAAAABKig/E0GmykG3L_U/s1600/IMG_1543.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="240" src="http://2.bp.blogspot.com/-frBs_Lwi7Yg/TZNmlYOYiTI/AAAAAAABKig/E0GmykG3L_U/s320/IMG_1543.JPG" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-O6DxRmpyJYo/TZNmllL_T_I/AAAAAAABKis/Hn6zZ4XhkUI/s1600/IMG_1544.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="400" src="http://3.bp.blogspot.com/-O6DxRmpyJYo/TZNmllL_T_I/AAAAAAABKis/Hn6zZ4XhkUI/s400/IMG_1544.JPG" width="300" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-mY5m4H4UrOs/TZNmmBcNiEI/AAAAAAABKi4/fy0KNBpqKVY/s1600/IMG_1545.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="240" src="http://1.bp.blogspot.com/-mY5m4H4UrOs/TZNmmBcNiEI/AAAAAAABKi4/fy0KNBpqKVY/s320/IMG_1545.JPG" width="320" 
/&gt;&lt;/a&gt;&lt;/div&gt;&lt;span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"&gt;It seems like, there is some room on this board to add more LEDs or something, please tell me if you manage to figure out more details about it. If you want to use this board to connect it to some external device, you can remove the LED (it's the white square at the middle), and weld something else instead. I couldn't figure out what kind of a chip the black one is, and whether it's possible to reprogram it. I would open another device next week, hopefully to answer few of these questions. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"&gt;These  days I’ve made a compiling / building notification system at my work  place, so I would know whom to feed to the sharks, when the build fails.  
Here’s a picture of the system.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-38WbVSaU7Vk/TZNmnSOs-zI/AAAAAAABKkc/tMjnBnDmLd8/s1600/IMG_1548.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="640" src="http://4.bp.blogspot.com/-38WbVSaU7Vk/TZNmnSOs-zI/AAAAAAABKkc/tMjnBnDmLd8/s640/IMG_1548.JPG" width="513" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"&gt;I’ve added the source for this system (everything but the CruiseControl password ;) under the XP-Dev SVN project (&lt;/span&gt;&lt;a href="http://svn3.xp-dev.com/svn/USBEmailNotifier/CControlLED.py"&gt;&lt;span style="background-color: transparent; color: #000099; font-family: Arial; font-size: 11pt; font-style: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline;"&gt;CControlLED.py&lt;/span&gt;&lt;/a&gt;&lt;span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"&gt;).&lt;/span&gt;&lt;br /&gt;&lt;span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"&gt;Please feel free to use it, and share your own projects.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-weight: normal; text-decoration: none; 
vertical-align: baseline;"&gt;Few updates:&lt;/span&gt;&lt;br /&gt;&lt;span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"&gt;I've got two other devices, and added support for them:&lt;/span&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-KFANHRWooTc/TckDa-27tQI/AAAAAAABLhA/9UVPZWqE9ag/s1600/IMG_1739.JPG" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://1.bp.blogspot.com/-KFANHRWooTc/TckDa-27tQI/AAAAAAABLhA/9UVPZWqE9ag/s320/IMG_1739.JPG" width="240" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-7X7eK_wG98U/TckDbkhg3DI/AAAAAAABLhI/xVnmU7I8vsg/s1600/IMG_1741.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://4.bp.blogspot.com/-7X7eK_wG98U/TckDbkhg3DI/AAAAAAABLhI/xVnmU7I8vsg/s320/IMG_1741.JPG" width="240" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-KpoaEItxogw/TckDdKspdsI/AAAAAAABLhc/LeiwyWbT-YU/s1600/IMG_1746.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="240" src="http://1.bp.blogspot.com/-KpoaEItxogw/TckDdKspdsI/AAAAAAABLhc/LeiwyWbT-YU/s320/IMG_1746.JPG" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-Yyojrx0QjMY/TckDdvG60KI/AAAAAAABLhk/TrURdqP_OS8/s1600/IMG_1748.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="240" src="http://4.bp.blogspot.com/-Yyojrx0QjMY/TckDdvG60KI/AAAAAAABLhk/TrURdqP_OS8/s320/IMG_1748.JPG" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" 
style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-ZiypidYbs9s/TckDdxLDoUI/AAAAAAABLho/v8VGTHqqX4w/s1600/IMG_1749.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="240" src="http://3.bp.blogspot.com/-ZiypidYbs9s/TckDdxLDoUI/AAAAAAABLho/v8VGTHqqX4w/s320/IMG_1749.JPG" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-KFANHRWooTc/TckDa-27tQI/AAAAAAABLhA/9UVPZWqE9ag/s1600/IMG_1739.JPG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"&gt;&lt;br /&gt;&lt;/a&gt;&lt;/div&gt;&lt;span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"&gt;And I also found the type of the chip:&lt;/span&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-ZJbSlxeAV4U/TckDcxzWRcI/AAAAAAABLhY/rgQiJvsVjc0/s1600/IMG_1745.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="240" src="http://3.bp.blogspot.com/-ZJbSlxeAV4U/TckDcxzWRcI/AAAAAAABLhY/rgQiJvsVjc0/s320/IMG_1745.JPG" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-weight: normal; text-decoration: none; vertical-align: baseline;"&gt;Which is most probably: &lt;a href="http://www.sonix.com.tw/sonix/product.do?p=SN8P2212"&gt;http://www.sonix.com.tw/sonix/product.do?p=SN8P2212&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7454626512109390647-7568437239191648136?l=nativassaf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://nativassaf.blogspot.com/feeds/7568437239191648136/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://nativassaf.blogspot.com/2011/03/cruisecontrol-reporting-attention.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/7568437239191648136'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/7568437239191648136'/><link rel='alternate' type='text/html' href='http://nativassaf.blogspot.com/2011/03/cruisecontrol-reporting-attention.html' title='CruiseControl Reporting, Attention &amp; Posting (CRAP)'/><author><name>printf</name><uri>http://www.blogger.com/profile/04228158907360222445</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://2.bp.blogspot.com/-qGjB_-fCzxg/TbBuovxp43I/AAAAAAABK1g/3iYPegLIR7w/s220/IMG_0188.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-JLO8hXnq_dE/TZNmkolYVqI/AAAAAAABKiI/_seVeFNpqdE/s72-c/IMG_1541.JPG' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7454626512109390647.post-1552554654993022880</id><published>2011-03-04T23:55:00.000-08:00</published><updated>2011-05-06T04:03:17.743-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='analysis'/><category scheme='http://www.blogger.com/atom/ns#' term='reverser engineering'/><category scheme='http://www.blogger.com/atom/ns#' term='mint'/><category scheme='http://www.blogger.com/atom/ns#' term='memory'/><category scheme='http://www.blogger.com/atom/ns#' term='candy'/><title type='text'>Looking Into the Eye of the Bits</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;During the past four years I've been developing tools for research and 
implementation of a new type of software analysis. I've discussed these tools on a various occasions such as RECon2010, Nullcon2011 and DC9723.&lt;br /&gt;The purpose of these tools is to recover internal implementation details using only passive memory analysis, and without requiring any disassembly. &lt;br /&gt;These tools are now available under GPL license on the following links:&lt;br /&gt;&lt;a href="http://code.google.com/p/pymint/%20"&gt;http://code.google.com/p/pymint/ &lt;/a&gt;&lt;br /&gt;&lt;a href="http://code.google.com/p/pycandy/"&gt;http://code.google.com/p/pycandy/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The latest version of the presentation + WP is available in the SVN of pymint:&lt;br /&gt;&lt;a href="http://code.google.com/p/pymint/source/browse/Docs/"&gt;http://code.google.com/p/pymint/source/browse/Docs/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;For more details on the subject you are more than welcome to visit the websites of the kind conferences which gave me the place to mumble about my work:&lt;br /&gt;&lt;a href="http://nullcon.net/speakers/bakkar/"&gt;http://nullcon.net/speakers/bakkar/&lt;/a&gt;&lt;br /&gt;&lt;a href="http://recon.cx/2010/speakers.html#memory"&gt;http://recon.cx/2010/speakers.html#memory&lt;/a&gt;&lt;br /&gt;&lt;a href="http://wiki.dc9723.org/wiki/Meetings"&gt;http://wiki.dc9723.org/wiki/Meetings&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I'm currently looking for more places to spread my word, if you know of such, please contact me. 
&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7454626512109390647-1552554654993022880?l=nativassaf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nativassaf.blogspot.com/feeds/1552554654993022880/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://nativassaf.blogspot.com/2011/03/looking-into-eye-of-bits.html#comment-form' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/1552554654993022880'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/1552554654993022880'/><link rel='alternate' type='text/html' href='http://nativassaf.blogspot.com/2011/03/looking-into-eye-of-bits.html' title='Looking Into the Eye of the Bits'/><author><name>printf</name><uri>http://www.blogger.com/profile/04228158907360222445</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://2.bp.blogspot.com/-qGjB_-fCzxg/TbBuovxp43I/AAAAAAABK1g/3iYPegLIR7w/s220/IMG_0188.JPG'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7454626512109390647.post-8922529617879359062</id><published>2010-11-26T08:21:00.000-08:00</published><updated>2010-11-26T08:21:56.028-08:00</updated><title type='text'>He must be very proud of himself...</title><content type='html'>He must be very proud of himself, the engineer who designed the stereo system in my car.&lt;br /&gt;Look at it.&lt;br /&gt;&lt;img height="480px;" id="internal-source-marker_0.6889308609603606" src="https://lh6.googleusercontent.com/NDCaH7C7xvqbM5lRjgqMls3ncm_TKzm2zVUzy0GmG0HIIDrZivVX2i2Ec-ue0FC1xn9lfoc8pdLPtqiFPPLUCmF5907GahZf_cNoQcBXh1suHkGX8w" width="640px;" /&gt;&lt;br /&gt;Just look at 
it...&lt;br /&gt;&lt;img height="480px;" id="internal-source-marker_0.6889308609603606" src="https://lh5.googleusercontent.com/yS4e6i9G2Mnvw-MT8tzt-YzMwYQc9oI-ILWzClrx2XjcrQR8vbc8y_R4rwX3P8gi6jY32wcbXzQuf76uzdKYHKtSMwjZtOXN6GkVk_I5ceMU_pZBeQ" width="640px;" /&gt;&lt;br /&gt;You see the round button in the middle, well, don’t be fooled, that's no ordinary button.&lt;br /&gt;This witch-crafted button can be rotated in both directions, can be pushed in, can be pushed up, down, left, right and all the corners as well. And it’s surrounded by smaller buttons all around it.&lt;br /&gt;This small, yet special in its own way, button is the control for the entire system, and maybe the entire universe (but I couldn’t find the menu for that, just yet). At the beginning I thought that this marvelous system had no memory for radio stations, but I couldn't be more wrong. It’s got a handful of memory, only it’s very nearly impossible to set it up. I think the guys from Pioneer saw the Onion &lt;a href="http://www.youtube.com/watch?v=8AyVh1_vWYQ"&gt;http://www.youtube.com/watch?v=8AyVh1_vWYQ&lt;/a&gt; about Sony's new piece of shit, and thought they must have one of their own, to show those bastards at Sony who can make a bigger piece of shit. One might say that I’m just an incapable user, and I’m not a good example, and one won’t be so far from the truth in most cases, but not on this one. To prove my point I called my good hearty, Mr. Werner, to try to program the channels on this thing during an hour's drive. Mr. Werner, who is a certified genius, took about 20 minutes to figure out how to perform the task, and then said “No way, it’s that painful”. I had him explain the process here:&lt;br /&gt;&lt;div style="color: #666666;"&gt;“Do you mind leaving me alone, please. 
I don’t care about your dumb blog, OK?!”&lt;/div&gt;&lt;br /&gt;I’ve done this test with other smart guys, one of them my brother who is an electronics engineer, and quite smart indeed, has taken about 20 minutes to figure it out, with just small help from me (that’s a good record, trust me), but refused to go through the pain of actually setting a stations.&lt;br /&gt;Besides that, it’s a great system with features such as AUX in jacket, A USB stick reader, MP3, WMA and many other formats support, nice blue-tooth integration, and so on, and so on...&lt;br /&gt;&lt;br /&gt;P.S.&lt;br /&gt;Watch the following music video &lt;a href="http://www.youtube.com/watch?v=7Hwe-Pt7Fe0"&gt;http://www.youtube.com/watch?v=7Hwe-Pt7Fe0&lt;/a&gt;, and click the like button, will ya?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7454626512109390647-8922529617879359062?l=nativassaf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nativassaf.blogspot.com/feeds/8922529617879359062/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://nativassaf.blogspot.com/2010/11/he-must-be-very-proud-of-himself.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/8922529617879359062'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/8922529617879359062'/><link rel='alternate' type='text/html' href='http://nativassaf.blogspot.com/2010/11/he-must-be-very-proud-of-himself.html' title='He must be very proud of himself...'/><author><name>printf</name><uri>http://www.blogger.com/profile/04228158907360222445</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://2.bp.blogspot.com/-qGjB_-fCzxg/TbBuovxp43I/AAAAAAABK1g/3iYPegLIR7w/s220/IMG_0188.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7454626512109390647.post-8769975250048474217</id><published>2010-08-06T07:15:00.000-07:00</published><updated>2011-04-21T11:09:43.021-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='reinteract'/><category scheme='http://www.blogger.com/atom/ns#' term='Idlespoon'/><category scheme='http://www.blogger.com/atom/ns#' term='Research'/><category scheme='http://www.blogger.com/atom/ns#' term='Idlefork'/><category scheme='http://www.blogger.com/atom/ns#' term='pyscripter'/><category scheme='http://www.blogger.com/atom/ns#' term='interpreter'/><category scheme='http://www.blogger.com/atom/ns#' term='Python'/><category scheme='http://www.blogger.com/atom/ns#' term='Idle'/><title type='text'>Python as a Research Tool</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;I love the Python programming language. It amazes me how, when someone writes pseudo code to describe some algorithm, it tends to be valid or almost valid Python code, even if the person who wrote it has no idea what Python is. Python is just the most natural way for humans to describe code.&lt;br /&gt;Today I would like to discuss the uses of Python as a research tool. I tend to believe that many different kinds of research could benefit from this tool. I use Python for any kind of research I perform. Let’s take a look at my Python usage during the day:&lt;br /&gt;First, for any calculation I need to do, I use Python instead of calc.exe. This way I’ve got a log of all the operations I’ve been doing, I can play with the numbers in various ways, and see how everything changes if I just change a value in any of the steps of my calculation. I find the Python Reinteract interpreter to be the best environment for the task. 
For those of you who are not familiar with Python Reinteract, it’s an interpreter in which you can go back to any executed line and change it, and see all the results reevaluated in cascade. A little bit like a Soviet encyclopedia, because it’s possible to rewrite history.&lt;br /&gt;This tool brings us to my college studies, where I use Python to solve Linear Algebra and Calculus questions. The math modules that come with Python and the linear algebra modules that come with the Reinteract environment are perfect to solve, test, visualize, check guesses and gain a better understanding of the studies.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_Y_ahNBaJj0I/TFwdbP1f7QI/AAAAAAABBQs/lVDyqpZXQSY/s1600/Reinteract1.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"&gt;&lt;img alt="" border="0" height="586" id="BLOGGER_PHOTO_ID_5502305198684499202" src="http://2.bp.blogspot.com/_Y_ahNBaJj0I/TFwdbP1f7QI/AAAAAAABBQs/lVDyqpZXQSY/s640/Reinteract1.png" style="display: block; margin: 0px auto 10px; text-align: center;" width="640" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_Y_ahNBaJj0I/TFwdf56rY6I/AAAAAAABBRI/tf2MG0-9mqQ/s1600/Reinteract2.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"&gt;&lt;img alt="" border="0" height="586" id="BLOGGER_PHOTO_ID_5502305278699987874" src="http://1.bp.blogspot.com/_Y_ahNBaJj0I/TFwdf56rY6I/AAAAAAABBRI/tf2MG0-9mqQ/s640/Reinteract2.png" style="display: block; margin: 0px auto 10px; text-align: center;" width="640" /&gt;&lt;/a&gt;&lt;a href="http://3.bp.blogspot.com/_Y_ahNBaJj0I/TFwczbV3JPI/AAAAAAABBOU/vc1NFCjznIc/s1600/merge.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"&gt; &lt;/a&gt;&lt;a href="http://1.bp.blogspot.com/_Y_ahNBaJj0I/TFwdkLWiQJI/AAAAAAABBRQ/VVB9DUACp5M/s1600/Reinteract3.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"&gt;&lt;img alt="" border="0" height="586" 
id="BLOGGER_PHOTO_ID_5502305352099709074" src="http://1.bp.blogspot.com/_Y_ahNBaJj0I/TFwdkLWiQJI/AAAAAAABBRQ/VVB9DUACp5M/s640/Reinteract3.png" style="display: block; margin: 0px auto 10px; text-align: center;" width="640" /&gt;&amp;nbsp;&lt;/a&gt; &lt;a href="http://3.bp.blogspot.com/_Y_ahNBaJj0I/TFwczbV3JPI/AAAAAAABBOU/vc1NFCjznIc/s1600/merge.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"&gt;&lt;br /&gt;&lt;/a&gt;&lt;br /&gt;But my true love is Idle-spoon, a simple variation of the well-known idle-fork. The things that were added to the idle-fork in the idle-spoon version are better navigation, a Squeezer (shown in the pictures below) and enabling of more than one instance. When I perform research, the current state of the interpreter holds my current knowledge of the inspected target. I can access any piece of information, because it is all stored in global variables. This allows me to play with the data to try to make some sense of it.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_Y_ahNBaJj0I/TFwdqngzyhI/AAAAAAABBRs/5JBRWtHVobM/s1600/mint_sample1.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"&gt;&lt;img alt="" border="0" height="439" id="BLOGGER_PHOTO_ID_5502305462738209298" src="http://4.bp.blogspot.com/_Y_ahNBaJj0I/TFwdqngzyhI/AAAAAAABBRs/5JBRWtHVobM/s640/mint_sample1.png" style="display: block; margin: 0px auto 10px; text-align: center;" width="640" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_Y_ahNBaJj0I/TFweTzOblFI/AAAAAAABBUM/CMlNFTm68ng/s1600/mint_sample2.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"&gt;&lt;img alt="" border="0" height="439" id="BLOGGER_PHOTO_ID_5502306170256987218" src="http://1.bp.blogspot.com/_Y_ahNBaJj0I/TFweTzOblFI/AAAAAAABBUM/CMlNFTm68ng/s640/mint_sample2.png" style="display: block; margin: 0px auto 10px; text-align: center;" width="640" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a 
href="http://2.bp.blogspot.com/_Y_ahNBaJj0I/TFweYnJtmjI/AAAAAAABBUU/0fhgZxhubUc/s1600/mint_sample3.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"&gt;&lt;img alt="" border="0" height="401" id="BLOGGER_PHOTO_ID_5502306252915317298" src="http://2.bp.blogspot.com/_Y_ahNBaJj0I/TFweYnJtmjI/AAAAAAABBUU/0fhgZxhubUc/s640/mint_sample3.png" style="display: block; margin: 0px auto 10px; text-align: center;" width="640" /&gt;&lt;/a&gt;&lt;br /&gt;The only thing I feel the lack of is a good assembly debugger to work inside the Python interpreter. As for PDB, I see no use for it due to the GDB syndrome it shows. GDB is a command line debugger that can make a good platform for writing debugging tools. But using the GDB directly is something that tends to be quite slow, ineffective, and limiting of expressiveness.&lt;br /&gt;I’m currently checking the PyScripter, to see if it is any good, for now I can just say that it looks like there are still some functions missing or incomplete.&lt;br /&gt;&lt;br /&gt;Other than the variants above (all built upon cPython), I found that there are more variants, such as iPython which doesn’t have any GUI based environment, and therefore I find it to be just a bit less comfort to work with. I love vim, and I sometimes use gvim to write big scripts. I once read in a book that there is a good eclipse plugin for developing Python, but it has no instant interpreter, and therefore should not be considered for research. And for last and least, the Iron Python / Jython, which should both be considered blasphemy. The implementation of the Python VM inside of the Java VM or any other VM, is something that makes no sense to me. 
It usually suffers from the lack of many modules that I’m used to work with, if it works at all.&lt;br /&gt;&lt;br /&gt;Links:&lt;br /&gt;&lt;a href="http://www.reinteract.org/trac/"&gt;http://www.reinteract.org/trac/&lt;/a&gt;&lt;br /&gt;&lt;a href="http://idlespoon.python-hosting.com/"&gt;http://idlespoon.python-hosting.com/&lt;/a&gt;&lt;br /&gt;&lt;a href="http://code.google.com/p/pyscripter/"&gt;http://code.google.com/p/pyscripter/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Big thanks to the Fox for helping on the making of this blog post.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7454626512109390647-8769975250048474217?l=nativassaf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nativassaf.blogspot.com/feeds/8769975250048474217/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://nativassaf.blogspot.com/2010/08/python-as-research-tool.html#comment-form' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/8769975250048474217'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/8769975250048474217'/><link rel='alternate' type='text/html' href='http://nativassaf.blogspot.com/2010/08/python-as-research-tool.html' title='Python as a Research Tool'/><author><name>printf</name><uri>http://www.blogger.com/profile/04228158907360222445</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://2.bp.blogspot.com/-qGjB_-fCzxg/TbBuovxp43I/AAAAAAABK1g/3iYPegLIR7w/s220/IMG_0188.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_Y_ahNBaJj0I/TFwdbP1f7QI/AAAAAAABBQs/lVDyqpZXQSY/s72-c/Reinteract1.png' height='72' 
width='72'/><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7454626512109390647.post-127365785461933624</id><published>2010-03-26T11:52:00.000-07:00</published><updated>2010-03-26T11:55:00.152-07:00</updated><title type='text'>Cellphones Party</title><content type='html'>A cellphone is actually a computer with a microphone and an amplifier.&lt;br /&gt;We  used to think that its speakers are quite lousy, and rightfully so,  because they've got no sound box which is a crucial part in creating a  good natural sound. Nonetheless our judgment is based mostly on phone  calls' quality which is pretty bad because of the GSM encoding the voice  go through when going over the cellular network.&lt;br /&gt;Current phone  technology though, with smart phones such as the iPhone, the N95 and  Android based phones got better sound quality than ever before. These  phones became quite popular recently, striking me with the idea of  putting a bunch of those phones together to play music. The quantity of  phones might just prove enough to compensate for the quality.&lt;br /&gt;&lt;br /&gt;My  idea is to write an application for smart phones, to find all the phones  running the application that are located in the same room (or  preselected phones). The application will synchronize the phones by  locating the distance and direction from each other, and then play some  music as best as possible. Finding the direction and distance might be  as easy as playing a short tone, and waiting for a reply from the other  phones over Bluetooth or similar means. By measuring the reply time of  about three or four phones, it's possible to calculate the direction and  distance.&lt;br /&gt;&lt;br /&gt;Although the phones won't produce the best music  quality, it could be fun to play with. For instance:&lt;br /&gt;1. Playing  perfect surround sound, which means making sound as if it is coming from  different parts of the room, even from places with no phones.&lt;br /&gt;2.  
Creating Active Noise Control, or an interference sound wave. This can create better sound, cancel out noises or even create a sound that only a certain person or a group of people in the room could hear. As far as I understand, it is a bit outside the plausible range of the speakers and the computational power of the CPU, but I would love to hear more on the subject from anyone who's got a better understanding.&lt;br /&gt;3. Creating a sonar, to build a 3D map of the room and the objects it contains. Again, my lack of understanding forbids me from knowing the plausibility of the challenge.&lt;br /&gt;&lt;br /&gt;On a different but related subject, I like the idea that everyone at a party would have the ability to vote for the next song on the playlist. It is already common to find in restaurants song menus from which you can choose a song by sending an SMS, but still, adding it as an extra interaction between the party-goers and the DJ has some added value to the concept. Allowing people to watch the playlist of the party, vote for songs, and send insulting messages to all the people who vote for U2 songs is a must for every successful party.&lt;br /&gt;&lt;br /&gt;P.S.&lt;br /&gt;I forgot to thank Werner for helping me on the last post. 
Big thanks  goes to Omer for this one, check out his new awesome fun web-game @ &lt;a href="http://www.knowthesong.com/app/" id="vgba" title="http://www.knowthesong.com/app/"&gt;http://www.knowthesong.com/app/&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7454626512109390647-127365785461933624?l=nativassaf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nativassaf.blogspot.com/feeds/127365785461933624/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://nativassaf.blogspot.com/2010/03/cellphones-party.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/127365785461933624'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/127365785461933624'/><link rel='alternate' type='text/html' href='http://nativassaf.blogspot.com/2010/03/cellphones-party.html' title='Cellphones Party'/><author><name>printf</name><uri>http://www.blogger.com/profile/04228158907360222445</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://2.bp.blogspot.com/-qGjB_-fCzxg/TbBuovxp43I/AAAAAAABK1g/3iYPegLIR7w/s220/IMG_0188.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7454626512109390647.post-753532286807229794</id><published>2010-03-18T10:04:00.001-07:00</published><updated>2010-05-08T02:09:11.277-07:00</updated><title type='text'>Patch like there's no tommorow</title><content type='html'>On this post I would like to tell the story of three little binary  patches I've done recently. I find patching to be the highest form of  hacking, it requires decent reverse engineering skills combined with  good OS understanding. 
Every Pirate must have its own eye patch.&lt;br /&gt;&lt;br /&gt;1.  Gmail Notifier:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_Y_ahNBaJj0I/S-UqKtyAB1I/AAAAAAAAAIo/5t7WAlwfFO4/s1600/GmailNotifier.jpg"&gt;&lt;img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 400px; height: 258px;" src="http://2.bp.blogspot.com/_Y_ahNBaJj0I/S-UqKtyAB1I/AAAAAAAAAIo/5t7WAlwfFO4/s400/GmailNotifier.jpg" alt="" id="BLOGGER_PHOTO_ID_5468823686087706450" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Not long ago I bought a USB mail notifier, which is a  small LED lamp in the shape of an envelope, that glitters every time I  get a new email. About 8 USDs on DealExtreme (&lt;a href="http://www.dealextreme.com/details.dx/sku.27062" id="ao5." title="http://www.dealextreme.com/details.dx/sku.27062"&gt;http://www.dealextreme.com/details.dx/sku.27062&lt;/a&gt;).  I didn't quite like the software it came with, so I decided I would add  the ability of turning the LED on n' off to some better mail notifier.  I've spent some time figuring out how to control it using a C++ tool  that I wrote, that did not work whatsoever. After some frustrating long  hours of reading on the MSDN, I turned to reverse engineer the C#  software that came with the device combing some USB port monitoring.  After failing again to turn on this stupid LED, I called Python to the  rescue. I found out that there is an HID USB module for Python that  makes life so much easier. I must say that the Python module was so good  at explaining everything, that after two minutes of playing with it, I  instantly got the freaking device on, I understood what was wrong with  my C++ code and I gained a better understanding of the entire HID  mechanism. And my message for everyone who reads this post is, don't  work hard, use Python. Anyhow, now I got a small script that sets the  USB device to whatever color I choose. 
I installed the Gmail notifier  that is written by Google, set it up, and almost instinctively loaded it  to IDA. Strings like "%d unread mails" or "No new mails" were easy to  find, so it became quite clear where the patch should go. Using Ollydbg,  I wrote the patch down. Ollydbg has a good assembling option, where one  can enter assembly code easily, check the encoding and later copy it  into the original EXE file. Easy as one, two, three. If anyone has ideas  on ways to improve this process, please do tell.&lt;br /&gt;&lt;br /&gt;2. SWF32.dll.  I've written before about my Flash games cheating experience. One of the  problems I was telling you about was patching an Action Script byte  code at real time, because after the Flash VM loads the code it changes  it and optimizes it, and makes it hard for me to find the relevant code  in the memory. So I wanted to add an option to patch an SWF file just  after the browser is done loading it, but a second before it's loaded by  the VM. The SWF file format supports ZLib compression, and most of the  games out there take advantage of it. So I thought a good place to patch  would be after the file is inflated. On this attempt I wanted to write  down a patch that is a bit more complicated; a patch that would load a  set of binary alterings for the SWF file from some text file, check that  the original bytes match the target (To avoid oopsies) and apply. So  for this patch I used the Microsoft Detours Library, published for free,  examples included, on the MSDN. I found the detour library to be very  intuitive and useful.&lt;br /&gt;&lt;br /&gt;3. The Matrix. I found the bug on the  Matrix that allows Neo to jump over buildings, I fixed it and banned the  user... 
Ok, I had another real patch, but I think I'll save it for  another time.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7454626512109390647-753532286807229794?l=nativassaf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nativassaf.blogspot.com/feeds/753532286807229794/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://nativassaf.blogspot.com/2010/03/patch-like-theres-no-tommorow.html#comment-form' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/753532286807229794'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/753532286807229794'/><link rel='alternate' type='text/html' href='http://nativassaf.blogspot.com/2010/03/patch-like-theres-no-tommorow.html' title='Patch like there&apos;s no tommorow'/><author><name>printf</name><uri>http://www.blogger.com/profile/04228158907360222445</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://2.bp.blogspot.com/-qGjB_-fCzxg/TbBuovxp43I/AAAAAAABK1g/3iYPegLIR7w/s220/IMG_0188.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_Y_ahNBaJj0I/S-UqKtyAB1I/AAAAAAAAAIo/5t7WAlwfFO4/s72-c/GmailNotifier.jpg' height='72' width='72'/><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7454626512109390647.post-4227131180304171706</id><published>2009-11-27T13:12:00.000-08:00</published><updated>2009-12-02T10:08:23.984-08:00</updated><title type='text'>Generic Game</title><content type='html'>&lt;p class="MsoNormal"&gt;I like playing card games, and lucky me, there is a huge variety of card games to choose from.&lt;br /&gt;Some of the games I like to play got a PC version as 
well; Solitaire, Hearts or even Taki are all very common casual games to play on the computer. I tried to figure out why all the PC versions of these games are so dull, poorly implemented, and generally very limited. For example, there is a house rule in the real-life version of Taki that if someone is left with only one card in hand he must declare "Last card", or else he has to draw another seven cards. The problem with the PC implementations of Taki is that they are not aware of this rule, and there is no way for players to add it to the game. Another example would be the lack of undo in the Windows Solitaire game.&lt;br /&gt;&lt;br /&gt;Now, it's one thing to say, "Oh, look at all these crappy games", and another to show that it's possible to implement them considerably better with less effort. So let me explain what could be done better.&lt;br /&gt;When some people gather for a good game of Munchkin, the only thing that supervises the game and makes sure everyone is playing by the rules is the players themselves, and none but them. I suggest creating a new gaming system that would replace all other PC card games whatsoever. The new system would have no rules programmed into it. That's right: no rules. Leaving out the need for rules would make it much easier to program. Rules take the most time and effort to program; one can compare them to a big state machine, which nobody likes to write down, and nobody should. Furthermore, the more options a game has, such as the "Last card" rule in Taki, the more of a pain it is to program, and the poor developers are doomed to always forget some rule that exists in the real-world game. It's time to give the players back control over the game, and untie the bondage. All we need is a system that provides full disclosure of what is going on in the game. 
In this new kind of system, no one would be able to make a move in the game without every other player knowing about it, but nothing would stop them from making it. I believe it is cryptographically possible to build such an environment from basic building blocks of modern cryptography; this is essentially the classic "mental poker" problem. Moreover, it would be possible to prove that someone drew a random card from a virtual deck, while no one but the player who drew it learns which card it is.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;Of course, we are still left with the problem of two players joining forces to win the game together, but that is a problem in the non-virtual world as well.&lt;br /&gt;&lt;br /&gt;I say it is time for us to have a decent card-game system, made specifically for card games but not for any one game in particular. The platform would let anyone load whatever kind of cards he or she likes, as long as that person has the card images in his or her arsenal of cards. It would be possible to take a card and put it on a virtual game table, or to hold it in a virtual hand. Any player would be able to see what is going on at the table and to count the number of cards the other players are holding in their hands. 
Many games got different common move, such as putting a card from your hand on the table sides up in one game and sides down in another, therefor configurability is highly important.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;So who wants to write it down with me?&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7454626512109390647-4227131180304171706?l=nativassaf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nativassaf.blogspot.com/feeds/4227131180304171706/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://nativassaf.blogspot.com/2009/11/generuc-game.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/4227131180304171706'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/4227131180304171706'/><link rel='alternate' type='text/html' href='http://nativassaf.blogspot.com/2009/11/generuc-game.html' title='Generic Game'/><author><name>printf</name><uri>http://www.blogger.com/profile/04228158907360222445</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://2.bp.blogspot.com/-qGjB_-fCzxg/TbBuovxp43I/AAAAAAABK1g/3iYPegLIR7w/s220/IMG_0188.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7454626512109390647.post-4406765004086568929</id><published>2009-10-23T07:39:00.000-07:00</published><updated>2009-10-23T07:42:05.552-07:00</updated><title type='text'>Call waiting the feature that can't</title><content type='html'>I'm not so sure if this thing is the same all over the would, but what I'm gonna describe here is the horrors of call waiting in Israel.&lt;br /&gt;From the old times in which we used to share the booties over 
BBSs, the times when we used to play duke3d / c&amp;amp;c over modem connection, and the times of the very first steps we stumbled in the new born technology that is the Internet, the call waiting was a nothing but a big pain in the $%*. I remember how everybody just looked for a way to disable this new awful feature. Today, the feature turned to be, rightfully, a great deal of laughter material for many sitcoms.&lt;br /&gt;Once one chooses to use it, he can never be sure about who would show up on the other side after clicking the green button. The situation I found the most annoying is getting a call waiting while listing to the recorded messages. Not only that it's impossible Ignore the call waiting due to the fact that all the buttons on your phone are now used only for the purpose of answering the call, but if you choose to take the incoming call, you are ought to lose the last message for ever, with no chance to ever recover it. Just say "NO" to call waiting.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7454626512109390647-4406765004086568929?l=nativassaf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nativassaf.blogspot.com/feeds/4406765004086568929/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://nativassaf.blogspot.com/2009/10/call-waiting-feature-that-cant.html#comment-form' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/4406765004086568929'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/4406765004086568929'/><link rel='alternate' type='text/html' href='http://nativassaf.blogspot.com/2009/10/call-waiting-feature-that-cant.html' title='Call waiting the feature that 
can&apos;t'/><author><name>printf</name><uri>http://www.blogger.com/profile/04228158907360222445</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://2.bp.blogspot.com/-qGjB_-fCzxg/TbBuovxp43I/AAAAAAABK1g/3iYPegLIR7w/s220/IMG_0188.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7454626512109390647.post-968800867229480755</id><published>2009-09-02T10:09:00.000-07:00</published><updated>2011-11-18T03:46:11.468-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='DB'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='reverser engineering'/><category scheme='http://www.blogger.com/atom/ns#' term='Data bases'/><category scheme='http://www.blogger.com/atom/ns#' term='Sentrigo'/><category scheme='http://www.blogger.com/atom/ns#' term='Research'/><category scheme='http://www.blogger.com/atom/ns#' term='SQL Server'/><category scheme='http://www.blogger.com/atom/ns#' term='Passwordaizer'/><category scheme='http://www.blogger.com/atom/ns#' term='Microsoft'/><category scheme='http://www.blogger.com/atom/ns#' term='MSSQL'/><title type='text'>Sentrigo Passwordizer</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left;"&gt;I haven't posted for quite some time as my recent fun project failed to produce any worthwhile results. I hope to find the time to polish it, to be able to publish something.&lt;br /&gt;&lt;br /&gt;Meanwhile some interesting stuff has happened at my work which is worth writing about.&lt;br /&gt;I have found some security flaw in the all mighty SQL Server database, all versions included.&lt;br /&gt;My company, Sentrigo, has asked me to write a Proof Of Concept which later we decided to make into a tool which mitigates the problem. 
We published the tool for free download on our website &lt;a href="http://www.sentrigo.com/passwords" id="luev" title="http://www.sentrigo.com/passwords"&gt;http://www.sentrigo.com/passwords&lt;/a&gt;.&lt;br /&gt;The tool created some buzz &lt;span class="Apple-style-span" style="background-color: white;"&gt;&lt;span style="color: white;"&gt;(We call it &lt;/span&gt;&lt;span style="color: white;"&gt;buzzwordizer&lt;/span&gt;&lt;span style="color: white;"&gt;)&lt;/span&gt;&lt;/span&gt;, so I decided to write down what exactly stands behind it.&lt;br /&gt;&lt;br /&gt;It appears that SQL Server keeps in memory the plaintext password of every user who is currently logged in with SQL Server authentication (the native SQL login, available only when the instance runs in mixed mode). The passwords are stored deliberately, in an internal data structure holding login information. That structure stays allocated for as long as the session exists; these are not stale leftovers lying around in freed heap blocks. I know this for sure, because I succeeded in writing a tool that follows a chain of pointers at constant offsets, from the global sessions table to every password. Needless to say, I have never seen these passwords vanish from memory for as long as the user is still logged in. &lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left;"&gt;&lt;br /&gt;There are only two ways to log in to SQL Server. One is this method; the other is Windows authentication, which lets Windows perform the entire login process. The latter method does not have this flaw, since Windows handles the credential exchange and SQL Server never handles the password itself. Microsoft suggests that you use Windows authentication, and in some cases even refers to the other method as deprecated. 
Despite that, Sentrigo has learned that many users still use the less recommended method, because it is easier to configure.&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left;"&gt;&lt;br /&gt;Now, one may ask what is so wrong with keeping plaintext passwords in memory? Every trained Ninja knows that a highly privileged login (local administrator or debug rights) is required to read another process's memory, and once such a login is obtained, the sky is the limit for what its holder can do anyway. On the other hand, up until SQL Server 2008 there was a SQL command, DBCC BYTES, that let a privileged database user read the server process's memory remotely, over an ordinary database connection. Note that a privileged database user is not necessarily a local machine administrator; on the contrary, some organizations deliberately separate the two roles for security reasons, and this flaw breaks that separation.&lt;br /&gt;Furthermore, the flaw could be combined with any other bug that merely leaks process memory to create a remote password dumper, although I am not aware of any such bug at the moment.&lt;/div&gt;&lt;div class="MsoNormal" style="direction: ltr; text-align: left;"&gt;&lt;br /&gt;To summarize, I would like to quote my CTO Slavik Markovich, from one of the posts published about this bug:&lt;br /&gt;&lt;i&gt;"Developers go to great lengths to ensure passwords are not even transmitted in clear text (for example at the time of login), let alone stored in a readable form.  Users have come to expect that their personal passwords, are exactly that –personal – and that not even administrators can see them. Exploiting this vulnerability, an administrator will be able to see the passwords of users and applications that have connected to SQL Server, all the way back to the last restart. We respectfully disagree with Microsoft’s view that  since it requires administrative privileges, the risk is mitigated.  
Even if you trust your admins, there are plenty of hackers capable of gaining escalated privileges, who could now easily access other systems across the network using these passwords."&lt;br /&gt;&lt;/i&gt;&lt;br /&gt;All in all, I would not rank this alongside a remote code execution vulnerability, but it does indicate weak security considerations in the design, and it could lead to bigger problems: as the quote above points out, a password harvested this way may well be reused on other systems in the network.&lt;br /&gt;&lt;br /&gt;The thing I found most amazing about it is the way the Microsoft Security Response Team downplayed it. I have met more than one person from the team in the past, and I must say that the team includes some well-trained Ninjas who really should be admired for their good understanding of technical and low-level details. They are all well familiar with every security aspect, and they have done some miraculous work in the past. On the other hand, from my point of view, they got a big fail on bureaucracy. They were quoting from their books about how you should always trust your administrators, and by doing so they failed to address this bug in the correct manner. Last but not least, the bug is still there. &lt;span class="Apple-style-span" style="background-color: white;"&gt;&lt;span style="color: white;"&gt;Bruce,&lt;/span&gt; &lt;span style="color: white;"&gt;to me you are still a phenomenal Ninja. 
&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;Relevant  links:&lt;br /&gt;&lt;a href="http://www.sentrigo.com/" id="f0xe" title="http://www.sentrigo.com/"&gt;http://www.sentrigo.com/&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.sentrigo.com/passwords" id="d1r3" title="http://www.sentrigo.com/passwords"&gt;http://www.sentrigo.com/passwords&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.slaviks-blog.com/" id="glga" title="http://www.slaviks-blog.com/"&gt;http://www.slaviks-blog.com/&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.businesswire.com/portal/site/google/?ndmViewId=news_view&amp;amp;newsId=20090902005149&amp;amp;newsLang=en" id="pf4r" title="http://www.businesswire.com/portal/site/google/?ndmViewId=news_view&amp;amp;newsId=20090902005149&amp;amp;newsLang=en"&gt;http://www.businesswire.com/portal/site/google/?ndmViewId=news_view&amp;amp;newsId=20090902005149&amp;amp;newsLang=en&lt;/a&gt;&lt;br /&gt;&lt;a href="http://searchsecurity.techtarget.com/loginMembersOnly/1,289498,sid14_gci1366853,00.html" id="y1ey" title="http://searchsecurity.techtarget.com/loginMembersOnly/1,289498,sid14_gci1366853,00.html"&gt;http://searchsecurity.techtarget.com/loginMembersOnly/1,289498,sid14_gci1366853,00.html&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.securitypronews.com/insiderreports/insider/spn-49-20090902PasswordFlawFoundInMicrosoftSQLServer.html" id="zuts" title="http://www.securitypronews.com/insiderreports/insider/spn-49-20090902PasswordFlawFoundInMicrosoftSQLServer.html"&gt;http://www.securitypronews.com/insiderreports/insider/spn-49-20090902PasswordFlawFoundInMicrosoftSQLServer.html&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.eweek.com/c/a/Security/Microsoft-Downplays-SQL-Server-Database-Vulnerability-893487/" id="jqmo" title="http://www.eweek.com/c/a/Security/Microsoft-Downplays-SQL-Server-Database-Vulnerability-893487/"&gt;http://www.eweek.com/c/a/Security/Microsoft-Downplays-SQL-Server-Database-Vulnerability-893487/&lt;/a&gt;&lt;/div&gt;&lt;div 
class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7454626512109390647-968800867229480755?l=nativassaf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nativassaf.blogspot.com/feeds/968800867229480755/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://nativassaf.blogspot.com/2009/09/sentrigo-passwordizer.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/968800867229480755'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/968800867229480755'/><link rel='alternate' type='text/html' href='http://nativassaf.blogspot.com/2009/09/sentrigo-passwordizer.html' title='Sentrigo Passwordizer'/><author><name>printf</name><uri>http://www.blogger.com/profile/04228158907360222445</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://2.bp.blogspot.com/-qGjB_-fCzxg/TbBuovxp43I/AAAAAAABK1g/3iYPegLIR7w/s220/IMG_0188.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7454626512109390647.post-5892449761464515628</id><published>2009-08-07T02:42:00.000-07:00</published><updated>2009-08-07T02:50:13.693-07:00</updated><title type='text'>Anti Theft</title><content type='html'>&lt;div&gt;&lt;div&gt;               &lt;br /&gt;Welcome to my 2nd post, and for this post I already would like to introduce a guest, so please welcome him with cheers and rise your cups of Grog for The Raven Shkol.&lt;br /&gt;All Ideas and stories for this entry are credited to both me and Shkol all the same.&lt;br /&gt;&lt;br /&gt;So, it all started not so long ago, when I got to become a victim to a crime activity. 
Someone broken to my apartment, while I was away, and stole my work's laptop. Actually he also took my lock-picking kit (Look at the Irony, my lock-picking kit got stolen)&lt;br /&gt;Luckily me, I had backups of everything, and the laptop was not an expensive piece of hardware.&lt;br /&gt;But, this incidence got me thinking on what could I do better to make sure this would never happen again.&lt;br /&gt;Soon enough I called Shkol to the rescue, because he got quite a wide experience in getting robbed, mugged or strangled to death.&lt;br /&gt;We found out that there are many really cheap and simple solutions, to make it much harder for someone to break to your flat.&lt;br /&gt;But, this is not what we would like to discuss here. What we really would like to go over is the ideas we had gathered for protecting either computers or the information on them form physical thefts.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;Some of the ideas we got were simple and wired at the same time such as:&lt;br /&gt;Example (For desktop computers only) Buying heavy weights at the local sports store, I got me about 10kg. Put the weights inside the computer case. Make sure the weights are well tied to the case and invisible from out side. Hope, no one would be determined enough to steal such a heavy piece of metal.&lt;br /&gt;&lt;br /&gt;While other ideas were as trivial as locking the computer to something with a chain or so, for most computers cases got a place to put a lock on. Although, these locks are so easy to overcome for the trained ninja, in my case a burglar would find the lock-picking tools in the drawer next to the computer (and if that is not enough, there is a beginners lock picking guide next to it).&lt;br /&gt;&lt;br /&gt;Some solutions were involving software solutions to make sure no one can access your information even if he get to put his hands on your precious hardware.&lt;br /&gt;Either by encryption, Yes, I know it's quite a dull one. 
Anyway here are some links to good implementations we found:&lt;br /&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt; &lt;a title="http://www.microsoft.com/windows/windows-vista/features/bitlocker.aspx" href="http://www.microsoft.com/windows/windows-vista/features/bitlocker.aspx" id="sonw"&gt;http://www.microsoft.com/windows/windows-vista/features/bitlocker.aspx&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a title="http://www.truecrypt.org/" href="http://www.truecrypt.org/" id="a_4x"&gt;http://www.truecrypt.org/&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;Another approach to the problem would be using a data bomb. It seems there are programs that erase all the information on the disk once someone enters a wrong password three times or so.&lt;br /&gt;A better way to get the same effect would be to hide your real login account and create a "honey-pot" user with no password and a startup script that turns your box into a fresh new brick.&lt;br /&gt;Keep in mind that any wipe-on-failure trick only helps if the disk is encrypted as well: a thief who pulls the drive and images it offline never triggers the wipe, and the data is still readable.&lt;br /&gt;&lt;br /&gt;&lt;div&gt;The clothing-store solution: use two small devices that sound an alarm once the distance between them exceeds the length of an apartment (which, in my case, is very small). I would recommend putting one of the devices inside the computer case and the other buried under the tiles. Very good and cheap devices of this kind can be bought from DealExtreme:&lt;ul&gt;&lt;li&gt;&lt;a title="http://www.dealextreme.com/details.dx/sku.3407" href="http://www.dealextreme.com/details.dx/sku.3407" id="kd.7"&gt;http://www.dealextreme.com/details.dx/sku.3407&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a title="http://www.dealextreme.com/details.dx/sku.23633" href="http://www.dealextreme.com/details.dx/sku.23633" id="u9.-"&gt;http://www.dealextreme.com/details.dx/sku.23633&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;If we are looking for sensors to monitor any movement of the computer, one common device that is packed with sensors is a cell phone. Even the simplest camera phone has an accelerometer in it. 
The accelerometer could be used to detect that the computer is being lifted. Once that is recognized, sending an SMS or placing a call to 911 with a pre-recorded message could be nice (but try not to call 911 on false positives, OK?).&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;But let's say we are dealing with a quite determined scum who managed to get past all of our defense systems (and was strong enough to carry a 15 kg computer down the road). Is there a way now to find the new location of our precious? Well, in case you thought about it in advance, there are some. One can buy some kind of GPS device that sends out a beacon once in a while; just hope the signal is strong enough, and that it won't be pointing to a location in the middle of the ocean.&lt;br /&gt;I tend to think that a solution using an iPhone with the "&lt;a title="Find My IPhone" href="http://www.apple.com/mobileme/whats-new/" id="agqy"&gt;Find My iPhone&lt;/a&gt;" app could give good results, quick and simple.&lt;br /&gt;The thing is that these days I tend to think it is possible to achieve the same results using just Wi-Fi. Cell phones with Wi-Fi and GPS have become very popular lately, and if someone were to set up a volunteer project to map the locations of most Wi-Fi hotspots and home routers, it would be possible to locate a device just by identifying which Wi-Fi networks are around it. Unfortunately, someone told me http://www.wefi.com/ thought of it before me.&lt;br /&gt;&lt;br /&gt;And now for some less practical solutions:&lt;br /&gt;A really awesome project would be to write a new BIOS firmware with true password protection, one that is not as simple to bypass as removing the battery from the motherboard. Most of the complicated work has already been done in projects such as &lt;a title="OpenBios" href="http://www.openfirmware.info/Welcome_to_OpenBIOS" id="lvex"&gt;OpenBios&lt;/a&gt;, and this could be a really nice extra feature to add to it. 
Of course, it won't protect the information on the disk (unless you add some kind of encryption to it), but it sure could make an untrained ninja think he just stole a 10+ kg brick.&lt;br /&gt;&lt;br /&gt;You could also train your computer to remember which Wi-Fi networks are normally found around it, and to require a password before allowing any work in an unfamiliar Wi-Fi environment. (Network names and access-point addresses are easy to spoof, so treat this as a tripwire rather than an access control.)&lt;br /&gt;&lt;br /&gt;Finally, here are some links to relevant websites that deserve a better page rank:&lt;br /&gt;&lt;a title="http://www.bzeek.com/" href="http://www.bzeek.com/static/index.html" id="ixrc"&gt;http://www.bzeek.com/&lt;/a&gt;&lt;br /&gt;&lt;a title="http://www.loki.com/" href="http://www.loki.com/" id="h-.."&gt;http://www.loki.com/&lt;/a&gt;&lt;br /&gt;&lt;a title="http://www.wigle.net/" href="http://www.wigle.net/" id="kn2b"&gt;http://www.wigle.net/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;So, that's what we had to say on the subject. I would love to hear any new solutions to the problem, so feel free to drop me a message.&lt;br /&gt;Assaf Nativ&lt;br /&gt;(and The Raven Shkol)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7454626512109390647-5892449761464515628?l=nativassaf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nativassaf.blogspot.com/feeds/5892449761464515628/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://nativassaf.blogspot.com/2009/08/anti-theft.html#comment-form' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/5892449761464515628'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/5892449761464515628'/><link rel='alternate' type='text/html' href='http://nativassaf.blogspot.com/2009/08/anti-theft.html' title='Anti 
Theft'/><author><name>printf</name><uri>http://www.blogger.com/profile/04228158907360222445</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://2.bp.blogspot.com/-qGjB_-fCzxg/TbBuovxp43I/AAAAAAABK1g/3iYPegLIR7w/s220/IMG_0188.JPG'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7454626512109390647.post-6166931854211637539</id><published>2009-07-18T01:49:00.000-07:00</published><updated>2010-05-07T08:19:03.398-07:00</updated><title type='text'>Flash games cheating on Facebook</title><content type='html'>Some time ago I told a friend of mine, that I can easily beat his score in Jet Man the Facebook game, by using the well known technique of cheating.&lt;br /&gt;&lt;div dir="ltr" style="text-align: left;"&gt;The guy said he does not believe me, because if I could do so, then other people could do so and then there should have been many better high scores on the world wide table.&lt;br /&gt;Little did he know that I'm a well trained Ninja (Or pirate, I have this identity crises right now).&lt;br /&gt;I was sure it is possible and very easy to achieve, though I hadn't done anything like it, just yet.&lt;br /&gt;I was very enthusiastic about it, and about a year later I started working on it. By that time I had found out that there are many people who cheat on Facebook games, so I thought that now I have to prove my superior mind.&lt;br /&gt;From small research on Google, I found that the subject is more common than what I thought at first. 
The potential of the matter can be described in the ad found on one of the top google results:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_Y_ahNBaJj0I/S-Qs0q1mrDI/AAAAAAAAAIA/gf4pB1fUYuI/s1600/Money.png"&gt;&lt;img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 391px; height: 251px;" src="http://3.bp.blogspot.com/_Y_ahNBaJj0I/S-Qs0q1mrDI/AAAAAAAAAIA/gf4pB1fUYuI/s320/Money.png" alt="" id="BLOGGER_PHOTO_ID_5468545130898566194" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Quickly I discovered that all of these games are written in Flash with some help of Facebook lib or so.&lt;br /&gt;I went through about 5 different ways of cheating before I found the one that fits, and I'm going to describe the entire learning process I went through for other people to learn from my mistakes and maybe give me some new techniques and ideas, because I'm really out of new ones by now.&lt;br /&gt;My first target was How Big Is Your Brain, which would help me prove the fact that mine is the biggest.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_Y_ahNBaJj0I/S-QvTX_vicI/AAAAAAAAAIg/oRVSimxxU-o/s1600/whohasthebiggestbrain.jpg"&gt;&lt;img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 369px; height: 400px;" src="http://3.bp.blogspot.com/_Y_ahNBaJj0I/S-QvTX_vicI/AAAAAAAAAIg/oRVSimxxU-o/s400/whohasthebiggestbrain.jpg" alt="" id="BLOGGER_PHOTO_ID_5468547857440016834" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;u&gt;&lt;span class="hw"&gt;Without further ado&lt;/span&gt;, my first attempt&lt;/u&gt;&lt;br /&gt;&lt;b&gt;Memory scanning&lt;/b&gt;. 
As old time cheats I thought this must be the easiest and the most nostalgic way to overcome the problem.&lt;br /&gt;The concept is simple, just do as following:&lt;br /&gt;&lt;ul&gt;&lt;li&gt; Accumulate some points, search the number in the FireFox process memory. You would probably find more then one instances of the value.&lt;/li&gt;&lt;li&gt;Gain some more points.&lt;/li&gt;&lt;li&gt;Search for the new value among the addresses you got from the last step.&lt;/li&gt;&lt;li&gt;Repeat the process until you are left with one address containing the value of your current score.&lt;/li&gt;&lt;li&gt;Set the value to a big big number.&lt;/li&gt;&lt;li&gt;Enjoy the results.&lt;/li&gt;&lt;li&gt;Eat some pancakes, which is what every ninja do after a long day of games hacking.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;  One can use program like "Cheat Engine 5.4" which could be freely downloaded from &lt;a href="http://www.cheatengine.org/" id="mtz8" title="http://www.cheatengine.org/"&gt;http://www.cheatengine.org/&lt;/a&gt; or a python win32 debugging module.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_Y_ahNBaJj0I/S-QtpgOLB2I/AAAAAAAAAII/9SqKpHopr5M/s1600/CheatEngine.png"&gt;&lt;img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 449px; height: 475px;" src="http://4.bp.blogspot.com/_Y_ahNBaJj0I/S-QtpgOLB2I/AAAAAAAAAII/9SqKpHopr5M/s320/CheatEngine.png" alt="" id="BLOGGER_PHOTO_ID_5468546038581888866" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;This method fails miserably due the fact that the Flash engine saves all values in memory encoded in some way.&lt;br /&gt;Google suggested that the encoding method used to be the value multiplied by eight. 
The encoding has changed since, and no one has yet revealed and published what it is (you lazy ninjas).&lt;br /&gt;Besides that, all strings are encrypted, and no one has yet published how (you lazy pirates).&lt;br /&gt;I started reverse engineering the engine, but lacked the time to complete the task (lazy me).&lt;br /&gt;If anyone is interested in hearing more about that, just contact me by email or so.&lt;br /&gt;&lt;br /&gt;&lt;u&gt;Method number two, using &lt;b&gt;r4zcheat&lt;/b&gt;&lt;/u&gt;&lt;br /&gt;While researching a solution to the last problem, I stumbled upon an application called r4zcheat.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_Y_ahNBaJj0I/S-QuFYSp3bI/AAAAAAAAAIQ/WLoncLl5rWo/s1600/r4zcheat.jpg"&gt;&lt;img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 505px; height: 373px;" src="http://1.bp.blogspot.com/_Y_ahNBaJj0I/S-QuFYSp3bI/AAAAAAAAAIQ/WLoncLl5rWo/s400/r4zcheat.jpg" alt="" id="BLOGGER_PHOTO_ID_5468546517489540530" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;This neat tool allows you to load a Flash applet, explore all the variables, their names and values, and change whatever you like in real time. 
Isn't that awesome?!&lt;br /&gt;The only problem with that is the fact that it loads the SWF file outside the browser environment, while all the Facebook games requires the browser to handle everything in communicating with Facebook.&lt;br /&gt;I was not to give up just yet!&lt;br /&gt;First I've asked the guy who wrote the r4zcheat to send me the source code, &lt;strike&gt;but till the time of writing these words, I yet to get any answer from him.&lt;/strike&gt; For my good luck, the guy happened to be a true hard core pirate, so after I dulled him to death he was glad to send it to me.&lt;br /&gt;Reading the code, I found out that it's only taking advantage of the well documented Flash API, mainly with the function GetVariable, which is called from the ShockwaveFlash object (Some kind of all in one object that is used for all the control over the Flash engine instance). The flash application does not work inside a browser because it needs to create the Flash instance to have a reference to it and to invoke its' functions. I have tried for a little while to hook the iExplorer process, and look for the Flash instance address in memory using some pattern searching, then call these functions from an injected thread, but it took me too much time, so I decided to try another approach.&lt;br /&gt;Btw, I used iExplorer and not Firefox on this attempt because there are some differences on the use of Flash between the browsers, it seems like iExplorer is using the FlashXX.ocx file while Firefox is using NPSWF32.dll. 
I am not so sure what the big difference is, and why there are two ways to use the embedded Flash engine.&lt;br /&gt;&lt;br /&gt;&lt;u&gt;And that brings me to the 3rd attempt&lt;/u&gt;&lt;br /&gt;Fooling around with the &lt;b&gt;pseudo-random number generator&lt;/b&gt;.&lt;br /&gt;Well, I thought that if I just patch the Flash random function to always return the same numbers, I would always get the same questions in the game, right?&lt;br /&gt;This would allow me to just remember the answers and get a very nice high score (but still in the reasonable range); after all, "practice makes perfect".&lt;br /&gt;So back to disassembling the Flash engine. Without getting too much into the boring details of how disassembling is done, I would say that I needed to find the code relevant to the random function within the entire binary file.&lt;br /&gt;First I dived into the documentation, reading about the Flash programming language, which is called ActionScript (the phase I like to call RTFM).&lt;br /&gt;I found out that there are many versions of the language, each supporting a new set of opcodes while staying backward compatible with the old ones (note, though, that Flash Player actually ships two separate virtual machines: AVM1 for ActionScript 1/2 and AVM2 for ActionScript 3, each with its own interpreter loop).&lt;br /&gt;By disassembling, I easily found the main processing loop that reads the next instruction and executes it. The function, of course, is mostly made of a huge "switch"-like piece of code that handles every different opcode (I found that there are many ways to improve the code for Flash to make it run faster, but that's a different story).&lt;br /&gt;I investigated the function that handles the RANDOM opcode (0x30, the ActionRandomNumber action of the AVM1 instruction set) to find out exactly where it spits out the new magic figure.&lt;br /&gt;Luckily I found an inner function that handles all the random functionality. 
This function was not aware of anything like the Flash stack; it just returned a value in the EAX register.&lt;br /&gt;I encoded a small patch in pure assembly (Arrr) to read the values from a file instead of using the random function.&lt;br /&gt;Then I made a backup of the NPSWF32.dll file and applied the patch to it.&lt;br /&gt;I'm not so sure what I did wrong on this attempt; I'm just sure it did not work as I expected.&lt;br /&gt;It appears that &lt;a href="http://www.playfish.com/" id="o2:j" title="Playfish"&gt;Playfish&lt;/a&gt; (the company which made the "How Big Is Your Brain" game) has implemented their own random function in ActionScript that uses the time as a seed and some extra stuff.&lt;br /&gt;I tried to make some workarounds for this, but I failed. (In hindsight, an ActionScript 3 game runs on AVM2, whose Math.random() presumably never reaches the AVM1 opcode handler patched above; and a generator seeded from the clock could have been made deterministic by the same time-API hooks used in the next attempt, provided it reads the clock through them.)&lt;br /&gt;&lt;br /&gt;&lt;u&gt;Which brings me straight to my 4th attempt&lt;/u&gt;&lt;br /&gt;&lt;b&gt;Slowing everything down&lt;/b&gt;. It seems that all the questions in the game are very easy; it's just the time limit that makes it hard, so I decided to try to fix this problem once and for all.&lt;br /&gt;I thought about it for a while, and realized that the Flash engine must use the Windows APIs to read the local machine time to implement timers (actually there is another way, using the RDTSC instruction to read the time-stamp counter directly, but I had some hope that they don't do that, because intercepting it would have required a solution in the form of a kernel driver, which is a great pain in the ass).&lt;br /&gt;The general principle behind this method is to hook the Windows API functions.&lt;br /&gt;This task is very easily done using the Microsoft Detours library (&lt;a href="http://research.microsoft.com/en-us/projects/detours/" id="chjq" title="http://research.microsoft.com/en-us/projects/detours/"&gt;http://research.microsoft.com/en-us/projects/detours/&lt;/a&gt;).&lt;br /&gt;The functions we would like to hook are:&lt;br /&gt;&lt;ul&gt;&lt;li&gt; GetSystemTime from kernel32.dll (&lt;a 
href="http://msdn.microsoft.com/en-us/library/ms724390%28VS.85%29.aspx" id="cumk" title="http://msdn.microsoft.com/en-us/library/ms724390(VS.85).aspx"&gt;http://msdn.microsoft.com/en-us/library/ms724390(VS.85).aspx&lt;/a&gt;)&lt;/li&gt;&lt;li&gt;GetTickCount from kernel32.dll (&lt;a href="http://msdn.microsoft.com/en-us/library/ms724408%28VS.85%29.aspx" id="s-8j" title="http://msdn.microsoft.com/en-us/library/ms724408(VS.85).aspx"&gt;http://msdn.microsoft.com/en-us/library/ms724408(VS.85).aspx&lt;/a&gt;)&lt;/li&gt;&lt;li&gt;SetTimer from user32.dll (&lt;a href="http://msdn.microsoft.com/en-us/library/ms644906%28VS.85%29.aspx" id="otj6" title="http://msdn.microsoft.com/en-us/library/ms644906(VS.85).aspx"&gt;http://msdn.microsoft.com/en-us/library/ms644906(VS.85).aspx&lt;/a&gt;)&lt;/li&gt;&lt;li&gt;timeGetTime from winmm.dll (&lt;a href="http://msdn.microsoft.com/en-us/library/ms713418%28VS.85%29.aspx" id="qxhs" title="http://msdn.microsoft.com/en-us/library/ms713418(VS.85).aspx"&gt;http://msdn.microsoft.com/en-us/library/ms713418(VS.85).aspx&lt;/a&gt;)&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt; There are more APIs made for this purpose (QueryPerformanceCounter and GetSystemTimeAsFileTime, for example), but I checked the import table of NPSWF32.dll to make sure they are not in use. Be aware that an import-table check only catches static imports: a function resolved at run time through GetProcAddress, or called on the plug-in's behalf by another module such as the browser itself, will not show up there, so a clean import table is a hint rather than proof.&lt;br /&gt;Hooking those functions is something that takes some programming time; lucky for me, at this point of the project my girlfriend dumped me, which left me much more time to work on a solution. 
&lt;span style="color: rgb(255, 255, 255);"&gt;(though it probably wasn't the best idea to ask her to proof this article...)&lt;/span&gt;&lt;br /&gt;For a better understanding of the Detours library, I would recommend the help file that comes with it, and the many other tutorials living out there on the net, waiting for someone to read them.&lt;br /&gt;I just hooked SetTimer to set the timeout to twice the value the caller asked for.&lt;br /&gt;For the GetSystemTime, GetTickCount and timeGetTime APIs I saved the first reading.&lt;br /&gt;Calculated the delta from each new call to the first one.&lt;br /&gt;Set the result to be the first value plus delta / 2.&lt;br /&gt;This approach got me some good results: the game was about four times slower, and I was able to get myself a very good high score.&lt;br /&gt;Only until I got to the end of the game and saw a message that my score was not accepted for some reason.&lt;br /&gt;Bummer, server timeout or something. (Most likely the server checks the wall-clock time between the start of the game and the score submission against what a real game could take; slowing the client's clock does nothing to the server's.)&lt;br /&gt;I guess I could have sniffed all the packets sent from my game to the server and replayed them at the right times, and hoped they do not conceal any time stamps.&lt;br /&gt;But I found this solution to be very dull, so I moved on to the next attempt.&lt;br /&gt;BTW, this approach slowed FireFox down as well, creating some very kewl effects on some websites.&lt;br /&gt;&lt;br /&gt;&lt;u&gt;Number five, and final, &lt;b&gt;disassembling ActionScript&lt;/b&gt;&lt;/u&gt;&lt;br /&gt;This solution goes through the following steps:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Get the SWF file of the game.&lt;/li&gt;&lt;li&gt;Learn ActionScript assembly (the SWF bytecode).&lt;/li&gt;&lt;li&gt;Find a good Flash disassembler.&lt;/li&gt;&lt;li&gt;Make real-time patches to the game.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt; The first part was easy: I used the CacheViewer FireFox plug-in to get the SWF file.&lt;br /&gt;But the 2nd part was not as easy as it might sound. It took me a while to find a good PDF file on the subject. 
The only thing I was able to find was the "ActionScript Virtual Machine 2 (AVM2) Overview" PDF file (&lt;a href="http://www.adobe.com/devnet/actionscript/articles/avm2overview.pdf" id="wf0t" title="http://www.adobe.com/devnet/actionscript/articles/avm2overview.pdf"&gt;http://www.adobe.com/devnet/actionscript/articles/avm2overview.pdf&lt;/a&gt;), which was quite good, but the game was using mostly ActionScript 3 opcodes.&lt;br /&gt;The second best thing I found was the source code of Flasm, which is an open source Flash file disassembler (&lt;a href="http://www.nowrap.de/flasm.html" id="o9xd" title="http://www.nowrap.de/flasm.html"&gt;http://www.nowrap.de/flasm.html&lt;/a&gt;). However, Flasm is currently missing some parts as well (as far as I can tell it only understands the older AVM1 action bytecode, not ActionScript 3). So, for now I settled for these, but I'm still looking for better papers on the subject, so if any of you pirates out there have anything better, please, do share.&lt;br /&gt;Finally I stumbled upon the commercial &lt;a href="http://www.sothink.com/product/flashdecompiler/?gclid=CPD_n5iQy5sCFQcTzAodc3HlKA" id="ocaa" title="Sothink SWF Decompiler"&gt;Sothink SWF Decompiler&lt;/a&gt; program, which had a free trial version that happened to be very good.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_Y_ahNBaJj0I/S-QuZeOHq1I/AAAAAAAAAIY/F7VAB5Zwoa8/s1600/Sothink-SWF-Decompiler.gif"&gt;&lt;img style="display: block; margin: 0px auto 10px; text-align: center; cursor: pointer; width: 557px; height: 469px;" src="http://3.bp.blogspot.com/_Y_ahNBaJj0I/S-QuZeOHq1I/AAAAAAAAAIY/F7VAB5Zwoa8/s400/Sothink-SWF-Decompiler.gif" alt="" id="BLOGGER_PHOTO_ID_5468546862678518610" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;The program had a decompiler option that produced very readable ActionScript code. 
Thanks to the great extra feature of an ASM view, it was very easy to locate the right point for patching.&lt;br /&gt;By this method I was able to patch any code of the program, but not the values nor the defaults of anything.&lt;br /&gt;Further problems with this method are:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;I can't insert code; I can only patch ASM with an equal number of bytes.&lt;/li&gt;&lt;li&gt;I should be very careful not to fuck up the stack.&lt;/li&gt;&lt;li&gt;I had to either find a way to make FireFox load my patched SWF file, or patch at run time by searching for the bytes I want to patch with some memory trainer such as Cheat Engine.&lt;/li&gt;&lt;li&gt;If I chose to patch at run time, I had to do it when the code is already loaded but not yet executed, or it would get optimized (presumably JIT-compiled by the AVM2 on first execution) and become harder to find in memory.&lt;/li&gt;&lt;li&gt;Programming in ActionScript assembly is hard, though lots of fun.&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;  Note that all of this only changes what the client does; anything the server validates independently (as attempt 4 showed) is out of reach of a client-side patch. To conclude, I would say that only my 5th attempt went by with good results, although I do believe that with a little bit of extra effort I could have made all the other attempts work as well.&lt;br /&gt;I found out that many people are developing automated scripts to play the games for them, using &lt;a href="http://en.wikipedia.org/wiki/Optical_character_recognition" id="qcc7" title="OCRs"&gt;OCR&lt;/a&gt; and other kinds of methods; this is a very vast and interesting technique that I might write about in a future post, because now I have lots to say on the subject, and little time to do so.&lt;br /&gt;One might ask why Flash games and not something more interesting such as World Of Warcraft, and my answer would be a picture from the outstanding web-comic &lt;a href="http://www.xkcd.com/" id="r3-f" title="XKCD"&gt;XKCD&lt;/a&gt;:&lt;br /&gt;&lt;div id="be9g" style="text-align: left;"&gt; &lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://imgs.xkcd.com/comics/flash_games.png"&gt;&lt;img 
style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 576px; height: 322px;" src="http://imgs.xkcd.com/comics/flash_games.png" alt="" border="0" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;That's it for now. Hope you enjoyed reading this post, and got a bit of inspiration on developing ninja skills.&lt;br /&gt;&lt;br /&gt;And remember, it's only cheating if you get caught (&lt;a href="http://en.wikipedia.org/wiki/Al_Bundy" id="l2v7" title="Al Bundy"&gt;Al Bundy&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;Cheers,&lt;br /&gt;Assaf.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;Many thanks to Omer Enbar and Avital Zipori for reviewing and proofing my English.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7454626512109390647-6166931854211637539?l=nativassaf.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://nativassaf.blogspot.com/feeds/6166931854211637539/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://nativassaf.blogspot.com/2009/07/flash-games-cheating-on-facebook.html#comment-form' title='8 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/6166931854211637539'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7454626512109390647/posts/default/6166931854211637539'/><link rel='alternate' type='text/html' href='http://nativassaf.blogspot.com/2009/07/flash-games-cheating-on-facebook.html' title='Flash games cheating on Facebook'/><author><name>printf</name><uri>http://www.blogger.com/profile/04228158907360222445</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://2.bp.blogspot.com/-qGjB_-fCzxg/TbBuovxp43I/AAAAAAABK1g/3iYPegLIR7w/s220/IMG_0188.JPG'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_Y_ahNBaJj0I/S-Qs0q1mrDI/AAAAAAAAAIA/gf4pB1fUYuI/s72-c/Money.png' height='72' width='72'/><thr:total>8</thr:total></entry></feed>
