Finding Free Tickets, Exploring Aeroflot's Game

    It all started with the fact that I got a link to the Aeroflot promotion website . The promotion consists in passing a small flash game and earning bonus miles. The main prize of 150,000 miles is received by the player who takes the first line in the ranking. Actually, the principle of rating formation aroused my interest in this promotion.

    As everyone is well aware, flash application code is executed on the client side, so protecting against dishonesty is a very difficult task. In fact, the only right decision is to transfer all the game mechanics to the server side, and the flash application acts as a client to the API.

    Let's see how Aeroflot cope with this task.

    First, start the game with the developer’s console open in Google Chrome. And ... apparently, everything will be boring. As it turned out, a request to the server is sent only once at the end of the game.

    The data in the request is suspiciously similar to base64, but conversion from this encoding only leads to a set of binary data. This means that the request is encrypted somewhere deep in the client. Unfortunately, or fortunately, swf files were never resistant to decompilation.

    Just 10 seconds after viewing the ActionScript code, the following fragment is detected:

    public static function prepareForSend(param1:Object, param2:String) : String {
        return Xor64.encode(JSON.stringify(param1), "aef-game" + param2);

    Yes, it’s banal XOR encryption, which means that you couldn’t get involved in decompilation and restore the key of such a cipher in a matter of seconds. But if you still figure it out to the end, then the key here consists of two parts: the first is hardcoded in the function, the second part is obtained from the initialization parameters of SWF.

    this._token = stage.loaderInfo.parameters["token"];
    start : function( token, authState, connector, autoStart ){
        . . .
        this._token = token;
        . . .
    . . . 
    AEF.flashController.buildFlash({ token: this._token, connector: this._connector }, this._lang );
    . . . 
    AEF.start('c958c089505d321994578a12fabbe73d', true, "", false, 'ru');

    That is, the full key -  aef-gamec958c089505d321994578a12fabbe73d almost everything lies in plain sight, right in the code of the page.
    By the way, apparently, the developers were too lazy to independently implement the encryption algorithm and took advantage of a ready-made solution .

    Decryption result with a voiced key:

          "version":"MAC 15,0,0,152",
          "manufacturer":"Google Pepper"

    Formatting added for readability.

    As a result, anyone can send any rating they want. I don’t know how the organizers plan to separate honest participants from cheaters, but personally I have no desire to participate in this action.


    I do not have an Aeroflot Bonus card, so the results will not affect the overall rating.

    Also popular now: