Well, after about two hours of total investigation time, I have discovered how people are able to cheat WhatPulse.org. I took the time to build up exactly 5004 keystrokes and an unknown amount of clicks for the next pulse. I ran Ethereal and then executed the PULSE! from the WhatPulse.org systray and stopped the capture. I then executed the following display filter in Ethereal:
http contains "whatpulse"
Below are the results.
There is the WhatPulse.org packet that updates your keystrokes. Isn’t she a beauty? I then examined the contents of the packet and the contents are as follows:
You will notice that the contents include the following PHP execution:
Now, all one has to do is add the previous line to http://www.whatpulse.org/ and execute it from a browser to receive the same amount of keystrokes again. You will receive something like the following message if it is successful.
As you can see, it is very easy for someone to jack up their totals. There are limitations to the amount of keystrokes or mouse clicks that can be contained in a single PULSE (it is based on average keys per second). Therefore, calculate what size pulse you will need to average a target keys per second on a given interval (I recommend 4 KPS). Let's say you want 30 minute intervals.
30 min × 60 s/min × 4 KPS = 7200 keys
Take the time to build up a 7200 key pulse and capture the packet. At this point you can use Windows Task Manager or Cron to execute the PHP GET request located in the packet at 30 minute intervals. Now just sit back and watch your totals go through the roof and feel the guilt of being a CHEATER!!! Just think, by clicking this link you will be adding 25000 keystrokes to my WhatPulse total. I wouldn’t recommend it. That would be cheating 🙂
PS. Please remember that if you get the following message when clicking my link, other people are having too much fun clicking it.
Also, I do realize that my username and password hash are revealed in the command. Please don’t waste your time hacking it. What's the worst that could happen? You interfere with my account on an already flawed game.
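The replay works because the captured request carries everything the server checks and nothing ties it to a single use. The sketch below is an added example, not part of the original post and not WhatPulse's code: a server-side check that accepts each pulse once by requiring a per-pulse nonce, a timestamp, and an HMAC over all fields. The field names, the per-user secret key, and the 300-second window are assumptions; the sample pulse is constructed.

```python
import hashlib
import hmac
import json
import secrets

MAX_SKEW = 300  # seconds a pulse stays acceptable (assumed policy)
FIELDS = ("user", "keys", "clicks", "nonce", "ts")  # hypothetical field names

def sign_pulse(secret: bytes, pulse: dict) -> str:
    """Client side: MAC over every field so none can be changed or reused."""
    msg = json.dumps([pulse[f] for f in FIELDS]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

class PulseServer:
    def __init__(self, keys_by_user: dict[str, bytes]):
        self.keys = keys_by_user   # per-user secret, never sent with the pulse
        self.seen = {}             # (user, nonce) -> timestamp of accepted pulse
        self.totals = {}           # user -> accumulated keystrokes

    def accept(self, pulse: dict, now: int) -> str:
        secret = self.keys.get(pulse["user"])
        if secret is None or not hmac.compare_digest(sign_pulse(secret, pulse), pulse["mac"]):
            return "bad mac"
        if abs(now - pulse["ts"]) > MAX_SKEW:
            return "stale"
        # Nonces older than the window can be dropped: such pulses are already stale.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= MAX_SKEW}
        tag = (pulse["user"], pulse["nonce"])
        if tag in self.seen:
            return "replay"
        self.seen[tag] = pulse["ts"]
        self.totals[pulse["user"]] = self.totals.get(pulse["user"], 0) + pulse["keys"]
        return "ok"

def demo():
    # Constructed sample data: user, key, clock value and click count are made up.
    secret = b"constructed-demo-key"
    server = PulseServer({"alice": secret})
    now = 1_000_000
    pulse = {"user": "alice", "keys": 5004, "clicks": 120, "nonce": secrets.token_hex(16), "ts": now}
    pulse["mac"] = sign_pulse(secret, pulse)
    results = [
        server.accept(pulse, now),                     # genuine pulse
        server.accept(pulse, now + 10),                # same request sent again
        server.accept(dict(pulse, keys=25000), now),   # count edited, MAC not recomputed
        server.accept(pulse, now + MAX_SKEW + 1),      # captured request sent much later
    ]
    return results, server.totals["alice"]
```

This stops replay of a captured request; it does not stop a modified client that holds the key from reporting inflated counts.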