This Is How People Are Cheating on WhatPulse

Well after about two hours of total investigation time, I have discovered how people are able to cheat WhatPulse.org. I took the time to build up exactly 5004 keystrokes and an unknown amount of clicks for the next pulse. I ran Ethereal and then executed the PULSE! from the WhatPulse.org systray and stopped the capture. I then executed the following display filter for ethereal.

http contains “whatpulse”;

Below are the results.

There is the WhatPulse.org packet that updates your keystrokes. Isn’t she a beauty? I then examined the contents of the packet and the contents are as follows:

You will notice that in the contents is the following php execution:

/bin/pulse.php?an=dmacattack&pwd=ilvnjkolnpkjpxighh&kc=ktMmtjnvcnr5on
SfpZfoAfphgeKhieio4jl8kl0kuSmkCdjwekMfhdglqhrskulmpxmuGnvgpkS&mc=ihMj
hjkic&tsec=1113336962

Now, all one has to do is add the previous line to http://www.whatpulse.org/ and execute it from a browser to receive the same amount of keystrokes again. You will receive something like the following message if it is successful.

As you can see, it is very easy for someone to jack up their totals. There are limitations to the amount of keystrokes or mouse clicks that can be contained in a single PULSE (its is based on average keys per second). Therefore, calculate what size pulse you will need to average a target keys per second on a given interval (I recommend 4 KPS). Lets say you want 30 minute intervals.

30m(60s)(4kps)= 7200 Keys

Take the time to build up a 7200 key pulse and capture the packet. At this point you can use Windows Task Manager or Cron to execute the php get request located in the packet on 30 minute intervals. Now just sit back and watch your totals go through the roof and feel the guilt of being a CHEATER!!! Just think, by clicking this link you will be adding 25000 keystrokes to my WhatPulse total. I wouldn’t recommend it. That would be cheating 🙂

PS. Please remeber that if you get the following message when clicking my link, other people are having to much fun clicking it.

Also, I do realize that my username and password hash are revealed in the command. Please don’t waist your time hacking it. Whats the worst that could happen, you interfere with my account on an already flawed game.

Advertisements

3 thoughts on “This Is How People Are Cheating on WhatPulse

  1. I remember the time I’ve hacked Project Dolphin ( http://www.project-dolphin.nl/ ) and was in the first place for 2 or 3 days 😛 I thouhgt about using ethernet too that time, but simple tsearch did the trick 🙂 And it was much easier cause you had to run the client once a month, change the value of keystrokes (in plain text), submit to server, done.

    Result was pretty same as yours – I’ve been removed (boohoo, people can’t take the real competition LOL). But it was fun gettin’ there 😛

  2. By the way, if someone Googling for how to cheat WhatPulse will find this page and have more expirience with tsearch then with the Ethereal, then the offsets are :

    Keys – 4609F0
    Clicks – 4609EC

    Have fun 😛

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s