@themaoci
Last active March 29, 2024 12:39
Abusing EFT trolologin system

EFT uses a login system to authenticate the user and assign him a proper session id; after that it's easier to access the game without any credentials. The official game launcher uses a proper login system which also includes a captcha, BUT there is one catch... they forgot to remove the old-ass login system from in-game, which led to this URL:
below 12.11: "/client/game/login"
after 12.11: "/api/editor/login"
It accepts only POST data (below is the C# code for POST data generation).

using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Web.Script.Serialization;

// Builds the JSON body the legacy login endpoint expects.
// Note that the password travels as a plain, unsalted MD5 hex digest.
string loginPostData = new JavaScriptSerializer().Serialize(new
{
    email = LOGIN_EMAIL,
    // lowercase hex of MD5(password), no salt
    pass = string.Concat(MD5.Create().ComputeHash(Encoding.UTF8.GetBytes(LOGIN_PASSWORD)).Select(x => x.ToString("x2"))),
    version = new
    {
        major = GAME_VERSION,       // client build number
        minor = "live",
        game = "live",
        backend = BACKEND_VERSION,
        taxonomy = TAXONOMY_VERSION
    },
    device_id = LOGIN_DEVICE_ID,
    develop = true,
    sec = 1
});

As we can see, it's not that hard to log into the game and retrieve the PHPSESSID, which can later be abused.
About Login Data
LOGIN_EMAIL - as the name states, it's simply the email address you registered your account with,
LOGIN_PASSWORD - it's a simple MD5 hash (WITHOUT ANY SALT) of your in-game password (very insecure: if the database ever gets leaked somehow, there will be great trouble with hacked accounts etc.),
LOGIN_DEVICE_ID - in simple words it's a text which represents your device ID; it can be whatever (even "ILikeAnimusSoBadly"). If the account is verified using hardware activation with an email-generated code, you can put there whatever you want. By default it should be the "Unity Unique Hardware ID".

It's not ending there... so what can we do now that we've logged in successfully using our poggers login link? Well, after login is completed we grab the PHPSESSID from that response; after that we can make a bot which will use the same PHPSESSID (it was abused in the past), or we can just start the game skipping the launcher completely... (yes, we can do that...)

EscapeFromTarkov_BE.exe -token={PUT RETRIEVED PHPSESSID HERE} -config={\"BackendUrl\":\"https://prod.escapefromtarkov.com\",\"Version\":\"live\"}

Yeah, just for good measure we include a config here also :)
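From the defender's side, the two things worth watching for in the write-up above are POSTs to the retired login paths (which skip the launcher's captcha flow) and a PHPSESSID that gets replayed from somewhere other than the client that obtained it. The following is an added example, not code from the gist; the log format, the `/client/game/start` and `/client/game/profile` paths, the IPs, session ids and user agents are all constructed for illustration.

```python
import re
from collections import defaultdict

# The two legacy login paths named in the gist. Requests here bypass the launcher's captcha flow.
LEGACY_LOGIN_PATHS = {"/client/game/login", "/api/editor/login"}

# Constructed sample access-log lines (not real traffic). Fields: client ip, method, path,
# HTTP status, PHPSESSID (shortened, "-" when absent) and the User-Agent the client sent.
SAMPLE_LOG = """\
203.0.113.10 POST /api/editor/login 200 sid=abc123 ua="UnityPlayer/2019.4.39f1 (UnityWebRequest/1.0, libcurl/7.80.0-DEV)"
203.0.113.10 GET /client/game/start 200 sid=abc123 ua="UnityPlayer/2019.4.39f1 (UnityWebRequest/1.0, libcurl/7.80.0-DEV)"
198.51.100.7 GET /client/game/profile 200 sid=abc123 ua="UnityPlayer/2019.4.39f1 (UnityWebRequest/1.0, libcurl/7.80.0-DEV)"
192.0.2.44 GET /client/game/start 200 sid=def456 ua="UnityPlayer/2019.4.39f1 (UnityWebRequest/1.0, libcurl/7.80.0-DEV)"
192.0.2.44 GET /client/game/profile 200 sid=def456 ua="UnityPlayer/2019.4.39f1 (UnityWebRequest/1.0, libcurl/7.80.0-DEV)"
203.0.113.99 POST /api/editor/login 403 sid=- ua="python-requests/2.31"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) sid=(?P<sid>\S+) ua="(?P<ua>[^"]*)"$'
)

def parse_log(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records

def legacy_login_attempts(records):
    """Every POST to a retired login path. A 200 means an account authenticated without the
    launcher; a 403 (as in the comment thread below) is a refused attempt that still deserves counting."""
    return [r for r in records if r["method"] == "POST" and r["path"] in LEGACY_LOGIN_PATHS]

def sessions_from_multiple_ips(records):
    """PHPSESSIDs observed from more than one source address. A token minted by one client and then
    replayed by a bot elsewhere shows up here. Assumption: a single client rarely changes address
    mid-session, so treat hits as leads to review, not proof."""
    ips = defaultdict(set)
    for r in records:
        if r["sid"] != "-":
            ips[r["sid"]].add(r["ip"])
    return {sid: sorted(v) for sid, v in ips.items() if len(v) > 1}

def report(text):
    records = parse_log(text)
    return {
        "legacy_logins": [(r["ip"], r["path"], r["status"]) for r in legacy_login_attempts(records)],
        "shared_sessions": sessions_from_multiple_ips(records),
    }

if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(key, value)
```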

@SJDavies2020

Interesting, I didn't think the launcher could be bypassed. I guess you could create a .bat file with the call and any launch params?

@themaoci
Author

themaoci commented Apr 3, 2021

@SJDavies2020 if you put a wrong useragent the connection will most likely be refused and the account also banned after they check the logs ;)

@SJDavies2020

SJDavies2020 commented Apr 3, 2021 via email

@themaoci
Author

themaoci commented Apr 3, 2021

@SJDavies2020 JET is working on it not SP-Tarkov ;)

@SJDavies2020

SJDavies2020 commented Apr 3, 2021 via email

@themaoci
Author

themaoci commented Aug 8, 2021

Updated URL for 12.11 lmao

@n3rdsupreme

Is the endpoint still available? I'm getting 403 with this body (email & pass are of an existing account ofc):

{
    "email": "asd@gmail.com", 
    "pass": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    "version": {
        "major": "0.14.1.3.29351",
        "minor": "live",
        "game": "live",
        "backend": "6",
        "taxonomy": "341"
    },
    "device_id": "Unity Unique Hardware ID",
    "develop": true,
    "sec": 1
}

and User-Agent "UnityPlayer/2019.4.39f1 (UnityWebRequest/1.0, libcurl/7.80.0-DEV)"
