Tuesday, March 6, 2012

Dealfun DealWheel - Programming for free stuff

    There was once a website called DealFun. It was a so-called "penny auction" that charged customers 60 cents per bid. The item being auctioned starts at zero dollars, and every time somebody bids on it, the price goes up a penny. Auctions usually had a start time of 24 hours. Within the last few seconds of the auction people really start to bid, and every bid placed resets the auction time to 15 seconds. So a $300 item might go for $200, but getting the price up that high requires 20,000 sixty-cent bids, or $12000 worth of bids! So there were many people paying for the items, but only one person actually got it.
    In order to incentivise people to use their website, they had various promotions, such as 100 free bids with the purchase of 250 bids. They also implemented something called the Deal Wheel, which is something like the Wheel of Fortune: every time the user spun the wheel, they would win a prize, either 1-10 free bids or a mystery prize. Spins were limited to once per day. Bids were almost worthless because of the difficulty of actually winning an auction. Mystery prizes, though, were actual physical prizes. So I decided to write a program that would win a mystery prize every spin.
    The DealWheel itself was a Flash app on their website. Figuring out how it operates is the first step in determining how to win only mystery prizes. We will start with a program called Wireshark (formerly known as Ethereal), which monitors network traffic. We start it up and select the network interface that carries our internet traffic. We will assume that the Flash app communicates over HTTP, and that it talks to the same DealFun server that serves the webpage. Looking at the Info column under these conditions yields good results. In particular, a POST request to DealFun for a file named /dealwheel/spin.php looks interesting.
    If you look at the POST data, you will see that the Flash app sends prize%5Fid=2, or prize_id=2 in the screenshot above. In other words, the client tells the server which prize was won, so this wheel should be pretty easy to rig. We just need to find out what the IDs correspond to. If you look further into the capture, you will see that the file /dealwheel/wheel.xml is loaded. This file gives the Flash app everything it needs to know in order to build the wheel, including the IDs. We now know that mystery prizes have a prize_id of 10.
    It is now time to build an app to send our prize ID to DealFun. I did this in C# as my first attempt at making a program in the language and was rather impressed with C#. It was pretty simple to build a GUI, and the HTTP interface was not bad, but still not very flexible. Many lines of the HTTP header can be hard-coded into the app, such as the user agent, the file being requested and so on. However, some things need to be dynamic, like the cookies, since they expire. I also needed to build a login prompt in my app to authenticate the user.
    Once the user logs in to the app and the cookie is stored, the wheel.xml file is loaded and parsed so that if DealFun ever changes its prizes, the app will still work. The user can then select the prize they would like from a drop-down list, and the program sends the POST request to spin.php with the proper ID and authenticated cookies.
    After a few months, the app no longer worked. By using Wireshark, I was able to analyse the problem and find out that the login interface had changed: I would get an authenticated cookie, but DealFun would also redirect and deauthenticate it. However, in the browser I was able to log in just fine. Most likely the error was not emulating a browser closely enough, either by not loading the homepage before logging in, or by having an improper referrer in the HTTP header, or something similar. While it is possible to have the app simulate a browser more closely, that is also a lot more work, and it was a fight working with the C# HTTP library and custom headers.
    After a little research, I found a tool called Fiddler. This is basically a proxy that you install on your computer and that all web browser traffic is routed through. While the stream is running through Fiddler, it has the ability to modify, stop or redirect it. In our case, we will want to modify a stream that is directed towards dealfun.com and contains the path /dealwheel/spin.php. From there, we will replace the POST data containing the prize_id from the DealWheel app with the prize we want (most likely 10 for a mystery prize).
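    Both the custom client and the proxy rewrite work for the same reason: spin.php accepts the prize the client names. The sketch below is an added example, not DealFun's code or code from this post; it contrasts that behaviour with a handler that picks the prize server-side, enforces the daily limit, and records any client-supplied prize_id as a tamper signal. The names spin_vulnerable and SpinService and the prize weights are assumptions; only the prize_id field and id 10 for the mystery prize come from the post.

```python
import secrets
from datetime import date

# Constructed prize table: ids 1-9 stand in for the free-bid slices, 10 is the
# mystery prize (the only id the post names). The weights are assumptions.
PRIZE_WEIGHTS = {1: 30, 2: 25, 3: 15, 4: 10, 5: 8, 6: 5, 7: 3, 8: 2, 9: 1, 10: 1}


def spin_vulnerable(form):
    """Behaviour the post observed: the prize is whatever the client names."""
    return int(form["prize_id"])


class SpinService:
    """Hardened sketch: the server draws the prize; the wheel only animates it."""

    def __init__(self, rng=None):
        self.rng = rng or secrets.SystemRandom()  # OS-backed randomness
        self.last_spin = {}  # user_id -> date of last accepted spin
        self.alerts = []     # (user_id, claimed prize_id) pairs for review

    def spin(self, user_id, form, today=None):
        today = today or date.today()
        # The once-per-day limit is checked here, not in the Flash client.
        if self.last_spin.get(user_id) == today:
            return {"ok": False, "error": "already spun today"}
        self.last_spin[user_id] = today
        if "prize_id" in form:
            # A fixed client sends no prize_id, so its presence marks an old
            # client or a modified request. Record it; never act on it.
            self.alerts.append((user_id, form["prize_id"]))
        ids = list(PRIZE_WEIGHTS)
        weights = [PRIZE_WEIGHTS[i] for i in ids]
        prize = self.rng.choices(ids, weights=weights)[0]
        return {"ok": True, "prize_id": prize}


if __name__ == "__main__":
    forged = {"prize_id": "10"}  # constructed request body
    print("vulnerable handler awards:", spin_vulnerable(forged))
    svc = SpinService()
    print("hardened handler awards:  ", svc.spin("alice", forged))
    print("second spin same day:     ", svc.spin("alice", forged))
    print("tamper signals:           ", svc.alerts)
```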
    Fiddler was surprisingly lacking in documentation; however, their plugin FiddlerScript made it easy to guess which functions should be used. For this purpose, Fiddler seemed to work very well and did just what it needed to. However, because scripting is done in JavaScript, I feel that Fiddler may not be as flexible as it could be if it had a C++ API or something similar. The advantage is that it just works from the moment you launch it. Also, the DealWheel script could be written in 2 lines of code, and once it is running, you just use the browser as you normally would. The disadvantage is that you need to modify the code if you want a prize other than the mystery prize.
    As of this writing the DealWheel has been "under maintenance" for several months. It also appears that DealFun has not had any auctions for 5 days. My guess is that DealFun is out for the count. I believe they probably got shut down because their premise is a sham and has been likened to gambling. Still, I'm happy to have won some free stuff from them. You can download the C# program and the Fiddler script from my code page. Happy Hacking!

1 comment:

  1. This is really too useful and have more ideas from yours. Keep sharing many techniques. Eagerly waiting for your new blog and useful information. Keep doing more.