Owning Tarkov’s Marketplace

Flea Market Botting

Initially, I needed to know what the requests for the market were. For this, I used Wireshark and Fiddler 4, which provided me with all the packet capturing needed to begin decoding the messages. Oh, and one more issue: these packets are clearly packed or encrypted. Here is what I noticed in Fiddler 4.

Okay, so they are packed or encrypted, but with what? The request header does not have a tag signifying the Content-Encoding. So in the case that I found something useful, which I did not, I went into the Tarkov application to find where the requests are sent. For this, I used dnSpy, as Tarkov is a Unity-based game. After some time, here is one of a few web request modules I found.

Sweet! We can see the game uses SimpleZLib on a JSON formatted string. So now to take our Fiddler / Wireshark data and decompress with ZLib. For Fiddler, I followed this Stack Overflow post w/ a few tweaks to automatically decode Tarkov requests. This lets me look at the request I sent, and the response I received both in JSON string format. For Wireshark, I created software to take the RAW TCP Stream data, and apply ZLib decompression to the content bodies. This works well, but Fiddler’s is better, so here is the Fiddler code snippet and an example.
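The Wireshark-side step described above, sketched as an added example (this is not the author's tool and not the Fiddler snippet the post refers to): it splits one raw HTTP message from a reassembled stream, recognises a zlib body by its RFC 1950 header even though no Content-Encoding is declared, and inflates it to JSON with an output cap. The host, path and JSON fields in the sample are constructed placeholders, not values from the game.

```python
import json
import zlib

def split_http_message(raw: bytes):
    """Split one raw HTTP/1.1 message into (start_line, headers, body)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so bytes of a following message are not consumed.
    length = int(headers.get("content-length", len(rest)))
    return lines[0], headers, rest[:length]

def looks_like_zlib(body: bytes) -> bool:
    """RFC 1950 header: CM == 8 (deflate) and (CMF*256 + FLG) % 31 == 0."""
    return (len(body) >= 2 and body[0] & 0x0F == 8
            and ((body[0] << 8) | body[1]) % 31 == 0)

def decode_body(raw: bytes, max_out: int = 1 << 20):
    """Return the parsed JSON body, inflating it first if it is a zlib stream."""
    _, headers, body = split_http_message(raw)
    if "content-encoding" not in headers and looks_like_zlib(body):
        inflater = zlib.decompressobj()
        out = inflater.decompress(body, max_out)  # cap output size
        if inflater.unconsumed_tail:
            raise ValueError("inflated body exceeds max_out")
        if not inflater.eof:
            raise ValueError("truncated zlib stream")
        body = out
    return json.loads(body.decode("utf-8"))

def build_sample() -> bytes:
    """Constructed sample message; host, path and JSON fields are invented."""
    payload = zlib.compress(json.dumps({"page": 0, "limit": 15}).encode())
    return (b"POST /example/endpoint HTTP/1.1\r\n"
            b"Host: game.example\r\n"
            b"Content-Type: application/json\r\n"
            + f"Content-Length: {len(payload)}\r\n\r\n".encode() + payload)

if __name__ == "__main__":
    print(decode_body(build_sample()))
```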

Alright, so now I went ahead and decoded every packet required to view, buy, list, sell, and collect money, everything needed to automate the process.

This all got a bit more complicated with the move to HTTPS, but with Fiddler 4’s HTTPS support and a few other tweaks, you can still recover these packets and their data.

Next, we dive into figuring out how to send these packets.

About Lystic 23 Articles
ArmA Scripter. Former cheater. Always have security in mind.