Okay, so we have a bunch of packets; we just need to fire them off to Tarkov’s API. This section covers the two methods I created. The first worked against the HTTP endpoint but is no longer viable since the move to HTTPS. I have included it because it’s cool.
We know the game holds the session, so it must exist somewhere in memory; we just need to figure out where. To do this, I first loaded up Tarkov and dumped all of the Unity objects from the GameObjectManager to see which objects are active at startup. The session has to live in one of these objects, because at this point the client has just fired off a bunch of requests to fetch character and profile data.
I no longer have that list saved, so here is the one object that caught my eye: Application (Main). This looked promising; maybe the session passes through here at some point. So I dug back into dnSpy and pulled up a class that looked like it could be what this object references.
Okay, sweet. Now look at that field, _backend; that looks even better. Doing some analysis, we can see it is used here:
This is it. I think we are onto something; let’s go into the backend class and see what we find.
BAM, there is the session ID. It is stored a few layers deeper, but after two more offsets we find the pointer to the PHPSESSID string required to fire off requests. So now we have everything we need to start forging requests: the packets to send, the headers, and our session. Pack this all into some software and we are done!
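To make the offset walk concrete, here is an added example (my own code, not the author’s tool and not anything shipped with the game) of the pointer chase described above: start at the Application object, dereference the `_backend` field, follow two more offsets to the string object, and decode it as a Mono string. The field offsets in `SESSION_CHAIN`, the 64-bit Mono string layout (vtable, sync block, int32 length, UTF-16LE chars), and the memory image are all assumptions or constructed for the demo; against the real process you would swap `FakeProcessMemory` for `ReadProcessMemory` and plug in the offsets you read out of dnSpy. The chain walk fails loudly on a null pointer, which is what you see when an object has not been created yet at the moment you read.

```python
import struct

# Mono string object layout on 64-bit Unity/Mono (assumed; confirm in your target with a
# memory viewer): 0x00 vtable*, 0x08 sync block*, 0x10 int32 char count, 0x14 UTF-16LE chars.
MONO_STRING_LENGTH_OFF = 0x10
MONO_STRING_CHARS_OFF = 0x14

# Hypothetical field offsets standing in for the ones read out of dnSpy:
# Application(Main) -> _backend -> session object -> PHPSESSID string.
SESSION_CHAIN = [0x18, 0x20, 0x10]


class FakeProcessMemory:
    """Stand-in for ReadProcessMemory over a constructed flat image (demo only)."""

    def __init__(self, base: int, image: bytes):
        self.base = base
        self.image = bytes(image)

    def read(self, addr: int, size: int) -> bytes:
        off = addr - self.base
        if off < 0 or off + size > len(self.image):
            raise ValueError(f"unmapped read at {addr:#x}")
        return self.image[off:off + size]

    def read_ptr(self, addr: int) -> int:
        return struct.unpack("<Q", self.read(addr, 8))[0]

    def read_i32(self, addr: int) -> int:
        return struct.unpack("<i", self.read(addr, 4))[0]


def follow_chain(mem: FakeProcessMemory, base: int, offsets: list) -> int:
    """Dereference [[[base+o0]+o1]+o2]..., failing loudly on a null pointer."""
    addr = base
    for depth, off in enumerate(offsets):
        addr = mem.read_ptr(addr + off)
        if addr == 0:
            raise ValueError(f"null pointer at depth {depth} (offset {off:#x})")
    return addr


def read_mono_string(mem: FakeProcessMemory, obj: int) -> str:
    """Decode a Mono System.String object at address obj."""
    n = mem.read_i32(obj + MONO_STRING_LENGTH_OFF)
    if n < 0 or n > 4096:
        raise ValueError(f"implausible string length {n}")
    return mem.read(obj + MONO_STRING_CHARS_OFF, n * 2).decode("utf-16-le")


def extract_session(mem: FakeProcessMemory, app_obj: int) -> str:
    """Walk from the Application object to the PHPSESSID string."""
    return read_mono_string(mem, follow_chain(mem, app_obj, SESSION_CHAIN))


def session_headers(session: str) -> dict:
    # The cookie the web client sends; the game's other headers are not reproduced here.
    return {"Cookie": f"PHPSESSID={session}"}


def build_image(base: int, session: str, null_at_depth=None) -> bytes:
    """Constructed fake process image: objects at +0x000, +0x100, +0x200, string at +0x300."""
    img = bytearray(0x400)
    links = [(0x000 + 0x18, base + 0x100), (0x100 + 0x20, base + 0x200), (0x200 + 0x10, base + 0x300)]
    for depth, (where, target) in enumerate(links):
        if depth != null_at_depth:           # leave a null pointer to simulate an uninitialised field
            struct.pack_into("<Q", img, where, target)
    chars = session.encode("utf-16-le")
    struct.pack_into("<i", img, 0x300 + MONO_STRING_LENGTH_OFF, len(session))
    img[0x300 + MONO_STRING_CHARS_OFF:0x300 + MONO_STRING_CHARS_OFF + len(chars)] = chars
    return bytes(img)


BASE = 0x7FF600000000                        # assumed module/object base for the demo
SAMPLE_SESSION = "constructedsession0123456789"  # constructed value, not a real session


def demo() -> str:
    mem = FakeProcessMemory(BASE, build_image(BASE, SAMPLE_SESSION))
    return extract_session(mem, BASE)


if __name__ == "__main__":
    sid = demo()
    print(sid, session_headers(sid))
```

The length sanity check in `read_mono_string` matters in practice: a stale or wrong offset usually lands you on a non-string object, and reading whatever happens to be at +0x10 as a length is how a scanner ends up dumping megabytes of garbage or crashing on an unmapped page.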
Well, we were done, but with HTTPS this method is no longer viable. Even with the session ID, we do not have the certificate the client needs to make HTTPS requests. Sure, we could dive into the in-game web client and rip it out, but that gets really complex. We could inject into the game and use its built-in networking layer instead, but that puts us at more risk than just botting the network ourselves.
So let’s go even riskier: let’s fake the entire client. Login, session, and botting. Let’s trick the API into thinking we have launched the game.