Owning Tarkov’s Marketplace

Flea Market Botting

So we need to fake a login, but I am not seeing any login requests from Fiddler 4. Is the login not over the web? That wouldn’t make sense. No this is a Fiddler bug. It is hiding TLS v1.0 requests from us. I never managed to solve this, but that is okay, our good friends at Unknown Cheats can help us out with this thread, FenceKiller.

One quick note before anyone opens that project, the games Anticheat does check Visual Studio project history, so it is very likely that opening FenceKiller in Visual Studio will result in a Ban. So we will open it in our favorite Notepad++.

FenceKiller is quite mangled code, but it does have everything we need to fake a login request. The request body, the Keep-Alive request, and even some functionality for verifying hardware codes. With this, if I run my bot on an Alt Account, under a VPN or Proxy connection, I could prevent the game devs from cross-account banning me. So this is nice. Here are the request structures:

But this login request requires a few things. Version Info, some other integrity checks, an MD5 encrypted password, and a hardware id. Breaking this down step by step.

Version Info: You can grab this from the applications Manifest file. Pop EscapeFromTarkov.Exe into a resource viewer or editor and grab these from the version info.

Hardware Id: I don’t want my real HWID, but I do want something close. So first I need to figure out what hardware code they send. I could look at a packet, or check the launcher config file for my last saved hardware id. The file is located in your appdata. I am not going to post mine as I do not want to be banned. But, FenceKiller proved you can send anything for this and it will not auto-ban your account.

User/Password: The Email field is not really an email, it is the username tied to the account. You can get this by logging into your account on Tarkov’s website and viewing the name under your profile details. The Password field is just the MD5 of your password, we can just do this on the fly inside our bot, so no big deal.

Now the integrity checks are weird. Since the time I began this project, FenceKiller has had the correct values for this. However, they are stored in the unity application, so it is possible to dump these from the game resources. I have not figured this out, but I will update this post when I do.

So we have all our fields, now we fake our login and go. Yes, but also no. After the first login, Tarkov will require us to verify our hardware Id by sending another request with the contents from our email. So we just need to check if Tarkov is requesting this, and ask our user for the code Tarkov automatically emails them. This is just a bit of logic, but our request is all there and we are good to go.

So we now have our login working, we have the requests required to do every step in the market manipulation, now we can get started on our code!

Liked it? Take a second to support Lystic on Patreon!
About Lystic 23 Articles
ArmA Scripter. Former cheater. Always have security in mind.