WindowsLive Messenger Plus - 6th Birthday Comp

WindowsLive Messenger Plus are holding a 6th Birthday Competition. Prizes range from t-shirts to gaming consoles.

To participate, users have to download plus, click an icon and play a game. They are presented with an image, and have to randomly click anywhere. There are 45 secret coords. added each week. Click one and you've won.

Well I was bored, and extremely frustrated seeing as though I hadn't been able to win anything after a few hours… Decided to run though a packet sniffer, I'm really new to all this. (13yo). Turns out you can access it through firefox with the UserAgentSwitcher set to 'MessengerPlusLive'. http://contest.msgpluslive.net/play.php?. You have to manually change the co-ords. in the url though.

Hoping anyone interested can help me figure this out. I guess it's already been done… Thanks anyway.

Any ideas, email's snip

Write a bruteforcer in javascript/php.

yeah write a php/js script that will change the url through the entire range of it all so you can win :D that isnt true hacking but its sort of related

SANTA wrote: yeah write a php/js script that will change the url through the entire range of it all so you can win :D that isnt true hacking but its sort of related

Yeah it is, you are coding something to make the system act in a way which suites you

You have to get a Valid Session after each click, their not that stupid ^^

How do you get a valid session?

mozzer wrote: How do you get a valid session?

i'm testing…

i sniffed the packets and found this was sent with the cookies:

usermsn=irkp20045zcly.vkomhl. (my email) userlg=no (language, norway) opt_usrcount=12153 opt_prizetotal2=48 opt_prizeleft=40 cache_usrcount=12153 cache_prizeleft=40 cache_prizetotal=48 playing=1 lastplaypos=

the cookie usermsn needs to contain you'r email address, mine was "irkp20045zcly.vkomhl."

javascript:void(document.cookie="usermsn=irkp20045zcly.vkomhl.") then spoof Useragent to "MessengerPlusLive" as said before..

i get the image on http://contest.msgpluslive.net/play.php and i can click the image, but it doesn't write the right Coords in the url, just:

http://contest.msgpluslive.net/result.php?coords=?undefined,undefined

Also, seems like your Session expires after some minutes..or clicks

EDIT:

if you use IE, you can click the image like you do in MSGplus, you have to spoof you'r User-Agent, and then get your cookie from MSGplus for it to work..

Reg edit for User agent spoof: http://ultimate.hotserv.dk/IE7_mod.reg Reg edit for Default User-agent: http://ultimate.hotserv.dk/IE7.reg

lol, good luck though..you have to try 535,500 times to get all of them ;)

700x765 = 535,500

http://contest.msgpluslive.net/result.php?coords=?**0,0** to http://contest.msgpluslive.net/result.php?coords=?**700,765**

That's not that much.

spyware wrote: That's not that much.

well, you have to sit and watch each try, cause you get a submit form when you get the right one, and if you don't submit it, someone else will get it..

EDIT:

fuck GOD Damn, someone just won ^^