( News Archives - Votes Page - FlashClient Info - vL64 Decoder Diary - Proxy List Start )




Current Habbo-related programs:
A Fully functional Packetlogger (Client packets only) - Dashboard 30_11_09 Release1

Current projects:
99%] Tutorial: The Furni bug UK database
50%] Tutorial: The Furni bug US database
45%] Project:  vL64 Decrypter collection (PHP, AS3, JS, VB6, C#, C++, Python and Java)
42%] Project:  vL64 Encrypter collection (PHP, AS3, JS, VB6, C#, C++, Python and Java)
40%] Tutorial: The Ultimate Headers & Packets guide
40%] Project:  Shenk's DIY Hotel Kit
32%] Project:  Shenk's screenshot collection
25%] Program:  [C#] Shenk's Amazing Figure Realted Shiz
25%] Project:  Restraining Order
10%] Project:  JailBait
10%] Program:  [C#] Shenk's Bot-ational Bot Handler
[  0%] Program:  [C#] Opensource Habbo login

[Green %  means the project is ongoing]
[Yellow % means the project has recently been worked on]
[Red %    means the project is currently at a stand still]

[Green Text in the project description  means the project has been completed]
[Yellow Text in the project description means the project has been started]
[Red Text in the project description    means the project has not been started]




  Donate to ShenkX:  


Current Goal: £50.00/£50.00
Current Goal: £50.00/£100.00
Current Goal: £150.00/£250.00



News

21-08-10 - New XSS Exploits

UPDATE2: I also just added another section to my: Eastereggs, Tips & Tricks page: Permanently Selected Buttons

It's a pretty pointless little bug... but I thought I may as well add it.
I was told quite a while ago about it - I forget who told me... but yeah, enjoy it!

UPDATE: I just removed the following sites from my Links page (Since they're all dead):
0wn.us
Jewlake.com
Habblet.es
HybridCore.net
SnGForums.biz

I'm sure most of you already know... but there's been two new XSS exploits found.

The second one found is another in the Billing's page (There was another XSS exploit found in here a few months ago, as well as that uploading bug):
https://billing.habbohotel.com/payment/service/new_post.jsp?

Here's my example of an XSS exploit in this page:
https://billing.habbohotel.com/payment/service/new_post.jsp?habbo_name=">>script<alert("www.ShenkX.co.uk Pwnz!")>/script<

The other was found in the CAPTCHA field on the Habbo Help Tool, unfortunately... this location doesn't exist on HabboUS anymore... but here's an example of it on HabboNL:
http://www.habbohotel.nl/iot/go?lang=de&country=de&captcha=

And... here's my example of an XSS exploit in this page:
http://www.habbohotel.nl/iot/go?lang=de&country=de&captcha="<>iframe src=http://www.shenkx.co.uk/News.php >

Erm, it's best to use URL encoding while making you XSS exploit (Because things like the: LessThan/GreaterThan/QuotationMarks/QuestionMark/ect characters don't copy well - even my HREF above uses URL-encoding!

What URL encoding is (If you don't know) is basically encoding (changing) characters into two letter/number equivalents (with a % in front of it).

So yeah, anyway, here's a few useful characters:
Space (" ") = %20
Quote (""") = %22
GrtTn (">") = %3C
LssTn ("<") = %3E
OBrkt ("(") = %28
CBrkt (")") = %29
Dollr ("$") = %24
Ampnd ("&") = %26
PlusS ("+") = %2B
Comma (",") = %2C
FSlsh ("/") = %2F
BSlsh ("\") = %5C
Colon (":") = %3A
SemiC (";") = %3B
Equls ("=") = %3D
Quest ("?") = %3F
AtSym ("@") = %40
HashS ("#") = %23
Pecnt ("%") = %25
OSqBr ("[") = %5B
CSqBr ("]") = %5D

That'll do I reckon? You can probably find some sort of encoder or something on Google, it'd be easy to make one... to be honest... I might make one for you... would only take a few minutes! Lol... yeah, might do that...

Finally, here's a couple of images, incase they're patched by the time you see this update:
XSS Exploit 1: Help Tool CAPTCHA
XSS Exploit 2: Billing Page

So, that's all I'm posting at the moment... and the site has an uncertain future to be honest...
This is due to me getting more, and more annoyed with all the fuckers demanding me to do updates...

So yes, ShenkX may close soon... so get your full in case we do! (If we do, I doubt it'll be forever - just for a months... probably).
- Alex (Shenk).

--------------------------------------------------------------



20-08-10 - Some late, late news!

Firstly, I'm back down to £150 of donations because Klaus (Aka JNike) reversed his £30 donation...
He also seems to have told PayPal that I said I'd send him an item... so he's made everything a hell of a lot more confusing for me... so yeah, thanks for that.

Anyway, let's go through Habbo-updates here's a list of new RELEASES:
The rest are coming soon
RELEASE56-27701-27700-201008130247_8f6c54151a631c1552c883f01f200163
RELEASE56-27832-27828-201008191645_766a36bf51826f1ddedd1b2b1dab4995

Here's a list of new SWFs:
I think I'm missing some RoomSWFs etc?...
- /h_lion.swf
- /sh_lion.swf

I noticed there's a new pet command also:


There's a fail in the catalogue lion's image, it overlaps:


I also noticed the other day that the shine on the IM has shifted to the left quite a bit:


Brett posted a cute little bug (From this Habbo Article) on my Shoutbox a few days ago (Although it has since been changed):


Hmm... what else...
Gah, there was so much I was planning to post about, God damn it.

Well, I guess I'll just update if I remember any of them.
- Alex (Shenk).

--------------------------------------------------------------



06-08-10 - Quick update...

11-08-10: Finally managed to get the News page working again... erm... I have quite a few things to write about so hopefully I'll have some news for you guys tomorrow! ^^

First off, a few days ago I noticed a fail on Runescape, the new item-images fail (Quite a common mistake - this is about the 10th time I've noticed a newly released item-image is too big for the item-image-frame), here's a few examples:


It's probably fixed by now, haven't checked... erm... d0ka posted something quite interesting on my shoutbox yesterday, a HabboHome with a broken avatar-image:
HabboHome Image.

What else... nothing really... there's fuck all new on Habbo and I haven't been around recently to write/code any updates to be honest!

My site-host is kinda dead at the moment also, my AWStats has been down for a month and I can't use the FTP, so updating the site is really annoying at the moment - that's one of the reasons the updates have been so far between.


I'll try and have something decent for you ready next update... either the screenshots, ticketsystem or a tutorial/easteregg etc.
- Alex (Shenk).

--------------------------------------------------------------



04-08-10 - Five Group Icons Tutorial.

Yep, as promised, here's a more detailed version:
Five Icons in a Group Badge

Also, I've been talking to a few of my friends and it turns out:
1.) HabboBR had the invisable-widget option released years ago.
2.) Apparently, like I suggested... the big avatar-glitch is to do with the old clothing, why my avatar doesn't do it... is possibly because my avatar is too old to do it... I dono, I'm still confused about this one!
3.) I noticed that widgets in black is still possible also... I accidently did it while doing the massive-broken quote-note thing.

Erm... I'll hopefully release some more of these tuts soon... since they're mostly unpatched, even though they've been around for years, which is nice!

That's all for now, keep voting guys!
- Alex (Shenk).

--------------------------------------------------------------



03-08-10 - Sorry for how late this is!

UPDATE2: Okay, it's really simple... I worked it out within a few minutes!
All you have to do is add a second "s" code, so here's the easiest way to do it:

1.) Easiest way to find the code for the 5th icon is to blank out (un-tick the boxes) all the other icons, then save it with Tamper Data turned on, not check the POST_DATA field... and look for the line that says "code=", it'll then say s00000 (The "s" means it's an icon instead of "b" which is background... the red is where your specific code is; the last number is for placement and all the others are to do with colour/logo type etc)...

2.) Now you have your specific code, stop Tamper Data and put all your other icons up normally (Not sure if you can have a background AND a 5th icon... didn't try) anyway... now turn Tamper Data on before you save it...

3.) Now click save... and at the end of the "code=" part in the POST_DATA field put your code, so it looks a bit like this:
onData=%5Btype%20Function%5D&%5F%5Fapp%5Fkey=8A4F0A71AED646EB42A78C68BCA316D6%2Eresin%2Dfe%2D3&code=s06048s06046s06042s06040s06044&groupId=1337
(This code will give you five green-skulls in dice-placements).

Easy!... I'll clean the tutorial up sometime soon... hopefully most people will understand what to do from this though!



UPDATE: Since people KEEP asking for the Five icons in group badge exploit (Originally released by Magnea in 2008, I think?) I decided to go searching for it...
I found the original thread (On HabboxForum) where he released:
Add anyone to your group (Patched and released on here);
Hidden URL-redirecting (Patched and released on here);
Invisible Group Badge (Patched, just tested it...).

But, it doesn't have the 5icon exploit... which is odd... so yeah I'm confused now, I'm sure it was him that released it...
Anyway, I guess this means I'll have to write the tut for it, so it'll come as soon as I'm done.
First, I need to borrow someone's group so I can test and screenshot etc, erm... so if you have one I can try it on, please Shoutbox/MSN me!

I'm sorry about how late progress with the site has been lately... I've just lost interest recently to be honest... as well as being quite busy, I'm sure it'll pick up again though!

First I want to say a massive thanks to:
Henrik who donated £100 to me on the 21st and 24th of July,
and also to Klaus JNike who donated £30 to me yesterday (2nd of August).
I'm so thankful for all these donations!...
They not only give me motivation, but they open up lots of other possibilities for the site... not to mention keep me up-to-date with my rent/food costs, so once again a MASSIVE thanks to EVERYONE that's donated so far and I look forward to more in the future!

The below was written on the 30th for release on the 1st:

I'm sorry my updates have been SO rare lately!
I've been with my friends and family mostly...

Although, I have to admit the last couple of days I've been on the computer...
Someone from HabboxForum (Called AidenFTW24 who I don't really know... and I think he doesn't know about this site either...) bought me a Runescape membership, so I've been trying to get my quest cape back - I've been a non-member for months so there's quite a few I needed to do...
In fact, I've been back on RuneScape for 2days and I've done 5/8 quests!
I've actually, weirdly, got back into Runescape... didn't think I'd ever enjoy it again.

Anyway, that explains, vaugly, what I've been up to.
So, Habbo-related... erm... well, a new release came out yesterday (Or the day before):
RELEASE55-27565-27564-201007300247_5e27dadc921d6bf318a5016de725badd
Lol @ "Bad" release -chuckles- ... damn, that was a bad pun...

What else... erm... "clickjacking" has been patched... the other day
Pretty crazy to be honest... I posted an example of it almost 3months ago!
Usually when I post stuff, Sulake patch it within 24hours!

Hmm... do I have anything else to say... nope, not really...
I'll do some updates after I've finished these quests on Runescape... or if I get bored, maybe I'll do one tomorrow...

Actually, yeah... new poll in a couple of minutes to see what you want me to release tomorrow!

The below was compiled on the 2nd and written today (3rd):

I noticed my shoutbox has been full of people talking about HabboBR's HabboHome explotation-groups recently, there's a few quite good ones, here's two:
http://www.habbo.com.br/groups/hey (Found by CYB3R)
http://www.habbo.com.br/groups/yo (Found by myself)

It seems a guy called 98w is doing it all... the bugs/exploits include:
- Enlarged notes (Which has recently been unpatched, I did it today on HabboEN),
- BIG-avatars when they're meant to be small (This happened as an accident on HabboUK with a couple of my friends, it seems this guy has figured out how to do it though),
- Small text (I assume this is just done by some special chr, that's a VERY likely explanation...),
- Stickers/Widgets in black (Which seems unpatched on HabboBR),
- Various clothing glitches (Most of which are patched on HabboEN, but that I pointed out as they came out).

Anyway, here's a few pictures to illustrate the bugs:
Enlarged figures in FriendList:


Small text and enlarged figures in GuestBook:


I'm not sure if I posted an image of my HabboUK's friend's Habbo when his suddenly became enlarged?
I probably didn't, he's a close friend and he's not the type to get caught up in this kinda stuff!...
Anyway, I trust him totally and he told me he did nothing to make it do what it did... just one day he looked at his friendlist and it was just like that... also, note that it only happens with the avatar-maker for HabboHomes... so nothing unusual happens in the client!

So, looking at the avatars themselves, here's a couple of examples:
[Habbo Name: 98w.NU]
Big Avatar URL:
http://www.habbo.com.br/habbo-imaging/avatar/hd-600-%2Cs-0.g-0.d-4.h-4.a-0%2C2c1f4ea0b20229c29d6ee545bd93274a,s-0.g-0.d-4.h-4.a-0,431b87a23102db425ce38fe1893985c6.gif
My user with same look as above:
http://www.habbo.com.br/habbo-imaging/avatar/hd-600-1.ch-635-62.lg-695-62,s-0.g-0.d-4.h-4.a-0,f8a562e7869166aab745d5b667c38437.gif

Small [aka Big] Avatar URL:
http://www.habbo.com.br/habbo-imaging/avatar/hd-600-%2Cs-0.g-0.d-4.h-4.a-0%2C2c1f4ea0b20229c29d6ee545bd93274a,s-1.g-0.d-4.h-4.a-0,bda7601e1668c53a4f1977d097639bee.gif

My user with same look as above:
http://www.habbo.com.br/habbo-imaging/avatar/hd-600-1.ch-635-62.lg-695-62,s-1.g-0.d-4.h-4.a-0,4881e05380984e695256a3cfd21a1641.gif

So, as you can see they're quite different... they do use old avatars, which originally (I thought this with my UK friend also) I thought was the issue, but if we look at one of my Shenk accounts (The ones with the old-green hair etc) they look like this:
http://www.habbo.com.br/habbo-imaging/avatar/hr-165-1052.hd-180-1026.ch-255-1198.lg-270-1198.sh-300-1286,s-0.g-0.d-4.h-4.a-0,d0cfde5b7cf959750c7a5fe113939575.gif
And when we put these next to one of our special examples, there's still a lot that's different:
http://www.habbo.com.br/habbo-imaging/avatar/hd-600-%2Cs-0.g-0.d-4.h-4.a-0%2C2c1f4ea0b20229c29d6ee545bd93274a,s-0.g-0.d-4.h-4.a-0,431b87a23102db425ce38fe1893985c6.gif

The main differences:
The Head coding comes before the Hair coding,
The default Head code is "600" which is very odd since it's been "180" for a long time,
There's the addition of %2C's which are URL-encoded commas (","),
Instead of Hair/Body/Shirt/Trouser/Shoe codes - they use the old, string format: C2c1f4ea0b20229c29d6ee545bd93274a,

To be honest, I'm really, honestly, pretty stumped by it... so if anyone has any ideas further than what I've discussed, please do share them with me!

Anyway, onto the next point I made... I said that elongated-notes has been unpatched on all hotels (At least on BR and EN) so in case you've forgotten, here's how:
1.) Make a note with many chr(13)s, ie. click the enter button after each letter, like so:
S
H
E
N
K
X

2.) Do this for all 500characters (That's the note limit) then click preview, then continue.

3.) Now, when you try to save it it'll complain about this note being out of the boundries... so like with the widgets/stickers out of the frame exploit, we need to send this javascript line in the URL-bar:
javascript:isNotWithinPlayground=function(){return false;};void(0);

And you're done! (HERE's an example).

I also attempted to make an invisable note/widget like in the group-example... I get the feeling it may be patched though, although it did feel like I got close a few times...
Anyway, the skin used is called H (As apposed to: Default, Metal, etc.), you can find this by looking at the source:


I attempted to do it like we originally did (In THIS tutorial) but it didn't work...
All that happened (Using firebug-editing and HTTP editing) was several bugs including a bug where it stayed on the loading-button; another where the preview-box turned into just an orange bar and a couple of different ones that looked like this (One with the same text but in HabboHomes' font):


Which although quite entertaining, wern't what I was looking for...
I then set about editing a widget while it was on the homepage using HTTP editing, this also seemed to come quite close but no joy was had...
Again, it did feel like I was getting close though... with trying to change it to a "0" (The number it was before), "7" (The number after the last type) and I got some really odd bugs trying "H"!

So, pretty stumped by this as well... seeing as the group is new etc!
Well... if 9wc decides to share some of his habbohome secrets, hopefully he'll think of me!... I did add about twelve of his accounts earlier, so I'm sure he can contact me if he wants to!

Oh, also I saw someone on my shoutbox that didn't know how to have 5 group-icons!
It was only then that I realised I never made this tutorial... although this bug is one of the older ones, I mean it pre-dates things like: Adding anyone to a group etc!
So yeah, it's on my to-do list... along with everything else!

Right, that's gona have to be all for now... this post is already 3days late!
- Alex (Shenk).