Posted on behalf of a friend, in his own words.
Once I was invited to play Backyard Monsters on Google+. The game is not bad; the Internet says it is nearly the #1 game on social networks. I played for a while, and at some point (like any programmer) got bored of playing further. Long waits for tasks and the high cost of actions (upgrades, capturing new bases) turned the game into a kind of farm: log in, "reap the harvest" (feed the noobs and the like), queue some building for many hours (a week or more for some upgrades). So the thought of writing a bot came up. And that is where the surprises about the holes in its security began.
To begin with, we looked at the traffic (with Wireshark) to see what requests the client and server exchange. Surprise number one: the exchange is in plain text (it turned out to be JSON). Trying to play with swapping parameters produced only an Invalid hash error. Well then, let's go pick apart the Flash file itself.
The Internet recommended AS3 Sorcerer for this. Getting the game's SWF file is not hard. We proceed to the dissection.
After a bit of tinkering, the procedure for sending "messages" to the server was found, and right next to it the algorithm that generates that very hash: it is computed from the data being sent, a kind of "signature" for the message. Time to try generating a request ourselves to confirm the guesses. We take Python; for sending and receiving data the Internet suggests requests. We try to fetch information about our own base. And ... PROFIT! Contact established. Hooray!!!
To convert the response from a string (JSON) into data, on the Internet's advice, ast.literal_eval(text.replace('null','None')) is enough for parsing (plus a few more replacements for our beast). The Python json module was discovered later, and not everything went smoothly with it either. Of interest in the response:
{'fbid': '116797799793671216717', 'basevalue': 172461612,
'buildingdata': {'4787': {'l': 6, 't': 25, 'Y': -115, 'X': 235, 'id': 4787, 'fort': 4}, ...},
'resources': {'r4': 47358582, 'r1': 36449238, 'r1max': 75050000, 'r3': 72963216, 'r3max': 75050000, 'r2': 24155238, 'r2max': 75050000, 'r4max': 75050000},
'champion': {'ft': 1340003358, 'hp': 29751, 'l': 6, 'fb': 0, 'fd': 1, 't': 3},
'academy': {'C3': {'powerup': 3, 'level': 6}, ...}, 'quests': {'C51': 2, ...},
'credits': 4045, 'baseid': 1000071112, 'lockerdata': {'C10': {'t': 2}, ...}, 'userid': 79671, 'createtime': 1334196000, ...
fbid turned out to be the G+ ID, the one needed to look up the user's profile.
Loading works; now to try saving something. Studying the rest of the traffic and the Flash file's code, several failed attempts, a base broken (to the point of not being able to enter the game) and then successfully restored, and as a result we have a working module for sending valid data to the server. Several goodies were found right away (and implemented later): setting yourself any amount of resources, upgrading any building, leveling the champion, leveling the monsters' levels and skills, instantly creating an army of any composition, getting coins by collecting fly agarics (240 coins in half an hour). What more could you want?
Let's look at the world around us, then. Sniff, poke, script, get the result: the world map. What is interesting there?
{'53': {'77': {'c': 4, 'b': 3, 'uid': 79671, 'f': 4, 'i': 163, 'bid': 1000012527, 'fbid': 9223372036854775807L, ...}, ...
uid is the game user ID, bid is the base identifier, and fbid is the same as before. Strange ... Further analysis showed that to drop in on a neighbour for a visit you only need the bid, which we already know. We try dropping in programmatically ... The response made our eyes pop. Complete data about the buildings, about the champion, about the monsters and their upgrades, the (unneeded) contents of the shop, and the amount of the player's resources. They tell everything as if I had come home to my own base. Well ... now you can see who is more profitable to farm. Uh ... what is this ...? The enemy's fbid !!!
We look at the parameters needed for the "conversation" with the server and find the essential ones by discarding them one at a time ... Surprise number two: only the fbid (G+ ID) and a few constants are needed. So ... any neighbour's fbid can be obtained without any trouble ... We check: eyes pop even more. What is this? Not only can you do anything to yourself, you can also throw a party for your neighbours? Done. We set up Anonymous-style Tor so as not to stand out, and proceed. Along the way a few more, smaller surprises, a portion of new knowledge and some fun.
The result is this and this. The main bases of all players (with monsters and champions), a gift of several hundred (or thousands? who counts) coins to everyone (some more, some less), and in one of the worlds the whole territory (wild tribes, players' secondary bases) captured (we found who had not played for the longest and made him Genghis Khan) and returned to its original state within a few days. The layouts of the main players' bases have been posted (the corresponding forum topic has been deleted).
Absolutely the same hole exists on Kongregate, only with a newer version of the game. On Facebook the situation is better (for the developers): there you can only mess with your own data as you like. The defender there is signed_request, used as the parameter for authorization.
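For contrast with the design above, where the server takes the fbid straight from the request, here is an added example (not from the post, the game or the platform) of a server deriving the acting user from a platform-signed token in the Facebook signed_request format: HMAC-SHA256 over a base64url JSON payload, joined with a dot. The app secret, user ids and the make_signed_request helper that stands in for the platform are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed app secret for this demo. A real one lives only on the
# platform and the game server; it is never shipped inside the SWF.
APP_SECRET = b"demo-app-secret-not-real"

def b64url_decode(s: str) -> bytes:
    # signed_request uses unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_signed_request(payload: dict, secret: bytes = APP_SECRET) -> str:
    # Stands in for the platform: only a holder of the secret can mint this.
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return b64url_encode(sig) + "." + body

def verify_signed_request(token: str, secret: bytes = APP_SECRET):
    """Return the payload dict if the signature checks out, else None."""
    try:
        sig_b64, body = token.split(".", 1)
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        # MAC is over the encoded body exactly as sent; compare in constant time.
        if not hmac.compare_digest(b64url_decode(sig_b64), expected):
            return None
        payload = json.loads(b64url_decode(body))
    except ValueError:  # missing '.', bad base64 or bad JSON
        return None
    if not isinstance(payload, dict) or payload.get("algorithm") != "HMAC-SHA256":
        return None
    return payload

def user_for_request(form: dict, secret: bytes = APP_SECRET):
    # The acting user comes from the verified token; an fbid field in the
    # form body, which any client can set to any value, is ignored.
    payload = verify_signed_request(form.get("signed_request", ""), secret)
    return None if payload is None else payload.get("user_id")

if __name__ == "__main__":
    token = make_signed_request({"algorithm": "HMAC-SHA256", "user_id": "1001"})
    print(user_for_request({"signed_request": token, "fbid": "2002"}))  # 1001
    print(user_for_request({"fbid": "2002"}))  # None
```

Because the client never holds the secret, a request that names someone else's id without a token signed for that id is simply rejected, which is the difference between the Facebook version and the Google+ one described here.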
Here you can get the source code of the working cheat for Google+.