Candy crush saga game

Candy Crush Cracker converted me from a mediocre-at-best "Candy Crush" player to a god-like crusher of candy.

BY JOE LEVY 

After receiving a lot of interest in Trivia Cracker, a Chrome extension that lets you easily cheat in the popular game Trivia Crack, I decided it might be interesting to see if the same kinds of vulnerabilities existed in other popular games. Given its insane popularity, the first game I thought to investigate, of course, was Candy Crush.

For those of you living under a rock, Candy Crush Saga is a match-three puzzle game for Facebook, iPhone, and Android, released back in 2012. Even though it is essentially a reskinned Bejeweled, Candy Crush has managed to ride the “most popular” app store charts unlike any game before it. Even now, three years after its release, it’s still going strong as a top app in both the iOS and Google Play app stores. And that’s not to mention the insane 75 million likes Candy Crush has racked up on Facebook.

Given its popularity, you’d think the developers of such a polished and successful game might have taken the time to implement it in a way that is secure from cheating. But, as it turns out, writing some code to cheat at Candy Crush is actually fairly simple. Just like with Trivia Crack, over the course of a weekend I was able to write and release a Chrome extension, Candy Crush Cracker, that converted me from a mediocre-at-best Candy Crush player to a god-like crusher of candy. You can see Candy Crush Cracker in action below, where I use it to get extra lives and to beat levels with any score I want:

So what’s wrong with Candy Crush Saga’s implementation that allowed me to so easily build a tool that lets anyone cheat? In short, beating a level in Candy Crush is as easy as sending a request to the Candy Crush server saying you beat the level. You can even send along a score—any score—to say you beat the level with that score. The details of the vulnerability, how I found it, and how I built a Chrome extension to take advantage of it are below.

How to hack Candy Crush Saga

1) Finding the vulnerability

Many of my friends are Candy Crush fanatics, achieving scores and reaching levels I never would be able to naturally. But while my Candy Crush abilities have continually failed me, I figured maybe my reverse-engineering skills could take me to new candy-crushing heights. I suspected it might be possible to send my own requests to Candy Crush’s servers, or use some data in the responses sent to the client from Candy Crush’s servers, to gain an edge in the game. So, I started researching what kinds of data the Candy Crush client and server pass back and forth.

To inspect this data, I followed much the same process as with Trivia Crack. I played Candy Crush in my browser on Facebook, while recording and inspecting the requests and responses sent between Candy Crush’s client and server, using a tool I’d created previously called Gargl. Yes, I know I could have used Fiddler or Charles or Chrome’s Developer Tools to do the same. I decided to use Gargl instead because in addition to letting you view client/server requests/responses, Gargl also lets you modify and parameterize these requests, and then auto-generates modules in a programming language of your choice so you can make these same requests without writing a line of code. But more on that later.

Anyway, after telling Gargl to start recording and going to Candy Crush on Facebook in my browser, the first step was to figure out which of the many requests being sent on this Facebook page were related to Candy Crush, versus Facebook itself. Inspecting the HTML on the page showed that the Candy Crush Flash content is embedded into Facebook via an iframe. The element right above this iframe was a form meant to post to a peculiar URL – https://candycrush.king.com/FacebookServlet/.


[Screenshot: Joe Levy]


I knew King is the company that creates Candy Crush Saga, so I suspected this is the domain where Candy Crush is hosted. The next step was just to start playing Candy Crush, and as I played to look at the requests Gargl finds that the page is making to any URL containing “king.com”:


[Screenshot: Joe Levy]


As I beat levels in Candy Crush, I noticed a new request seemed to be issued for each level. The requests seemed to be issued right after I successfully completed a level:


[Screenshot: Joe Levy]


So, it seemed, maybe the client tells the Candy Crush server when a game is over. This made me think maybe the client doesn’t just say the game is over, but also says whether the user beat the level or not, and if the level was beaten, with what score the user beat the level.

I figured I had a lead, and dug into the details of this “gameEnd” request.

2) The vulnerability in detail

Using Gargl to look at the “candycrush.king.com/api/gameEnd3” request/response in detail, I was able to confirm that it does indeed tell the server when the game is over, and the score with which the user beat the level:


[Screenshot: Joe Levy]


As you can see above, the request sent to the server contains, as a query string parameter, a JSON object containing the score the level was beaten with, the ID of the level that was beaten, as well as a bunch of other information. The query string parameter’s name is a not-very-descriptive “arg0”—maybe an attempt by the game’s creators to try to hide the fact that this parameter is the secret to making all your Candy Crush dreams come true!

The full value of the “arg0” parameter looks like the below:


[Screenshot: Joe Levy]


From some experimentation and watching this request as I finished multiple levels, I was able to discern what most of the fields in arg0 mean, and where they come from. EpisodeId and levelId are used to identify the level, and can be found in the request sent to the server when you start playing a level—https://candycrush.king.com/api/gameStart2.

Seed can also be found in this “gameStart” request, and seems to represent a random seed for how the layout of the candy in the level should look. In addition, every API request made to Candy Crush must be sent with an “_session” query string parameter, to identify the current user session. This value can also be found in the gameStart request, and really in any request to Candy Crush, for that matter.

Here’s what the https://candycrush.king.com/api/gameStart2 request looks like:


Again, it looks like Candy Crush’s creators are either really bad at coming up with creative parameter names, or they’re trying to obfuscate this information to make it harder to manipulate their API. EpisodeId is sent via a query string parameter called “arg0,” levelId is sent as “arg1,” and seed is sent as “arg2.” For some reason, they did decide to use a fairly descriptive name for the session token though—“_session.”

Other than episodeId, levelId, score, and seed, the rest of the fields in the gameEnd request’s arg0 query string parameter are unimportant, and can be hard-coded like above. That is, except for cs. Cs in this case probably stands for checksum, because if you do not send the right value for it, the request will fail. It turns out constructing the value of the checksum field is not all that difficult either. To get the correct checksum, simply MD5 hash a specific string and use the first six characters of the resulting hash as the checksum. The string to hash matches the format:

:::-1:::BuFu6gBFv79BH9hk

UserId is the only piece of information we don’t already have that is needed to construct the above string. It is sent in the “gameInit” request that happens every time you load Candy Crush Saga—https://candycrush.king.com/api/gameInitLight. You can make this request at any time (passing _session as a query string parameter, of course) and the response will contain your userId:


Great, we now have everything we need to make the gameEnd request!

Let’s try popping this information into Fiddler’s composer, targeting the first level of the game, and see what happens when we enter a score of 100,000, calculate the checksum, make the gameEnd request, and then reload Candy Crush Saga:


Well, my friends, it appears we’ve successfully cracked Candy Crush!

While Candy Crush Saga did take some defensive measures, allowing a single request to complete the level, with any score, is in direct conflict with the “Defensive Programming” practice of programming—particularly the “never trust the client” Web programming principle. Since the server has no control over how the client acts, it can’t assume the client will not act in a malicious way, and so must protect itself. A better way of implementing “completing levels” would be to make the client send every move the user makes in the level to the server, and have the server determine if those moves successfully earn a score high enough to complete the level. While this method also isn’t perfect, it at least means the client, whether through manual user action or via some automated method, has to play the level instead of just telling the server “I win.”
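A sketch of the server-authoritative design described above, added here as an example and not code from the post or from King. It assumes a simplified match-three rule set (10 points per cleared cell, no gravity or refill) and that the server keeps the board it dealt in gameStart, so the client submits moves rather than a score:

```javascript
// Added example (not code from the post or from King): a server-authoritative
// gameEnd check. Simplified match-three rules: no gravity or refill.
const POINTS_PER_CELL = 10; // assumed scoring rule

// Keys "r,c" of every cell in a horizontal or vertical run of 3+ equal non-empty cells.
function findMatches(board) {
  const hit = new Set();
  const n = board.length, m = board[0].length;
  for (let r = 0; r < n; r++) {
    for (let c = 0; c < m; c++) {
      const v = board[r][c];
      if (v === 0) continue;
      if (c + 2 < m && board[r][c + 1] === v && board[r][c + 2] === v) {
        for (let k = 0; k < 3; k++) hit.add(`${r},${c + k}`);
      }
      if (r + 2 < n && board[r + 1][c] === v && board[r + 2][c] === v) {
        for (let k = 0; k < 3; k++) hit.add(`${r + k},${c}`);
      }
    }
  }
  return hit;
}

// Replays the client's moves on a copy of the board the server dealt in gameStart.
// Each move must be an in-bounds, adjacent swap of two non-empty cells that creates
// at least one match; any violation rejects the whole submission.
function replayMoves(dealtBoard, moves) {
  const board = dealtBoard.map(row => row.slice());
  const inBounds = (r, c) => r >= 0 && c >= 0 && r < board.length && c < board[r].length;
  let score = 0;
  for (const { r1, c1, r2, c2 } of moves) {
    if (!inBounds(r1, c1) || !inBounds(r2, c2)) return { ok: false, score, reason: 'out of bounds' };
    if (Math.abs(r1 - r2) + Math.abs(c1 - c2) !== 1) return { ok: false, score, reason: 'not adjacent' };
    if (board[r1][c1] === 0 || board[r2][c2] === 0) return { ok: false, score, reason: 'empty cell' };
    [board[r1][c1], board[r2][c2]] = [board[r2][c2], board[r1][c1]];
    const matched = findMatches(board);
    if (matched.size === 0) return { ok: false, score, reason: 'swap makes no match' };
    for (const key of matched) { const [r, c] = key.split(',').map(Number); board[r][c] = 0; }
    score += matched.size * POINTS_PER_CELL;
  }
  return { ok: true, score, reason: null };
}

// Server-side gameEnd: the client's claimed score is accepted only when the replay
// is legal and the score the server computed from the moves is equal to it.
function validateGameEnd(dealtBoard, moves, claimedScore) {
  const result = replayMoves(dealtBoard, moves);
  return result.ok && result.score === claimedScore;
}
```

With this check in place a forged "I won with 100,000" request fails unless the submitted moves actually earn that score on the server's own copy of the board.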

However, Candy Crush did not do this, and instead trusts the client. Now it was just a matter of creating a malicious client to take advantage of the fact that the client can just tell the server it won any arbitrary level. Ideally, one that would be easy for non-technical users to install and use. Hmm…how about a Chrome extension that just adds a button to the Candy Crush game, when played on Facebook, that when clicked beats the current level automatically?

3) Taking advantage of the vulnerability

As I mentioned above, Gargl allows you to take the requests you had it record, modify and parameterize them as needed, and then auto-generate modules in a programming language of your choice to make these same requests. I’m not going to go into the details of that process since you can look at one of my Gargl blog posts to find that info, but essentially I generated a Gargl template file for Candy Crush’s various API requests, using the Gargl Chrome extension, and then used a Gargl generator to turn that template file into a Candy Crush JavaScript library. Using Gargl for this allowed me to create a JavaScript library that talks to Candy Crush’s servers, without writing a line of code to do so, and also to have a template file around for the future in case I want to do the same thing later with another programming language.

Once I had this Candy Crush JavaScript library, it was a simple matter of building a Chrome extension in JavaScript that runs on the domain loaded in the Candy Crush Facebook game page’s iframe (candycrush.king.com), adds a button to the HTML for the game, and when that button is clicked asks the user for a score, does the above steps to find episodeId, levelId, seed, _session, and userId, and then issues the gameEnd request to beat the current level.

And just like that, Candy Crush Cracker was born! Curious about the exact details of how Candy Crush Cracker works? Check out the source code on GitHub.
