Louis Abraham's Home Page

/ How to hack Facebook Messenger Games 2/2

In the previous article, I showed how to modify the score sent to your friends from any game by exploiting the FBInstant API.

However, in some games, there are some achievements to unlock or money to buy upgrades. We would like to hack this as well.

In this article, I am going to make persistant changes in the game.

I’ll apply this technique on Everwing, a very popular messenger game.

The source code is available here.

Explanations

The problem here is that all the content is managed by a central server. We could try to write a bot, but it would be cumbersome as we would have to perfectly understand the protocol of the game.

But most of the game logic is executed by the browser, so there might be a way. Indeed, we are going to modify the source code of the game. To make the whole thing smooth, mitmproxy will help us by automating the process.

How to hack any game

1. Reverse engineer the source code

Now it’s pure reverse engineering. For example, to find the coins data of Everwing, I supposed the data of the gems was near and I started looking for the numeric value of the different gem sizes in the code.

We are very lucky because most of the games are not obfuscated or minified.

You can start looking for constants of the game or even try to understand how the game computes some interesting values. Be careful to use the patterns of the normal code and not of the formatted code.

2. Install mitmproxy

Just follow the instructions on http://docs.mitmproxy.org/en/stable/install.html

Don’t forget to install the certificates: http://docs.mitmproxy.org/en/stable/certinstall.html

The docs are well-written, don’t hesitate to read them to understand what a CA, a certificate or a MITM are.

Finally, redirect the connection of your computer. By default, mitmproxy listens on the port 8080. Just configure your computer or web browser to use localhost:8080 as http and https proxy.

3. Erase your cache and find the game url

By default, most web browsers use a cache to avoid reloading the game each time you play. You have to clean it to force your web browser to download it again.

Open the Network tab of the DevTools, open the game and look for the filename of the source. Copy the “Request URL”.

Today, the url of Everwing is

https://apps-141184676316522.apps.fbsbx.com/instant-bundle/1174389249249108/1804273522920866/browser-mobile.js

but the last sequence of digits changes sometimes (most likely with the game versions) so I use the regular expression

r'https://apps-141184676316522\.apps\.fbsbx\.com/instant-bundle/1174389249249108/\d*/browser-mobile\.js'

to recognize it. I suppose the system is the same for every game, so just use regular expressions.

4. Make a Python script to automate the replacement

I made this script, feel free to use it or improve it. Here are a few important points:

It provides examples of replacements to spawn more gems, earn premium coins, multiply the XP or the damages you deal.

Sometimes, the premium coins won’t augment if you push it too much, I guess there is a basic protection feature on the server.

5. Profit

everwing