In the previous article, I showed how to modify the score sent to your friends from any game by exploiting the FBInstant API. However, in some games, there are some achievements to unlock or money to buy upgrades. We would like to hack this as well.
In this article, I am going to make persistent changes in the game. I’ll apply this technique to Everwing, a very popular Messenger game.
The source code is available here.
Note that the techniques I describe here can be applied to any game written in JavaScript, as long as the client side is the one that makes the decisions.
Explanations
The problem here is that all the content is managed by a central server. We could try to write a bot, but it would be cumbersome as we would have to perfectly understand the protocol of the game.
But most of the game logic is executed by the browser, so there might be a way. Indeed, we are going to modify the source code of the game. To make the whole thing smooth, mitmproxy will help us by automating the process.
How to hack any game
1. Reverse engineer the source code
- Locate the iframe of the game (explained here)
- The source should be in the first <head> of the iframe. For Everwing, it looks like <script src="browser-mobile.js"></script>
- Go to the Sources tab of the DevTools and look for the same file
- Download the code. It is advised to prettify the code before downloading it. Be patient, because the source of Everwing is really big (more than 8 MB of text). If it is too slow, download the source using the game URL as described later.
- Open the code with a robust editor and start looking for relevant names / constants. If your editor crashes, use a better one like TextMate, Sublime, emacs or vim.
Now it’s pure reverse engineering. For example, to find the coin data of Everwing, I assumed the gem data was nearby and started looking for the numeric values of the different gem sizes in the code.
We are very lucky because most of the games are not obfuscated or minified.
You can start by looking for constants of the game, or even try to understand how the game computes some interesting values. Be careful to write your search patterns against the original (unformatted) code and not against the prettified code: the original is what the server actually sends.
2. Install mitmproxy
Just follow the instructions on http://docs.mitmproxy.org/en/stable/install.html
Don’t forget to install the certificates: http://docs.mitmproxy.org/en/stable/certinstall.html
The docs are well-written, don’t hesitate to read them to understand what a CA, a certificate or a MITM are.
Finally, route your computer’s traffic through the proxy. By default, mitmproxy listens on port 8080, so configure your computer or web browser to use localhost:8080 as the HTTP and HTTPS proxy.
3. Clear your cache and find the game URL
By default, most web browsers use a cache to avoid reloading the game each time you play. You have to clear it to force your web browser to download the game again.
Open the Network tab of the DevTools, open the game and look for the filename of the source. Copy the “Request URL”.
Today, the URL of Everwing is
https://apps-141184676316522.apps.fbsbx.com/instant-bundle/1174389249249108/1804273522920866/browser-mobile.js
but the last sequence of digits changes sometimes (most likely with the game version), so I use the regular expression
r'https://apps-141184676316522\.apps\.fbsbx\.com/instant-bundle/1174389249249108/\d*/browser-mobile\.js'
to recognize it. I suppose the scheme is the same for every game, so just use regular expressions.
4. Make a Python script to automate the replacement
I made this script; feel free to use it or improve it. Here are a few important points:
- Launch it with mitmproxy -s mitm_everwing.py. Running it with the Python interpreter directly won’t work.
- Press ‘e’ to see the event log.
- mitmproxy automatically reloads the script when it is modified, so you don’t need to restart mitmproxy.
- url is a regular expression used to match the source of the game.
- replacements is a mapping from the strings to replace to their replacements.
- disable_cache is a very useful function: it modifies the response headers to prevent the browser from caching the script, so you don’t have to clear your cache every time you modify the replacements. However, you can turn it off so that the browser keeps using the cached (modified) version even without the MITM.
The script provides examples of replacements to spawn more gems, earn premium coins, and multiply the XP or the damage you deal.
Sometimes the premium coins won’t increase if you push it too far; I guess there is a basic protection feature on the server.
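The whole procedure relies on the weakness stated at the top of the article: the client decides what a run is worth, and the server believes it. As an added example, not code from the article, from Everwing or from any real game backend, here is a hypothetical server-side ledger that closes that gap: the server timestamps the run itself, keeps the authoritative balances, and credits a reported reward only if it is plausible for the run it observed, while rejected reports are logged for detection. The tuning constants, the class and method names and the start-run/end-run model are assumptions made for this example.

```python
"""Hypothetical server-side guard against client-side value tampering.

Constructed example: not code from the article, from Everwing or from any
real backend. It demonstrates the mitigation for the weakness the article
exploits (the client deciding what a run is worth): the server measures the
run, keeps the authoritative balance, and accepts a reported reward only if
it is plausible. All constants and the player/run model are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed tuning values (assumptions): the most coins and XP a legitimate
# run could yield per second, and the longest run the server will credit.
MAX_COINS_PER_SECOND = 5
MAX_XP_PER_SECOND = 10
MAX_RUN_SECONDS = 600


@dataclass
class Player:
    coins: int = 0
    xp: int = 0
    premium: int = 0
    run_started_at: Optional[float] = None
    rejected_reports: int = 0


class AuthoritativeState:
    """Server-side ledger: the browser reports, the server decides."""

    def __init__(self) -> None:
        self.players: Dict[str, Player] = {}
        self.audit: List[str] = []  # rejected reports, kept for detection

    def player(self, pid: str) -> Player:
        return self.players.setdefault(pid, Player())

    def start_run(self, pid: str, now: float) -> None:
        # The server records the start time, so the client cannot inflate the duration.
        self.player(pid).run_started_at = now

    def end_run(self, pid: str, now: float, claimed_coins: int, claimed_xp: int) -> bool:
        """Credit the run only if the claimed reward fits the observed run length."""
        p = self.player(pid)
        reasons: List[str] = []
        if p.run_started_at is None:
            duration = 0.0
            reasons.append("no run in progress")
        else:
            duration = min(now - p.run_started_at, MAX_RUN_SECONDS)
        p.run_started_at = None  # a report always ends the run, accepted or not
        if claimed_coins < 0 or claimed_xp < 0:
            reasons.append("negative reward")
        if claimed_coins > duration * MAX_COINS_PER_SECOND:
            reasons.append(f"coins {claimed_coins} exceed cap for {duration:.0f}s run")
        if claimed_xp > duration * MAX_XP_PER_SECOND:
            reasons.append(f"xp {claimed_xp} exceeds cap for {duration:.0f}s run")
        if reasons:
            p.rejected_reports += 1
            self.audit.append(f"{pid}: rejected run ({'; '.join(reasons)})")
            return False
        p.coins += claimed_coins
        p.xp += claimed_xp
        return True

    def credit_premium(self, pid: str, amount: int) -> None:
        # Only a trusted path (e.g. the payment backend) calls this; no client
        # request ever reaches it, so a rewritten script cannot mint premium coins.
        self.player(pid).premium += amount

    def spend_premium(self, pid: str, amount: int) -> bool:
        # The only client-reachable operation on premium currency is spending it,
        # checked against the balance the server holds, not one the client reports.
        p = self.player(pid)
        if amount <= 0 or amount > p.premium:
            self.audit.append(f"{pid}: rejected premium spend of {amount}")
            return False
        p.premium -= amount
        return True

    def flag_suspicious(self, pid: str, threshold: int = 3) -> bool:
        """Detection hook: repeated implausible reports point to a tampered client."""
        return self.player(pid).rejected_reports >= threshold


if __name__ == "__main__":
    s = AuthoritativeState()
    s.start_run("alice", 1000.0)
    print(s.end_run("alice", 1030.0, claimed_coins=120, claimed_xp=200))  # plausible
    s.start_run("alice", 2000.0)
    print(s.end_run("alice", 2010.0, claimed_coins=10_000, claimed_xp=5))  # implausible
    print(s.audit)
```

With this layout, a modified browser script can still change what the client claims (more gems spawned, more damage dealt, more coins reported), but the server only credits amounts that fit a run it timed itself, and premium currency has no client-writable path at all. The audit list is the detection side: a player whose reports keep failing the plausibility check is exactly the pattern a rewritten client produces.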