Update: King, the maker of Candy Crush, has requested Candy Crush Cracker be removed from the Chrome Extension store. Due to this, it can no longer be installed directly via the Chrome Extension store, and must be downloaded and installed from its source instead. Links below have been updated to point at the new location, which contains the source and installation instructions.

After receiving a lot of interest in Trivia Cracker, a Chrome extension that lets you easily cheat in the popular game Trivia Crack, I decided it might be interesting to see if the same kinds of vulnerabilities existed in other popular games. Given its insane popularity, the first game I thought to investigate, of course, was Candy Crush.

For those of you living under a rock, Candy Crush Saga is a match-three puzzle game for Facebook, iPhone, and Android, released back in 2012. Even though it is essentially a re-skinned Bejeweled, Candy Crush has managed to ride the “most popular” app store charts unlike any game before it. Even now, three years after its release, it’s still going strong as a top app in both the iOS and Google Play app stores. And that’s not to mention the insane 75 million likes Candy Crush has racked up on Facebook.

Given its popularity, you’d think the developers of such a polished and successful game might have taken the time to implement it in a way that is secure from cheating. But, as it turns out, writing some code to cheat at Candy Crush is actually fairly simple. Just like with Trivia Crack, over the course of a weekend I was able to write and release a Chrome extension, Candy Crush Cracker, that converted me from a mediocre-at-best Candy Crush player to a god-like crusher of candy. You can see Candy Crush Cracker in action below, where I use it to get extra lives and to beat levels with any score I want:

So what’s wrong with Candy Crush Saga’s implementation that allowed me to so easily build a tool that lets anyone cheat? In short – beating a level in Candy Crush is as easy as sending a request to the Candy Crush server, saying you beat the level. You can even send along a score – any score – to say you beat the level with that score. The details of the vulnerability, how I found it, and how I built a Chrome extension to take advantage of it are below.

Many of my friends are Candy Crush fanatics, achieving scores and reaching levels I never would be able to naturally. But while my Candy-Crush-playing abilities have continually failed me, I figured maybe my reverse-engineering skills could take me to new candy-crushing heights. I suspected it might be possible to send my own requests to Candy Crush’s servers, or use some data in the responses sent to the client from Candy Crush’s servers, to gain an edge in the game. So, I started researching what kinds of data the Candy Crush client and server pass back and forth.

To inspect this data, I followed much the same process as with Trivia Crack. I played Candy Crush in my browser on Facebook, while recording and inspecting the requests and responses sent between Candy Crush’s client and server, using a tool I’d created previously called Gargl. Yes, I know I could have used Fiddler or Charles or Chrome’s Developer Tools to do the same. I decided to use Gargl instead because in addition to letting you view client/server requests/responses, Gargl also lets you modify and parameterize these requests, and then auto-generates modules in a programming language of your choice so you can make these same requests without writing a line of code.