There is new retro Steem game by @LimeSoda. Hodl the Coin is a tribute to Flappy Bird in the galaxies. Player try to hodl the Steem coin through downsides and upsides for as many days as he can. Mouse left click is the only controller there.
Game gathered many fans, especially in Deutschland community. Even the Challenges did happen for SBD's prizes!
So I tried to take part in this too
I took a shortcut of course :> Instead of spending much time clicking, tried to achieve high score through workaround. And it seems that game has not only one hole. Oh where was I during @limesoda challenges...
TBH there is not much reverse engineering play if full source code is accessible. All the game is in single
main.js file. All I had to do is modify few variables, depend on what I wanted to achieve. The bigger trouble was to inject modified code into the browser, but hey for what do we have local proxies ;)
I will present here 2 ways to set 5000 score instantly (it can be unlimited but who cares about the numbers).
One way is to set initial score to 4999. After 1-2 seconds play the coin will reach '5000 days' and can kill itself in glory.
... this.currentScore=4999 ...
Very similar to above, let's just increase the incremental value every tick (1-2 seconds) to 5000. Player will start from 0 score as normal, but first tick will score him +5000 immediately.
... this.currentScore+=5000 ...
First of all, if game has to be a challenge, its code should be obfuscated. It makes much harder to look into the code for cheater (or abuser). Minifying is not enough as it can be reversed easily.
Server side verification
I have read some author's publications of statistics eg. how long players play, how many times they went to leaderboard etc. I am wondering why uploaded player score is not verified even by simple timer on the server. I have made 5k points in just one second. It should be easy to catch ;)
What would stop me from modifying source code is simple check of file checksum. It can be even CRC32, but pretty standard these days is MD5 or SHA256 fingerprint. Only if main.js file on my computer would be verified with server-share this would be perfect.
Thanks to authors
Thanks to @luschn [dev], @maybelater [pixelart / sound] and @berndpfeiffer [pseudorefactoring and bugcreation] for this nice yet another Steem game ;) I saw Your Roadmap and I believe it wil be a success.
Tip from me: make Hodl the Coin open source at Github and the game development will explode! You have my words ;)
Please take this article as a bug-hunting contribution towards improving the game :)