How to achieve unlimited score in 🎮 Hodl the Coin Steem game [Hack]

in hodlthecoin •  4 months ago

There is a new retro Steem game by @LimeSoda. Hodl the Coin is a tribute to Flappy Bird in the galaxies. The player tries to hodl the Steem coin through downsides and upsides for as many days as he can. The left mouse click is the only control.

https://games.limesoda.com/hodl-steem/

The game gathered many fans, especially in the Deutschland community. There were even challenges for SBD prizes!

So I tried to take part in this too

I took a shortcut of course :> Instead of spending much time clicking, I tried to achieve a high score through a workaround. And it seems that the game has more than one hole. Oh, where was I during the @limesoda challenges...

Hodl the Coin uses the Phaser.io engine. Most Phaser games are client-side. This means the whole game is downloaded to the web browser and all the JavaScript code (engine) is kept there during gameplay. I was surprised how easy it is to just modify the code on my computer :O The JavaScript isn't even obfuscated, and the submitted high scores are not verified on the server side. This makes a perfect scenario to cheat a little.

Reverse engineering

TBH there is not much reverse engineering to do when the full source code is accessible. The whole game is in a single main.js file. All I had to do was modify a few variables, depending on what I wanted to achieve. The bigger trouble was injecting the modified code into the browser, but hey, what do we have local proxies for ;)

I have set up a local proxy on my machine and intercept all HTTP responses via Burp Suite

I will present here 2 ways to reach a score of 5000 instantly (it can be unlimited but who cares about the numbers).

1st example

One way is to set the initial score to 4999. After 1-2 seconds of play the coin will reach '5000 days' and can kill itself in glory.

...
this.currentScore=4999
...

Modify source code intercepted in Burp Suite (proxy)

Proof of work

2nd example

Very similar to the above: let's just increase the increment added every tick (1-2 seconds) to 5000. The player will start from a score of 0 as normal, but the first tick will score him +5000 immediately.

...
this.currentScore+=5000
...

Modification

Proof

Weak points

Code obfuscation

First of all, if the game is meant to be a challenge, its code should be obfuscated. This makes it much harder for a cheater (or abuser) to look into the code. Minifying is not enough, as it can be reversed easily.

Server side verification

I have read some of the authors' published statistics, e.g. how long players play, how many times they went to the leaderboard, etc. I am wondering why the uploaded player score is not verified even by a simple timer on the server. I made 5k points in just one second. It should be easy to catch ;)
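One way to implement the server-side timer check suggested above, as an added example that is not the game's own code. The function names `startRound` and `verifyScore`, the one-point-per-second rate and the latency allowance are assumptions made for illustration.

```javascript
// Added example (Node.js): bound a submitted score by server-measured play time.
const crypto = require("node:crypto");

const SECRET = crypto.randomBytes(32); // server-only key
const MIN_TICK_MS = 1000; // assumption: at most +1 point per second
const GRACE_MS = 2000;    // assumption: allowance for network latency
const usedNonces = new Set(); // one accepted score per round token

function sign(payload) {
  return crypto.createHmac("sha256", SECRET).update(payload).digest();
}

// Called when a round starts; the token binds the start time to a server MAC.
function startRound(now = Date.now()) {
  const payload = `${crypto.randomBytes(8).toString("hex")}.${now}`;
  return `${payload}.${sign(payload).toString("hex")}`;
}

// Called on score upload; never trusts timing or score reported by the client.
function verifyScore(token, score, now = Date.now()) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed token" };
  const [nonce, startedAt, mac] = parts;
  const given = Buffer.from(mac, "hex");
  const expected = sign(`${nonce}.${startedAt}`);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad signature" };
  }
  if (!Number.isInteger(score) || score < 0) {
    return { ok: false, reason: "invalid score" };
  }
  if (usedNonces.has(nonce)) return { ok: false, reason: "token already used" };
  const elapsedMs = now - Number(startedAt);
  const maxScore = Math.floor((elapsedMs + GRACE_MS) / MIN_TICK_MS);
  if (score > maxScore) return { ok: false, reason: "score exceeds play time" };
  usedNonces.add(nonce);
  return { ok: true, reason: "accepted" };
}

// Constructed sample: a round started at t0, with 5000 claimed one second later.
const t0 = 1700000000000;
const sampleToken = startRound(t0);
console.log(verifyScore(sampleToken, 5000, t0 + 1000)); // rejected
console.log(verifyScore(sampleToken, 40, t0 + 45000));  // accepted
```

The check only caps the score by wall-clock time, so it catches an instant 5000 but not a client that idles long enough before submitting.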

File checksum

What would stop me from modifying the source code is a simple check of the file checksum. It could even be CRC32, but an MD5 or SHA256 fingerprint is pretty standard these days. If only the main.js file on my computer were verified against the server's version, this would be perfect.

Thanks to authors

Thanks to @luschn [dev], @maybelater [pixelart / sound] and @berndpfeiffer [pseudorefactoring and bugcreation] for yet another nice Steem game ;) I saw your roadmap and I believe it will be a success.
Tip from me: make Hodl the Coin open source on GitHub and the game development will explode! You have my word ;)

Please take this article as a bug-hunting contribution towards improving the game :)


This is why you are so awesome. I am glad to have you on my team. My wife and I can learn so much from you thanks for sharing this you smart guy you!

You got my full upvote!

You are the best and you give notice of how to use the game correctly, I applaud your opinion. Your opinions and experiences are very useful to me. Thanks my friend

Hahaha! Thanks for putting so much time in our little flappy bird Clone. We didn't think that anyone would even play the clone in the first place. So we didn't care a lot about securing it. And now we have livestreams and even a how to hack post! That's fucking awesome :)

Great Work!! Thanks for your time!

Btw. We didn't do any sbd challenges, as this was just meant to be entertaining.

Actually we were thinking about making it open source.

Actually I played more with its source code than real game.
Thanks for a few kind words ;)

Famous last words. Andi (@luschn) asked me (@berndpfeiffer), when he was almost finished with the basic game, if he should put some time in securing the game and I said "no, I don't think that anyone will play it more than once" :)

Talked to the guys and I think we will honor your name and efforts ingame in one of the next releases in some way :)

I knew that sooner or later someone was going to try to perform a cheat/hack, though I was expecting it to come in a different form than what you've shown here. Thankfully, this game isn't being played for high stakes yet. I trust that @limesoda will fix this before they deploy Hodl The Coin in their bid to take over the gaming world. =P

Awesome. We Steemians want games. When is Steemjet getting a game?