How I reverse engineered a $10M Facebook canvas game
Allen Joseph
Posted on June 3, 2021
You might be wondering whether I used a huge setup like the one shown above to reverse engineer Facebook's best canvas game of 2013.
Well, no!
My setup was more like...
Why I did that:
I was a 15-year-old boy playing around with Adobe's Flash software and, to be really honest, I was bored.
Reverse engineering the game allowed me to improve my understanding of client-side and server-side connections.
About the game:
Stick Run is a free jump'n'run game that has been playable on the social network Facebook since August 2010. The game was developed and published by the then 14-year-old German Marc-Emanuel Otto. [2] It reached a total of 43 million users. [3] It has also been available free of charge for the Android operating system since 2013. [4] Marc-Emanuel Otto was even noticed by the American press among the game developers there. The game regularly ranked among the top 10 games on Facebook in various categories. As a result, TigMar GmbH was founded, which in 2013 made it possible for Nekki [5] to participate in Stick Run by porting the game software embedded in Facebook to Android and Apple smartphones in cooperation with TigMar.
I have to be honest that it was a lot of fun :)
Finding the right track:
To reverse engineer any game, the first thing to look for is the file itself. For a Flash game that means the source .swf file, which is embedded in the web page and executed by the Flash plugin.
Finding the .swf file is a piece of cake with Google Chrome's element inspector and a little HTML knowledge: the URL sits in the src of an embed tag, the data of an object tag, or a param named movie.
The next step is to decompile the .swf file, which needs an external tool. I used Sothink SWF Decompiler (my personal favourite!) to decompile and view the entire code of the game.
In the below link you can find the code dumped.
https://pastr.io/view/1nrSZuI0Oci
After analysing the code I reached line 3349, which contains a public function 'connectOAuth'.
From that code I realised that Stick Run stores its data in an online BigDB database hosted by Player.IO, and that every game there connects using an identifier (stick-run-mdvkubomx0eisctikvcha) that the client treats as a private key. But there is an obvious flaw with this system: anything compiled into the .swf is delivered to every player's browser, so whatever the game uses to connect is not secret in any meaningful sense.
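The two checks described above, locating the .swf in the embedding page and then finding the connection call and its hard-coded identifiers in the decompiled ActionScript, can be scripted. The following is an added example written for this article, not the game's code or the original author's tooling: the HTML snippet and the ActionScript excerpt are constructed stand-ins (placeholder host, placeholder game identifier shaped like the one quoted above), and the assumption that the Player.IO ActionScript client is entered through `PlayerIO.connect` / `PlayerIO.authenticate` is mine.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a canvas-game embed page. It is not Stick Run's real
# markup; the host name and path are placeholders.
SAMPLE_HTML = """
<html><body><div id="game">
<object type="application/x-shockwave-flash" data="https://cdn.example.com/game/v42/main.swf">
  <param name="movie" value="https://cdn.example.com/game/v42/main.swf?cb=1623000000">
  <param name="flashvars" value="locale=en">
  <embed src="https://cdn.example.com/game/v42/main.swf" type="application/x-shockwave-flash">
</object>
</div></body></html>
"""


class SwfFinder(HTMLParser):
    """Collect .swf URLs from <embed src>, <object data> and <param name="movie">."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        candidates = []
        if tag == "embed":
            candidates.append(a.get("src"))
        elif tag == "object":
            candidates.append(a.get("data"))
        elif tag == "param" and (a.get("name") or "").lower() in ("movie", "src"):
            candidates.append(a.get("value"))
        for url in candidates:
            if not url:
                continue
            path = url.split("?", 1)[0].split("#", 1)[0]   # drop cache-buster
            if path.lower().endswith(".swf") and path not in self.urls:
                self.urls.append(path)                       # dedupe


def find_swf_urls(html):
    parser = SwfFinder()
    parser.feed(html)
    return parser.urls


# Constructed excerpt in the shape of decompiled ActionScript 3. It is modelled on
# the post's description of a connectOAuth function but is not the game's source;
# the game identifier is a placeholder.
SAMPLE_AS3 = """
public function connectOAuth(accessToken:String) : void
{
    PlayerIO.connect(stage, "example-game-k2j4h5g6f7d8s9a0q1w2e3r4", "public",
                     this.userId, accessToken, null, this.onConnected, this.onError);
}
"""

# Assumed entry points of the Player.IO AS3 client. Every string literal passed
# here is compiled into the SWF and therefore shipped to every player.
CONNECT_CALL = re.compile(r"PlayerIO\.(connect|authenticate)\s*\((.*?)\)\s*;", re.S)
STRING_LITERAL = re.compile(r'"([^"\\]*)"')
# name-suffix form of a Player.IO game id, as in the identifier quoted in the post
GAME_ID = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*-[a-z0-9]{20,}$")


def find_embedded_connection_ids(source):
    """One finding per connect/authenticate call: the call name, every string
    literal in its argument list, and which of those look like a game id."""
    findings = []
    for m in CONNECT_CALL.finditer(source):
        literals = STRING_LITERAL.findall(m.group(2))
        findings.append({
            "call": m.group(1),
            "literals": literals,
            "game_ids": [s for s in literals if GAME_ID.match(s)],
        })
    return findings
```

Run `find_swf_urls` over the saved page source and `find_embedded_connection_ids` over the decompiler's ActionScript dump; any identifier it lists is, by construction, public.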
What if...
What if someone like me connected to the database from a custom-made Flash file and sent requests to the server directly? There is no real way to prevent this except to move all the code that handles the important digital assets (coins, items, ban status) to the server side, so that the client can only request actions and the server decides what is allowed and what the player's record actually contains.
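To make the point concrete, here is an added illustration (not Player.IO's API and not Stick Run's code) that models the two designs side by side: a client connection that may write any field of the player record, and a server-authoritative version where the client may only touch cosmetic fields while coins and ban state are set by the server after a plausibility check on the reported run. The field names, the per-run coin cap and the coin-per-distance ratio are assumptions made for the example.

```python
from dataclasses import dataclass

# Toy model of a BigDB-style per-player record with two access paths.
# Added illustration only: not Player.IO's real API and not Stick Run's code.
# Field names, MAX_COINS_PER_RUN and MAX_COINS_PER_METRE are assumed game rules.


@dataclass
class PlayerRecord:
    coins: int = 0
    banned: bool = False
    skin: str = "default"


class AccessDenied(Exception):
    pass


def insecure_client_save(row, changes):
    """The flaw in the post: the connection embedded in the SWF may write any field,
    so a custom client can set coins to 999999999 or flip banned back to False."""
    for name, value in changes.items():
        setattr(row, name, value)
    return row


class PlayerStore:
    CLIENT_WRITABLE = {"skin"}      # cosmetic fields the client may set directly
    MAX_COINS_PER_RUN = 500         # assumed: no single run yields more than this
    MAX_COINS_PER_METRE = 0.2       # assumed: at most one coin per 5 m of distance

    def __init__(self):
        self._rows = {}

    def load(self, user_id):
        return self._rows.setdefault(user_id, PlayerRecord())

    def client_save(self, user_id, changes):
        """What the client-facing connection is allowed to write."""
        illegal = set(changes) - self.CLIENT_WRITABLE
        if illegal:
            raise AccessDenied("client may not write " + ", ".join(sorted(illegal)))
        row = self.load(user_id)
        for name, value in changes.items():
            setattr(row, name, value)
        return row

    def server_finish_run(self, user_id, coins_collected, distance):
        """Server-authoritative reward: the client reports a run, the server checks
        it for plausibility and decides the new balance. Ban state is server-only."""
        row = self.load(user_id)
        if row.banned:
            raise AccessDenied("account banned")
        if not (0 <= coins_collected <= self.MAX_COINS_PER_RUN) \
                or coins_collected > distance * self.MAX_COINS_PER_METRE:
            row.banned = True   # impossible report: flag the account, credit nothing
            raise AccessDenied("implausible run report")
        row.coins += coins_collected
        return row.coins


def denied(fn, *args):
    """True if the call raises AccessDenied."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False


def demo():
    """Replay the post's two edits (coin balance and ban flag) against both designs."""
    results = {}
    # design as described in the post: direct client writes to the player record
    row = insecure_client_save(PlayerRecord(), {"coins": 999999999, "banned": False})
    results["insecure_coins"] = row.coins
    # hardened design: client may only write allow-listed fields
    store = PlayerStore()
    results["coins_write_denied"] = denied(store.client_save, "u1", {"coins": 999999999})
    results["skin_write_ok"] = store.client_save("u1", {"skin": "ninja"}).skin
    results["honest_run"] = store.server_finish_run("u1", 120, 1000)
    results["cheat_run_denied"] = denied(store.server_finish_run, "u1", 999999999, 1000)
    results["banned_after_cheat"] = store.load("u1").banned
    results["unban_denied"] = denied(store.client_save, "u1", {"banned": False})
    results["coins_after"] = store.load("u1").coins
    return results
```

The difference is not the database but who holds the pen: in the hardened model the client never writes coins or banned, so a forged client gains nothing from knowing the connection identifier beyond what an honest client could do anyway.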
Looking into the data:
After getting the key from the above code, the first thing I did was import it into another Flash file and make some very quick and dirty API requests to the server to check for any verification.
I made some item requests and a coin hack from the swf file. I hacked the coins to somewhere around 999999999, but they had a built-in ban system, so somehow they managed to ban me. xD
But guess what? I managed to unban myself with the same API requests.
Conclusions:
Yes, even top-rated games can be hacked. Security is obviously a myth when the client is trusted.
If the developer isn't lazy, the important asset handling that currently lives in the client-side code can be moved into the server-side code itself. :]
Thank you for reading!