29 points by thunderbong 18 hours ago | 3 comments
p2detar 16 hours ago
One day a colleague of mine found he could use Cheat Engine to scan the memory of the Flash application and change some values in order to get an upper hand and win PvP matches. Turns out the devs neither did nor verified the PvP battles server-side. It was all done client-side and after the battle the client was sending the server info about who won. A fix would require a complete rewrite of the game logic.
We had several weeks of "fun" beating the shit of everyone in our game world. The devs attempted to make some fixes - make it harder to load the flash file, obfuscated (Base64-encoded) the JSON data sent to the client - this was a funny one, since it was irrelevant. In the end, as the author here says, it was no longer fun, so eventually we stopped playing.
joshstrange 15 hours ago
It turned out that when you queried the map it returned a ton more data than it displayed (data you would normally need to scout for). Also a ton of endpoints, like the one to load your own town's info, would also work if you used an enemy's town id (but with your auth key still). There was little to no verification/authentication blocks that I ran into.
I spent the next 2-3 weeks writing little CLI tools to talk to the API cultivating in a small suite of web-based tools that used assets I ripped from the game to display info (using the currency icons, using the building sprites, etc) until I got bored of the game and the reverse engineering and just walked away. It was fun for a little bit operating with perfect knowledge and using some of that info to put my thumb on the scales for myself and my clan but in the end it become more work than fun and so I stopped.
ncr100 17 hours ago