

I built a tool to hack Letterpress - ontoillogical
http://finite.state.io/blog/2012/11/09/hacking-letterpress/

======
scoates
At risk of contributing to the comment soup…

[Some colleagues and ]I have been doing some research on Letterpress for the
past couple weeks (expect a HN story about us later this week… I hope). We
independently discovered this hack last weekend. Here's some information:

- the client is trusted; the opponent's client does not validate a played
  word

- Game Center is a naïve carrier for turn-based games; no validation is done
  on the server side

- Game Center is naïve by design; this is the beauty (and one of the
  drawbacks of GC—another major drawback is that your client only works with GC,
  which means you can't easily port to other platforms, and if you do port, you
  can't play cross-platform games because non-iOS devices can't use GC). The
  real beauty here is that Loren/Atebits doesn't need to run _any_ server
  infrastructure. Apple does it for him. This is a huge benefit to games like
  this.

- We contacted Loren; he was really cool about it, and doesn't seem to care
  that Letterpress is cheatable in this way. I'm with him on this. It doesn't
  matter.

- There's no leaderboard, nor even a long-term score in Letterpress. This
  cheat doesn't matter.

- As far as we could figure, there's no way to fully validate both clients
  without 1) adding a server component, or 2) losing the ability to port
  Letterpress games between devices (from iPhone to iPad, for example); I'd love
  to hear ideas about how this could be possible if you think we're mistaken

- The dictionary files live in the application's `o/` directory, as a series
  of text files, named by the word's first two letters. e.g. "imbecile" would be
  in `o/im.txt`

- The app will re-read dictionary files on launch (or maybe at word play);
  either way, the dictionary can be changed _during_ a game; it's even possible
  to start a game with a person and immediately play the winning 25-letter word,
  before the opponent even gets a game-state notification from Game Center

- There are 271377 words in the Letterpress dictionary.

- The longest words in the Letterpress dictionary are 21 letters long. There are
  three of them: `counterdemonstrations`, `hyperaggressivenesses`, and
  `microminiaturizations`

- There are 124 two-letter words

We'll try to outline some of the other Game Center research in the article we
publish. We welcome future upvotes. (-:

S

[edit: auto-paragraph fail, tyop]
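The dictionary layout scoates describes (one text file per two-letter prefix under `o/`) is enough to write the check that, per the first bullet, the opponent's client does not perform. The following is an added example and is not code from the post, the thread, or Letterpress itself: it builds a small constructed `o/` directory with made-up words in a temporary directory, maps a word to its prefix file, and validates a received play against both that file and the board's letters. The board rule used here (each of the 25 tiles usable at most once per word), the `run_demo` helper and the sample words are assumptions made for the example.

```python
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, Tuple

# Constructed stand-in for the o/ directory: one file per two-letter prefix,
# one word per line. The words are made up for this example.
SAMPLE_DICTIONARY: Dict[str, list] = {
    "im": ["imbecile", "image", "imply"],
    "co": ["code", "counterdemonstrations"],
    "ax": ["ax", "axe"],
}


def write_sample_dictionary(root: Path) -> Path:
    """Create root/o/<prefix>.txt files mirroring the described layout."""
    o_dir = root / "o"
    o_dir.mkdir(parents=True, exist_ok=True)
    for prefix, words in SAMPLE_DICTIONARY.items():
        (o_dir / f"{prefix}.txt").write_text("\n".join(words) + "\n")
    return o_dir


def dictionary_file_for(word: str) -> str:
    """Name of the prefix file that would hold `word`: first two letters + .txt."""
    w = word.lower()
    if len(w) < 2 or not w.isalpha():
        raise ValueError(f"not a playable word: {word!r}")
    return f"{w[:2]}.txt"


def is_in_dictionary(o_dir: Path, word: str) -> bool:
    """Re-read the relevant prefix file and look the word up (exact match)."""
    try:
        path = o_dir / dictionary_file_for(word)
    except ValueError:
        return False
    if not path.is_file():
        return False
    return word.lower() in set(path.read_text().split())


def validate_play(o_dir: Path, word: str, board: str) -> Tuple[bool, str]:
    """The receiving side's check: the word must be in the dictionary and
    spellable from the board's tiles, each tile used at most once
    (assumed rule for this example). Returns (accepted, reason)."""
    if not is_in_dictionary(o_dir, word):
        return False, "not in dictionary"
    need, have = Counter(word.lower()), Counter(board.lower())
    if any(have[c] < n for c, n in need.items()):
        return False, "letters not on board"
    return True, "ok"


def run_demo() -> Dict[str, object]:
    """Build the sample dictionary in a temp dir and exercise the checks.
    Boards are 25 tiles: the word's letters padded with filler x tiles."""
    with tempfile.TemporaryDirectory() as tmp:
        o_dir = write_sample_dictionary(Path(tmp))
        return {
            "file_for_imbecile": dictionary_file_for("imbecile"),
            "imbecile_ok": validate_play(o_dir, "imbecile", "imbecile" + "x" * 17),
            # plural is not in the constructed list
            "plural_rejected": validate_play(o_dir, "imbeciles", "imbeciles" + "x" * 16),
            # board has only one 'i', the word needs two
            "missing_tile": validate_play(o_dir, "imbecile", "imbecil" + "x" * 18),
            # no ze.txt file exists in the constructed directory
            "unknown_prefix": validate_play(o_dir, "zebra", "zebra" + "x" * 20),
        }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

`run_demo()` returns a dictionary of the individual verdicts so the checks can be inspected without a real device; against a real install you would point `o_dir` at the app's `o/` directory instead of the constructed one.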

~~~
smosher
_... I'd love to hear ideas about how this could be possible if you think
we're mistaken_

(The following probably isn't what you had in mind by "fully validate", but I
think it puts it considerably closer to the challenge of defeating binary
validation. Assuming everything has to happen in the app, infallible
validation is impossible anyway.)

You would get pretty far by introducing internal data validation routines and
making them compare the output of these routines based on challenges they
issue to one another. That would require any attackers to introduce new code
paths to defeat it. I've no idea if this can be negotiated practically over
GC, but I can only assume so.

Also, I take issue with this:

 _There's no leaderboard, nor even a long-term score in Letterpress. This
cheat doesn't matter._

I don't really care about leaderboards. I do care about the experience I have
when I'm actually playing the game. I know this was probably meant in the
sense that the incentive is lacking, but I disagree. Some people enjoy ruining
other people's fun. The worst experience I've had was hack-enabled griefers in
a cooperative game.

~~~
jperras
> The worst experience I've had was hack-enabled griefers in a cooperative
> game.

If that is the _worst_ experience you have ever had, then you lead quite a
charmed life.

------
Karunamon
Neat I guess, but I wish it hadn't been released. There's something to say for
security through obscurity when the target is only a video game.

I hope my boss doesn't find this. He's already a prolific Words with Friends
cheater.

~~~
smosher
_There's something to say for security through obscurity when the target is
only a video game._

There is. In case you were curious, it goes a lot like this: _It doesn't
work._

It doesn't take a genius to crack a game. The most important quality one needs
is curiosity. I've personally lost count of the number of games I've messed
with, and that's not a boast. Anyone can do it if they try.

I've never done it to cheat at a competitive game, however I have had a number
of competitive and even cooperative games ruined by people cheating in such a
manner. If it can happen it probably will, especially if the game is popular.
Developers of commercial games should be obligated to take this kind of thing
seriously (I am looking at you, Team Meat.)

~~~
Karunamon
> There is. In case you were curious, it goes a lot like this: It doesn't work.

Sure it does, enough, anyways. I'd be willing to bet the majority of players
don't cheat and have no interest in cheating.

The remainder that have an interest can be further subdivided into "no idea
how, no idea how to begin", "no idea how, but curious enough to look", and
with the addition of the author's post, "no idea how, but a Google search away
with step by step instructions".

It's a cool hack, don't get me wrong, but now the developer is going to have
to rewrite their system to mitigate this, and in the meantime, there are going
to be a bit more dicks in the world.

But at least there was a nifty wrapper released; I just wish it wasn't for
black hat purposes ;)

~~~
smosher
Of those with interest, if any of them are programmers or have the slightest
curiosity about what all those files are for, they're abundantly competent to
pull off this hack. Not necessarily the automation, but they can make it
happen.

 _but now the developer is going to have to rewrite their system to mitigate
this_

This hack was literally waiting there for anyone who cared to look. Please
don't tell me you've forgotten this:
<http://img820.imageshack.us/img820/1641/itsfinetrustme.png>

------
jlongster
It seems like the app could do a simple checksum check of the file before
using it.

~~~
mcpherrinm
It seems like the next step would be to modify the binary or wherever the
checksum is stored.

~~~
0x0
But if you modify the binary, you'll need a jailbroken phone to decrypt it
first. If an unencrypted binary is leaked online, you would still need to
jailbreak your phone to run it, or you'd need to pay up for the ios developer
program, and re-sign the app with your own certificate and make sure to modify
all the app IDs embedded too.

Significantly raises the bar for casual cheating.

Edit: Oh, and if it uses game center, then I think you won't be able to match
any opponents since you're no longer running on the official app ID.

------
KaoruAoiShiho
As a developer it's really easy to do simple client side auth like this.
Adding server side auth creates a great deal more work and potential usability
issues.

As a business question, is it worth it to think about cheating in advance and
try to prevent it?

Just going by the example of Letterpress, it seems the answer is a resounding
NO.

~~~
kylec
There doesn't need to be any server-side auth, you could have the opponent's
device to check the validity of the word when it's played. If it's not in
their dictionary, it rejects the play.

~~~
bonzoesc
Why not just reject every word your opponent plays?

~~~
ghayes
You and your opponent could verify your dictionaries when you are matched up.
Checksum mismatch = cancel match-up. Cheaters would be naturally weeded out.

~~~
evan_
I'd only need to hack my copy of the client to send a pre-determined checksum
value, or recalculate it from a different dictionary than the one that's
actually used.

If hacking the client is too much of a bother then I'd just have to put a
filtering proxy in front of the app to accomplish the same thing.

The _only_ solution to this is to check words on the server.
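jlongster's checksum and ghayes's compare-at-matchup idea both reduce to computing a fingerprint of the `o/` directory and comparing two of them. The following added example (not code from the thread, from Letterpress, or from Game Center) does that in Python over a constructed dictionary: a SHA-256 manifest over the prefix files in sorted order, so the result does not depend on directory listing order, then shows the fingerprint changing when one file is edited. It also makes evan_'s objection concrete: the comparison only ever sees the value the peer's client chose to report, so a client that reports the pristine value is indistinguishable from an honest one. `write_sample`, `run_demo` and the sample words are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict

# Constructed prefix files in the o/ layout; the words are made up.
SAMPLE_FILES = {"im.txt": "imbecile\nimage\n", "ax.txt": "ax\naxe\n"}


def write_sample(root: Path, files: Dict[str, str] = SAMPLE_FILES) -> Path:
    """Write root/o/<prefix>.txt files and return the o/ directory."""
    o_dir = root / "o"
    o_dir.mkdir(parents=True, exist_ok=True)
    for name, body in files.items():
        (o_dir / name).write_text(body)
    return o_dir


def dictionary_fingerprint(o_dir: Path) -> str:
    """SHA-256 over a manifest of (file name, file hash) lines, sorted by
    name, so two identical dictionaries hash the same regardless of how
    the filesystem orders the entries."""
    manifest = hashlib.sha256()
    for path in sorted(o_dir.glob("*.txt")):
        file_hash = hashlib.sha256(path.read_bytes()).hexdigest()
        manifest.update(f"{path.name}:{file_hash}\n".encode())
    return manifest.hexdigest()


def checksums_agree(local_fp: str, peer_reported_fp: str) -> bool:
    """The matchup check: cancel the game on mismatch. The peer's value is
    whatever the peer's client sent; nothing here can verify how it was made."""
    return local_fp == peer_reported_fp


def run_demo() -> Dict[str, bool]:
    """Two identical copies agree; editing one file breaks agreement; a peer
    that simply reports the pristine value still passes."""
    with tempfile.TemporaryDirectory() as tmp:
        honest = write_sample(Path(tmp) / "a")
        copy = write_sample(Path(tmp) / "b")
        fp_honest = dictionary_fingerprint(honest)
        fp_copy = dictionary_fingerprint(copy)
        # Tamper with the copy: append a made-up 25-letter "word" to im.txt.
        with open(copy / "im.txt", "a") as f:
            f.write("i" + "m" * 24 + "\n")
        fp_tampered = dictionary_fingerprint(copy)
        return {
            "pristine_match": checksums_agree(fp_honest, fp_copy),
            "tampered_match": checksums_agree(fp_honest, fp_tampered),
            # evan_'s point: the tampered client can send fp_honest instead of
            # fp_tampered, and the comparison cannot tell the difference.
            "forged_report_passes": checksums_agree(fp_honest, fp_honest),
        }


if __name__ == "__main__":
    print(run_demo())
```

The fingerprint is useful for an honest client to detect accidental corruption or to refuse to load an edited dictionary, which is what jlongster proposed; it does not help a peer decide whether the other client is honest, because the other client both computes and reports the value.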

~~~
ptomato
I'd point out that unless I'm greatly mistaken there is no server involved, as it
is all done through Game Center's turn-based game functionality.

~~~
Jare
AFAIK you are correct.

------
bvdbijl
I made a Python implementation of the DrawSomething API
<https://github.com/boukevanderbijl/drawsomething-api>

Draw Something uses a key-value store to hold all game state, including user
profiles, drawings and game lists. You can edit all games and users, and give
yourself as many coins as you want.

------
masklinn
A better hack would be to do image recognition on the board and have an
Arduino or Lego play for you. Just loading your OS's dict[0] in a trie and
filtering using the characters on the board, you can already pretty easily win
games without even using any strategy (just try the longest matching word with
a letter or two you don't own); add a very basic AI to get the board painted
in the shortest possible number of moves and you should be done (nb: an
extension would be deciding on suffix-pruning, as I believe Letterpress
doesn't allow suffix extensions of already-used words).

[0] using letterpress's own dictionary file would be better as it'd avoid
words which are in one but not in the other.

------
ujeezy
Thanks for releasing the libimobiledevice wrapper! That's probably worth its
own blog post. I'm already thinking of ways I can use it for interesting hacks
of my own :)

~~~
ontoillogical
I'm glad you found it useful!

Libimobiledevice does a lot of things, and as I mentioned in the post I've
only implemented a subset so far. I'd like to make it more feature-complete
soon.

You should come help out in <https://github.com/stateio/imobiledevice>.

------
pom
Interestingly, this would allow custom localizations. I'd love to play it in
French but as far as I can tell the word list is only in English.

~~~
kennywinker
You'd have a bit of trouble with character frequency. As someone who's tried
to play (English) Scrabble on a French Scrabble set, I can attest to this.

~~~
RandallBrown
The letter frequency in Letterpress is already a little off. I've had games
with one or two vowels and like 4 x's. It was tough to finish.

------
peterhajas
Modifying a file isn't really "hacking". I was hoping to see automated playing
or maybe some math regarding tiles and words to play.

~~~
Negitivefrags
Actually that is exactly what hacking is.

I find it highly ironic that people post stories about hacking this thing or
the other all the time, most of which do not even resemble the original
definition of the word in any way and yet a story about an actual hack has
this comment on it.

Hacking is exploiting code in a way that it was not intended to be used.

------
askimto
An unfortunate but understandable consequence of going Game Center only is
stuff like this.

~~~
ontoillogical
Does Game Center not allow you to do certain kinds of server side validations?

~~~
askimto
GC is the only server side thing in this case.

~~~
ontoillogical
I haven't looked into how Game Center "turn based games" work until now. It
looks like you can cheat this way at any game with the concept of legal and
illegal moves.

------
callmeed
I've been wondering how hard it would be to build an app that accepts a
Letterpress screenshot and gives you the optimal word to play.

~~~
smackfu
<http://letterpresscheat.com/>

The OCR part on top of this would be easy; it already exists for Sudoku
solvers.

------
cncool
Game Center should allow developers to write server side code, not unlike
Cloud Code by Parse.

------
tehwalrus
You see, I wrote a Python script which chugs through SCOWL (a dictionary..)
with certain constraints to help me win the endgames, and I felt bad. This
feels, somehow, worse (although at least this hack is obvious to your opponent;
mine was more covert.)

