Hacker News
Winning at Candy Crush (stavros.io)
409 points by sokratisp on Nov 15, 2013 | 144 comments

My game cheat story starts way, way back, playing Wizardry on the Apple II. In this game, you go through a dungeon, killing monsters and collecting treasure and experience. Fun, but slow going. So I found out where in memory these values are stored and started manipulating them, giving myself tons of experience and new treasures.

Everything went fine until I put in an invalid treasure value which apparently caused some random memory locations to be modified, corrupting the game. Unfortunately, game state was written back to the same floppy disk that holds the game itself, rendering the game unplayable.

Fortunately, I could borrow a second floppy drive, borrow an uncorrupted copy of the game, and repair the game with a disk-to-disk copy. Unfortunately, I plugged in the disk drive connector crooked, sending -12 volts into a chip on the controller board that didn't want -12 volts. The result was a "pop" and a disk controller that no longer worked. Needless to say, my father wasn't happy.

Finding the problem was easy - it was the chip with a square hole blown out of it where the silicon had vaporized. Unfortunately getting a replacement chip wasn't easy when you live in the middle of nowhere. So I built a replacement circuit on a solderless breadboard and wired it into the controller board, and everything worked fine until I could get the proper replacement chip.

TL;DR: cheat at games and you will be punished

I guess it's a half full / half empty thing. You wrote:

TL;DR: cheat at games and you will be punished

And yet I would have written it, "Cheat at games and you will learn all sorts of cool things." :-)

It is either scary or hilarious how many programmers were created by the desire to cheat in video games.

Kens was being poetic.

I know :-)

> TL;DR: cheat at games and you will be punished

I would rather say that the moral of this story is: "cheat at games and learn more about computers and electronics than you ever thought possible".

Neat story. I guess cheating by trial and error doesn't work so well when the impact of an error is physical...

I got into programming through cheating. When I was a little kid I wanted to win at some ZX Spectrum game - Treasure Island Dizzy or something like that. Fortunately, Your Sinclair magazine published a guide on how to PEEK and POKE your way to unlimited lives. That blew my mind, and I credit my interest in the inner workings of computers back to that experience :)

But, did you beat Andrew's evil incarnation, Werdna?

Identify-9 ... yeah, you're welcome. :)

In 2009, when Farmville was the New Hotness, I checked it out to see what all the fuss was. After all, it was rumored to be minting $1 million per day. Soon after, I saw that a lot of my friends were playing. Girlfriends were getting boyfriends to tend their crops for them while at work. They were very scrupulous with the design of their farm and tending their crops. But I wanted to just be at the top of the leaderboard.

Unlike later games, it was possible to keep leveling up and making money by farming only instead of inviting friends. Plow fields, plant crops, and then harvest them hours later -- repeat as fast and as frequently as you can. TONS of tedious clicking. Of course, I wanted to automate it, and I wasn't alone. Searching around, I found a Perl script that someone had written and I adapted it for my PC.

I just fired up Farmville, and here's what my farm looks like: http://i.imgur.com/nrtkitJ.jpg. It's almost all crops (maximize $) and it requires the farmer to be trapped within hay bales. Otherwise, he walks to where you're clicking and can sometimes get in the way of the click. It would mess up every now and then, but was fairly reliable -- just run the script and let it do its thing for a few minutes. The trick was to flip the game into full screen mode, zoom all the way out, start at a known (x, y) position on your screen's resolution, and then loop through all crop positions by incrementing/decrementing (x, y). Only slightly tricky because of the isometric view and avoiding clicking on some non-crop positions. Picking the right crop was important too, to maximize yield. I just wanted to do two runs a day: first thing in the morning and then in the evening when I got home from work.

I moved up fairly quickly and quit when I beat all of my friends. Got some jeers from those who thought I was actually playing Farmville so much, but had a few requests for said script ...

http://www.sikuli.org is my go-to GUI scripting language for game scripting. Graphic templates are fuzzy matched. Actual scripts are Python. Inbuilt OCR. I can do that kinda thing very fast. It's really awesome and out of MIT.

Cool. I used AutoIt for similar stuff:


Scripting is some dialect of BASIC and also has OCR.

Don't advertise that on the forums!

P.s. I have to say that as an MVP ;)

Militarised Volcano Police?

Just doing my bit.

You just keep nuking that lava into jail where it belongs. People said it would never work, that you just couldn't police volcano eruptions with the threat of massive nuclear retaliation, but they don't say that anymore, do they? Not since they all died in the giant radioactive caldera, anyway.

Or if it's a similar game on a set-top box / console, use http://stb-tester.com (aka Sikuli for set-top boxes). :-)

Hopefully this gets some attention so people start to work on all the issues it has.

oh wow, that is pretty damn amazing.

I ended up coding my own version of something like this, with I think a few enhancements to make my life much easier.

First, I assumed the crops were laid out in a grid without any offsets. This then allowed me to define the grid in a 2d array and mark squares to skip over very easily.

Second, rather than assuming that my cursor is starting at some spot on the screen that I had to keep duplicating, I just start the cursor over the first farm plot.

Third, I actually never move the cursor to a new farm plot position. Instead, I scroll the screen and replace the cursor where it started.

I had exactly the same experience, using autohotkey, and blogged about it at the time http://teh.oarsum.com/posts/cheating_and_game_design.html.

(tl;dr: if it's easy to script your game and win, your game design is busted)

I had a somewhat similar story a few years ago with Bejeweled 2 (except that I didn't seek a way to cheat, just came across it).

I wrote it up here: http://timotheeboucher.com/on-writing-laconic-error-messages... but the gist of it was that their score submission endpoint required a checksum, but the error message if the checksum was wrong was:

    <Response type="error" reason="Checksum failed (ext_csm = cc7ae8d3d26d911f9d6e6178d93b9fc0, int_csm = c1f19e476622b8df7f830ee0c45df533)" server_ver="1.0"/>
Yes, the `int_csm` value is the checksum the server expected instead of the one I had passed. It would tell you "you're wrong. But here is the correct answer". I could then just re-submit with the proper value…

Hmm, if that was me (as the server programmer) I'd return a purposely different checksum[1] in the error message and then (internally) flag anything that was then submitted with that 'incorrect' checksum.

What you do with these flagged entries is up to you:

a) Delete the scores after an hour or so (giving the chance for the user to check things)

b) Only display those scores to the user that logged in

c) Flag the entire account as 'cheat' and ban it after a few dodgy submissions


1. i.e. expected hash is hash(real_salt+data), supposed expected hash (returned to client in error message) is hash(cheat_salt+data). You obviously never return the real expected hash.
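Worked example, added here and not code from the original thread or from either game: the leaky check described in the Bejeweled 2 comment above, side by side with the decoy-checksum idea from this comment. The salts, the response format and the use of MD5 are assumptions (MD5 only because the quoted `ext_csm`/`int_csm` values are 32 hex digits).

```python
import hashlib
import hmac
import re

# Constructed salts for the example; the real game's values are not on the page.
REAL_SALT = b"real-salt-example"
DECOY_SALT = b"decoy-salt-example"


def checksum(salt: bytes, data: bytes) -> str:
    """hash(salt + data), as sketched in the footnote above."""
    return hashlib.md5(salt + data).hexdigest()


def extract_int_csm(response: str):
    """Pull the server's expected checksum out of an error response, if it is there."""
    m = re.search(r"int_csm = ([0-9a-f]{32})", response)
    return m.group(1) if m else None


def verify_leaky(data: bytes, ext_csm: str) -> str:
    """Anti-pattern from the Bejeweled 2 story: the error message returns the right answer."""
    int_csm = checksum(REAL_SALT, data)
    if hmac.compare_digest(ext_csm, int_csm):
        return '<Response type="ok"/>'
    return (f'<Response type="error" reason="Checksum failed '
            f'(ext_csm = {ext_csm}, int_csm = {int_csm})"/>')


def attack_leaky(data: bytes) -> str:
    """Submit a bogus checksum, read the real one back, resubmit."""
    leaked = extract_int_csm(verify_leaky(data, "0" * 32))
    return verify_leaky(data, leaked)


class ScoreServer:
    """Hardened variant: the error reveals a decoy, and using the decoy marks the submission."""

    def __init__(self):
        self.accepted = []   # (player, data) submitted with a genuine checksum
        self.flagged = []    # (player, data) that echoed the decoy back to us

    def verify(self, player: str, data: bytes, ext_csm: str) -> str:
        real = checksum(REAL_SALT, data)
        decoy = checksum(DECOY_SALT, data)
        if hmac.compare_digest(ext_csm, decoy):
            # The client can only have got this value from our own error message.
            self.flagged.append((player, data))
            return '<Response type="ok"/>'        # accept silently; hide or purge later
        if hmac.compare_digest(ext_csm, real):
            self.accepted.append((player, data))
            return '<Response type="ok"/>'
        # Only the decoy ever leaves the server.
        return (f'<Response type="error" reason="Checksum failed '
                f'(ext_csm = {ext_csm}, int_csm = {decoy})"/>')
```

`attack_leaky` is the two-request dance the Bejeweled comment describes. Against `ScoreServer` the same dance succeeds from the client's point of view but lands the entry in `flagged` instead of `accepted`. As the reply further down notes, this only catches a client that echoes the error message; one that pulls the real salt out of the SWF computes a genuine checksum and is indistinguishable from an honest player.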

d) Send the user to your careers website...

What you propose wouldn't work. The only way to find the salt is to look at the Flash file, and, at that point, you'd notice the fake salt anyway.

Maybe I'm overly cautious, but in today's world, where even simple URL manipulation can be regarded as hacking, I would be very reluctant to post exploits like this. It's crazy, but this can be construed as wire fraud or computer crime:

18 U.S.C. § 1030(a)(4)

Whoever— (4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period . . . shall be punished as provided in subsection (c) of this section.

"Protected computer" in this context means any computer that is connected to the Internet. And the value obtained would be unlimited use of the game, which would normally be limited. True, that last part is up for debate, as it is possible to play the game without paying, but I wouldn't want to be forced to argue this in court...

When you say "today's world" I think you mean "today's U.S.A."... The rest of the world doesn't seem to have anti-hacking laws as crazy as the US.

Germany is pretty harsh too. If I remember correctly you can't even have "hacking tools."

Many countries have pretty aggressive anti-hacking laws. The UK, for instance, has a very similar piece of legislation that in theory makes URL manipulation illegal.

Fortunately not everyone of us is in the US so this does not apply to every reader of HN.

I've worked on a few flash games in my free time. Ultimately since the game code resides in the client, it will always be feasible to cheat. That, of course, doesn't mean you can't deter some.

One of the things that kept people from snooping around was encryption. All communication went to 1 vaguely named endpoint with 1 parameter, which was an encrypted list of the parameters and the action to take. This will deter some, but not others.

At the start of a game, the client had to contact the server for a key. This changed each time you played. Any score submission required this key - if it was wrong I ignored it. Only 1 score submission per key.

Note that you have other useful information now: you know how long they were in game to get their score. I flagged scores that were abnormally high for the time it took to get them. I would then review them, and based upon their score history hellban them - they could still play, but no-one saw their high scores except themselves.

If Candy Crush did something similar, they would likely catch you. You wouldn't even know until you gloated and your friends said they can't see your score. Some people who got hellbanned would contact me, and I'd give them a free pass.

Of course you could cheat and get a normal score in a normal timeframe, but I didn't care as much about that.
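The per-game key, single-use submission and time-based flagging this comment describes, as an added example (my code, not the commenter's server). The thresholds, the strike count and the "hellban" bookkeeping are assumptions; the comment gives no numbers.

```python
import secrets
from dataclasses import dataclass

# Assumed tuning constants; the comment above gives no numbers.
MIN_SECONDS_PER_POINT = 0.05   # a legitimate player cannot earn points faster than this
STRIKES_BEFORE_HELLBAN = 2     # impossible scores tolerated before the account is hidden


@dataclass
class Session:
    player: str
    issued_at: float
    used: bool = False


class GameServer:
    def __init__(self):
        self.sessions = {}        # key -> Session, one per started game
        self.scores = []          # (player, score, visible_to_everyone)
        self.strikes = {}         # player -> number of impossible submissions
        self.hellbanned = set()

    def start_game(self, player: str, now: float) -> str:
        """Called by the client when a game starts; the key is different every time."""
        key = secrets.token_hex(16)
        self.sessions[key] = Session(player, now)
        return key

    def submit_score(self, key: str, score: int, now: float) -> str:
        sess = self.sessions.get(key)
        if sess is None or sess.used:
            return "ignored"              # unknown, forged or already-used key
        sess.used = True                  # one submission per key
        elapsed = now - sess.issued_at
        player = sess.player
        status = "accepted"
        if score * MIN_SECONDS_PER_POINT > elapsed:
            # Too many points for the time spent in game: not something a human did.
            status = "flagged"
            self.strikes[player] = self.strikes.get(player, 0) + 1
            if self.strikes[player] >= STRIKES_BEFORE_HELLBAN:
                self.hellbanned.add(player)
        visible = status == "accepted" and player not in self.hellbanned
        self.scores.append((player, score, visible))
        return status

    def leaderboard(self, viewer: str):
        """Flagged and hellbanned scores are shown only to the player who submitted them."""
        return sorted(((p, s) for p, s, vis in self.scores if vis or p == viewer),
                      key=lambda ps: -ps[1])
```

The server never tells the client which branch it took: a replayed key, a forged key and a flagged score all look like success, which is why the friends "can't see your score" symptom is the first the cheater hears of it. Note that a cheat that produces a normal score in a normal time passes untouched, exactly as the comment concedes.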

Beyond trying to thwart cheating, I'm a big fan of cheating in games myself. It's part of why I enjoy eve online so much, because they encourage the usage of 3rd party tools more than any other game I've played.

The most extensive thing I've programmed for cheating is probably a custom MUD client to facilitate multiplay. The clients report to each other information they know. All clients keep the state of the group and the things I'm fighting. They also keep track of which client can do what, so I can type into any client that I want to heal someone and the program will figure out which client is able to do that, and tell it to do so.

Even though it doesn't have a winning / losing condition, I had coded an automated bot[0] to draw for me in Doodle or Die[1]. Stopped using it when people started complaining though. It was supposed to be quick and dirty, that's why it's a windows forms application. But of course I kept improving it for a while. After implementing a very basic plug-in system, I realized I was spending too much time on it =) Here's an example drawing from a friend of mine, using my tool: http://doodleordie.com/c/EGXBBJeMU45#2

[0]: https://github.com/egeozcan/DrawThatThing

[1]: http://doodleordie.com

Hi, I'm one of the creators of Doodle or Die.

The drawing tool in the game and the anti-cheating systems are both things I created.

I'm impressed with your app. Instead of converting a bitmap to a pixel-by-pixel rendition (which people have done and it looks obvious) it re-draws it like a real drawing, picking one color at a time.

Paying users get a replay feature. It replays fairly realistically and that's difficult to detect as cheating.

Nice work!


Thanks, it's great to hear that from you. I was also going to implement the brush changing logic which would enable it to draw on large areas of single color with a big brush and further optimize other parts to make it even more realistic (detect shapes and draw them completely and draw over them like humans and so) but then I thought, that would ruin the fun. Actually I'm a paying user of the game[0] and never had the intention of ruining the fun for anyone, so I stopped. I'm a big fan of DoD and how it evolved.

Keep up the good work, and thanks for being nice =)

[0]: http://doodleordie.com/profile/egeozcan

Back in the day I would log onto yahoo chess and beat everyone by simultaneously playing expert mode in windows chess and just mimicking the expert modes moves on yahoo as mine. Good times, never lost.

Many people tried that strategy against Kasparov.

No seriously


People still do that in chess.com. It is really annoying, because even if you are good enough to beat the computer, playing against a computer is very boring.

I hate you. I'm sure I played people like you. I like long games but people cheating forced me to play speed which I really hate.

Isn't the rating system supposed to solve this problem?

Unless people intentionally griefed by creating new low-rating accounts to cheat at.

I wonder if you played anybody who was also proxying Windows chess? Battle of the computer wits!

It would be interesting to have the various consumer chess programs play each other a few hundred times to see who wrote the best chess bot.

A few hundred? Hundred thousand, maybe. Here are several sites where volunteers run computer chess tournaments 24x7 and publish the resultant rating lists.

http://www.husvankempen.de/nunn/ http://www.computerchess.org.uk/ccrl/4040/ http://ssdf.bosjo.net/list.htm

There are more but these are the reliable and longest running that I know of.

This is already a thing - see http://en.wikipedia.org/wiki/World_Computer_Chess_Championsh...

It's enough of a thing that there was drama and accusations of cheating/plagiarism a few years back http://en.wikipedia.org/wiki/Rybka#WCCC_disqualification_and...

There's also a (fictional) movie about this that's pretty interesting; http://www.imdb.com/title/tt2007360/?ref_=fn_al_tt_1

Step 1: ATT adds the 'infinite lives' interception/response to the proxy servers for the Starbucks hotspots/WiFi.

Step 2: Starbucks Marketing advertises 'Unlimited Candy Crush lives at Starbucks!'

Step 3: Profit! Well, assuming all of the squatters actually buy stuff.

I like it. Almost all the Candy Crush players I know set their clocks forward to instantly get more lives though.

Ha, I used to be lazy and set the date forward by 1 month, instead of the hour or day. Then one day I realized the iPhone has a max date set in 2055 or something - you can't set your time past that. I wonder if iPhone dates will stop working when we reach 2055??

Nah, there will be a call for consultants to come in and fix the "Y2K55 Bug".

Step 4: Get DMCA'd for "circumventing" a "copyright protection system"

More like CFAA (unauthorized access). One might avoid certain penalties by staying under $5000 equivalent IAP. Of course this sounds ridiculous, but we live in ridiculous times.

I'm struggling to come up with a way in which the lives system could possibly be defended as a copyright protection mechanism (it's a mechanism to funnel users into it's in app purchases, not to prevent use of unauthorized copies... and in fact copies of the software are given away freely). This is basically Gamesharking your game, which has been upheld in courts IIRC.

I guess if you buy the game and then don't have to pay to play, it's ok, but in this case you can buy playtime so it's a bit different.

I would imagine the legal issues would be more around using the Candy Crush Saga brand name for marketing purposes without a business relationship.

Awesome breakdown. I wrote a blog post in late September - based on some industry rumors - that speculated on whether Candy Crush was "cheating" by varying the random seed to generate monetization or retention events:


Based on the "seed" going back and forth at the start/end of games, I'd have to assume that they are doing something with it. Anyway to see if that's happening?

They're probably generating the level with the seed. I don't think it's very useful, other than testing on their end (so they can check afterwards what the level was).

By the way, if you liked this, there are more posts in that series: http://www.stavros.io/series/winning/

Cool - will check out the series.

You could be right, but I think the seed is a lot more interesting. If you simply wanted to generate the level, you could use a random number generator on the device and wouldn't care about logging it.

As you showed by varying colors, the candy distribution determines how likely the player is to win, whether they fall just short of clearing the level, etc. This will have a significant impact on whether they pay to continue, buy boosts, etc.

It is possible they do this.

They may not have done it at launch but as more and more people play and they collect the stats for each seed, I'm sure they can track how easy / difficult each seed is and send the seeds that they wish to do whatever objective they have.

Most of these F2P games collect and analyze an insane amount of player activity and have sophisticated analytics that they then analyze to make the game more addictive or to increase player spending.

You could have a few people collude to collect a number of incoming seeds on the same level and compare for non-random seeming collisions.

Awesome! I once wrote a boggle solver to beat my friends at Bogglific on Facebook. It was loads of fun until I was banned from the game.


Also, my solution can easily do boards up to 30*30 or so

Heh, I was mainly out to beat my co-workers, though if one of my co-workers was a fellow programmer I'd probably have had to improve on my algorithm.

Yeah it's kind of unnecessary, I just wanted to see how fast I could get it :)

Do you have the code for it? I didn't see the code on your blog? I would be interested to see how it worked.

I just checked my old archive folders and it looks like the code was lost when Dreamhost borked up my home directory a few years back. I assure you it was pretty gross :)

I don't know how valid it is now, but in July of 2011 I reverse engineered some aspects of Zynga's Words with Friends and put it up online: https://github.com/v64/fiend

The most interesting part was the way they decided to do the random generation of letter tiles. At the start of the game, each client was given the same PRNG seed (in the case of Words with Friends, the PRNG was a Mersenne twister), and when tiles needed to be drawn from the bag, instead of having the server tell you what tiles you received, you would use the preseeded PRNG to randomly draw your tiles from the available pool.

Of course, as your opponent is also doing this with the same preseeded PRNG, this also allows you to determine what tiles your opponent has, and what order the tiles will be drawn in for the rest of the game.
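An added example of the shared-seed problem this comment describes (my code, not the fiend library or Zynga's client). Python's `random.Random` is a Mersenne Twister, which is the PRNG the comment names; the tile bag, rack size and the rule that a played tile is immediately replaced are assumptions. An observer who knows the seed and the number of tiles each player has put on the board can recompute both racks and everything still to be drawn.

```python
import random

# Constructed tile bag (letter -> count); the real Words with Friends distribution is not on the page.
BAG = {"A": 9, "E": 12, "I": 9, "O": 8, "N": 6, "R": 6, "T": 6, "S": 4, "_": 2}
RACK_SIZE = 7


class TileStream:
    """Draws tiles from the bag with a Mersenne Twister seeded by the game's shared seed."""

    def __init__(self, seed: int):
        self.rng = random.Random(seed)          # random.Random is a Mersenne Twister
        self.pool = [letter for letter, n in BAG.items() for _ in range(n)]

    def draw(self, n: int) -> list:
        drawn = []
        for _ in range(min(n, len(self.pool))):
            drawn.append(self.pool.pop(self.rng.randrange(len(self.pool))))
        return drawn


class Game:
    """What both players' apps compute: no server decides the draws, only the seed does."""

    def __init__(self, seed: int):
        self.stream = TileStream(seed)
        self.racks = {1: self.stream.draw(RACK_SIZE), 2: self.stream.draw(RACK_SIZE)}
        self.log = []     # (player, tiles_played): visible to the opponent on the board

    def play(self, player: int, k: int):
        rack = self.racks[player]
        del rack[:k]                   # which tiles were played does not affect the draw order
        rack.extend(self.stream.draw(k))
        self.log.append((player, k))


def spy(seed: int, log) -> dict:
    """Rebuild both racks from the seed plus the publicly visible play counts."""
    stream = TileStream(seed)
    racks = {1: stream.draw(RACK_SIZE), 2: stream.draw(RACK_SIZE)}
    for player, k in log:
        del racks[player][:k]
        racks[player].extend(stream.draw(k))
    return racks


def upcoming(seed: int, log, n: int) -> list:
    """The next n tiles that will come out of the bag, for whichever player draws them."""
    stream = TileStream(seed)
    stream.draw(RACK_SIZE)
    stream.draw(RACK_SIZE)
    for _, k in log:
        stream.draw(k)
    return stream.draw(n)
```

The fix is the one Scrabble servers use: draw on the server and send each client only its own tiles. A client-side PRNG can be fine for deciding things that are public anyway, but never for anything one player is supposed to know and the other is not.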

F2P models are so strange.

Game piracy used to mean stealing the game. Now 'piracy' is getting extra lives.

I used to cheat at SongPop using the multi-finger multitasking on the iPad (pausing the game a fraction of a second after a song started playing, having plenty of time to guess the song properly). I could beat anyone using this technique, but it required manual work.

I expected a similar "hack" with Candy Crush, and was surprised by how "high-tech" their solution is. Good stuff.

Remember Draw Something? That game that was sold for $180 million to Zynga? I wrote an API library for that in Python https://github.com/bouk/drawsomething-api that allowed me to just add coins (the currency they sell for real money) through simple API calls.

Good times

I think Candy Crush also sells gold for real money, and you can just add that using my script too, although I am not sure.

I am sure they did this to offload the server.

I remember reading an article about some javascript games and how to find the balance for game state server-side check.

source : http://fugiman.com/blog/2013/08/17/on-click-fueled-javascrip...

A long long time ago before I ever wrote a line of code, I'd just play all the games I could. I was fascinated by how they worked. I later found a book on BASIC that introduced programming by having the reader write simple word games. After learning the basics, I then would wonder how FF1 managed to change states from being in a tiled map and exploring the world into a battle screen and back again, which led me to more learning and eventually I ended up making a very shoddy Zelda clone that ran in DOS. I think I was 11 or 12 at the time?

Anyway, one day a long time after that, I was playing this new mod for Half-Life called Counter-Strike. It was fun, and I had started learning C and about OpenGL to understand a bit more about how HL worked itself. But on this day I saw a guy just running through de_dust getting tons of headshots. Watching his camera, it seemed he had superhuman aiming. Comments about cheating flew, and this was long before the game was infested with cheats. He also seemed to know where everyone was. How?

A few hours later I discovered he was using a cheat called ViperG. It along with another cheat called XQZ were the only known public cheats at the time. ViperG was open sourced on a forum called clientbot at the time. Since I was learning C, I was actually able to read the code. Back then, HL only imported mod client function implementations using DLL imports, so you could write a DLL that exported fake client functions while also importing the real ones from a renamed client.dll, which let your cheat intercept all of the client API calls. Most in ViperG were just pass throughs, but one would gather entity information from a drawing API and another would draw some text on the screen in a HUD update API, etc. It was almost no code but it rendered little '+' signs on every player through walls and would let you automatically aim at their heads. Crazy.

This is when I realized that I could actually take software people had written and break it to make it do whatever I wanted, and that's when I feel like I really started learning things. Understanding how programs ran on my OS and learning how to reverse engineer came pretty rapidly. XQZ was closed source but had some really nice features, so I'd reverse its gl function exports and figure out exactly what it was doing so I could replicate them in my own cheat.

Doing what the author did here for modern MMOs can actually be a very difficult exercise, even for seasoned reverse code engineers. I've done it for several games, essentially reversing the entire netcode to write cheats that automate client actions, and there are all sorts of ridiculous traps I've seen to prevent you from doing so. One game even went so far as to require you to parse a terrain file and send the cell ID of your movement target in every movement packet, along with the absolute coordinates. This was slow as an iterative find process as a map had tens of thousands of triangles and you'd be sending these quite often, so naively you'd just loop over each triangle and check if your target coordinates were inside of it. This gave me a nice introduction into quadtrees and other algorithms that can make this operation asymptotically much faster. Yay learning.

To this day, I can only play a game so much before I get an overwhelming urge to break it. I think that despite the stigma of cheating, it's a great way to learn. It's comparable to taking something apart to see how it works and change it around a bit. Just don't take it too far and ruin games for other people.

Cool story, and I can see the appeal. But as a (long ago) competitive CS player, I hate(d) your kind.

If you think about it, I bet what you actually hate are the folks who just downloaded the cheat and used it, without knowing anything about it. But what if everyone wrote their own exploit? Eventually every game would devolve into Core Wars, but this would be kind of cool.

If everyone did write their own exploit, I'd still have hated it. Cheating in those kind of games really does ruin the game for everyone else. Enabling those people to do what they did was nearly as bad IMO.

I competed in a couple of the early CAL seasons legitimately (main and then invite). Most of us never condoned cheating in league play or even in most public servers. That's the part where you're ruining games for other people. There were, at one point, quite a few servers dedicated to cheating, however, and even a competitive scene to see who could make the best cheats.

But leagues actually made things more interesting. They started creating their own anti-cheats and those were just new shiny toys to break as well. It's quite satisfying to defeat them, even if the goal isn't to cheat in a league.

The worst cheaters seemed to be the guys that played in the [inter]national competitions. They would cheat, say "online doesn't matter, LAN noob", and ruin the game for everyone.

But like I said, I can see the appeal of creating the cheats at least. My first introduction to real programming was creating a mIRC script that would login and "vote" on a popular local website where there was a 15 minute delay between votes - where the developer kept changing forms and URLs to stop my script from working.

were you part of any communities? mpc, ogc, game-deception?

I was. Unfortunately it seems like they're all dead or generally inactive these days. I do wonder where the new communities are, because surely there are kids going through the same things we all went through in learning by breaking things.

Kids today grow up with iPhones and iPads instead so there's not much opportunity to do anything outside the box.

I built a small app to cheat at Landlord (http://www.landlordgame.com) to check and buy venues from anywhere in the world. There was also a small script to get huge amount of coins (through faking twitter and facebook sharing).

After 10 days I was number one in the rankings. Scores and amounts of $ were so large that the iPhone app was starting to bug... Of course it does not work anymore.


It looks like the author is decompiling the Flash SWF for the Facebook game. Would there be an equivalent way to do this for games on an iPad/iPhone without rooting the device?

Yes. Unpack the .ipa file (it's just a ZIP archive) and then use any ARM disassembler on the actual binary.

It'll be harder, but not impossible to do (as we've seen by the twitter app API secret leaking some time ago).

Wouldn't you need to decrypt it, on a jailbroken device, to get something useful out of the assembly? Or is that not needed for disassembling?

The binaries are not encrypted, they're just signed.

Is that a new thing? Last I checked, the executable was heavily encrypted in the code section..

The binaries are indeed encrypted, as evidenced by running "otool -l <binary>|grep cryptid". Why do you think otherwise?

Sorry was just wrong.
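The `otool -l ... | grep cryptid` check mentioned above, as an added Python example (my code, not from the thread or from Apple's tools) that runs on any OS: it walks the Mach-O load commands of a thin image and returns the `cryptid` field of `LC_ENCRYPTION_INFO` / `LC_ENCRYPTION_INFO_64`. A value of 1 means the App Store binary is still encrypted and disassembling it gives you garbage. The `build_sample` helper constructs a minimal header for testing; it is not a real app.

```python
import struct
import sys

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
FAT_MAGIC = 0xCAFEBABE
LC_SEGMENT_64 = 0x19
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C


def cryptid(macho: bytes):
    """cryptid of a thin Mach-O image: 1 = still encrypted, 0 = decrypted or never encrypted,
    None = the image carries no LC_ENCRYPTION_INFO command at all."""
    (magic_le,) = struct.unpack_from("<I", macho, 0)
    (magic_be,) = struct.unpack_from(">I", macho, 0)
    if magic_be == FAT_MAGIC:
        raise ValueError("fat binary: extract one architecture (lipo -thin) first")
    if magic_le == MH_MAGIC_64:
        header_len = 32
    elif magic_le == MH_MAGIC:
        header_len = 28
    else:
        raise ValueError("not a little-endian Mach-O image")
    (ncmds,) = struct.unpack_from("<I", macho, 16)   # ncmds sits at offset 16 in both headers
    off = header_len
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", macho, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            _cryptoff, _cryptsize, cid = struct.unpack_from("<III", macho, off + 8)
            return cid
        off += cmdsize
    return None


def is_store_encrypted(macho: bytes) -> bool:
    return cryptid(macho) == 1


def build_sample(cid: int, bits64: bool = True) -> bytes:
    """Constructed minimal image for testing: an empty segment, then the encryption command."""
    if bits64:
        seg = struct.pack("<II", LC_SEGMENT_64, 72) + bytes(64)       # segment with no sections
        enc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cid, 0)
        header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2,   # arm64, MH_EXECUTE
                             2, len(seg) + len(enc), 0, 0)
        return header + seg + enc
    enc = struct.pack("<IIIII", LC_ENCRYPTION_INFO, 20, 0x1000, 0x4000, cid)
    header = struct.pack("<IIIIIII", MH_MAGIC, 0x0000000C, 9, 2, 1, len(enc), 0)  # armv7
    return header + enc


if __name__ == "__main__":
    # Usage: python cryptid.py Payload/Something.app/Something   (after unzipping the .ipa)
    with open(sys.argv[1], "rb") as f:
        print(cryptid(f.read()))
```

Apps that ship as fat binaries need splitting first; the function refuses them rather than silently reading the wrong slice. A cryptid of 1 is the reason the jailbroken-device step exists: the decryption key never leaves the device, so the common approach is to let the loader decrypt the image and dump it from memory.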

How does one get to the .ipa file?

It's in the iTunes directory on your computer.

Isn't the Flash version using the same back end and API calls as the iOS version?

iOS version works offline, so I imagine everything is local to the device.

And yet the Facebook app stays in sync?

What's the best solution for this, managing game state server-side? Did they do it this way to offload storage and processing for scalability reasons?

For FarmVille we sent the actions back to the server and then validated against game state there. It's the only real way to protect against cheating. However, if I were building the game again today, I'd just do what King does and have the client manage the state. It turns out that the set of people that would do this and the set of users that would convert into paying users has very little overlap. The overhead of managing state on the server is that you'd have to write your game logic twice (once in your client-side language and once server-side, though with a scripting language you may be able to avoid this). Second, we benchmarked this approach and found that you can handle 10x the number of players with the same hardware by not doing any server-side logic/validation and just having the server be a dumb pipe to store player state.

Here's a talk I gave on the FarmVille approach: http://www.slideshare.net/amittmahajan/rapidly-building-farm...

and one on the king approach that we're using at my current company: http://www.slideshare.net/amittmahajan/gdc-2013-ditching-the...

Very, very informative, thank you. I too have been wondering about this exact thing - if it's worth the trouble in the end, to do server checks and whatnot. Seems it's not, in these cases :)

I guess the first question is: why prevent people from doing this?

In my opinion, with games like this the ultimate goal of the server is to make sure one person doesn't ruin someone else's fun. Seems fine to let them ruin their own fun.

A lot of people play games to compete with their friends. If everyone's just hacking to maximize their score, the legitimate players - and these are the ones who see the ads, and therefore are important to keep around - will leave your game.

For one, sanity checks (this level can't really be solved in two seconds, that score is too large, etc). For two, probably more signing of requests, but that's pretty easy to bypass too. You really shouldn't be able to get ten thousand of something when the most the game gives you is two or three per day, though.

I guess they did it this way because they don't care about people cheating, since pretty much only one person (me) will bother to do it, and it will have no benefit other than their friends being puzzled.

> since pretty much only one person (me) will bother to do it

Just look at the leaderboards in iOS Game Center. Top lists are full of cheaters.

The best thing to do is basically to simulate the entire game for each player on the server side and verify every action the player does but this involves a lot more code and is also server intensive for many games.

There also things like signing each request and such but ultimately, the client can't be trusted and will always be able to cheat in some way (like automating clicks and actions via GUI scripting).

In one puzzle game I worked on, we recorded all the user's moves and sent them back to the server. Not too big for something like Candy Crush, and allows you to check the user actually played the game.

Of course, that doesn't stop the next obvious steps (implementing a full simulation, or controlling the game through the GUI), but neither of those can be stopped.
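The move-recording scheme in this comment and the server-side validation of the FarmVille comment above, as one added example (my code, not King's, Zynga's or the commenter's). The game itself is a toy stand-in for a match-3 level: the board is generated from the level seed, a move swaps two neighbouring cells, runs of three or more are cleared and refilled from the same seeded RNG. Board width, colour count, move limit and the minimum seconds per move are all assumptions. The server replays the client's recorded moves against the seed and accepts the claimed score only if the replay reproduces it.

```python
import random
from typing import List, Optional

# Assumed level parameters; the real game's rules are not reproduced here.
COLORS = 4
WIDTH = 12
MAX_MOVES = 20
MIN_SECONDS_PER_MOVE = 0.25


def find_runs(board: List[int]):
    """Maximal runs of 3+ equal cells, as (start, end) half-open ranges."""
    runs, i = [], 0
    while i < len(board):
        j = i
        while j < len(board) and board[j] == board[i]:
            j += 1
        if j - i >= 3:
            runs.append((i, j))
        i = j
    return runs


def clear_runs(board: List[int], rng: random.Random) -> int:
    """Clear runs, refill the gaps from the level's seeded RNG, repeat until stable."""
    gained = 0
    while True:
        runs = find_runs(board)
        if not runs:
            return gained
        for start, end in runs:
            gained += 10 * (end - start)
            for j in range(start, end):
                board[j] = rng.randrange(COLORS)


def replay(seed: int, moves: List[int]) -> Optional[int]:
    """Rebuild the level from its seed and replay the client's moves; None if any move is illegal."""
    if len(moves) > MAX_MOVES:
        return None
    rng = random.Random(seed)
    board = [rng.randrange(COLORS) for _ in range(WIDTH)]
    clear_runs(board, rng)                  # the level never starts with a free match
    score = 0
    for i in moves:
        if not 0 <= i < WIDTH - 1:
            return None
        board[i], board[i + 1] = board[i + 1], board[i]   # a move swaps cells i and i+1
        score += clear_runs(board, rng)
    return score


def verify_submission(sub: dict) -> bool:
    """Accept a score only if the recorded moves reproduce it in a plausible amount of time.
    sub = {"seed": int, "moves": [int, ...], "score": int, "elapsed": float}"""
    if sub["elapsed"] < len(sub["moves"]) * MIN_SECONDS_PER_MOVE:
        return False
    replayed = replay(sub["seed"], sub["moves"])
    return replayed is not None and replayed == sub["score"]
```

The move log is a few bytes per move, so for a game like Candy Crush it is cheap to store, and the server needs the game rules implemented once more, which is the "write your game logic twice" cost the FarmVille comment mentions. As both comments say, it stops an invented score but not a client that plays the real game with a solver or drives the GUI.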

I'd think you'd want to make a signed hash of each request, so the server can verify it came untampered from the client.

Candy crush does this, and circumventing it was one of the points of the article. It is hashed with a secret key from the flash client. He just extracted the key from the client and started signing the requests himself.

He signed the requests. I think they'd need some sort of way to ensure that the level's initial settings were also used.

True, although it seems not all of the calls are like that, for example the number of lives.
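The two defences the thread keeps coming back to are request signing (which fails the moment the key is lifted out of the client) and server-side sanity checks (a level can't be cleared in two seconds; you can't have more free lives than the game hands out). This added example, not from the article or from King's code, sketches a server-side validator that applies both; the key, limits and request format are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed values for the example; nothing here is the game's real protocol.
SIGNING_KEY = b"example-key-embedded-in-client"
MIN_SECONDS_PER_LEVEL = 15       # nobody clears a level in two seconds
MAX_SCORE_PER_LEVEL = 1_000_000  # upper bound on what one board can yield
MAX_FREE_LIVES_PER_DAY = 3       # the game hands out two or three per day


def sign(request: dict, key: bytes = SIGNING_KEY) -> str:
    """HMAC-SHA256 over a canonical JSON encoding, as the client would compute it."""
    body = json.dumps(request, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def validate_level_complete(request: dict, signature: str,
                            free_lives_today: int) -> tuple[bool, str]:
    """Server-side check of a 'level complete' report.

    The signature only proves the sender knew the key; once the key has been
    pulled out of the client that proves nothing, so the server also applies
    rules that depend on nothing the client says about itself.
    """
    if not hmac.compare_digest(sign(request), signature):
        return False, "bad signature"
    if request["seconds"] < MIN_SECONDS_PER_LEVEL:
        return False, "completed too fast"
    if request["score"] > MAX_SCORE_PER_LEVEL:
        return False, "score exceeds level maximum"
    if free_lives_today + request.get("free_lives", 0) > MAX_FREE_LIVES_PER_DAY:
        return False, "free lives exceed daily cap"
    return True, "ok"


# Constructed sample reports: one honest, one claiming a two-second clear.
HONEST = {"level": 12, "score": 48_200, "seconds": 131, "free_lives": 1}
FORGED = {"level": 12, "score": 48_200, "seconds": 2, "free_lives": 0}


def demo() -> dict:
    """Run the checks the thread describes and report what each one catches."""
    honest_sig = sign(HONEST)
    tampered = dict(HONEST, score=999_999_999)   # edited after signing, stale signature
    forged_sig = sign(FORGED)                     # re-signed with the extracted key
    return {
        "honest": validate_level_complete(HONEST, honest_sig, 0),
        "tampered_no_resign": validate_level_complete(tampered, honest_sig, 0),
        "resigned_too_fast": validate_level_complete(FORGED, forged_sig, 0),
        "too_many_lives": validate_level_complete(HONEST, honest_sig, 3),
    }
```

The "resigned_too_fast" case is the one the signature alone cannot catch: it carries a valid HMAC and is rejected only by the timing rule.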

Years ago, for fun, I wrote a Bejeweled Blitz player. As with others here, the fun was about the challenge, not about 'beating' the game.


Cookie Clicker: http://orteil.dashnet.org/cookieclicker/ This game is all client-side so it's easy to cheat. The cool thing is you actually get achievements for cheating!

In 2007 I did the same level of digging with a Facebook puzzle-solving game. The game used to post daily puzzles, and the top scorers (solving the puzzle in minimum time) were shown on a global leaderboard. At that time, the app was not using any kind of hashing or validation. It was simply posting the score to the server, so tampering with the data was easy. After staying on top of the global leaderboard for a few days (with an impossible score of 1 second), the app developer contacted me and requested that I stop cheating the system. I suggested some changes to him and the game became much better.

As long as using wget can lead to a conviction for hacking, it might not be the best idea to admit such a hack publicly...

But luckily in the EU the European court for human rights should stop such stupidity in its tracks.

The only winning move is not to play.

A strange game.

The only winning move is not to play.

relevant xkcd: http://xkcd.com/601/

Nicely done. Now I have to find the secret key...

You'll never find it, it's too well hidden! Muhaha!

P.S.: It isn't.

I used an APK "decompiler" once to get API keys and URLs (wasn't for Candy Crush but for a music app using HTTPS).

I guess it should work here too.

I have a setup with my own WiFi, SQUID as a transparent proxy with self-signed CA generating "legit" site certificates on the fly.

The CA is loaded into Android as trusted, internet is disabled on every app except target to reduce noise (yay! UNIX users/permissions!) SQUID's built-in logging spills all the magic beans.

I take it that the secret key is visible in the requests within Charles?

Yes in a way, but actually no, it is hashed with some other values.

It's both hashed and the first few chars (four, IIRC) of the hash are transmitted, so it's really unlikely that one will be able to brute-force it.

I once lost a license key for a major enterprise system. I had to get a demo up and running ASAP. Luckily, it was an ASP.NET app. I was able to use .NET Reflector, find a code-rewriting plugin, and blank out the function that did the cert check (always made it return true), and I was able to log in.

This is one of my favorite exercises. I started out in a similar situation where it was necessary to get an .net app to act differently. The feeling of accomplishment was completely different than regular development. Now reverse engineering is a hobby I am very passionate about.

It's also incredibly insightful as a developer to see how crappy code can exist in very expensive software.

Oh man... when I opened the business rules dll in .NET, I got quite a shock!!! Worst code I've ever seen.

Wow! I'm surprised to hear that their production servers output a full stack trace.

Agreed, it reminded me of how the BitKeeper protocol was reverse-engineered by simply typing "help" in the TCP connection to the server:


Tridge noted that this sort of output made the "reverse engineering" process rather easier. What, he wondered, was the help command there for? Did the BitKeeper client occasionally get confused and have to ask for guidance?

This guy did it faster using memory hacking: https://www.facebook.com/photo.php?v=308857235912631

Great story. I think it's less about cheating and more about poking your way around public software. I appreciate the spirit of adventure in searching through the game.

That's true, I'm not interested in the game itself at all. I barely played it enough to write this, really.

> What's this? It looks like we can just tell the game we finished a level, without any other hassle

The game insults players' intelligence on so many levels.

You could also use a memory editor. Like this - http://www.ydesouza.com/crandy-crush

NameError: name 'start_game' is not defined

Fixed, thanks!

It is crazy that a game that makes multi-million dollars every day has no server-side validation at all and just trusts the client. Crazy.

Why spend unnecessary resources? People trying to cheat will find ways that are very hard to prevent.

Which brings us to another question - besides hackers, who is interested in cheating these kinds of games? Probably people who want to impress their group of friends who also play the game. I smell a market opportunity here.

Surely there's a big market for cheats? You could sell Candy Crush powerups for half price to all those people who are buying them now...

Then you're either out in public, and they can retroactively fix the bug, or you're trying to sell them privately, in which case you're not gonna have much impact anyway.

It's the same as with hacking in mmo games. No one cares until you start publicizing your hacks, in which case they can just install your hack, see what bug it's abusing, and fix that.

Seems like a very small market to me: people willing to spend money on the game, but not spend that much money. Most cheaters want to spend $0.

Isn't that how Candy Crush makes money now? You spend money to buy your way to new levels, through the use of special items and bonuses. Or are you targeting the subset of people who want to pay to cheat, but want it to be secret.

I'd say that most people wouldn't consider paying for more lives cheating, but that editing the communication between the game and the client is.

It would be like playing an arcade game. Putting in quarters for more lives isn't cheating. Creating a device that you can put in the quarter slot and pull out to reuse, and that triggers the game into thinking it just got a quarter, is.

It's curious.

> Probably people who want to impress their group of friends who also play the game.

Or those who get stuck on one level, and find it more frustrating than fun to keep playing it over and over.

Why? People who are:

1. skilled enough to hack it, AND
2. so interested in playing the game that they would pay for something in it

are very, very rare.

Unless you have world-wide score list that people actually care about or something like that.

In the app store they collect around $850,000 per day.

This is so much faster, I had been using CheatEngine to modify the values, then play the entire level.

The best way to play this game.
