[TUTORIAL] Simple hack of online save file using Charles Proxy

s810car (Thread Author), 12/09/16
First post here, looking forward to learning new programming/hacking techniques; the site looks promising. In the spirit of offering information before just leeching it, I'm going to describe a simple hack technique for games with a poorly set up backend server, using one of my favorite network analysis tools, Charles Web Debugging Proxy.

From their website:
About Charles

Charles is a web proxy (HTTP Proxy / HTTP Monitor) that runs on your own computer. Your web browser (or any other Internet application) is then configured to access the Internet through Charles, and Charles is then able to record and display for you all of the data that is sent and received.

In Web and Internet development you are unable to see what is being sent and received between your web browser / client and the server. Without this visibility it is difficult and time-consuming to determine exactly where the fault is. Charles makes it easy to see what is happening, so you can quickly diagnose and fix problems.

Simply translated, this program allows you to see the "hidden" communication between your browser and the target server.
"Big deal, I can get that information off Firefox/Chrome etc. already."
Well, the key difference is how the information is displayed and what you can do with it. Looking at a few of the key features:
  • SSL Proxying – view SSL requests and responses in plain text
  • AJAX debugging – view XML and JSON requests and responses as a tree or as text
  • Repeat requests to test back-end changes
  • Edit requests to test different inputs
(Only a partial list of key features, the ones that we will put to use.)
As you can see, this will allow us not only to read and understand the server's response from an HTTPS game server (or most web pages using SSL); as a MITM application it is also able to easily modify the requests sent to the server.

Ok, let's get started. For this PoC hack I will be using a completely unedited game from the Play store, Prince Billy Bob (Playstore Link: Game). Lastly, the Android phone I have the game installed on normally, which will have to be run on wifi to connect to the proxy computer.

1st Step: Setup Charles
  • Install Charles following its standard directions; if you can't get that far without needing more detailed help, please exit stage right.
  • Start up the program and set up the SSL web proxy. Here's how (DISCLAIMER: I have seen a few different versions of the toolbars in Charles; here's my version, just find the same information if you have a different version):
    1. Go to Proxy > Proxy Settings
    2. In the Proxies tab enter "8888" in the HTTP Proxy Port field
      [screenshot]
    3. Enable Transparent HTTP Proxying as well
    4. In same window, Go to SSL tab
    5. Check Enable SSL and ensure that under Locations there is an entry with * next to it and that its checkbox is checked. Example:
      [screenshot]

    6. Check your computer's IPv4 address. If on the same LAN as your computer, use the internal IP address behind the router; it should start with 192.168... or 10.0... assuming a standard LAN setup. Save this number for later. If not on the LAN with the computer, get on it (or set up an external proxy, which is beyond the scope of this tutorial; the LAN setup will allow SSL responses in plaintext, and you'll have to figure out your proper configuration to use an external proxy).
    7. Lastly, prep your two SSL certificates. Go to Help > Install Charles CA SSL Certificate. You are going to install on both your PC and your Android. PC installation is easy: simply hit Install Certificate and let it select its certificate store, save, and done. Next, for Android, after hitting the menu item Install Charles CA SSL Certificate, choose the Details tab, then Copy to File. Save as a DER encoded binary X.509 (CER file), name it whatever, and after choosing its destination, send it to your Android phone via USB, wifi, SD card, NFC, Bluetooth, aliens, IDGAF, just get it onto your phone, then use any decent file explorer to select and install it.
    8. Alright, leave Charles open and now set up the target phone.
2nd Step: Setup Android
  1. (If not already done) Install the game from the Play store link above (or Gapps/sideload, obviously fine; I'm just stating the point that the game itself remains untouched with this method: no version conflict to worry about, achievements are available, etc.)
  2. Change your LAN wifi settings. I believe it's pretty universal among Android versions how to do this. Go to Settings > Wifi. Long press your network name and select Modify network. Check the advanced options. Change Proxy settings to Manual, scroll down the menu to Proxy hostname, and change it to the LAN IPv4 address you saved from your PC. Change the proxy port to 8888 to match your settings above. You can leave the rest of the settings alone. Scroll back up and enter the wifi password so you can save the settings.
    [screenshot]
Provided you did all that correctly, you should now be set. Test by checking in Charles that the button that looks like a white circle with a smaller red circle is pressed, then open the browser on your phone and search something on Google, go to a homepage, etc. The second you tap any of those on your phone, Charles should come to life, populating its Structure/Sequence windows with all sorts of neat data.

All right, you're all set up. I'll have the next post up shortly to detail what kind of details you want to focus on, how to get the server to throw you a bone to work with and not just Facebook tracking data, etc. Lastly I'll show the specific exploit I used for Billy Bob.
Ok, back to the hack.

1. Start the Billy Bob game. It's going to load up a bunch of folders and info, and if you try to figure out where anything useful is you may get lost, so sit tight and let the game start, load up Google Plus, etc. Once it's all done and it looks like Charles is done constantly loading new folders, we are going to
2. Stop the recording session (press the white/red button). This info is mostly useless unless you want to dig for app API keys, hashes, fun stuff for more complex hacks, but this is a beginner's tut to show the benefits of Charles at all levels. Personally I saved this session before clearing it, for study later, but you may either save it or just clear it; it's not needed for this hack.
3. Now that Charles is clear, restart the recording session. With all the junk out of the way, it's more likely to only call the server based on your input, thus easier to track what you want. So here's what I did. I started looking for things you do that trigger a call to the game's main server. Things to try include checking daily rewards, in-app purchases, buying premium items in game using premium in-game currency (read: currency they expect you to pay real money to get any decent quantity of), or, as I found for my example, the cloud save sent to (Link is Broken). This one was the jackpot, which gave me a completely clear (thanks to Charles' SSL credentials) JSON string the developer used in this save. Here's the string you can find by checking the request we sent to the server, easiest to read in Form view; it'll look a lot like this:
{
"_platform": "android",
"_userid": //CUT FOR OBVIOUS REASONS//
"_email":
"_savever": 1,
"_savedata": "{\n \"k_rst\": \"12,13,4,13,14,3\",\n \"k_opq\": \"1,1,1,1,1,1,1,1,0,1,1,0,0,1,1,1,1,1,0,1,1,1,1,0,1,1,1,1,1,0,1,1,1,1,1,0,1,1,1,1,1,0,0,1,1,0,0,0,1,0,1,1,0,0,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,0,1,1,0,1,1,0,0,0,0,1,1,0\",\n \"k_ess\": \"4\",\n \"k_est\": \"0,0,0,0,0,0\",\n \"k_ese\": \"5,6,10,0,0,0\",\n \"k_ab\": \"100716052702143602370037750986878757\",\n \"k_bc\": \"2647561\",\n \"k_cd\": \"351\",\n \"k_cf\": \"5\",\n \"k_de\": \"720\",\n \"k_ef\": \"4\",\n \"k_gh\": \"45\",\n \"k_hi\": \"2\",\n \"k_fg\": \"400,45,250,375,25,80,10,200,7,5,5,1,0,0,0,0\",\n \"k_rs\": \"10,15,10,11,10\",\n \"k_rq\": \"1,1,0,0,0\",\n \"k_ij\": \"1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,2,10,12,0,0,0\",\n \"k_jk\": \"25\",\n \"k_qa\": \"7\",\n \"k_qb\": \"233\",\n \"k_qc\": \"1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0\",\n \"k_lm\": \"1026\",\n \"k_mn\": \"0\",\n \"k_no\": \"0\",\n \"k_pq\": \"1086\",\n \"k_mno\": \"0\",\n \"k_tqb\": \"0\",\n \"k_teb\": \"880\",\n \"d_high_stage\": \"1542\",\n \"d_total_stage\": \"16125\",\n \"d_revival\": \"35\",\n \"k_wx3\": \"4535983604716846964197\",\n \"k_yz\": false,\n \"package\": 0,\n \"package2\": 0,\n \"dlpackage\": 0,\n \"dlpackage2\": 0,\n \"tuto1\": 1,\n \"COMIC_SHOW\": \"1,1,1,1,1,0,0,1,1,0,1,0,0,0,\"\n}"
}
[screenshot]

Doesn't look like much up front, but you'll notice a lot of the numbers match your details. For simplicity's sake, here's an easy translation for most of the variables; I haven't played with all of them yet.

{
\"k_rst\": \"2,2,7,2,2,1\",\n
\"k_opq\": \"1,1,1,1,1,1,1,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,0,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0\",\n
\"k_ess\": \"4\",\n
\"k_est\": \"0,0,0,0,0,0\",\n
\"k_ese\": \"1,0,0,0,0,0\",\n
\"k_ab\": \"332903624298023419112611376864000000000\",\n \\CASH\\
\"k_bc\": \"490000\",\n \\KEYS\\
\"k_cd\": \"50009\",\n \\GEMS\\
\"k_cf\": \"700\",\n \\DEVILS COINS\\
\"k_de\": \"348\",\n \\FLOOR\\
\"k_ef\": \"1\",\n
\"k_gh\": \"38\",\n
\"k_hi\": \"1\",\n
\"k_fg\": \"300,45,175,359,25,80,10,182,5,0,2,0,0,0,0,0\",\n \\TREASURES ORDER: 1. RING OF GREAT POWER 2. AMULET OF SHARP VIGOR 3. BLADES OF GALE 4. GOLDEN EAGLE STATUE 5. CLOAK OF AGILITY 6. MERCHANTS MASK 7. RING OF SPEED 8. GOLD CRYSTAL 9. GOLDEN KEY 10. TWINKLING KEYCHAIN 11. ELEC KEY 12. CROSS OF GREAT POWER 13-16 NEW ITEMS\\

\"k_rs\": \"7,1,2,1,1\",\n \\PET LEVELS ORDERED TOP - BOTTOM\\
\"k_rq\": \"0,0,0,0,0\",\n \\ BOOLEAN FOR EVOLVED PETS\\
\"k_ij\": \"2,2,2,1,1,1,1,1,3,3,5,6,3,4,1,14,2,11,24,23,0,0,0,0,0\",\n \\QUEST LEVELS FROM TOP TO BOTTOM \\
\"k_jk\": \"25\",\n
\"k_qa\": \"5\",\n \\BILLY BOBS 'X'TH DUNGEON, K_QA = X\\
\"k_qb\": \"121\",\n \\MONSTERS BEATEN IN DUNGEON\\
\"k_qc\": \"1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0\",\n \\ BOOLEAN FOR IS DUNGEON QUEST BEATEN FROM TOP-BOTTOM \\
\"k_lm\": \"0\",\n \\ SEC LEFT FOR RAGE \\
\"k_mn\": \"0\",\n \\ SEC LEFT \\
\"k_no\": \"0\",\n
\"k_pq\": \"0\",\n \\ SEC LEFT FOR SHOES OF SPEED \\
\"k_mno\": \"999\",\n
\"k_tqb\": \"391\",\n
\"k_teb\": \"866\",\n
\"d_high_stage\": \"1107\",\n
\"d_total_stage\": \"14216\",\n
\"d_revival\": \"34\",\n
\"k_wx3\": \"1099699462946045\",\n
\"k_yz\": false,\n
\"package\": 0,\n
\"package2\": 0,\n
\"dlpackage\": 0,\n
\"dlpackage2\": 0,\n
\"tuto1\": 1,\n
\"COMIC_SHOW\": \"1,1,1,1,1,0,0,1,1,0,0,0,0,0,\"\n
}


So in conclusion, what I decided to do was alter the numbers, being VERY careful not to delete any delimiters like ,\": etc. (a file editor was easier for me to copy/paste into, but you can edit inline in Charles), and resend the save request with the altered numbers from Charles. You won't get a confirmation about your save from that, but it's ok; once you get a 200 response from the server, you can hit Load Game from the app directly, and it will load the numbers you put in.
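Since the whole trick works because the backend accepts whatever numbers the client sends back, here is what the missing server-side check could look like. This is an added example, not code from the post or from the game: it takes an upload shaped like the dump above (outer JSON with the save itself as a JSON string in _savedata), ties it to the save the server last handed out with an HMAC token, parses the counters the post labels as cash/keys/gems/devil's coins/floor, bounds them, and flags jumps that no session of normal play would produce. The _token field, the server key, the limits, the growth factor, the user id and the sample saves are all assumptions constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed secret for this example; a real deployment keeps it server-side only.
SERVER_KEY = b"example-server-key-not-real"

# Counters the server bounds. The field names come from the captured save above and
# the meanings follow the post's annotations; the limits are illustrative assumptions.
COUNTER_LIMITS = {
    "k_ab": 10**60,  # cash (the game clearly uses very large values here)
    "k_bc": 10**8,   # keys
    "k_cd": 10**6,   # gems
    "k_cf": 10**5,   # devil's coins
    "k_de": 10**4,   # floor
}
# Largest factor a counter may grow by between two consecutive saves (assumption).
MAX_GROWTH = 50


def save_token(userid, savedata):
    """HMAC the server attaches when it hands a save to the client. The client echoes it
    with its next upload, so the server knows which stored save the upload builds on."""
    msg = json.dumps([userid, savedata], separators=(",", ":")).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def parse_savedata(savedata):
    """Decode the inner JSON string (the _savedata field) and return the bounded
    counters as ints. Raises ValueError on anything malformed instead of trusting it."""
    inner = json.loads(savedata)
    if not isinstance(inner, dict):
        raise ValueError("savedata is not an object")
    counters = {}
    for field in COUNTER_LIMITS:
        raw = inner.get(field)
        if not isinstance(raw, str) or not raw.isdigit():
            raise ValueError(f"{field} missing or not a decimal string")
        counters[field] = int(raw)
    return counters


def check_upload(upload, stored):
    """Validate one cloud-save upload (the decoded outer JSON) against the save the
    server last stored for that user. Returns (accepted, reasons)."""
    reasons = []
    # 1. Continuity: the upload must echo the token for the save the server last issued.
    expected = save_token(upload.get("_userid"), stored["savedata"]).encode()
    presented = str(upload.get("_token", "")).encode()
    if not hmac.compare_digest(presented, expected):
        reasons.append("token does not match the last server-issued save")
    # 2. Shape and range: the numbers must parse and stay within the bounds.
    try:
        new = parse_savedata(upload.get("_savedata", ""))
    except (ValueError, TypeError) as exc:
        return False, reasons + [f"malformed: {exc}"]
    for field, value in new.items():
        if value > COUNTER_LIMITS[field]:
            reasons.append(f"{field}={value} exceeds limit {COUNTER_LIMITS[field]}")
    # 3. Plausibility: counters may go down (spent) or up, but not by orders of magnitude.
    old = parse_savedata(stored["savedata"])
    for field in COUNTER_LIMITS:
        if new[field] > max(old[field], 1) * MAX_GROWTH:
            reasons.append(f"{field} jumped {old[field]} -> {new[field]}")
    return not reasons, reasons


# --- Constructed sample data shaped like the dump above (only the bounded fields) ---
USER_ID = "user-0000-example"  # placeholder, not a real id


def _inner(cash, keys, gems, coins, floor):
    return json.dumps({"k_ab": str(cash), "k_bc": str(keys), "k_cd": str(gems),
                       "k_cf": str(coins), "k_de": str(floor), "k_yz": False})


def make_upload(savedata, token):
    """Outer request body in the shape the post shows, plus the assumed _token field."""
    return {"_platform": "android", "_userid": USER_ID, "_email": "player@example.invalid",
            "_savever": 1, "_savedata": savedata, "_token": token}


# The save the server last handed out: the counters from the first dump in the post.
LAST_STORED = {"savedata": _inner(100716052702143602370037750986878757, 2647561, 351, 5, 720)}
LAST_TOKEN = save_token(USER_ID, LAST_STORED["savedata"])


def legit_upload():
    """A few minutes of normal play: every counter moves a little."""
    return make_upload(_inner(12 * 10**34, 2700000, 360, 6, 725), LAST_TOKEN)


def tampered_upload():
    """The edited values from the second dump, resent with the still-valid token."""
    return make_upload(_inner(332903624298023419112611376864000000000, 490000, 50009, 700, 348),
                       LAST_TOKEN)


if __name__ == "__main__":
    for name, upload in (("normal play", legit_upload()), ("edited save", tampered_upload())):
        ok, why = check_upload(upload, LAST_STORED)
        print(f"{name}: {'accepted' if ok else 'rejected'} {why}")
```

Run it and the edited upload is rejected on cash, gems and devil's coins while the normal one passes. Note that the token check alone does not catch the edit, because the resent request carries the same token the server issued; it is the range and growth checks that do, and whatever they flag is also what a backend should be logging, since an inflated save arriving with a valid token is exactly the edit-and-resend pattern described above.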
[screenshots]

Play around with it to see what you can do, and don't forget to go into your Android wifi settings to disable the proxy when done, or you won't be able to use the network properly unless your PC is on, etc. Charles stops when shut down, so no need to do anything there.

This is a VERY simple hack, just to give a taste of what you can do if you're squeamish about editing smali/apk/etc. but still want to dig into game modding. Have fun!
Nice tut for MiTM. GJ
 
Video please.
Maybe when I have time; it's really not too difficult to do, however, and the real goal of this tut is to encourage the user to get a feel for using a network monitoring tool that can alter requests etc. The specifics change with every game, so just following a video will show you one game only, this one (tbh not even that good a game, just a great PoC of a way to manipulate Android games' network traffic to your advantage).

tl;dr: The tut is to teach Charles, not a universal hack method, but I'll try to do a video ASAP.

If you try it and have questions, just post and I'll respond. Thanks!
 
Cause I'm Turk. I don't understand some words, I need video hhh
Fair enough, but a video takes a lot more time to do right, so I'll compromise: I should be able to take screenshots of the respective screens in a couple of days; that should be usable enough.
 
Working on updating the tut with screenshot examples, should post later tonight, but going through the instructions I left out a small detail or two, so double check if interested in trying it out. More importantly I forgot this disclaimer (no, not the obvious one that hacking servers is illegal, yada yada):

WARNING
Adding a custom certificate to Android like this requires elevated security on your phone; it will require you to add a lock screen if you don't have one currently. There is a workaround bug though, just Google "remove lockscreen android ssl certificate" or something like that. It will also give a notification that your network traffic may be monitored; you can clear it but it'll notify on every reboot. You can delete the certificate if that's too annoying; imo nothing terrible to deal with.
 
How to install an SSL certificate on Android?
Follow #7 up top; when you select the file on your Android it'll pop up the option to install (I believe you need to be rooted to do it, not 100% sure).
 
Nice tuts. What if I don't have WiFi? Can I use mobile data?
You have to be connected with your PC acting as a proxy server, that's all; I gave the simplest method. Google how to set up a proxy using 4G (or 3G, whatever your phone has) in your situation, and the only directions you skip in the tutorial are the Modify network part; you still need the SSL cert, etc.
 
Can you add the link for the Charles proxy pls? Does it require a specific version or is it ok to use the latest? Thanks
 
It doesn't require a specific version; I used 3.x for example and it's up to 4.something, which I tried and also works. I don't have the link atm, I'll have to find it, but you can test with the demo version; I'll find the other link after work tonight.
 
Gonna give it a try, seems a good start for newbies like me.
Thanks for posting

:):)
 
You can use SandroProxy too for this hack xD. It's simple to use and it's an Android app... Needs root.
 