Cheating on Facebook games
28 May 2009I'm really not good at playing Bejeweled Blitz on Facebook.
To mess around with my family, I've been cheating pretty much since I played the game the first time.
Some of you have been wondering how that is actually possible. While it's not exactly a feat of genius, it does require some working knowledge of how Flash games work.
Flash is a client-side plugin that runs a program inside your browser. When you visit a page with a flash game on it, the program is downloaded from a website and executed on your PC. What's important is that the entire thing runs on your PC and then possibly submits a highscore to the gameserver. Nothing prevents you from faking the reply to the gameserver...
The data sent to the gameserver can be captured with a network monitor. It would be possible to change the transmitted data "in flight", but I didn't go through the trouble of doing all that and just transmitted a modified copy of the original data.
In the case of Bejeweled Blitz, the creators of the game wanted to be smart about it and tried to protect the integrity of the data being sent to the server with a field called "checksum". But it's not really difficult to get around it.
You can disassemble the flash game with a "flasm":
flasm -d bejeweledfacebook.swf
The code that generated the checksum is listed here:
push 0.0, 'md5'
new
setRegister r:5
pop
push 'checksum', 'myScore'
getVariable
push 'nonivechey902!0'
add
push r:3, 'fb_sig_user'
getMember
add
toString
push 1, r:5, 'hash'
callMethod
setVariable
In pseudocode that would read something like:
checksum = hash(getVariable("myScore") + "nonivechey902!0" + user.getMember("fb_sig_user"), "md5")
So, to set my score to 102101 (which is 1 higher than my mom's ;), I generate a new checksum
(I used userid 0123456789 in this example)
deepstar@phoenix:/tmp/bej$ echo -n '102101nonivechey902!00123456789' | md5sum
e3f37c9eb8c861818c0e4b32265be59d -
Next, I replaced the checksum in the datastream with the one above, and changed the score to 102101. Finally transmitted it to the gameserver and the score was set.