
Candy Crush Is a Fun Game… Let’s Hack It

January 29, 2013

I noticed a bunch of my friends were playing a game called “Candy Crush”. I’m not much of a gamer, nor do I have time to waste on games, but I had to see what the hype was all about. I mean, this game went viral and I want to know what they did right. So I played it. It certainly is fun. I played it for 6 days and reached level 105. Cool, but there are currently 305 levels and I don’t wish to waste any more time on this game. I got curious, so I started logging the TCP packets sent back and forth to king.com by the flash client. I found a few interesting bits of information.

First, when I put my cursor over any of the beaten levels, I get a little popup image of that level. Each time I do this, I see the flash client making a GET request to
https://cc1.midasplayer.com/images/levels/XXX.png
(replacing XXX with the level number). The URL is predictable and plain wget fetches it, so nothing ties the preview to the levels you have actually reached: with wget or your browser you can preview any level you like. For example,
https://cc1.midasplayer.com/images/levels/320.png
will show you level 320 (which doesn’t even exist yet as far as the game’s level map is concerned).

Second thing I noticed: the flash client polls https://candycrush.king.com/api/poll and GETs a JSON object with some interesting data:
{"currentUser":{"userId":XXXX,"lives":1,"timeToNextRegeneration":1780,"gold":0,"unlockedBoosters":[],"soundFx":true,"soundMusic":true,"maxLives":5,"immortal":false,"mobileConnected":true}}
This tells your client who you are, how many lives you have, your sound settings, your max lives… and immortal? Woah. It appears the good folks at King have a setting called “immortal” (which of course defaults to false). How does one set “immortal” to true? The client simply trusts whatever this response says, so the idea is to feed your own browser phony data. One option is to add an entry to your hosts file (or your own nameserver) so candycrush.king.com resolves to a server you control, which answers the poll however you like. Another is to run a MITM attack on yourself with a filter that rewrites the number of lives, the number of max lives and your immortal status on the way back to the browser. The catch is that the poll goes over HTTPS, so a proxy in the middle can’t just edit the bytes in transit. ettercap deals with this by terminating the TLS connection itself and presenting the browser a certificate it generated, which the browser will (rightly) warn about; since it is your own browser, you simply add that certificate to your exceptions list. The hosts-file approach has the same problem and the same fix: your stand-in server has to present a certificate the browser trusts for candycrush.king.com. To let ettercap do the SSL interception, edit /etc/etter.conf and uncomment the redirect commands for your operating system; they send port 443 traffic through ettercap’s local SSL proxy. Since I am using Linux, I uncomment:

redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

and, because ettercap normally drops its root privileges after startup but needs them to run those iptables commands, I set:

ec_uid = 0
ec_gid = 0
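As an added example (not the post’s ettercap setup and not King’s code), here is the same response rewrite as a mitmproxy addon in Python. mitmproxy is swapped in for ettercap’s filter language: it terminates TLS with its own CA exactly as ettercap does, so the browser needs the same certificate exception, and for the iPad app’s plain-HTTP API it needs no certificate at all. The host and path are the ones from the post; the sample response is constructed from the poll shown above with a made-up userId, and the override values are my choice.

```python
"""mitmproxy addon: rewrite the /api/poll response before the Flash client sees it.

Added example. Assumes mitmproxy's addon API (flow.request.pretty_host,
flow.request.path, flow.response.get_text()/set_text()); everything else is
plain Python so the rewrite logic can be exercised offline.
"""
import json

POLL_HOST = "candycrush.king.com"  # host seen in the post
POLL_PATH = "/api/poll"            # path seen in the post

# What the client is told. Fields not listed pass through untouched.
OVERRIDES = {"lives": 5, "maxLives": 5, "immortal": True}


def rewrite_poll(body: str) -> str:
    """Apply OVERRIDES to currentUser.

    Returns the body unchanged if it is not JSON or does not have the shape
    the post shows, so an error page or a changed API is never mangled.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return body
    user = data.get("currentUser") if isinstance(data, dict) else None
    if not isinstance(user, dict):
        return body
    for key, value in OVERRIDES.items():
        if key in user:  # only replace fields the server actually sent
            user[key] = value
    return json.dumps(data, separators=(",", ":"))


def response(flow):
    """mitmproxy hook, called for every HTTP response crossing the proxy."""
    if flow.request.pretty_host == POLL_HOST and flow.request.path.startswith(POLL_PATH):
        flow.response.set_text(rewrite_poll(flow.response.get_text()))


# Constructed sample: the poll body from the post with a made-up userId.
SAMPLE_POLL = (
    '{"currentUser":{"userId":1234,"lives":1,"timeToNextRegeneration":1780,'
    '"gold":0,"unlockedBoosters":[],"soundFx":true,"soundMusic":true,'
    '"maxLives":5,"immortal":false,"mobileConnected":true}}'
)


def demo() -> dict:
    """Rewrite the constructed sample and return the resulting currentUser."""
    return json.loads(rewrite_poll(SAMPLE_POLL))["currentUser"]


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it with mitmdump -s poll_rewrite.py and point the browser or device at the proxy (or use --mode transparent behind the same iptables REDIRECT rule ettercap uses). Keep in mind what this does and does not change: it only alters what the client is told, so the Flash client will show five lives and behave as though it is immortal, while whatever the server has recorded for your account is untouched.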

The third thing I noticed, while running the same MITM attack against an iPad, was that the mobile app version does not use SSL at all when calling the API: the JSON goes over plain HTTP, so there is no certificate to fake and no warning to click through. That makes it even easier to hack than the facebook app.

Finally, the simplest way to hack Candy Crush (or any other Flash based game) is to tamper with the game’s state in memory, which lives entirely on your machine and is not protected at all. There is a nifty little tool for this: scanmem. On Ubuntu, you can simply run
sudo apt-get install scanmem
to install it. scanmem is an interactive memory scanner for a local process: you tell it a value you can see on screen, it finds every address currently holding that value, you change the value in the game and tell it the new number, and it throws out every address that didn’t change the same way. Once the list of candidates is small enough, it writes whatever value you choose into those addresses. It reminds me of the 90’s when I used to crack copy protection on video games armed with nothing but debug and zipzap (or gdb and hexedit on linux), except that scanmem does all the tedious bookkeeping for you. I can walk you through the cheating process.
1) get the PID of the process hosting the Flash player. If you use Firefox, Flash runs in a separate plugin-container process, so ps aux | grep flash should return its process ID (the plugin library’s path shows up on its command line).
2) run scanmem
sudo scanmem
3) select the process from scanmem’s prompt:
pid [process ID]

4) pinpoint the location in memory that holds the value you are after. If you are trying to give yourself more moves on a certain level, look at the number of moves you have left and enter it at the prompt. For example, if you have 30 moves left, enter 30. It will likely find far too many matches to be useful, but that’s okay, because scanmem remembers every one of those addresses. Make another move in the game so you have 29 moves left, return to the scanmem prompt and enter 29. scanmem keeps only the addresses that went from 30 to 29 and the match count drops. Repeat the process until it returns 2 matches. Now you’ve pinpointed it!
5) change the value in memory. At the prompt, type:
set 200
and scanmem writes 200 into every remaining match, which gives you 200 moves. This is why you narrow the list first: set writes to all current matches (use list to see them numbered, and set 0=200 to write only to match 0 if you want to be selective).

6) reset scanmem. If you’re trying to track a different value or the number of moves on a different level, simply type: reset.

[Screenshot: before running the hack]

[Screenshot: after running the hack; note the number of moves left]
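Added example, not part of the original post and not scanmem’s own code: the narrowing search scanmem performs in steps 4 and 5, written out in Python so you can see what the tool is doing. The first functions work on byte snapshots and run offline against a constructed fake heap (the offsets, the decoy values and the 30/29/28 sequence are made up for the demo); the last three read and write a real process through /proc/<pid>/maps and /proc/<pid>/mem, which is what scanmem does underneath and requires root or ptrace permission over the target.

```python
"""Value-narrowing memory search: a minimal re-creation of scanmem's steps 4 and 5.

Added example. Assumes the counter is a 32-bit little-endian integer stored
in a readable+writable mapping (scanmem tries several widths; this one only
tries WIDTH).
"""

WIDTH = 4  # assumed width of the moves-left counter in bytes


def find_candidates(snapshot: bytes, value: int, width: int = WIDTH) -> set:
    """First scan: every byte offset in `snapshot` where `value` is stored."""
    needle = value.to_bytes(width, "little", signed=True)
    found, pos = set(), snapshot.find(needle)
    while pos != -1:
        found.add(pos)
        pos = snapshot.find(needle, pos + 1)
    return found


def narrow(candidates: set, snapshot: bytes, value: int, width: int = WIDTH) -> set:
    """Later scans: keep only the candidates that now hold `value`."""
    needle = value.to_bytes(width, "little", signed=True)
    return {off for off in candidates if snapshot[off:off + width] == needle}


def locate(observations, width: int = WIDTH) -> set:
    """observations: [(snapshot, value seen on screen), ...], one pair per move made."""
    (first_snap, first_val), rest = observations[0], observations[1:]
    cands = find_candidates(first_snap, first_val, width)
    for snap, val in rest:
        cands = narrow(cands, snap, val, width)
        if not cands:
            break  # value moved, or is not stored the way we assumed
    return cands


def patch(snapshot: bytes, offsets, value: int, width: int = WIDTH) -> bytes:
    """The `set` step on a snapshot: overwrite every remaining match with `value`."""
    buf = bytearray(snapshot)
    for off in offsets:
        buf[off:off + width] = value.to_bytes(width, "little", signed=True)
    return bytes(buf)


# --- constructed demo: a fake 256-byte heap ---------------------------------
COUNTER_OFFSET = 0x40  # made-up location of the real moves-left counter


def make_snapshot(counter: int, decoys: dict) -> bytes:
    """Zeros everywhere, the counter at COUNTER_OFFSET, decoy ints elsewhere."""
    buf = bytearray(256)
    buf[COUNTER_OFFSET:COUNTER_OFFSET + WIDTH] = counter.to_bytes(WIDTH, "little")
    for off, val in decoys.items():
        buf[off:off + WIDTH] = val.to_bytes(WIDTH, "little")
    return bytes(buf)


def demo() -> set:
    """30 moves left, then 29, then 28. Two decoys start at 30; one even follows to 29."""
    snaps = [
        (make_snapshot(30, {0x10: 30, 0x80: 30, 0xA0: 1234}), 30),
        (make_snapshot(29, {0x10: 29, 0x80: 30, 0xA0: 1234}), 29),  # decoy at 0x10 changed too
        (make_snapshot(28, {0x10: 29, 0x80: 30, 0xA0: 1234}), 28),  # only the counter follows
    ]
    return locate(snaps)


# --- real process access (Linux; root or ptrace access over the target) ----
def writable_regions(pid: int):
    """Yield (start, end) of every readable+writable mapping in /proc/<pid>/maps."""
    with open(f"/proc/{pid}/maps") as maps:
        for line in maps:
            addr, perms = line.split()[:2]
            if perms.startswith("rw"):
                lo, hi = addr.split("-")
                yield int(lo, 16), int(hi, 16)


def read_region(pid: int, start: int, end: int) -> bytes:
    """Snapshot one mapping via /proc/<pid>/mem (raises OSError on unreadable regions)."""
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        mem.seek(start)
        return mem.read(end - start)


def write_value(pid: int, addr: int, value: int, width: int = WIDTH) -> None:
    """What scanmem's `set` does for real: write straight into the live process."""
    with open(f"/proc/{pid}/mem", "r+b", buffering=0) as mem:
        mem.seek(addr)
        mem.write(value.to_bytes(width, "little", signed=True))


if __name__ == "__main__":
    print("surviving offsets:", [hex(o) for o in sorted(demo())])
```

Against a real target you would snapshot each region from writable_regions(pid) with read_region before and after every move, feed (snapshot, value) pairs to locate, then call write_value on what survives. The decoy at 0x10 in the demo is the point of the exercise: a single scan cannot tell the counter from anything else that happens to equal 30, and only the sequence of changes identifies it.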

Yes. It’s that simple. Back in the 90’s, I would have a notebook full of addresses that I considered “areas of interest” and use the process of elimination to pinpoint the right value. *sigh. Kids these days have it easy. If you’re planning on hacking candy crush, this might prove useful:
– number of moves: 2 matches
– bomb timers: 2 matches per bomb
– score: 4 matches
– checklists (the “collect N items” objectives): 1 match, but not the value shown on the screen. The game displays the number of items you still need to pass the level; in memory it stores the number of items you have already destroyed, i.e. [number of items needed to pass] - [number of items you have left]. Setting that to the number needed completes the objective.

Enjoy!


From → Hacks

18 Comments
  1. Alvin permalink

    Hi. Would you know the trigger port, trigger protocol, open port and open protocol for candy crush?

    • Hi Alvin, although I haven’t inspected the packets closely, it appears everything is sent via standard http (80). I was only really investigating the flash version of candy crush. It might be worth a closer look.

      • dsdsd permalink

        You would be correct. They are using a Jetty server (Java Servlet Container) on the backend being proxied through an apache http proxy.

  2. Agustin permalink

    Great!
    I have a problem though: I made it work to get more moves left on a level, but I can’t seem to make it work to get more lives! Could you help me? Is the number of matches also 2?

  3. reggie s. permalink

    Hi, really interesting hack through flash player. Anyway, is there any way, using a similar method, that I can reset my candy crush facebook progress to start all over again??? Please someone let me know, thanks a lot

  4. Dolce Panna permalink

    Hey man, nice guide. Can I please ask if you can give me a fast explanation of how I can change my user data by using my facebook id, so that I may change the resources my profile owns and I would be identified by the game’s server with much higher resources :) Thank you in advance, here is my facebook http://www.facebook.com/dolcepanna2012/ please PM me :) Thank you again

  5. How do you decrypt ssl traffic?

    • Simple answer is, you can’t. There are a couple of tricks to bypassing it. One is to use an ettercap filter and drop SSL encryption altogether. The second is to issue a separate SSL cert as the man in the middle. Both methods are, however, very detectable.

  6. I want to cancel my credit card urgently

  7. Bob permalink

    I didn’t know about scanmem ! It’s nice.
    Also, I’m surprised no one else seems to have “hacked” Candy Crush – maybe the players are not the kind of people who know about iptables, ssl, ettercap, and other goodies :D

    I’m more interested in hacking the mobile app, I might setup a squid server as a transparent proxy, to mangle the JSON requests.
    Meanwhile I have successfully played with scanmem to increase the number of moves, but I did not succeed in increasing the number of lives, maybe it’s because there is server communication between each death and that moves the number of lives in memory, so scanmem can’t find it.

  8. indivar permalink

    Thank you very much for your hack….!!!! Really awesome….. And can you please let me know if there is any hack for pool live tour on facebook, like increasing coins, buying cues, etc., in ubuntu…

  9. mar permalink

    Is it possible with HxD on Windows?

  10. simple_mind permalink

    Hi.. I found this article very interesting although I couldn’t understand it much. Could you please suggest some possible reads related to this for beginner-level knowledge…

  11. Rupali permalink

    Hi… While playing Candy Crush on a tablet it does not give many boosters and benefits…
    At my workplace Facebook is open for all but games on FB are blocked. Can you help me with how to unblock Candy Crush on FB.

  12. Gore din Chitila permalink

    Many thanks for the tutorial! It works great in Linux Mint 14, too ;-)
    I have a problem though: I made it work to get more moves left on a level, but I can’t seem to make it work to get more time on time-limited levels, like, for example, 189!

    Any advice ?
