Jump to content

Zirak

Member
  • Posts

    15
  • Joined

  • Last visited

Profile Information

  • iDevice
    iPhone 5s

Recent Profile Visitors

1,247 profile views

Zirak's Achievements

Newbie

Newbie (1/14)

387

Reputation

  1. I've ran some more tests and confirmed the game has server sided validation/damage computation (logic seems to be pretty good as well, as it seems to reliably know whether you should win or lose at the server level). It also explains how it can do quick battles in Arena and determine whether you should win/lose, seems like the determination is done by the server and leaves a small margin of error for RNG. This check doesn't apply if you fight your friends (from the friend list), but appears to be checked everywhere else... So the best that this thing can do is if you have a team that has a 10% win rate (and the game server knows that team has a chance to win legit), you can potentially spoof the stats to guarantee a win and save time... As a programmer I'm impressed with how they've pulled it out, since it means they need to simulate the game play (factoring in the time, and animation for each skill, DPS, skill stuns, etc.) and judge whether the team comp you picked with the gear is eligible for a win. I've tried spoofing one item on Shemira and have a fully loaded (legit) team try to clear 9-20, and was able to JUST barely clear it, and it would still fail with a battle_check_key error, so the logic to validate this must be really accurate. Here's a video:
  2. Damage is reflected in game, but it results in a battle key validation error when the game won packet is sent.
  3. I wrote a proxy that does exactly this, they initially use JSON to do the initial communication (to get stuff like the host IP and port), and then it establishes a WebSocket connection to it. If you change the WIN/LOSS flag to 0x01 (0x02 being a loss), it gets detected and fails their battle key check. The same goes if you manipulate the received packet to make the game think your heroes are like, let's say 120 when they are 90, if you win the match, the game battle key check fails and marks it as a loss... I've even tried by messing with the # of enchantments on weapons (spoiler alert, you can make them over 120, so you get HUGE stat bonuses). I'd need someone who is an expert at disassembling the binary of the game to identify how it's generating the packet, and see if we can identify what it uses to validate the packet the mobile device sends back to the server. Based at a glance, each sent packet seems to have a hash of some sort, but I have no clue how it's generated. I've tried enumerating each byte and creating separate md5 hashes to see if it'll match (e.g. take bytes 0 to 1, take bytes 0 to 2 ... take bytes 10 to 40, take bytes 11 to 40... basically all iterations) but nothing appeared to match that way. The funny thing is, if you manipulate the packet (like change a random byte which doesn't impact your hero stats), and you win the battle, the game doesn't cause any battle_key check errors, and it sends a successful response back, as if everything went smoothly... which throws the hash theory out the window, or does it? Again, would need someone expert at disassembling the binary to help me find out how the packets are structured. PM me if anyone knows more about this at a technical level (no leechers/beggers please).
×
  • Create New...

Important Information

We would like to place cookies on your device to help make this website better. The website cannot give you the best user experience without cookies. You can accept or decline our cookies. You may also adjust your cookie settings. Privacy Policy - Guidelines