Guide Using a game's API to give myself all items

Ted2 · November 19, 2020

Hello there,

Lately I've been playing around with API's from games & it's pretty fun actually
I thought, let's make a small guide/tutorial on an example game so maybe others can do awesome stuff too

So I'm sure most of you have ever played or heard about the game Bike Race. Well, this game got me into hacking mobile games & whenever I re-hack this game, I get new features & this was also the game I started experimenting this on.

Requirements for this:

Flexible
Jailbroken device
Some knowledge about http requests? (or just read it for fun..)

Flexible is one of the best tools out there if you're creating tweaks & need to debug something. Flex also has a "Network History" option, which logs all http requests that are being made by the app, in our cause Bike Race.

What a http request does is the following: It sends requests to a server & if the request is valid it'll give you a response.
For example when you clicked on this topic, you have send iOSGods a request to go to this topic, which returns this page as response.

So the main thing in the game Bike Race, are bikes, obviously. Since I've played this game for a long time back in the days, I happen to know that the developers store bikes into your account so when you come back it will restore them. But let's not get ahead of it & first start the game & log some network history...

So when I open up the game, stay on the main screen & look at my network history, I have like 36 requests being made by the game, most of them are stupid & not worth looking into, this is something you'll have to learn to recognize. But let's give you some examples for things that aren't interesting to look at:

A request for a image
a request to ad providers (may be interesting if you want to disable ads)
a request to crashlytics etc etc.

Some things that do seem interesting to me:

A request being made to a url that actually has the name of the game in it
A request being made with the word "player" in it

See the picture below, where the request boxed with red does not seem interesting, and the ones with green do.

Okay, so now think of what I've said: Whenever I come back to this game, it restores my bikes. To me, this sounds something like player related.
So if you look at the third request in the green box: bikerace-backend.tfgapps.com/players --> the long number above is the given ID.

This is a GET request, which means it's asking the url for data for this specific player. When I click on the arrow ('>'), I get some information about the request:

Request URL: https://bikerace-backend.tfgapps.com/players/974a6dd2-f0d3-4d55-b66a-a8a860641e51
Request Method: GET
Status Code: 200 OK
Response body: "Tab to view"

And some other stuff, but I'm interested in the response. Remember, when you send a request you'd want some kind of response. Sometimes this response is just a Status Code (200 OK, 500 NOT OK etc etc). So when I click "Tab to view" I get this response in json:

Spoiler


{
  "player" : {
    "worlds" : {

    },
    "isPaying" : true,
    "id" : "974a6dd2-f0d3-4d55-b66a-a8a860641e51",
    "guestId" : "b0eb68af8-5296-4d66-8bac-03c225c96448",
    "achievements" : [

    ],
    "tournamentsId" : "990bf6e4-ba4d-44a2-87fb-5684948101ae",
    "publicId" : "82cccb24-ff11-4195-81d8-133dda7c4910",
    "bikes" : [

    ],
    "retries" : 3,
    "referralInstallCount" : 0,
    "name" : "Guest_16006"
  }
}

I've started a clean account to minimize the json response, as it's very long in my original account.

Okay, so I've got some information about my account, as you can see my bikes is an empty array, because I do not have bikes yet. You can see some Id's for my account, my guest multiplayer name etc etc. So what now? Just change the bikes array right? Nope... this is sadly not how it works, this is the response from our GET request, we can't modify responses. If we could, then any game would get rekt.

All we got now, is player information which we can't directly modify from our request. However, remember: The game restores your progress, so at some point we it must modify our bikes array. So let's earn a bike & check our network history...

Ho-ly-sh!t, this seems interesting. The request method is a PUT, the name already explains what it does, it PUT's something into something... pls don't think about that kids . Jokes aside, this seems HUGE!

We also got something new, a request body. When you send data to a server (POST, PUT, UPDATE/PATCH etc), you enter it in the body of the request.
If I look at my request body, I see this:

Spoiler


{
  "bikes" : [
    6
  ]
}

Alright, so let's go a little back. Our request method was PUT, and it was send to the url https://bikerace-backend.tfgapps.com/players/974a6dd2-f0d3-4d55-b66a-a8a860641e51/bikes

So it's sending this data, to the player with the ID "974a6dd2-f0d3-4d55-b66a-a8a860641e51" & it's sending it the the players bikes.
Okay, so this is really huge then, as this is a PUT request, we know the url, the format of the data, meaning we can actually modify this.

Now comes the tricky part however, there are so many ways to send requests, you got tools for this, you can do it with curl from your terminal, you can do it with lots of programming languages etc.

I'm going to show you how I tested it: with Python.
Below, you'll see my Python code with comments that explain what what does.

# Importing the requests libary from Python
import requests
# Importing json, so we can print out the response in json.
import json

# Creating a function that takes one argument: The player ID.
def putAllBikesIntoiOSAccount(accountID):
    # The URL we have to send the request to, we got this from the image in the topic!
    url = 'https://bikerace-backend.tfgapps.com/players/' + accountID + '/bikes'
    # The headers, this is the same as MIME Type. Without the headers, it doesn't know what kind of data you're sending.
    headers = {"Content-Type": "application/json"}
    # The body, which will be ALL bikes (75 bikes total)
    body = {"bikes": range(1,75)}
    # The actual request being made. Notice the ".put", as we have to PUT bikes into /bikes.
    # First argument of 'put' is the URL it's being send to. Second the headers & lastly & most important: the body with our biks data.
    request = requests.put(url, headers=headers, json=body)
    # Printing our request, so we can see the result.
    print(request.json())
    return request

# Calling the function with my player ID
putAllBikesIntoiOSAccount("974a6dd2-f0d3-4d55-b66a-a8a860641e51")

Now when I run this python file, this is the response of the request we send:

{'bikes': [6, 1, 2, 3, 4, 5, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75]}

Wow! It seems to work, when I open the game: I got all bikes.

Playing around with games like this is much different than modifying their code directly, so that's why prior knowledge about making requests is kinda required.
The process of requests, I can't really explain. You will need some experience yourself, youtube has lot's of tutorials showing you how to retrieve(GET) data from a site, how to send(POST) data, how to update(UPDATE/PATCH) data etc etc.

I know most likely no one will try or understand this, as cheaters on this forum only do code patching, but this might be interesting for a curious person.
Also note that allot of games do have a proper API, where it will be very hard to find a request you can play around with.

Updated November 19, 2020 by Ted2

Laxus · December 23, 2019

Naisuuu

Question is do you need to run the python code everytime you open the game just do it once?

Updated December 23, 2019 by Laxus

bR34Kr · December 23, 2019

1 hour ago, Laxus said:

Naisuuu

Question is do you need to run the python code everytime you open the game just do it once?

No, it sets the bikes for your account. It's literally using what the game uses to notify the server when you earn a new bike or stuff like that. Nothing local :P

bR34Kr · December 23, 2019

@Ted2 Good job! You're jumping in an amazing world.

And btw, this

body = {"bikes": [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75],}

can be replaced with this

body = {"bikes": list(range(1, 75))}

X204 · December 23, 2019

Great

Ted2 · December 23, 2019

3 hours ago, bR34Kr said:

@Ted2 Good job! You're jumping in an amazing world.

And btw, this


body = {"bikes": [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75],}

can be replaced with this


body = {"bikes": list(range(1, 75))}

Correct, I do have that originally but I thought let’s keep it “simple “ for this “tutorial”

Though, now I think of it, maybe that is keeping it simple. I just happen to know most people here don’t code at all & thought 1,2,3...,75 would make more sense for them than list(range(1,75))

Updated December 23, 2019 by Ted2

Max-Q · December 23, 2019

17 minutes ago, Ted2 said:

Correct, I do have that originally but I thought let’s keep it “simple “ for this “tutorial”

Though, now I think of it, maybe that is keeping it simple. I just happen to know most people here don’t code at all & thought 1,2,3...,75 would make more sense for them than list(range(1,75))

Thats something i want to learn 😍😍Will try my best . Great stuff Ted2.

Ted2 · December 23, 2019

3 minutes ago, absolut1on said:

Thats something i want to learn 😍😍Will try my best . Great stuff Ted2.

cheers mate

B3albakii · December 23, 2019

amazing thanks

ubyt3x · December 23, 2019

Quote


body = {"bikes": [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75],}