This game, Bullet Force, recently appeared on the App Store and has somehow become a little bit famous, so I decided to take a look at it in any form to get exploits or vulnerabilities. I always prefer hacking in my own way, which is no memory search or debugging at all, but inspecting packets going between server and client. And I found some interesting stuff!
First of all, when you register a new account, the app accesses the database DIRECTLY to store the new user and some data, which is a very BAD idea indeed. Here is some proof:
Therefore, ANYONE can access the database with just some newbie SQL-Injection, modify values, and even steal accounts!
Here's an account email, but I won't show the password:
I successfully had access to this account! I could even PLAY with it too!
Proof of randomly chosen account password:
Then I stopped messing around with accounts; I wanted some currency! The same thing I did before, I now did with MY account. I got some gold, some coins and cases too, BUT I could also add myself unlocks, kills, deaths, etc.
Proof on device:
PIC 1: http://i.epvpimg.com/drqdd.png
PIC 2: http://i.epvpimg.com/4U0fh.png
However, gold hacks get you instantly banned.
I also noticed the "accounts" TABLE in SQL had a variable called "unbanned" (Type: BOOL); therefore, anyone that gets banned can get unbanned so easily by just inserting a "TRUE"! Proof:
All in all... This game is still in beta, that's why it's so simple and badly written. So guys, be careful if you register using the same password and email as your own. Finally found out how to get gold without ban (08/12/16)
PIC 3 (Unlocks): http://i.epvpimg.com/a2add.png
PIC 4 (Multiplayer): http://i.epvpimg.com/L4Fkb.jpg
If you want a free account with tons of gold: https://iosgods.com/...0/#entry1359042
If you want Credits and XP: https://iosgods.com/...ts-and-xp-hack/
Edited by Amuyea, 4 weeks ago.