Manipulating Android Applications: How I hacked the Quiz of Kings game


First of all, it's good to be back after almost 3 years.
In this post I'll take a look at the most downloaded Persian game, with over 2.2M unique players. The game is in Persian (Farsi) and is a QuizUp-like game.
I appreciate the hard work that went into creating such an amazing game, despite its performance problems.
OK, let's get down to business.

I've created two users: Mormoroth, the actual me, and HackerAccount (the other me :D), which tries to win the game unfairly.

Okay, both accounts have added each other, and from HackerAccount I'm going to send a new game invitation to Mormoroth.

[Figure 1]

Intercepting the request, we can see something interesting: the parameter "Player_id=786375". This is how the client identifies the opponent, so we can determine any opponent's ID.
Now that we know Mormoroth's player_id, we'll use this ID later.
And as you can see, Mormoroth received a game invitation from HackerAccount.

[Figure 2]

Well, I'm going to accept that challenge; let's see who wins this game.
First, let's look at my statistics on HackerAccount.

[Figure 3]

[Figure 4]

Now we see "user_id=2758283", which is my HackerAccount ID. But what if we replace it with the ID we acquired earlier by sending a game request to Mormoroth?
Let's see.

[Figure 5]

Bingo! The numbers and percentages changed.
As you can see, we can now view Mormoroth's statistics from HackerAccount!

In fact, we can see anyone's stats; there is no limit. The server never checks that the user_id in the request belongs to the logged-in session (a classic insecure direct object reference). We can also send game invitations to anyone, bother other players, and so on…
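To make the "user_id" problem concrete, here is an added example (my own illustration, not the game's back-end code) of a stats endpoint that trusts the client-supplied user_id beside one that decides ownership from the session. The session store, the request shape and the stats values are constructed; only the two user IDs come from the post.

```python
"""Added example (not the game's code): an insecure direct object reference on a
"get stats" endpoint, and the authorization check that fixes it.

The session table, request shape and stats values are constructed for
illustration; only the two user IDs are taken from the post.
"""
from dataclasses import dataclass

# Constructed data: two accounts with the IDs used in the post and a
# server-side session table mapping a cookie value to the logged-in user.
USERS = {
    2758283: {"username": "HackerAccount", "wins": 1, "losses": 4, "accuracy": 40},
    786375:  {"username": "Mormoroth",     "wins": 9, "losses": 2, "accuracy": 81},
}
SESSIONS = {"cookie-for-hackeraccount": 2758283}


class Forbidden(Exception):
    """Raised when a caller asks for an object it does not own."""


@dataclass
class Request:
    cookie: str   # session cookie sent by the app
    params: dict  # query parameters, e.g. {"user_id": "786375"}


def current_user(req: Request) -> int:
    """Resolve the caller from the session cookie (server-side truth)."""
    try:
        return SESSIONS[req.cookie]
    except KeyError:
        raise Forbidden("no valid session")


def get_stats_vulnerable(req: Request) -> dict:
    """Trusts the client-supplied user_id: anyone's stats for anyone."""
    current_user(req)  # only checks that *some* session exists
    return USERS[int(req.params["user_id"])]


def get_stats_fixed(req: Request) -> dict:
    """Derives the subject from the session and refuses mismatched IDs.

    If the endpoint must stay parameterised (say, to view a friend's public
    profile), this is where an explicit visibility policy belongs; the point is
    that ownership is decided from the session, never from the client.
    """
    uid = current_user(req)
    requested = int(req.params.get("user_id", uid))
    if requested != uid:
        raise Forbidden(f"user {uid} may not read stats of user {requested}")
    return USERS[uid]


if __name__ == "__main__":
    # Replay the post: HackerAccount's cookie, Mormoroth's user_id.
    tampered = Request("cookie-for-hackeraccount", {"user_id": "786375"})
    print(get_stats_vulnerable(tampered)["username"])  # Mormoroth: IDOR
    try:
        get_stats_fixed(tampered)
    except Forbidden as e:
        print("fixed endpoint:", e)
```

The fix is not "hide the user_id": the opponent's ID is legitimately disclosed by the invitation flow, so the only durable control is an ownership check on every object the parameter can name.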

[Figure 6]

[Figure 7]

Okay, let's go and play a game against myself.
Here is how the game works: a user answers 3 questions and gets 3 flags, coloured green or red depending on the answer (green = right, red = wrong). Then it's the other user's turn to answer the same questions, but not in real time: you have 12 hours to answer. Let's play.

[Figure 8]

As you can see, Mormoroth (the good boy) answered 2 of 3 correctly (green flags). Now it's my turn to answer those questions.
OK, let's intercept the request and see what is going on.

[Figure 9]

As you can see, my second answer is incorrect.

[Figure 10]

Let's analyze the request.

There is a lot of interesting info here.
Our second answer wasn't correct and it carries "status":-1 and "answer":2, whereas the other two questions, which were answered correctly, have the value 1 for both the status and the answer fields. So in the next round I'm going to change those values to 1 and see what happens.

This time I answered all the questions incorrectly; as you can see, three red flags.

[Figure 11]

So let's just change the value of status and answer to 1 for every question and resend the request.

[Figures 12 and 13]
Well, that worked: now I can win every single game. The server trusts the status field sent by the client instead of checking the answer against its own answer key.
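As an added example (my own illustration, not the game's server code), here is a round-submission handler written the way the post implies the original worked, beside one that scores on the server. The JSON shape, the question IDs and the answer key are constructed; I also assume "answer" is the index of the chosen option, which the post does not state.

```python
"""Added example (not the game's code): a round-submission handler that trusts
the client's "status" field, beside one that scores on the server.

The request shape, question IDs and answer key below are constructed to mirror
what the post describes (three answers, status 1 or -1) and are assumptions,
as is treating "answer" as the index of the chosen option.
"""
import json

# Constructed server-side answer key: question id -> index of the correct choice.
ANSWER_KEY = {101: 1, 102: 3, 103: 1}
CORRECT, WRONG = 1, -1


def score_round_vulnerable(body: str) -> list:
    """Returns the flags the way a server that trusts the client would.

    The flag comes straight from the "status" the app sent, so editing
    -1 to 1 in the intercepted request turns a red flag green.
    """
    return [a["status"] for a in json.loads(body)["answers"]]


def score_round_fixed(body: str, game_questions: set) -> list:
    """Scores each answer against the server's own answer key.

    Anything the client says about correctness is ignored; the client may only
    say *which* choice it picked. The set of question ids must match the ones
    the server dealt for this round, so a cheater cannot swap in questions
    whose answers they already know.
    """
    answers = json.loads(body)["answers"]
    if {a["question_id"] for a in answers} != game_questions:
        raise ValueError("submitted questions do not match this round")
    flags = []
    for a in answers:
        choice = int(a["answer"])
        flags.append(CORRECT if choice == ANSWER_KEY[a["question_id"]] else WRONG)
    return flags


# Constructed request bodies. HONEST reflects a wrong second answer, as in the
# post; TAMPERED is the same payload with status and answer edited to 1.
HONEST = json.dumps({"answers": [
    {"question_id": 101, "answer": 1, "status": 1},
    {"question_id": 102, "answer": 2, "status": -1},
    {"question_id": 103, "answer": 1, "status": 1},
]})
TAMPERED = json.dumps({"answers": [
    {"question_id": 101, "answer": 1, "status": 1},
    {"question_id": 102, "answer": 1, "status": 1},
    {"question_id": 103, "answer": 1, "status": 1},
]})

if __name__ == "__main__":
    print("vulnerable:", score_round_vulnerable(TAMPERED))            # [1, 1, 1]
    print("fixed:", score_round_fixed(TAMPERED, {101, 102, 103}))      # [1, -1, 1]
```

The general rule this illustrates: any field that encodes a verdict (correct, paid, admin, won) must be computed from server-side state; the client only ever submits its choice.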

But is that it? Hell no. Let's see how far our bad boy can go.

I ran Quiz of Kings on an emulator to browse its files after installation.

[Figure 14]

Let's see what we can get by exploring the application's files and configuration.

So, a cookie file and a settings file that contain a lot of configuration on the client side! Dude, what exactly does your back-end do?

[Figure 15]

As you can see, "isLogin":true,"username":"HackerAccount" jumps right out. Is that it? Well, I'm going to change it to my other account, "Mormoroth", to see whether we can log in as another user without a password or any other authentication.

Okay, I changed the value to Mormoroth: "isLogin":true,"username":"Mormoroth"

[Figure 16]

Let's see whether this is going to work.

After a couple of minutes the application still didn't respond, so something is wrong.

[Figure 17]

Yeah, the settings file was now owned by root, because I had edited it as root, and the app (which runs under its own unprivileged UID on Android) could no longer read it. That's why the app doesn't load. You also have to remove the cookie.txt file in order to get a new cookie for the user you want to log in as.

Okay, in an adb shell I'm going to list the processes and find this app's PID, kill it, chown the files back to their default owner (the app's UID), and run it again.
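As an added example (my own, not the author's adb session from the screenshot), the repair step above as a small Python helper that reads `adb shell ps` and `ls -l` output, finds the app's UID, identifies the files that no longer belong to it, and emits the adb commands to stop the app, restore ownership, drop the stale cookie and relaunch. The package name, the file paths and both command outputs are constructed, since the post does not show them; it assumes a rooted emulator where adbd can kill and chown on the app's behalf.

```python
"""Added example (not the author's adb session): working out which files in an
app's private directory lost their owner after being edited as root, and the
adb commands that put things back.

Package name, paths and the ps/ls output are constructed; the real app's
package name and file layout are not given in the post. Assumes a rooted
emulator (adbd running as root) so kill and chown succeed.
"""
import re

PACKAGE = "com.example.quizofkings"       # assumption: real package name not in the post
APP_DIR = f"/data/data/{PACKAGE}"         # standard Android private data directory

# Constructed `adb shell ps` output (toybox-style columns). Each app runs as
# its own user, here u0_a91; that user must own the app's private files.
PS_OUTPUT = """\
USER      PID  PPID VSZ    RSS  WCHAN   ADDR S NAME
root      1    0    8896   1876 0       0    S init
u0_a91    5421 712  987654 9876 0       0    S com.example.quizofkings
u0_a12    5533 712  123456 4321 0       0    S com.android.browser
"""

# Constructed `adb shell ls -l` output for the app's files after editing
# settings as root: the edited file now belongs to root, the others do not.
LS_OUTPUT = """\
-rw-rw---- 1 root   root   1843 2019-05-01 10:12 shared_prefs/settings.xml
-rw-rw---- 1 u0_a91 u0_a91  412 2019-05-01 10:12 shared_prefs/other.xml
-rw------- 1 u0_a91 u0_a91  118 2019-05-01 10:12 files/cookie.txt
"""


def find_process(ps_output: str, package: str):
    """Return (pid, owner) of the process whose NAME column is the package."""
    for line in ps_output.splitlines()[1:]:      # skip the header row
        cols = line.split()
        if cols and cols[-1] == package:
            return int(cols[1]), cols[0]
    return None


def misowned_files(ls_output: str, app_user: str) -> list:
    """Paths whose owner or group is not the app's own user."""
    bad = []
    for line in ls_output.splitlines():
        m = re.match(r"\S+\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+(.+)$", line)
        if m and (m.group(1) != app_user or m.group(2) != app_user):
            bad.append(m.group(3))
    return bad


def plan_fix(ps_output: str, ls_output: str, package: str) -> list:
    """Commands to stop the app, restore ownership and relaunch it."""
    proc = find_process(ps_output, package)
    if proc is None:
        raise RuntimeError(f"{package} is not running")
    pid, user = proc
    cmds = [f"adb shell kill {pid}"]
    for path in misowned_files(ls_output, user):
        cmds.append(f"adb shell chown {user}:{user} {APP_DIR}/{path}")
    # Stale cookie: remove it so the app asks the server for a fresh session.
    cmds.append(f"adb shell rm {APP_DIR}/files/cookie.txt")
    cmds.append(f"adb shell monkey -p {package} 1")  # relaunch via the launcher intent
    return cmds


if __name__ == "__main__":
    for cmd in plan_fix(PS_OUTPUT, LS_OUTPUT, PACKAGE):
        print(cmd)
```

The ownership check is the part worth keeping: after any root-level edit under /data/data, compare every file's owner and group against the app's UID from ps before relaunching, or the app will fail exactly the way the screenshot shows.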

[Figure 18]

Well, everything is prepared and ready to go; let's just launch the game.

[Figure 19]

Wooooha! We logged in as another user without any authentication, and we can log in as any other user we want: the back-end issues a session for whatever username the client claims in its settings file.
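To show what should have stood between the settings file and a logged-in session, here is an added example (my own, not the game's code) of the vulnerable "resume from settings" logic beside a design where the client only stores a random, server-issued token and the server maps that token back to a user. The settings format, the password store and the token scheme are assumptions; the post does not show the real protocol.

```python
"""Added example (not the game's code): why a client-side "isLogin"/"username"
setting must never be the thing the server believes, and a session design
where the stored value proves nothing unless the server issued it.

The settings format, the password store and the token scheme are assumptions
made for this illustration; the post does not show the real protocol.
"""
import hashlib
import hmac
import json
import secrets


def _hash(pw: str, salt: bytes) -> bytes:
    """PBKDF2 password hash (constructed credential store, not a real one)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


_SALT = b"constructed-salt"
PASSWORDS = {                       # constructed credentials for the two test accounts
    "HackerAccount": _hash("hunter2", _SALT),
    "Mormoroth": _hash("correct horse battery staple", _SALT),
}
SESSIONS = {}                       # token -> username, populated only by login_fixed()


def resume_vulnerable(settings_json: str):
    """What the post observed: the username in the settings file *is* the identity.

    Any client that writes {"isLogin": true, "username": "Mormoroth"} becomes
    Mormoroth; no password and no server-issued secret are involved.
    """
    s = json.loads(settings_json)
    return s["username"] if s.get("isLogin") else None


def login_fixed(username: str, password: str) -> str:
    """Verify the password once and hand back a random, server-issued token.

    The token is the only thing the client needs to persist; it is unguessable
    and meaningless outside the server's session table.
    """
    stored = PASSWORDS.get(username)
    if stored is None or not hmac.compare_digest(stored, _hash(password, _SALT)):
        raise PermissionError("bad credentials")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def resume_fixed(settings_json: str):
    """Identity comes from looking the token up on the server, never from the
    username the client claims. Editing the username field changes nothing,
    and a token the server never issued resolves to nobody."""
    s = json.loads(settings_json)
    return SESSIONS.get(s.get("session_token"))


if __name__ == "__main__":
    forged = json.dumps({"isLogin": True, "username": "Mormoroth"})
    print("vulnerable resume:", resume_vulnerable(forged))     # Mormoroth
    tok = login_fixed("HackerAccount", "hunter2")
    forged_with_token = json.dumps({"isLogin": True, "username": "Mormoroth",
                                    "session_token": tok})
    print("fixed resume:", resume_fixed(forged_with_token))    # HackerAccount
```

Deleting cookie.txt worked in the post because the cookie was derived from the claimed username; with a server-issued token the only way to obtain Mormoroth's session is Mormoroth's password.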

That HackerAccount hacked Mormoroth :( :(

These vulnerabilities were reported to the vendor and have been patched by the time you read this.

Any questions? Feel free to ask me on Twitter.

Have fun and be safe!