mirror of
https://github.com/Grasscutters/mitmproxy.git
synced 2024-11-30 03:14:22 +00:00
106 lines
3.6 KiB
HTML
106 lines
3.6 KiB
HTML
|
|
||
|
## The setup
|
||
|
|
||
|
In this tutorial, I'm going to show you how simple it is to creatively
|
||
|
interfere with Apple Game Center traffic using mitmproxy. To set things up, I
|
||
|
registered my mitmproxy CA certificate with my iPhone - there's a [step by step
|
||
|
set of instructions](@!urlTo("certinstall/ios.html")!@) elsewhere in this manual. I then
|
||
|
started mitmproxy on my desktop, and configured the iPhone to use it as a
|
||
|
proxy.
|
||
|
|
||
|
|
||
|
## Taking a look at the Game Center traffic
|
||
|
|
||
|
Lets take a first look at the Game Center traffic. The game I'll use in this
|
||
|
tutorial is [Super Mega
|
||
|
Worm](http://itunes.apple.com/us/app/super-mega-worm/id388541990?mt=8) - a
|
||
|
great little retro-apocalyptic sidescroller for the iPhone:
|
||
|
|
||
|
<center>
|
||
|
<img src="@!urlTo("tutorials/supermega.png")!@"/>
|
||
|
</center>
|
||
|
|
||
|
After finishing a game (take your time), watch the traffic flowing through
|
||
|
mitmproxy:
|
||
|
|
||
|
<center>
|
||
|
<img src="@!urlTo("tutorials/one.png")!@"/>
|
||
|
</center>
|
||
|
|
||
|
We see a bunch of things we might expect - initialisation, the retrieval of
|
||
|
leaderboards and so forth. Then, right at the end, there's a POST to this
|
||
|
tantalising URL:
|
||
|
|
||
|
<pre>
|
||
|
https://service.gc.apple.com/WebObjects/GKGameStatsService.woa/wa/submitScore
|
||
|
</pre>
|
||
|
|
||
|
The contents of the submission are particularly interesting:
|
||
|
|
||
|
<!--(block|syntax("xml"))-->
|
||
|
<plist version="1.0">
|
||
|
<dict>
|
||
|
<key>category</key>
|
||
|
<string>SMW_Adv_USA1</string>
|
||
|
<key>score-value</key>
|
||
|
<integer>55</integer>
|
||
|
<key>timestamp</key>
|
||
|
<integer>1301553284461</integer>
|
||
|
</dict>
|
||
|
</plist>
|
||
|
<!--(end)-->
|
||
|
|
||
|
This is a [property list](http://en.wikipedia.org/wiki/Property_list),
|
||
|
containing an identifier for the game, a score (55, in this case), and a
|
||
|
timestamp. Looks pretty simple to mess with.
|
||
|
|
||
|
|
||
|
## Modifying and replaying the score submission
|
||
|
|
||
|
Lets edit the score submission. First, select it in mitmproxy, then press
|
||
|
__enter__ to view it. Make sure you're viewing the request, not the response -
|
||
|
you can use __tab__ to flick between the two. Now press __e__ for edit. You'll
|
||
|
be prompted for the part of the request you want to change - press __b__ for
|
||
|
body. Your preferred editor (taken from the EDITOR environment variable) will
|
||
|
now fire up. Lets bump the score up to something a bit more ambitious:
|
||
|
|
||
|
<!--(block|syntax("xml"))-->
|
||
|
<plist version="1.0">
|
||
|
<dict>
|
||
|
<key>category</key>
|
||
|
<string>SMW_Adv_USA1</string>
|
||
|
<key>score-value</key>
|
||
|
<integer>2200272667</integer>
|
||
|
<key>timestamp</key>
|
||
|
<integer>1301553284461</integer>
|
||
|
</dict>
|
||
|
</plist>
|
||
|
<!--(end)-->
|
||
|
|
||
|
Save the file and exit your editor.
|
||
|
|
||
|
The final step is to replay this modified request. Simply press __r__ for
|
||
|
replay.
|
||
|
|
||
|
## The glorious result and some intrigue
|
||
|
|
||
|
<center>
|
||
|
<img src="@!urlTo("tutorials/leaderboard.png")!@"/>
|
||
|
</center>
|
||
|
|
||
|
And that's it - according to the records, I am the greatest Super Mega Worm
|
||
|
player of all time.
|
||
|
|
||
|
Curiously, the top competitors' scores are all the same: 2,147,483,647. If you
|
||
|
think that number seems familiar, you're right: it's 2^31-1, the maximum value
|
||
|
you can fit into a signed 32-bit int. Now let me tell you another peculiar
|
||
|
thing about Super Mega Worm - at the end of every game, it submits your highest
|
||
|
previous score to the Game Center, not your current score. This means that it
|
||
|
stores your highscore somewhere, and I'm guessing that it reads that stored
|
||
|
score back into a signed integer. So, if you _were_ to cheat by the relatively
|
||
|
pedestrian means of modifying the saved score on your jailbroken phone, then
|
||
|
2^31-1 might well be the maximum score you could get. Then again, if the game
|
||
|
itself stores its score in a signed 32-bit int, you could get the same score
|
||
|
through perfect play, effectively beating the game. So, which is it in this
|
||
|
case? I'll leave that for you to decide.
|