<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta content="text/html; charset=utf-8" http-equiv="Content-Type"/>
<link href="../01-bootstrap.min.css" type="text/css" rel="StyleSheet"/>
<link href="../02-docstyle.css" type="text/css" rel="StyleSheet"/>
<link href="../syntax.css" type="text/css" rel="StyleSheet"/>
<title>mitmproxy 0.9 - Setting highscores on Apple's GameCenter</title></head><body><div class="navbar navbar-fixed-top">
<div class="navbar-inner">
<div class="container">
<a class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</a>
<a class="brand" href="../index.html">mitmproxy 0.9 docs</a>
</div><!--/.nav-collapse -->
</div>
</div>
</div>
<div class="container">
<div class="row">
<div class="span3">
<div class="well sidebar-nav">
<ul class="nav nav-list">
<li><a href="../index.html">Introduction</a></li>
<li><a href="../install.html">Installation</a></li>
<li><a href="../howmitmproxy.html">How mitmproxy works</a></li>
<li class="nav-header">Tools</li>
<li><a href="../mitmproxy.html">mitmproxy</a></li>
<li><a href="../mitmdump.html">mitmdump</a></li>
<li class="nav-header">Features</li>
<li><a href="../features/anticache.html">Anticache</a></li>
<li><a href="../features/clientreplay.html">Client-side replay</a></li>
<li><a href="../features/filters.html">Filter expressions</a></li>
<li><a href="../features/proxyauth.html">Proxy Authentication</a></li>
<li><a href="../features/replacements.html">Replacements</a></li>
<li><a href="../features/serverreplay.html">Server-side replay</a></li>
<li><a href="../features/setheaders.html">Set Headers</a></li>
<li><a href="../features/sticky.html">Sticky cookies and auth</a></li>
<li><a href="../features/reverseproxy.html">Reverse proxy mode</a></li>
<li><a href="../features/upstreamcerts.html">Upstream Certs</a></li>
<li class="nav-header">Installing Certificates</li>
<li><a href="../ssl.html">Overview</a></li>
<li><a href="../certinstall/firefox.html">Firefox</a></li>
<li><a href="../certinstall/osx.html">OSX</a></li>
<li><a href="../certinstall/windows7.html">Windows 7</a></li>
<li><a href="../certinstall/ios.html">IOS</a></li>
<li><a href="../certinstall/ios-simulator.html">IOS Simulator</a></li>
<li><a href="../certinstall/android.html">Android</a></li>
<li class="nav-header">Transparent Proxying</li>
<li><a href="../transparent.html">Overview</a></li>
<li><a href="../transparent/linux.html">Linux</a></li>
<li><a href="../transparent/osx.html">OSX</a></li>
<li class="nav-header">Tutorials</li>
<li><a href="30second.html">Client playback: a 30 second example</a></li>
<li class="active"><a href="gamecenter.html">Setting highscores on Apple's GameCenter</a></li>
<li class="nav-header">Scripting mitmproxy</li>
<li><a href="../scripting/inlinescripts.html">Inline Scripts</a></li>
<li><a href="../scripting/libmproxy.html">libmproxy</a></li>
<li class="nav-header">Hacking</li>
<li><a href="../dev/testing.html">Testing</a></li>
</ul>
</div>
</div>
<div class="span9">
<div class="page-header">
<h1>Setting highscores on Apple's GameCenter</h1>
</div>
<h2>The setup</h2>
<p>In this tutorial, I'm going to show you how simple it is to creatively
interfere with Apple Game Center traffic using mitmproxy. To set things up, I
registered my mitmproxy CA certificate with my iPhone - there's a <a href="../certinstall/ios.html">step by step
set of instructions</a> elsewhere in this manual. I then
started mitmproxy on my desktop, and configured the iPhone to use it as a
proxy. </p>
<h2>Taking a look at the Game Center traffic</h2>
<p>Lets take a first look at the Game Center traffic. The game I'll use in this
tutorial is <a href="http://itunes.apple.com/us/app/super-mega-worm/id388541990?mt=8">Super Mega
Worm</a> - a
great little retro-apocalyptic sidescroller for the iPhone: </p>
<p><center>
<img src="supermega.png"/>
</center></p>
<p>After finishing a game (take your time), watch the traffic flowing through
mitmproxy:</p>
<p><center>
<img src="one.png"/>
</center></p>
<p>We see a bunch of things we might expect - initialisation, the retrieval of
leaderboards and so forth. Then, right at the end, there's a POST to this
tantalising URL:</p>
<pre>
https://service.gc.apple.com/WebObjects/GKGameStatsService.woa/wa/submitScore
</pre>
<p>The contents of the submission are particularly interesting:</p>
<div class="highlight"><pre><span class="nt"><plist</span> <span class="na">version=</span><span class="s">"1.0"</span><span class="nt">></span>
<span class="nt"><dict></span>
<span class="nt"><key></span>scores<span class="nt"></key></span>
<span class="nt"><array></span>
<span class="nt"><dict></span>
<span class="nt"><key></span>category<span class="nt"></key></span>
<span class="nt"><string></span>SMW_Adv_USA1<span class="nt"></string></span>
<span class="nt"><key></span>context<span class="nt"></key></span>
<span class="nt"><integer></span>0<span class="nt"></integer></span>
<span class="nt"><key></span>score-value<span class="nt"></key></span>
<span class="nt"><integer></span>0<span class="nt"></integer></span>
<span class="nt"><key></span>timestamp<span class="nt"></key></span>
<span class="nt"><integer></span>1363515361321<span class="nt"></integer></span>
<span class="nt"></dict></span>
<span class="nt"></array></span>
<span class="nt"></dict></span>
<span class="nt"></plist></span>
</pre></div>
<p>This is a <a href="http://en.wikipedia.org/wiki/Property_list">property list</a>,
containing an identifier for the game, a score (55, in this case), and a
timestamp. Looks pretty simple to mess with.</p>
<h2>Modifying and replaying the score submission</h2>
<p>Lets edit the score submission. First, select it in mitmproxy, then press
<strong>enter</strong> to view it. Make sure you're viewing the request, not the response -
you can use <strong>tab</strong> to flick between the two. Now press <strong>e</strong> for edit. You'll
be prompted for the part of the request you want to change - press <strong>b</strong> for
body. Your preferred editor (taken from the EDITOR environment variable) will
now fire up. Lets bump the score up to something a bit more ambitious:</p>
<div class="highlight"><pre><span class="nt"><plist</span> <span class="na">version=</span><span class="s">"1.0"</span><span class="nt">></span>
<span class="nt"><dict></span>
<span class="nt"><key></span>scores<span class="nt"></key></span>
<span class="nt"><array></span>
<span class="nt"><dict></span>
<span class="nt"><key></span>category<span class="nt"></key></span>
<span class="nt"><string></span>SMW_Adv_USA1<span class="nt"></string></span>
<span class="nt"><key></span>context<span class="nt"></key></span>
<span class="nt"><integer></span>0<span class="nt"></integer></span>
<span class="nt"><key></span>score-value<span class="nt"></key></span>
<span class="nt"><integer></span>2200272667<span class="nt"></integer></span>
<span class="nt"><key></span>timestamp<span class="nt"></key></span>
<span class="nt"><integer></span>1363515361321<span class="nt"></integer></span>
<span class="nt"></dict></span>
<span class="nt"></array></span>
<span class="nt"></dict></span>
<span class="nt"></plist></span>
</pre></div>
<p>Save the file and exit your editor. </p>
<p>The final step is to replay this modified request. Simply press <strong>r</strong> for
replay.</p>
<h2>The glorious result and some intrigue</h2>
<p><center>
<img src="leaderboard.png"/>
</center></p>
<p>And that's it - according to the records, I am the greatest Super Mega Worm
player of all time. </p>
<p>There's a curious addendum to this tale. When I first wrote this tutorial, all
the top competitors' scores were the same: 2,147,483,647 (this is no longer the
case, beacause there are now so many fellow cheaters using this tutorial). If
you think that number seems familiar, you're right: it's 2^31-1, the maximum
value you can fit into a signed 32-bit int. Now let me tell you another
peculiar thing about Super Mega Worm - at the end of every game, it submits
your highest previous score to the Game Center, not your current score. This
means that it stores your highscore somewhere, and I'm guessing that it reads
that stored score back into a signed integer. So, if you <em>were</em> to cheat by the
relatively pedestrian means of modifying the saved score on your jailbroken
phone, then 2^31-1 might well be the maximum score you could get. Then again,
if the game itself stores its score in a signed 32-bit int, you could get the
same score through perfect play, effectively beating the game. So, which is it
in this case? I'll leave that for you to decide.</p>
</div>
</div>
<hr>
<footer>
<p>© mitmproxy project, 2013</p>
</footer>
</div>
</body></html>
