How to bot DrugWars and bypass encryption

in #drugwars · 6 years ago

I reverse-engineered the encryption used by @drugwars for fun; here it is. You will need Chrome to follow this guide.

Every custom JSON transaction the game posts is now a single string of encrypted data. Once decrypted, the payload has exactly the format the game used before encryption was introduced. The data is AES-encrypted with a key that is specific to each Steem user, and the game sends that key to your browser. To obtain it, open the Network tab in Chrome's DevTools while on DrugWars and reload the page. Filter to WebSocket connections (the WS button at the top), select the connection, and open its Messages tab. Go to the fourth message, click the arrow beside "1", then "response" (if the message order has changed, look for the response that contains a "key" field). You should see this:
[image: the WebSocket response expanded in DevTools, showing the "key" field]
The string beside "key" is important; save it, as you'll need it. Now for the fun part: combining some JSON and the key to get the encrypted text.

  1. AES-encrypt the JSON of the transaction with CryptoJS, using the key you just obtained (CryptoJS treats a string key as a passphrase).
  2. Call .toString() on the result to get the base64 ciphertext string.
  3. Remove all double-quote characters from that string.
  4. Replace all "=" characters with Ml32.
  5. Replace all "/" characters with Por21Ld.
  6. Replace all "+" characters with xMl3Jk.

Side note: the method used for steps 4-6 was taken directly from a StackOverflow answer.

@drugwars, remember: client-side encryption with a key the client is handed protects nothing, because anyone running the client can recover that key and read or forge transactions. Since only your server is supposed to be able to read transactions, it would be a lot better for everyone if you just skipped using a blockchain altogether. Just use a database!

Also, remember: DrugWars, in its current state, is centralized.


This is hilarious. Thanks for sharing! I find it very ironic that they're now trying to encrypt the information coming in and out of the blockchain. A database would definitely make the most sense for them, but they still want to be considered a DAPP, most likely for marketing reasons...

Drugwars, you've got to figure something out

Last line is absolutely right. I don't see the point of using the Steem blockchain in this game.

Love it. Real decentralized games would be possible to use without the official game server. Obviously, bots would be relevant.

Paying for stuff using the Steem blockchain can make sense, but as long as there's no smart contracts the actual game logic will have to be on a server. That's fine, or one could simply use a different blockchain for that...

Posted using Partiko Android