Doodle Jump Hack
Doodle Jump is a game for iOS. I would like to hack the highscore of Doodle Jump. But I failed. Maybe other 1000 hackers came to the same point as me.
- You need a jailbreaked iPhone. Install Doodle Jump from App Store. You need Terminal app from Cydia. And also
- In the Doodle Jump options you must turn leaderboard score submission to auto. This cause that the score always will be submitted to http://limasky.com/.
- Before you start the game start tcpdump as root:
tcpdump -w ifdump -i en0. So you can sniff the packets from the game. tcpdump saves all packets to file
ifdumpwhich will be send over WiFi. Let tcpdump run while you play the game.
- Start Doodle Jump and play one game. Only one game with score > 0 is needed.
tcpdumpwith CTRL+C and transfer the
ifdumpfile to your PC. With a Packet analyzer like Wireshark you can now read the packets from the sniff.
A packet looks like this:
GET /limasky/webservices/doodle_jump/gethighscores.cfm?s=1708&sn=TheFox &shash=2088cffb1b83d986ee2a9609e69c75f5&uid=9fc51f9e64626801981ab594c 097477885c128f8&m=1&lng=de&gl2=0 HTTP/1.1 User-Agent: DoodleJump/1.13.2 CFNetwork/342.1 Darwin/9.4.1 Accept: */* Accept-Language: de-de Accept-Encoding: gzip, deflate Connection: keep-alive Host: www.limasky.com
At this point I failed. I failed because I need to send the right
shash variable to the server. It’s hashed for each score. If the hash is wrong the server will not take the score. At this point you need to crack the binary file of Doodle Jump by disassembling the code.
Update: On 2010-09-30 10:23, Doodle Disassbled <g@gr….net> wrote:
Hi guys, i disassbeled the executable and found how the score hash if generated. It’s a MD5 sum of gombalite + score. So if you want the shash of 1000000 points you have to get the md5 of gombalite1000000 which is 0cc64645f89d5044c4974ad85cbf5e78
ups .. sorry my i did a mistake: the word is gombaliste. So md5 gombaliste1000000 is 0cc64645f89d5044c4974ad85cbf5e78
Here is a PHP code example:
<?php $shash = md5('gombaliste'.$score);
Update, 2015-01-04: I sniffed the packets again and it’s still working with new variables like User-Agent and URL parameters. Still no HTTPS used, still the same hashing function. They only changed the submission timing. The score isn’t submitted immediately. After a few minutes after the game was over the score has been submitted.