Doodle Jump Hack

Published in category Security
on Christian Mayer's Weblog.

Doodle Jump is a game for iOS. I would like to hack the highscore of Doodle Jump. But I failed. Maybe other 1000 hackers came to the same point as me.

  1. You need a jailbreaked iPhone. Install Doodle Jump from App Store. You need Terminal app from Cydia. And also tcpdump is needed.
  2. In the Doodle Jump options you must turn leaderboard score submission to auto. This cause that the score always will be submitted to
    Doodle Jump Options
  3. Before you start the game start tcpdump as root: tcpdump -w ifdump -i en0. So you can sniff the packets from the game. tcpdump saves all packets to file ifdump which will be send over WiFi. Let tcpdump run while you play the game.
  4. Start Doodle Jump and play one game. Only one game with score > 0 is needed.
  5. Exit tcpdump with CTRL+C and transfer the ifdump file to your PC. With a Packet analyzer like Wireshark you can now read the packets from the sniff.

A packet looks like this:

GET /limasky/webservices/doodle_jump/gethighscores.cfm?s=1708&sn=TheFox
  097477885c128f8&m=1&lng=de&gl2=0 HTTP/1.1
User-Agent: DoodleJump/1.13.2 CFNetwork/342.1 Darwin/9.4.1
Accept: */*
Accept-Language: de-de
Accept-Encoding: gzip, deflate
Connection: keep-alive

At this point I failed. I failed because I need to send the right shash variable to the server. It’s hashed for each score. If the hash is wrong the server will not take the score. At this point you need to crack the binary file of Doodle Jump by disassembling the code.

Update: On 2010-09-30 10:23, Doodle Disassbled wrote:

Hi guys, i disassbeled the executable and found how the score hash if generated. It’s a MD5 sum of gombalite + score. So if you want the shash of 1000000 points you have to get the md5 of gombalite1000000 which is 0cc64645f89d5044c4974ad85cbf5e78
ups .. sorry my i did a mistake: the word is gombaliste. So md5 gombaliste1000000 is 0cc64645f89d5044c4974ad85cbf5e78
that’s all

Here is a PHP code example:

$shash = md5('gombaliste'.$score);

Update, 2015-01-04: I sniffed the packets again and it’s still working with new variables like User-Agent and URL parameters. Still no HTTPS used, still the same hashing function. They only changed the submission timing. The score isn’t submitted immediately. After a few minutes after the game was over the score has been submitted.

More Resources

Recent Posts

About the Author

Christian is a professional software developer living in Vienna, Austria. He loves coffee and is strongly addicted to music. In his spare time he writes open source software. He is known for developing automatic data processing systems for Debian Linux.