Jump to content

How can I be sure that the value is stored on server side?


Iqbroly
 Share

Recommended Posts

When I change the value of some item in game guardian and it doesn't work(or doesn't actually change the value permanently) does that mean that it is server sided? Or there are other things/steps I need to follow to confirm that it's not hackable. 

I don't want to spend time tricking something that's not trickable.

Link to comment
Share on other sites

  • 2 weeks later...
  • 1 month later...

Hello my friend, it may be protection from the game, or there is another code for it somewhere else. I will tell you a secret,

There are four types of the same hack in most games in different storage,

For example:

Hack damage 

Xa = 100

Cd = 1

Ca = 0.001

A= 2147483647

What happens is that all storage has the same hack but with different values, If the protection is in CD But it is not in Xa 😉

 

 

Edited by ENDUP
Link to comment
Share on other sites

On 8/27/2022 at 6:40 PM, ENDUP said:

Hello my friend, it may be protection from the game, or there is another code for it somewhere else. I will tell you a secret,

There are four types of the same hack in most games in different storage,

For example:

Hack damage 

Xa = 100

Cd = 1

Ca = 0.001

A= 2147483647

What happens is that all storage has the same hack but with different values, If the protection is in CD But it is not in Xa 😉

 

 

Wow, is this really possible? Because the value is still server sided. I will start changing other values too now.

Link to comment
Share on other sites

  • 4 weeks later...
Quote

How can I be sure that the value is stored on server side?

Hi! there's several ways that indicate this:

  • 1) Check if the game communicating with game server oftenly; even when not scrolling through in-game marketplace/items. You can use PCAPDroid or HTTPCanary to check your game connection.
  • 2) The game use Online Account / GPlay account, etc
  • 3) When you're changing some values, the game will revert it by sending some connection; check it on PCAP. For websocket connection, find the game connection that sill "Open".
     
Quote

 it doesn't work(or doesn't actually change the value permanently)

This could be the case but not always indicate the values being stored on server. Here's why:

  • 1) It's not a real value, meaning that is only visual and being updated based on real values. You should find the right one by finding what address that changing the visual, it may lead to the real one.
  • 2) The game has memory changes detection, it means you need to disable the address that access your values to make it stay unchange. See common hex patching here: Hex Patching
  • 3) The game is client sided but the server forcing previous saved values; you can just simply block the connection that causing this on PCAP.
Quote

I don't want to spend time tricking something that's not trickable.

Actually, server sided games can still be hacked but just need some different workaround instead of directly changing the values:

  • 1) If you want to increase the game money to buy some item, you can just hack the item instead. Change the price into 0 or Free state, each game may different, it can depends purely on currency or game state. For example: "free": false is a state of item that aren't free or you can change the price itself ("currency": 1234) something like that.
  • 2) You can do connection swap; using a network engineering using Postman, you can try to get a free item. When click on claim, change the Item ID on the game connection with Paid item, you will get paid item for free by manipulating this.
  • 3) If the game is related to Google Play accounts, you might check this post: Hacking Rare Currencies
Link to comment
Share on other sites

  • 1 month later...
9 hours ago, under_score said:

postman is so confusing, how do you do that?

Hi! to use Postman, You need to Understand 'How Transaction Works' on your game. Usually, the game use POST/GET methods to receive desired data (Currency, Item, etc). It doesn't have a steep learning curve, You just need things to be prepared:

  • - Understanding of HTTP GET/POST Methods
  • - Crafting Request Method with Headers
  • - Finds out data to be sent by the game (Parameters/Payload)

In Summary; Most server-sided games has it's own API with Authentication (Off course) that crafted inside POST request along with Data that will access API. Here's some Learning Material:

I've also Added some Overview on Postman using Microsoft Store API:
https://youtu.be/Np6R3vDWfr8

Edited by MainC
bug
Link to comment
Share on other sites

  • 1 month later...

Some games Uses Json /csv for items and in memory they use ID for every item ingame and from the ID it get it's information like status etc the ID might be an int value or pointer for unity games they usally use int value for ID or a string and for other libs like libcocos2d they use pointers 
in case U change the pointer and it's just visual then the data is server side in most cases it's both sides game and server and the server just check if it's the correct data depending on manythings like lvl / stages etc 
if the game isn't unity game use ida pro to debug that lib and search for encrypt function or md5 or whatever encryption they use after that use frida to hook that function and make sure that u use charls proxy or burpsuite as a listener and from thoes request the game made use that encrypt function as a new native function and copy it's data (encrypted in charls or burp ) to decrypt that data if you find somthing interresting edit it and use the encrypt function again to reencrypt it and post it to server-side
this is how you hack non unity game server side 
in case of unity game they most likly use strings to the items as const if the dump file doesn't give thoes strings try to find a method or a class related to thoes string and  write a custom script to dump them then from there u can hack the items easly 

Link to comment
Share on other sites

On 11/13/2022 at 6:35 AM, MC_ said:

Hi! to use Postman, You need to Understand 'How Transaction Works' on your game. Usually, the game use POST/GET methods to receive desired data (Currency, Item, etc). It doesn't have a steep learning curve, You just need things to be prepared:

  • - Understanding of HTTP GET/POST Methods
  • - Crafting Request Method with Headers
  • - Finds out data to be sent by the game (Parameters/Payload)

In Summary; Most server-sided games has it's own API with Authentication (Off course) that crafted inside POST request along with Data that will access API. Here's some Learning Material:

I've also Added some Overview on Postman using Microsoft Store API:
https://youtu.be/Np6R3vDWfr8

You can use PUT / PATCH / DELETE aswell to add shell code to server-side if they use weak security

On 11/13/2022 at 12:20 AM, under_score said:

postman is so confusing, how do you do that?

You can Use fiddler(avrage) / Burp-suite (pro) / Charles proxy (easy) 

Link to comment
Share on other sites

  • 2 weeks later...
On 7/13/2022 at 9:52 PM, Iqbroly said:

When I change the value of some item in game guardian and it doesn't work(or doesn't actually change the value permanently) does that mean that it is server sided? Or there are other things/steps I need to follow to confirm that it's not hackable. 

I don't want to spend time tricking something that's not trickable.

If it is a item from the store, you can just know it by changing the value of that item and then buying something in the game store. If the math done on the values you changed are based on the original value before modification then it is server sided. Regardless what the value shows on your screen.

Edited by Platonic
Added extra info
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.