by Flavio De Stefano


What I learned hacking the Facebook Messenger Soccer game

Recently, during the last European Football Championship, Facebook introduced a little game in the Messenger app that makes you lose hours and hours despite its simplicity.

If you didn’t notice it, read this article on Mashable.


I have to admit… I totally suck at this game, so my best score was 9.


But, as a Developer, the best thing I could do was to beat my friends by hacking the game.


I really thought this would be simple.


The first way: Listen to HTTP(s) requests

While developing apps, you quickly realize that you need an HTTP debugger tool to analyze the incoming and outgoing traffic of your APIs.

Charles is the best tool I’ve found to accomplish this task. It has a very intuitive interface and you can easily use it for debugging and reverse engineering purposes.


It was supposed to end at this point: I would analyze the API that the Facebook app used and simply replay the request with cURL, editing the data and the score sent to the server.

Of course, the API calls are made over HTTPS, so they are encrypted, but Charles can be used as a man-in-the-middle HTTPS proxy, enabling you to view in plain text the communication between the web browser and the SSL web server.

Perfect! So I installed the Charles root certificate on the iPhone and tried to inspect the traffic. But all HTTP calls to the Facebook servers were rejected up front, during the SSL handshake phase.

Doing some research, I discovered that some company apps like Facebook and Google use an extra layer of security to ensure that the certificate provided by the remote server is the one which is expected. This technique is called Certificate Pinning.


You can easily do this by including the public key of the remote server certificate within the application, so that on every HTTPS request the app can check that the certificate it is presented with is the expected one, not merely one signed by some CA the device trusts.

This technique defeats the man-in-the-middle (MITM) attack, because the proxy's certificate, even when its root is installed on the device, does not carry the pinned key.
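As an added illustration that is not part of the original article: the pinning check described above compares a hash of the server certificate's subjectPublicKeyInfo (SPKI) with a set of pins shipped inside the app. The Python below extracts the SPKI from a DER certificate, computes the usual "sha256/" base64 pin, and uses constructed certificate skeletons (no real Facebook or Charles keys; `fake_cert` is an assumption for testing) to show that a certificate minted by an interception proxy fails the check while a re-issued certificate for the same key still passes.

```python
import base64
import hashlib

def der_tlv(buf, pos=0):
    """Parse one DER TLV starting at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    """Yield (tag, raw TLV bytes) for each element inside a DER SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, _, nxt = der_tlv(body, pos)
        yield tag, body[pos:nxt]
        pos = nxt

def extract_spki(der_cert):
    """Return the raw subjectPublicKeyInfo TLV of a DER X.509 certificate (RFC 5280 field order)."""
    _, cert, _ = der_tlv(der_cert)     # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    _, tbs, _ = der_tlv(cert)          # tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, ... }
    fields = [raw for tag, raw in der_children(tbs) if tag != 0xA0]   # drop the optional version
    return fields[5]   # serial, signature, issuer, validity, subject, subjectPublicKeyInfo

def spki_pin(der_cert):
    """Pin in the HPKP / OkHttp convention: 'sha256/' + base64(sha256(subjectPublicKeyInfo))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(extract_spki(der_cert)).digest()).decode()

def verify_pin(der_cert, pinned):
    """Accept the leaf only if its key hash is in the pin set shipped inside the app."""
    return spki_pin(der_cert) in pinned

def der(tag, body):
    """Minimal DER encoder used only to build the constructed test certificates below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    enc = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(enc)]) + enc + body

def fake_cert(spki, serial=b"\x01", with_version=True):
    """Constructed certificate skeleton (assumption): real field order, dummy issuer/subject/signature."""
    seq = lambda *parts: der(0x30, b"".join(parts))
    sha256_rsa = seq(der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # OID 1.2.840.113549.1.1.11
    validity = seq(der(0x17, b"200101000000Z"), der(0x17, b"300101000000Z"))
    version = der(0xA0, der(0x02, b"\x02")) if with_version else b""
    tbs = seq(version, der(0x02, serial), sha256_rsa, seq(), validity, seq(), spki)
    return seq(tbs, sha256_rsa, der(0x03, b"\x00constructed-signature"))
```

On a live connection, `ssl.SSLSocket.getpeercert(binary_form=True)` returns exactly the DER leaf that `verify_pin` expects.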

Great job Facebook! But (remember, there's always a but) there is a way to disable SSL certificate pinning using some system tweaks that are only available on a jailbroken device.

The first way (enhanced): Jailbreak a device and install iOS SSL Kill Switch

My iPhone is currently running iOS 9.x, so at the time of this writing it was impossible to jailbreak. So I took an old iPad mini running iOS 8.3.x and easily jailbroke it using the TaiG tool.


Searching on the web, I found SSL Kill Switch 2, a blackbox tool to disable SSL certificate validation within iOS and OS X apps.

Once loaded into an iOS or OS X app, SSL Kill Switch 2 patches specific low-level SSL functions within the Secure Transport API in order to override and disable the system's default certificate validation, as well as any kind of custom certificate validation (such as certificate pinning).

SSL Kill Switch uses MobileSubstrate to patch system functions in the Secure Transport API, which is the lowest-level TLS implementation on iOS.

This means that disabling SSL certificate validation in the Secure Transport API should affect most (if not all) of the network APIs available within the iOS framework.

这意味着在安全传输API中禁用SSL证书验证应会影响iOS框架中可用的大多数(如果不是全部)网络API。

Please, do yourself a favor and follow this blog that covers all these concepts.


So, I connected to the iPad using SSH and installed the package:


wget https://github.com/nabla-c0d3/ssl-kill-switch2/releases/download/0.10/com.nablac0d3.SSLKillSwitch2_0.10.deb --no-check-certificate
dpkg -i com.nablac0d3.SSLKillSwitch2_0.10.deb
killall -HUP SpringBoard

Once rebooted, I expected to see the plain traffic, but that was optimistic: I got the same errors.

I tried this way for another hour. I read somewhere that Facebook and Twitter use the SPDY protocol for their API calls, and this could be a problem for Charles. So I installed another tweak that (theoretically) disabled the SPDY protocol, but it didn’t work.


Starving.


Looking at the project issues, I noticed that someone else had the same problem (https://github.com/nabla-c0d3/ssl-kill-switch2/issues/13), with no resolution.


Pause.


The second way: Simulate touch events within the application

I realized that many game cheats use a "human" approach: they simulate touch events (Clash of Clans is one of the most popular games targeted by cheats of this kind).

Browsing the web for a tool that automates these operations, I found this awesome tweak: AutoTouch. It can record human touch events and store the data in a Lua script. You can then edit the generated script and simulate whatever you want anywhere on your device.

Once installed with Cydia, I saved a BMP screenshot of the Messenger application with the ball visible and obtained the coordinates of where to click.


My idea was that, by tapping exactly at the center of the ball on the X axis, I only had to simulate repeated touch events at the same coordinates and then stop the script once I had a score I was satisfied with.

Here’s what I wrote to accomplish this goal:


adaptResolution(768, 1024);
adaptOrientation(ORIENTATION_TYPE.PORTRAIT);
for i = 1, 2000 do
  -- tap the ball's starting position, 66 ms press, 10 ms pause
  touchDown(1, 544, 954);
  usleep(66000);
  touchUp(1, 544, 954);
  usleep(10000);
end

Nope, it didn’t work.


Probably, Facebook's developers introduced a random error on the touch coordinates to better simulate the game, or to prevent this type of script.

Or, maybe I just clicked at the wrong pixel.


So, for a second chance, I tried to simulate multiple clicks in a larger area, but without luck. Sometimes, I simulated so many touch events that the Springboard just crashed because of memory errors.


Instead of clicking in the same coordinates every time, I tried a better approach.


Reading the AutoTouch documentation, I found the following two methods:


  • findColor(color, count, region) - Search the coordinates of the pixel points matching the specified color on the current screen.
  • getColor(x, y) - Get the color value of the pixel point at the specified coordinate on the current screen.

The idea was to find a unique color inside the ball, and use the findColor method to get the coordinates of the ball in that moment, to simulate a touch event.


adaptResolution(768, 1024);
adaptOrientation(ORIENTATION_TYPE.PORTRAIT);
local c = getColor(544, 954);  -- sample the ball's color once, at its starting position
for i = 1, 2000 do
  local r = findColor(c, 0, {400, 500, 768, 1024});  -- every matching pixel in the lower region
  for _, v in pairs(r) do
    touchDown(1, v[1], v[2]);
    usleep(66000);
    touchUp(1, v[1], v[2]);
    usleep(10000);
  end
end

I don't know why, but it simply didn't work. Maybe findColor is too slow to catch the ball, which makes the script useless.

The third way: Reverse engineer the app

I don't have strong native skills in Objective-C, but I remembered (from when I played with jailbreaking about 4 years ago) that there was a tool by Saurik that could inject itself into iOS processes.

It is released along with Cydia and is called Cycript. It allows developers to explore and modify running applications on iOS by injecting code at run time.

I read some basic tutorials on how to use it, and after a few struggles, I decided to follow this (another) way.


Once you login via SSH into your iOS device, you can easily attach to a process just by typing:


cycript -p Messenger

I tried to inspect some basic UI classes like UIApp, but didn’t find anything interesting. Then I made a complete class dump, filtering it for the keyword soccer.


var C = Object.keys(ObjectiveC.classes);
var soccer_classes = [];
for (var i = 0; i < C.length; i++)
  C[i].match(/soccer/i) && soccer_classes.push(C[i]);

It was a slow process.


I discovered that Facebook Messenger has a very large number of classes.


But, in the end, I got a small list.


Once I obtained the class names, I used a script to print all methods of the class, and, by inspecting the MNSoccerGame class, the resulting methods were:


Note: I still don't understand what the wasCheatDetected method does.

Now that I had a complete list of the class methods, I decided to override the _setScore method, hoping that other methods didn’t notice that.


To do this, I used MobileSubstrate and its MS.hookMessage method.

@import com.saurik.substrate.MS;
var _setScore_pointer = {};
MS.hookMessage(MNSoccerGame, @selector(_setScore:), function(arg0) {
  return _setScore_pointer->call(this, 9999);
}, _setScore_pointer);

Now you can just play, lose, and anyway score a new record.


What I learned

Never stop yourself. Always try to discover new ways to accomplish the same thing. I know, it's just a game, but if you treat the problem you're trying to solve as a challenge, you'll get much more out of it than the satisfaction of beating your friends.

Translated from: https://www.freecodecamp.org/news/what-i-learned-hacking-facebook-messenger-soccer-game-3c882ea8537d/
