There is a new retro Steem game by @LimeSoda. Hodl the Coin is a tribute to Flappy Bird in the galaxies. The player tries to hodl the Steem coin through the downsides and upsides for as many days as he can. The left mouse click is the only control.
The game has gathered many fans, especially in the German community. There were even challenges with SBD prizes!

So I tried to take part in this too
I took a shortcut, of course :> Instead of spending much time clicking, I tried to achieve a high score through a workaround. And it seems that the game has more than one hole. Oh, where was I during the @limesoda challenges...
Hodl the Coin uses the Phaser.io engine. Most Phaser games are client-side. This means the whole game is downloaded to the web browser, and all the JavaScript code (engine) stays there during gameplay. I was surprised how easy it is to just modify the code on my computer :O The JavaScript isn't even obfuscated, and the submitted high scores are not verified on the server side. This makes a perfect scenario to cheat a little.
Reverse engineering
TBH there is not much reverse engineering to do if the full source code is accessible. The whole game is in a single main.js file. All I had to do was modify a few variables, depending on what I wanted to achieve. The bigger trouble was injecting the modified code into the browser, but hey, what do we have local proxies for ;)
I will present here 2 ways to set a score of 5000 instantly (it can be unlimited, but who cares about the numbers).
1st example
One way is to set the initial score to 4999. After 1-2 seconds of play the coin will reach '5000 days' and can kill itself in glory.
...
this.currentScore=4999
...


2nd example
Very similar to the above: let's just increase the increment applied every tick (1-2 seconds) to 5000. The player will start from a score of 0 as normal, but the first tick will give him +5000 immediately.
...
this.currentScore+=5000
...


Weak points
Code obfuscation
First of all, if the game is meant to be a challenge, its code should be obfuscated. That makes it much harder for a cheater (or abuser) to look into the code. Minifying is not enough, as it can be reversed easily.
Server side verification
I have read some of the author's published statistics, e.g. how long players play, how many times they went to the leaderboard, etc. I am wondering why the uploaded player score is not verified, even by a simple timer on the server. I made 5k points in just one second. It should be easy to catch ;)
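The server-side timer check described above could look like the following sketch. It is an added example, not code from Hodl the Coin or its authors; the one-point-per-tick rule, the 1-second minimum tick, and the names startSession and verifyScore are assumptions.

```javascript
// Added example (Node.js): server-side plausibility check for uploaded scores.
// Assumptions, not taken from the game's code: one point per tick, ticks no
// faster than MIN_TICK_MS, and player ids that never contain ':'.
const crypto = require('crypto');

const MIN_TICK_MS = 1000;              // assumed fastest tick (post says 1-2 seconds)
const GRACE_POINTS = 2;                // tolerance for latency and clock jitter
const SECRET = crypto.randomBytes(32); // per-process HMAC key, constructed here
const usedTokens = new Set();          // one accepted score per session

function sign(payload) {
  return crypto.createHmac('sha256', SECRET).update(payload).digest('hex');
}

// Called when a round starts: the start time comes from the server clock and
// is bound to the player by the HMAC, so the client cannot backdate it.
function startSession(playerId, now = Date.now()) {
  const payload = `${playerId}:${now}:${crypto.randomBytes(8).toString('hex')}`;
  return `${payload}:${sign(payload)}`;
}

// Called on score upload. Returns { ok, reason }.
function verifyScore(token, playerId, score, now = Date.now()) {
  const idx = token.lastIndexOf(':');
  if (idx < 0) return { ok: false, reason: 'malformed token' };
  const payload = token.slice(0, idx);
  const mac = Buffer.from(token.slice(idx + 1), 'hex');
  const expected = Buffer.from(sign(payload), 'hex');
  if (mac.length !== expected.length || !crypto.timingSafeEqual(mac, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  const [tokenPlayer, startedAt] = payload.split(':');
  if (tokenPlayer !== playerId) return { ok: false, reason: 'wrong player' };
  if (usedTokens.has(token)) return { ok: false, reason: 'token reused' };
  if (!Number.isInteger(score) || score < 0) {
    return { ok: false, reason: 'invalid score' };
  }
  // The score can never exceed the number of ticks that fit in the elapsed time.
  const maxScore = Math.floor((now - Number(startedAt)) / MIN_TICK_MS) + GRACE_POINTS;
  if (score > maxScore) {
    return { ok: false, reason: 'score too high for elapsed time' };
  }
  usedTokens.add(token);
  return { ok: true, reason: 'accepted' };
}
```

This only bounds the score by wall-clock time since the server-issued start, so it catches the instant 5000 described above but is not proof that the round was actually played.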
File checksum
What would stop me from modifying the source code is a simple check of the file checksum. It could even be CRC32, but an MD5 or SHA256 fingerprint is pretty standard these days. If only the main.js file on my computer were verified against the server's copy, this would be perfect.
Thanks to authors
Thanks to @luschn [dev], @maybelater [pixelart / sound] and @berndpfeiffer [pseudorefactoring and bugcreation] for yet another nice Steem game ;) I saw your roadmap and I believe it will be a success.
Tip from me: make Hodl the Coin open source on GitHub and the game development will explode! You have my word ;)
Please take this article as a bug-hunting contribution towards improving the game :)