NickStallman.net

Cheat in Candy Crush Saga: Easier than you think

by on Feb.28, 2013, under club penguin

Well, the other day I took a little peek at Candy Crush Saga’s security mechanisms and I found them somewhat lacking. It is trivial to skip levels and input arbitrary scores, and their servers will accept it without too much trouble.

Candy Crush Level Map

First you need to get your session id. In Chrome you can do it by opening Facebook, right-clicking on a blank bit of the page and, in the Developer Tools menu, clicking ‘Network’. Then open the game.

Chrome Developer Tools showing the gameInit request

You will see a lot of different hits that your browser is making, but you want to scroll down until you find the gameInit request. Copy and paste that URL into a new tab to load it and scroll right down to the bottom. There will be a chunk of text at the bottom like "currentUser":{"userId":10169xxxxx. 10169xxxxx is your user id, so keep that for later. In the URL you will also see gameInit?_session=M-RzT9CNQfjM6xxxxxxx; the part after the = is your session id. You also need this.

Behind the scenes, Candy Crush Saga uses a different naming scheme for the levels. You have an episode id and a level id. The episode id seems to increase after every ‘break’ in the in-game track, and the level id is the number of levels after the break, starting from 1. For example, level 39 is episode 4 level 4.

So you now have the following information:

Episode id: 4
Level id: 4
Session: M-RzT9CNQfjM6xxxxxxx
Facebook id: 10169xxxxx
Score: 123456 (Make something roughly plausible up for this)

You now need to make the security checksum. They simply hash a specific string and use the first 6 hex characters. Open an online MD5 tool such as this one, which has a text box and a button and outputs a string of gibberish when you press the button.

In the text box write this, filling in the values inside the square brackets as you go:
[episodeId]:[levelId]:[score]:-1:[userId]:1361826675157:BuFu6gBFv79BH9hk

The bit on the end is their ‘top secret’ verification string. You end up with something like this:
4:4:123456:-1:10169xxxxx:1361826675157:BuFu6gBFv79BH9hk

Pop that into the MD5 box and hit hash. Make sure there are no spaces before or after your text, as that changes the outcome. You should get 72a872f0399990657b6dd5fd2012691d for this example. You are only interested in the first 6 characters, so keep 72a872 and ignore the rest.

Then you create the magical submit score request and load it in your browser. Fill in the blanks then open it. :)

https://candycrush.king.com/api/gameEnd?arg0={"score":[score],"seed":1361826675157,"cs":"[6 character hash]","timeLeftPercent":-1,"episodeId":[episodeId],"reason":0,"levelId":[levelId]}&_session=[sessionId]

Remember the bits in [] brackets are the sections you replace. Don’t alter the rest.

Happy cheating.
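The checksum above cannot authenticate a score, because every input to it, including the fixed string, is known to the client. The following is an added example, not code from this post or from King: a sketch of a server that ignores `cs` and validates a gameEnd report against state it holds itself. The `GameServer` class, the session name and the score ceiling are hypothetical.

```python
import secrets

# Constructed per-level score ceilings; a real server would derive them from level design.
MAX_SCORE = {(4, 4): 400_000}

class GameServer:
    """Validates gameEnd reports against server-held state (hypothetical design)."""

    def __init__(self):
        self.unlocked = {}  # session -> set of (episodeId, levelId) the player may start
        self.pending = {}   # (session, seed) -> (episodeId, levelId), consumed on use

    def game_start(self, session, episode, level):
        if (episode, level) not in self.unlocked.get(session, set()):
            raise PermissionError("level not unlocked for this session")
        seed = secrets.randbits(48)  # unpredictable, chosen by the server
        self.pending[(session, seed)] = (episode, level)
        return seed

    def game_end(self, session, report):
        # The "cs" field is ignored: the client can compute it for any values.
        issued = self.pending.pop((session, report["seed"]), None)
        if issued != (report["episodeId"], report["levelId"]):
            return False, "seed not issued for this session and level"
        ceiling = MAX_SCORE.get(issued)
        if ceiling is None or not 0 <= report["score"] <= ceiling:
            return False, "score outside plausible range"
        return True, "accepted"

def run_demo():
    srv = GameServer()
    srv.unlocked["sess-A"] = {(4, 4)}  # constructed session state
    seed = srv.game_start("sess-A", 4, 4)
    honest = {"score": 123456, "seed": seed, "episodeId": 4, "levelId": 4}
    results = {"honest": srv.game_end("sess-A", honest),
               "replayed": srv.game_end("sess-A", honest)}
    # The fixed seed from the post was never issued by this server.
    results["fixed_seed"] = srv.game_end("sess-A", dict(honest, seed=1361826675157))
    inflated = dict(honest, seed=srv.game_start("sess-A", 4, 4), score=10**9)
    results["inflated"] = srv.game_end("sess-A", inflated)
    return results

if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

A score ceiling only bounds the damage; a server that needs exact scores has to replay the recorded moves against the seed it issued.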


1 Trackback or Pingback for this entry

  • Cheat Candy Crush Saga | TrungMC's Blog

    [...] This time, I can send the result to the server to get to the next level as well as to be at the top of the list among friends. The server doesn’t do a lot of validation to prevent this. Understandably, many people play the game on mobile and then later decide to connect to Facebook, the server must allow them to upload results. The upload is a simple HTTP GET with the parameters in plain text and a checksum is the only protection. Nick Stallman documented this checksum calculation thoroughly and I think the method will last since there are many mobile users which you can’t ask them to upgrade to patched version. So now, we can skip a level and later replay it easily. http://nickstallman.net/2013/02/cheat-in-candy-crush-saga-easier-than-you-think/ [...]
