How I Won Facebook Games without Hard Work
“It pains me much when I hear that out of conscience many of you repent the deeds that have been done and that you wish to abstain from new deeds… if this is true, you are not the men I believed you to be, for neither conscience nor infamy should dismay you, because those who win, in whatever mode they win, never receive shame from it… We have no business to think about conscience…”
Introduction
It's midnight, nearly finals week at school, I have a pressing final project to do and present tomorrow, and a few assignments slightly overdue, but when my friends started playing these new games on Facebook Messenger, I couldn't resist giving them a shot. After all, I've got all night to do my schoolwork, but I can only tackle these high scores while my mind is still young and fresh.
(I never made it past this screen)
Unfortunately, after playing a few games of the "Endless Lake" (which was all the rage in the group chat), I quickly realized that I lacked the skill or coordination to even come close to the scores of my friends. Perhaps with some practice, I could develop the skills necessary, but these guys had been playing since the early afternoon, (and it was already late evening) so they held a considerable head start on me. And there was no promise that, even if I underwent training, I'd be able to topple their fine scores.
Besides, practice strikes me as a tiresome grind. Still, I wanted the glory of sitting on the top of that leaderboard.
So, I wondered if I could Beat the System. As Malcolm Gladwell might have said, it's the underdogs who win most often by seeking alternative routes to victory. So, like Lance Armstrong in the races (an underdog due to his limited physical strength) or Derrick Rose at the SATs (an underdog due to his limited education), I (an underdog due to my underwhelming gameplay) sought an alternative route to victory. And, lo and behold, after a few minutes of tinkering, I was at the top of the leaderboard - no work required - without having to play a stupid game.
Of course, like all crafty criminals and conmen (and conwomen), I ended up dissatisfied with the result. Gloating over my high score felt wrong... Something stirred inside me and I felt unsettled.
After some pondering, I discovered the issue. Sure, I'd achieved the high score, but no one recognized the brilliance of my scheme. Folks just thought I was pretty good at this game. So, like all great criminals and conmen (and conwomen), here I am: writing this tell-all - ready to be admired for my cleverness, my resourcefulness, and two years of computer science education.
The Tell-All Story of How I Did Hoodwink the Leaderboard and Got Away with It Too
Step 1.
I saw that the game was playable in my web browser, from messenger.com. Since high scores must be passing from my computer to Facebook's servers somehow, I needed to know how those scores were being transmitted. I hoped that the format of the scores would be extremely simple, human-comprehensible, and modifiable. To find out how the scores were being sent from my computer to Facebook, I opened Chrome Developer Tools (Options -> More Tools -> Developer Tools) and went to the Network tab.
I'm not really sure what this does, but I know that each row here represents some sort of network request happening in this tab. Every time the webpage on my computer communicates with the server, it gets recorded here. Some are for resources like javascript files or images, but the interesting things for us are probably the xhr (XMLHttpRequests).
Step 2. Science
To find out which request(s) send the scores of the game to the server, I had to have my computer send the score of the game to the server, so that it would get recorded in the Network tab and I could see it. My thought process was: if I could see it, I could hopefully copy it, change the score parameter, and "resend" that to the server, mimicking the real request that the game sends when it sends scores.
I played a game and lost. After losing, a bevy of requests showed up in the Network tab. By clicking on a request, I could see its details. The first one in chronological order was a POST request that had "game_id" in the URL query string, which was a promising sign. Scrolling down a bit, Chrome had the query string laid out in human-readable format, where I saw that one of the arguments was "score". Bingo! So the next step was find out how to copy it, change the score to something higher than 8, and resend it.
Step 3
Upon right-clicking the response, I saw some promising options for tampering with the request. There was "replay XHR" and "copy as cURL" and "evaluate in console". Unfortunately, clicking "replay XHR" seemed to resend the exact same request (without giving me a chance to change the score argument). "Evaluate in console" seemed to do jack shit. "Copy as cURL" looked good, but I wondered if there were an in-Chrome solution to changing some values of a preexisting HTTP request and sending it rather than using curl.
Step 4
I Googled "modify response header chrome tools resend" to see if this assumedly common task had an easy solution. This was the second result and sounded quite like what I needed. After installing it and its required components, I was ready to finally achieve my destined victory.
.jpg){kind=link}
Step 5
I started the Chrome Extension, went to its tab in the Developer Tools, and enabled "Block/Reroute Requests". Then, I played a game and quickly lost. The extension allows modification or blocking of every request before its sent off to its destination. So when the game wanted to send my score of 48 to www.messenger.com, I felt it was a little low and modified it to send a slightly higher score instead. All the other requests I let pass with no modifications, and a star was born.
Conclusion
Some may say I didn't truly earn my spot at the top of the scoreboard today. Some may think I don't deserve it because I didn't work hard or "play by the rules". At the end of the day, though, the bits representing my top score in the game "Endless Lake" on Facebook's servers have a higher value than all of yours, and no one can take that away from me.
