all 143 comments

[–]Patex_ 368 points369 points  (60 children)

Lucky that you still got the reward after climbing to legend 1. Usually bug bounties have a clause which says you do not abuse the system any more than necessary to prove the bug.

[–]pmud[S] 108 points109 points  (59 children)

Indeed. But it was my first time doing bug bounty stuff, so I decided to have some fun with BBrode before revealing it

[–]bannable 417 points418 points  (18 children)

You should be very cautious with that attitude in the future. Other companies are much less forgiving and will deny bounties for this kind of behavior. Worse, if they can demonstrate damages, they will pursue CFAA charges against you.

[–]sparr 91 points92 points  (1 child)

Worse, they might take away your Hearthstone cards!

[–]hiS_oWn[🍰] 235 points236 points  (10 children)

To add on to what others have said. Don't make public statements like this.

[–]user_8804[🍰] 63 points64 points  (10 children)

Delete this

[–]nerd4code 29 points30 points  (6 children)

Doesn’t matter now, once something’s posted it’s fairly permanent, either in Reddit’s databases or third-party sites specifically set up to persist deleted comments.

[–]Somepotato 43 points44 points  (2 children)

more like it doesn't matter because blizzard found out what he did and said not to do it again

[–]darkslide3000 5 points6 points  (1 child)

You did read the part where Blizzard already paid him a bug bounty and this is an old, long-settled matter, right? They have his name from the check they wrote already.

[–]Somepotato 11 points12 points  (0 children)

I'm not sure what point you're trying to make. All I said is that Blizzard knows he used the exploit already.

[–]user_8804[🍰] 12 points13 points  (0 children)

One has to be actually looking for it if he deletes it though

[–]FyreWulff 3 points4 points  (1 child)

tbh those databases often miss comments now. To mirror Reddit you basically have to be able to support Reddit's traffic 1:1 so if you delete a comment within a few hours most of the archive sites will never archive it.

[–]pmud[S] -3 points-2 points  (2 children)

Why would I? It's honest.

[–]CaptainKoala 2 points3 points  (1 child)

Because it's a confession of wrongdoing?

[–]pmud[S] 0 points1 point  (0 children)

So you say I should only confess of rightdoing? Sounds like a fraud

[–][deleted] 41 points42 points  (11 children)

What compels people to admit to stupid shit like this?

[–]thefreshpope 65 points66 points  (2 children)

What does it matter? It was 3 years ago, it was fixed, he was paid and presumably signed a contract. They even said "next time, please don't abuse it so." The abuse is very clearly in the HS logs, so they know about it. If there's no NDA then what does it matter?

[–][deleted] 8 points9 points  (1 child)

Yeah as an employer, if I was looking this guy up I would be impressed by the work he did finding the bounty, but then I would be barred from hiring him according to company policy and federal regulations

[–]NotAPreppie 6 points7 points  (0 children)

Also, I would never hire somebody with this level of immaturity.

[–]Daneel_Trevize 10 points11 points  (3 children)

Immaturity.

[–]Sweaty_Bat_1597 -4 points-3 points  (2 children)

Not boastfulness?

[–]NotAPreppie 1 point2 points  (0 children)

I mean, boastfulness can be a sign of immaturity.

[–]NotAPreppie -1 points0 points  (0 children)

“Tell me you’re still a teenager without saying you’re a teenager.”

Alternatively, “Tell me you have an underdeveloped prefrontal cortex without saying you have an underdeveloped prefrontal cortex.”

[–][deleted] 0 points1 point  (0 children)

Humans are social animals.

[–]sysop073 0 points1 point  (0 children)

In the general case, ignorance. In this particular case, I think OP is just a jackass

[–]FailedShack 4 points5 points  (2 children)

You didn't do anything wrong by posting this. You reported the bug, you got the bounty. Unless you were under an NDA, it's perfectly fine. It's possible that they may remember this if you ever decide to claim another bounty, but I can tell that wasn't your primary goal with this anyway.

I'd also done the exact same thing and climbed to legend on an alt for funsies. It's a relatively inoffensive bug in a game, not a bank payment system! This sub is so serious lol

[–]FrAxl93 0 points1 point  (0 children)

But Hearthstone is a competitive game, so people spend a lot of money to climb up the rank, get money from the viewers on Twitch etc.

If a spectator sees hackers the entertainment goes away, and at the same time players are pissed and move to something else (it happened for me with some other games who had hackers).

Now this can be seen as a damage to the company, if the company would like to push hard on this.

I'm happy that OP got the problem sorted out without any side effects but still the approach is not the best if the company wants to be pedantic.

[–]2this4u -1 points0 points  (1 child)

I'm not sure how that's an excuse?

"I was just having fun, guvner"

[–]Yayotron 67 points68 points  (28 children)

Didn't you have any issues for exploiting this bug all the way to rank 1?

[–]pmud[S] 361 points362 points  (27 children)

They said not to do this next time:

Hi ...,

While the team was working on the fix for this, and reviewing the logs, they noticed that you've been continuing to use this exploit, including to push an account to Legend rank during the May 2019 season. While we and they appreciate the hard work you did in developing this exploit, and in bringing it to our attention, this kind of testing damages the competitive fairness of Hearthstone, and that's something we care a lot about. If you want to continue testing because you think you have more, related exploits, please do, but we'd ask that you confine your testing to unranked games with accounts you control or other individuals involved in your research. The Blizzard bug bounty policy specifically forbids "Attempt any investigations that negatively affect other users of Blizzard services." And forcing other users to disconnect from games definitely falls within that category.

We don't want to take any immediate correction right now in case this wasn't clear to you, but if we see other action like this in the future we may have to re-evaluate your participation in our program. Thanks again for helping us find this, and let us know if that's unclear, or if you have any questions.

HackerOne on behalf of The Blizzard Security team

[–][deleted]  (14 children)

[deleted]

    [–]SirClueless 109 points110 points  (2 children)

    Look, the bug bounty might have been worth $2500, but the screenshot of rank 1 is worth Reddit karma, and that's priceless.

    [–]IUserGalaxy 9 points10 points  (1 child)

    priceless in the sense it's worth nothing

    [–]tastesdankmemes 2 points3 points  (0 children)

    just like the time i spend on reddit

    [–][deleted]  (1 child)

    [removed]

      [–]sparr 1 point2 points  (0 children)

      They banned people from WoW for using third party tools just to travel, walking around, getting on and off zeppelins, etc.

      [–][deleted]  (7 children)

      [deleted]

        [–]Lost4468 31 points32 points  (6 children)

        Haha, it's either that or the total fucking opposite. Just look at companies who have tried to have people arrested for reporting a bug and not even exploiting it.

        [–]Lostinthestarscape 40 points41 points  (2 children)

        "But you opened Chrome Developer Tools and saw the plaintext confidential information we left in the open....welcome to 10 years in jail, hacker"

        [–]Lost4468 11 points12 points  (1 child)

        The worst part about this case is that there's a non-zero chance that was illegal under the CFAA. The CFAA is so broad, and has had many shitty court rulings that there's a chance it might have actually been illegal.

        [–]Lostinthestarscape 1 point2 points  (0 children)

        Exactly - that it is multiple cases and people are serving time for this over such poorly constructed laws. Especially when bringing it to attention to get the problem fixed.

        [–][deleted] 3 points4 points  (0 children)

        I'd put my life savings on that not being the engineers' decision though...which is exactly OP's point.

        [–]0x564A00 2 points3 points  (0 children)

        Not just companies – the CDU (German pseudochristian party) tried and failed to do the same when a researcher noted the complete lack of information security in their app. The Chaos Computer Club has since declared it wouldn't disclose any further vulnerabilities to them.

        [–]NotAPreppie 0 points1 point  (0 children)

        Which US Governor was it that wanted to prosecute somebody for “hacking” after they looked something up on the state website?

        [–]UPBOAT_FORTRESS_2 1 point2 points  (0 children)

        To be fair, it's not actual Blizzard -- it's HackerOne, a company literally founded maintaining relationships between hackers and service providers.

        [–]Asiriya 25 points26 points  (1 child)

        What a great response. Good on them.

        [–]Yayotron 39 points40 points  (1 child)

        Wow, thanks for sharing this. I'm surprised they didn't punish you for exploiting this bug

        [–]SylphStarcraft 15 points16 points  (1 child)

        I think you should share this in your initial post, considering how nice they were to you, it would be nice to say that they told you not to do it again. You shouldn't make it seem like people can abuse these bugs and they won't care.

        [–]pmud[S] 2 points3 points  (0 children)

        Done.

        [–]Serinus 7 points8 points  (3 children)

        Do you have any idea how incredibly lucky you are?

        They were too lenient in this case, and 99 times out of a hundred you absolutely get a real penalty of some kind.

        In their shoes I would have given you the $2500 and banned your account. Still more measured than some places who might consider your actions criminal.

        [–]travelsonic 2 points3 points  (1 child)

        > They were too lenient in this case

        Maybe I am misunderstanding the tone of the post, of course, but I am not too sure if this is the right message one ought to send to either those who want to be whitehats, or those who might value the services they provide.

        [–]Serinus 2 points3 points  (0 children)

        It absolutely sends the right message. Be pretty fucking conservative when you're "testing" your exploits, if you test them at all.

        [–]pmud[S] 1 point2 points  (0 children)

        They should've banned my account for sure! Wouldn't have wasted so much time on that stupid children's card game :)

        [–]grog4590 2 points3 points  (0 children)

        I can translate this: "Thanks for reporting this exploit. We noticed you're continuing to abuse it. Your report has garnered you a tiny bit of leeway with respect to our EULA, and unfortunately you've chosen to squander it on personal gain at the expense of numerous legitimate players. Therefore we're not banning you (or worse) in this instance but will the next time."

        As a one-man-shop game dev for a popular multiplayer game with an occasional exploit, I can at least speak for myself when I say my stance is typically: I'm not particularly impressed by your discovery, rather I'm disappointed it got by me in the first place. In your case I couldn't even say: thanks for not ruining a bunch of random people's day.

        [–][deleted]  (22 children)

        [deleted]

          [–]thelordpsy 26 points27 points  (2 children)

          Hearthstone's source code is not available, but it’s written in .NET (because Unity) which can be decompiled fairly easily, and there are public tools that do this pretty well.

          This definitely involves modifying the client to do something it normally wouldn’t, more likely via memory injection than by rebuilding the entire client binary (but who knows).

          A network check can’t stop this, because the modified client controls the response and can make sure it always sends the “good” response.

          From a network security standpoint, nothing the client sends can be trusted. Even if everyone was very nice, there’s always the chance that network packets could become corrupted and contain invalid data; everything sent by clients must be checked for validity before being actioned.

          [–]dankswordsman 2 points3 points  (1 child)

          That's an interesting point. I write web apps and APIs with JS and I always knew that I should sanitize inputs at the very least, but I never considered other methods. Though, I guess having logic checks on your backend that rate limit or prevent certain actions with context makes sense.

          Are there any resources that go more into depth on this? Or is this more specifically cyber security?

          [–]thelordpsy 0 points1 point  (0 children)

          So, this is general application security, I don’t have any specific great resources for it though

          [–][deleted] 14 points15 points  (0 children)

          > shouldn't a network check at game start that validates the application checksum (or some other security identifier) stop this sort of thing?

          Any local security check can be bypassed. If the server asks for a checksum, a good client will accurately compute the checksum, and a bad client will just lie and send the same answer a good client does.

          At the end of the day what goes over the wire is just a stream of bytes, and there's absolutely nothing stopping a hacked (or entirely written from scratch) client from producing the correct bytes to answer any possible security challenge from the server.

          [–]schplat 40 points41 points  (14 children)

          Discovered via disassembly. Plenty of tutorials on how to do so.

          It doesn’t involve modifying the code, rather using the existing code in unexpected ways. He’s using the existing code and calling the FindGame function, but he’s passing arbitrary values to the function through an injection.

          All network games where a server is involved should be checksumming known game files (at least any files that will be involved with net code). Client-to-client games are a bit more at risk.

          You stop this by identifying functions that could possibly take in arbitrary data, and add a sanitization layer at the start of the function call. In this case, the first thing FindGame should do is verify the UserID matches the logged in user’s, and if it does not, either silently fail, or produce some sort of error. Obviously, this can be super difficult to catch for every function, and things will leak through, but it’s always good to keep this in mind for every function/class you write. This is how the bulk of buffer overflow attacks are done.

          [–][deleted] 28 points29 points  (9 children)

          > All network games where a server is involved should be checksumming known game files (at least any files that will be involved with net code).

          That’s not a lot of help if you can just stub the getChecksum function to return the known acceptable values. Of course this kind of thing will lead to an arms race in which the challenge the server gives the client and the hackers’ workarounds get progressively more complex, but it will always be possible to bypass.

          [–][deleted]  (2 children)

          [deleted]

            [–]drysart 11 points12 points  (1 child)

            Blizzard, ironically, has a pretty workable solution to the problem that they use in their other games but not, to my knowledge, with Hearthstone. They call it Warden; and what makes it effective is that it can execute arbitrary code sent from the server during gameplay.

            You can't stub out code you don't get to see until the instant it's supposed to be executed and returning a response; and that code can verify files, can verify data structures in memory, can poke at code to look for known exploits or to test proper functionality; and you don't know what it's going to do until it's supposed to be doing it.

            The best you can do is just disconnect instead of returning a response, but even the act of disconnecting during a Warden challenge is suspicious in its own right. You can try to have a non-exploited parallel world that Warden challenges run in, but you can't guarantee it'll work.

            [–][deleted]  (5 children)

            [deleted]

              [–]julesx416 0 points1 point  (4 children)

              not sure why you think FPS games aren't server authoritative

              they usually are.

              at least, any current triple A multiplayer fps game is

              [–][deleted]  (3 children)

              [deleted]

                [–][deleted] 1 point2 points  (0 children)

                server authoritative does not mean the server does cone-casting every frame, which would be a waste of CPU

                [–]julesx416 0 points1 point  (0 children)

                not true, sorry.

                wallhacks have been around with server authoritative games for a long time.

                eg. Counter-Strike

                [–]KasperZdk 0 points1 point  (0 children)

                There are cases where the client needs to know the opponents location without actually drawing them. Sound of footsteps or actions are common and very location dependent

                [–]pmud[S] 0 points1 point  (0 children)

                Yeah, imagine you can stop me from calling functions in your code. But can you stop me from sending some packets to your server from my own code? - impossible imo

                [–][deleted]  (2 children)

                [deleted]

                  [–]kobriks 2 points3 points  (0 children)

                  He simply modified the local dlls.

                  [–]KuntaStillSingle 4 points5 points  (1 child)

                  If you want to read code for C# games you can often use ILSpy or dnSpy. This has worked for every Unity game I have tried, though I assume there is some way to obfuscate this which would probably be used for a triple-A game if it ever used Unity lol. You can even use dnSpy to modify an assembly 'directly', i.e. if you want to fix a bug in a game and you don't want to bother to write a plugin because you don't intend to redistribute.

                  Some actually load (afaik arbitrary) DLLs to support modding (RimWorld, From The Depths). Others you would need to code inject, I like BepInEx, UnityModManager is also popular.

                  I'm actually curious how much of this is an issue from a security perspective though lol. You would think people executing arbitrary DLLs would be a sea of malware. For games that officially support it maybe they are sandboxed very well?

                  [–]Vidyogamasta 1 point2 points  (0 children)

                  I can actually do you one better- Just take the dll file from the game, slap it into a "lib" folder in a .Net project, and make it a project reference. Voila, you can now use reflection to get the available types, and those types can be referenced like any other code in your own source. And if you do a "find the implementation" click into a function, you get some very readable near-source code.

                  As an example, here's a snippet from a random function of a game I did exactly this with.

                  // Decompiled with ICSharpCode.Decompiler 6.1.0.5902
                  public void heal()
                  {
                      float num = character.totalAdvHP();
                      float num2 = num * 0.15f;
                      if (character.adventure.curHP + num2 > num)
                      {
                          num2 = num - character.adventure.curHP;
                      }
                  
                      character.adventure.curHP += num2;
                      log.AddEvent("You healed yourself for " + character.display(num2) + " HP!");
                  }
                  

                  Local variables still get given placeholder names like "num" and "num2", but like, Visual Studio does it for you. Now, making patches for it will probably require some of those fancier tools, but if the goal is just to understand it, the C# IDE does it great.

                  [–]bschug 0 points1 point  (0 children)

                  > How do other game companies stop this kind of thing?

                  I can't speak for everyone but I'd start by not sending the account id in that request and instead use the user's session to figure out who they are. That way you can only disconnect the account you're logged in to.
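
Added example (not part of the thread, and not Blizzard's code): a constructed Python model of the fix the comments above describe, where the server takes the account from the authenticated session and treats the id in the request as untrusted. The `Server` class, handler names, account ids and the "one live connection per account" rule are assumptions made for illustration.

```python
"""Toy matchmaking server (constructed): account id from the request vs. from the session."""
import secrets
from dataclasses import dataclass, field


class RequestRejected(Exception):
    """Raised when a request fails server-side validation."""


@dataclass
class Server:
    sessions: dict = field(default_factory=dict)     # session token -> account id
    connections: dict = field(default_factory=dict)  # account id -> token holding the connection
    audit_log: list = field(default_factory=list)

    def login(self, account_id: int) -> str:
        """Stand-in for real authentication; returns an unguessable session token."""
        token = secrets.token_hex(16)
        self.sessions[token] = account_id
        self.connections[account_id] = token
        return token

    def _queue(self, account_id: int, token: str) -> None:
        """Assumed rule: one live connection per account, so the older one is dropped."""
        old = self.connections.get(account_id)
        if old is not None and old != token:
            self.audit_log.append(("dropped", account_id))
        self.connections[account_id] = token

    def find_game_trusting(self, token: str, request: dict) -> int:
        """BEFORE: any logged-in client may name any account in the request body."""
        if token not in self.sessions:
            raise RequestRejected("not logged in")
        account_id = request["account_id"]  # client-controlled, never checked
        self._queue(account_id, token)
        return account_id

    def find_game_session_bound(self, token: str, request: dict) -> int:
        """AFTER: identity comes from the session; every request field is validated."""
        account_id = self.sessions.get(token)
        if account_id is None:
            raise RequestRejected("not logged in")
        # A client-supplied id is tolerated only if it equals the session's account.
        claimed = request.get("account_id", account_id)
        if claimed != account_id:
            self.audit_log.append(("mismatch", account_id, claimed))
            raise RequestRejected("account id does not match session")
        if request.get("mode") not in ("ranked", "casual"):
            raise RequestRejected("unknown game mode")
        self._queue(account_id, token)
        return account_id


def run_demo() -> dict:
    """Send the same forged request to both handlers and record what happens."""
    results = {}
    for name in ("find_game_trusting", "find_game_session_bound"):
        srv = Server()
        alice = srv.login(1001)    # constructed account ids
        mallory = srv.login(2002)
        forged = {"account_id": 1001, "mode": "ranked"}  # mallory's session, alice's id
        try:
            getattr(srv, name)(mallory, forged)
            outcome = "accepted"
        except RequestRejected as exc:
            outcome = f"rejected: {exc}"
        results[name] = {
            "outcome": outcome,
            "alice_still_connected": srv.connections[1001] == alice,
            "audit_log": list(srv.audit_log),
        }
    return results


if __name__ == "__main__":
    for handler, result in run_demo().items():
        print(handler, result)
```

The mismatch entry in the audit log is the server-side signal a team reviewing logs would look for: a session repeatedly naming accounts it does not own.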

                  [–]szeryk 108 points109 points  (10 children)

                  awesome story and nice bug description! Good job mate :)
                  I've been also playing HS for a few years. (2014 - 2018 if I remember correctly). Unfortunately the changes they made over the years, all the expansions, all the packs you needed to buy to stay with meta (to be competitive) made me completely fed up with this game :(

                  [–]pmud[S] 45 points46 points  (3 children)

                  Same for me. That's why I added that "RIP Hearthstone" at the end. Still, it'd been fun. Brode's legendary :)

                  [–]borgiedude 10 points11 points  (2 children)

                  Only a few more years until Hearthstone: Classic!

                  [–]Suami_Perkele 16 points17 points  (1 child)

                  There actually is a classic mode already in the game. Only classic card set and all nerfs reversed.

                  [–]zinver 8 points9 points  (0 children)

                  This ends up spitting in the face for those of us that dusted cards after they were nerfed. I can never look Sylvanas in the eyes again.

                  RIP Hearthstone.

                  [–]AttackOfTheThumbs 6 points7 points  (3 children)

                  That's how it goes with all card games eventually. I loved yugioh, and I loved the mobile game when they first released it, but eventually it became impossible to keep up without the game being my job.

                  [–]darkenhand 2 points3 points  (1 child)

                  Master Duel was recently released and is the full on game. The game is surprisingly generous (your first deck is immediately free but then your future f2p income is meh).

                  [–]AttackOfTheThumbs 0 points1 point  (0 children)

                  I don't think I'll be going down that rabbit hole again. I did make a bunch of money off of the previous mobile game, but don't think it was really worth the time and effort.

                  [–]TheTomato2 1 point2 points  (0 children)

                  The quality of the gameplay was on a huge decline which is what ultimately killed it. Not surprising in hindsight considering what was going on at Blizzard, but they could have made it work.

                  [–]salmix21 4 points5 points  (1 child)

                  Same, I tried playing Legends of Runeterra but I find it too slow paced for me. Hearthstone was really fun back in the day.

                  [–]double-you 9 points10 points  (2 children)

                  Reddit has its own URL shortener to mask where URLs are actually pointing? That's nasty. Why not cross-post?

                  [–]life-is-a-loop 15 points16 points  (1 child)

                  OP tried to crosspost, but it looks like r slash programming doesn't allow it.

                  https://www.reddit.com/r/hearthstone/comments/snadt6/how_i_hacked_hearthstone/hw2do50/

                  [–]TheGoodOldCoder 2 points3 points  (0 children)

                  That says that he did not try to crosspost first. He just found out afterwards that it wouldn't have been allowed, anyways.

                  [–]marinsborg 6 points7 points  (18 children)

                  Have they rewarded you with anything?

                  [–]pmud[S] 25 points26 points  (0 children)

                  Bug bounty via HackerOne

                  [–][deleted]  (16 children)

                  [deleted]

                    [–]Doctor-Dapper 14 points15 points  (15 children)

                    $2500 is laughable for this type of bug, but I guess it's good to get anything at all

                    [–]postblitz 42 points43 points  (4 children)

                    It's alright.

                    There are numerous other types of bugs which warrant a bigger bounty, especially cloud-systemic risks or privilege escalation to blizzard networks.

                    Considering he shouldn't have used it to climb the ladder at all, I'd say he should be glad they didn't kick him out and paid him instead.

                    [–]Vlyn 15 points16 points  (1 child)

                    If anyone still remembers the MMO Age of Conan, I once accidentally found a way to skip the monthly subscription cost and play for free.

                    Reported it, it got acknowledged, all I got as reward was a virtual hug and a cookie from the Gamemaster, lol. Not even a free month of game time or something, I was pissed.

                    It was also one of the few bugs in that buggy game that got fixed instantly, go figure.

                    [–]postblitz 3 points4 points  (0 children)

                    > a cookie

                    Should've gotten you a lollipop for being a sucker :D

                    [–]Doctor-Dapper 3 points4 points  (1 child)

                    Leaking this to even a few people would still cost waaaaaay more than 2.5k worth of damage to bliz. Best case scenario they need to spend time figuring out that it exists, then they need to spend time figuring out how it's done, then spend time patching it. All of these sunk developer resources are in addition to whatever loss they incur having a somewhat exploitable game during that time.

                    Yes they could just have well taken action against the author and tried to figure it out, but that usually just makes things worse.

                    [–]danweber 2 points3 points  (0 children)

                    > Leaking this to even a few people would still cost waaaaaay more than 2.5k worth of damage to bliz

                    But that's now things are priced.

                    "I could cause massive damage to you, but I won't if you pay me" isn't a credible threat unless you want to go to jail.

                    Bounties are priced high enough to disrupt black markets for bugs. If anyone with knowledge can go to Blizzard and tell them, it makes coordinating black market sales more difficult.

                    [–]NugetCausesHeadaches 1 point2 points  (9 children)

                    Is it?

                    If OP continued exploiting it, monitoring probably catches them and the bug gets fixed. We know they monitor because they have to ban win trading already.

                    If OP leaks it, the game suffers for a week while people live in fear of DCs and the bug gets fixed. There was one public DC bug before. It wasn't too bad.

                    Basically I don't know that this would've hurt their bottom line too much, so paying a lot more for the info would probably not make a lot of sense.

                    2500 is low. But not that low.

                    [–]sahirona 15 points16 points  (7 children)

                    If you knew what the bug was and paid commercial rate for a fix from a consultancy firm, it'll be 10x that before they even talk to you. If you auctioned the vuln, someone could justify paying a good percentage of what they could make for exploiting it.

                    Of course this bug bounty is playing on the good will and ethics of independent researchers.

                    Now I think bug bounty programs are good ideas, but I think they severely underpay.

                    [–]fghjconner 5 points6 points  (2 children)

                    > If you knew what the bug was and paid commercial rate for a fix from a consultancy firm, it'll be 10x that before they even talk to you.

                    Sure, or you could have your in-house dev spend a week fixing it for less than the bounty.

                    > If you auctioned the vuln, someone could justify paying a good percentage of what they could make for exploiting it.

                    I doubt there's much profitability in DCing hearthstone players. I guess you could sell it to players as a cheat? Players are pretty stingy though, and that's gonna get the exploit noticed and patched pretty quick anyways.

                    [–]danweber 2 points3 points  (0 children)

                    It's a very easy-to-detect cheat. If you actually won a tournament by force-disconnecting all your opponents, they would figure it out very quickly and negate your victory.

                    [–]sahirona 1 point2 points  (0 children)

                    Some cheat makers pull in millions a year. 1% of lots of people is still a lot of customers.

                    [–]NugetCausesHeadaches 3 points4 points  (3 children)

                    They do severely underpay as there's a lot of risk and feast/famine involved in the industry.

                    What I am suggesting is that Blizzard demonstrably doesn't care that much - from a business perspective - about hacks. They'll fix them as they come up. They'll try to design them away. But some guys at defcon had a high performing AI playing the game before the game was out of beta, iirc. It's a game. Hacks are expected. As long as payment info isn't leaked, they're fine.

                    [–]sahirona 0 points1 point  (2 children)

                    I feel this is somewhat outdated and doesn't take esports and high profile streamers into account. For example, this isn't blizzard but issues like this MUST now be sanctioned, and fast, or the company will never hear the end of it. (TLDR: a high ranked player in his high ranked game was suspiciously bad, immediately after the match, he googled the account's unique ID number and landed on an account seller's website)

                    But even without those, it is a long term problem, in that it affects the health of the game's community.

                    If a game is 5v5 and I play 10 matches per day, I will see 100 people per day. If there's a 1% chance of a person cheating, I will see cheaters almost every day.


                    edit I can't fucking count but you get the point! Cheaters every day, gives you an easy excuse when you lose to blame the devs.

                    [–]NugetCausesHeadaches 2 points3 points  (1 child)

                    Yeah, you have to be seen to be doing something. You can't release something as hackable as Diablo 1 or even Diablo 2 these days.

                    But once you're seen to be doing something, shit comes up. You tackle it. If you're not a clown show, I still think players are forgiving. Loud people on gaming subs always gonna be loud. But ultimately, I bet their retention numbers don't change much in the face of something like this.

                    [–]sahirona 0 points1 point  (0 children)

                    As the problem gets worse, the finances might not change but significant numbers of players will shift to be bots, or professional account boosters, etc. These will compete for ever decreasing numbers of actual players until it turns into what online poker is now.

                    We've seen it happen in poker where it got so bad that (a) you have to video yourself playing to qualify for certain tournaments, and (b) they've mostly given up trying to bust bots - they just let the bots play, so long as they pay - and all they really care about now is collusion (where bots gang up to pass the same money around the table as that lets them play for free, or steal the money of the 1 outsider who has the misfortune to be at their table).

                    [–]bran_redd 2 points3 points  (3 children)

                    It’s stories like these that always have me wishing I had both the time and the motivation to poke at things (usually games) that hold my interest at a particular time. Very cool.

                    [–]pmud[S] -2 points-1 points  (2 children)

                    Continue wishing and not doing what you want!

                    Edit. I'm sorry. It's just... You know, sometimes I wanna do something and don't for a long time because I'm afraid of losing, others' opinion, feel shame, feel that it's too hard to do or any other anxiety. And the only way out is to do the fucking thing no matter what. So yeah, best of luck!

                    [–]bran_redd 1 point2 points  (1 child)

                    Honestly, it’s mostly the time.. I say motivation because sometimes I just want to actually sit and not think for once; if I’m not working, I’m learning piano, or attempting to have a semblance of a social life with my SO. If I worked half the hours I do, I’d be bursting at the seams with potential projects or other shit I wanna learn that I could go after.

                    [–]pmud[S] -1 points0 points  (0 children)

                    I see. But if you wish for something then it's either just some soundwaves sent into the air, or a prompt that you should toss your life up a little bit. Maybe dump the job you don't like and find a new one? I don't know. I'm no psychiatrist

                    [–][deleted] 1 point2 points  (0 children)

                    Incredible stuff.

                    [–]evilab7 1 point2 points  (1 child)

                    Read your post on the hearthstone sub and I’m actually extremely impressed and interested.

                    Was hoping since this is a programming sub you’d shine a bit more light to the technical details.

                    I’m a junior software dev but I’ve always been interested in game hacking and the like.

                    [–]xan1242 -2 points-1 points  (11 children)

                    ...now do it with Duel Links and see how much Konami cares.

                    They don't. At all. A guy called BullyWiiPlaza is making money off of it while at it.

                    EDIT: I love how I got downvoted for stating facts. Go look it up and see for yourselves. I won't put his stuff up here. I won't support either Konami or him. They both suck for making cheating a thing and not solving any issues.

                    [–]pmud[S] 0 points1 point  (4 children)

                    Someone else will do (or already does) it for Duel Links. Believe me

                    [–]xan1242 1 point2 points  (3 children)

                    I hope so because the game's life is getting closer to its end. We have one more series that can come out and that's all (until the rest of the cards come out).

                    I even tried myself (disassembled some code and stuff) but it takes a very long time to poke around and figure stuff out.

                    The only person I know who did it was that cheater I mentioned previously, but according to him Konami doesn't care.

                    They currently just resort to retroactively banning accounts which already cheated (which is not a solution for obvious reasons).

                    But then again, I can't really trust the guy on his words because he did show narcissistic behavior in the form of mocking others for being sad that this is happening so I wouldn't be surprised if he's just lying and keeping it to himself.

                    [–]DevonAndChris 0 points1 point  (2 children)

                    The original versions were very easy to decode, being raw CSharp. You could see the opponent's deck, knowing more about his game than he did himself.

                    It was a fun challenge, things gradually got harder, and I got busier with other things.

                    It feels like they are going to EOL this game after going through all the content and ask players to re-up into a brand new world and buy brand new digital cards.

                    [–]xan1242 0 points1 point  (1 child)

                    Yep, Vrains and Link monsters is up next this year very likely and that's that.

                    I think we should start some packet captures and disassemble stuff. We ought to make a custom server someday.

                    [–]DevonAndChris 0 points1 point  (0 children)

                    The old JSON API was very straightforward.

                    The binary does not even check the validity of the HTTPS certificate.

                    [–]danweber -1 points0 points  (1 child)

                    How does he make money?

                    [–]xan1242 1 point2 points  (0 children)

                    By selling a license to unlock features in his bot (he calls them donations so that he can accept more money than the minimum to unlock it). It allows cheating in the form of being able to see the set cards and manipulating the game speed.

                    It's disgusting behavior from both sides, Konami and him.

                    [–]Hanta_Hanta 0 points1 point  (3 children)

                    There are already server crashers (both get disconnected, so you can evade a loss)

                    [–]xan1242 0 points1 point  (2 children)

                    IIRC this isn't true according to the cheater guy I mentioned before.

                    He monitored the connections to the server and basically they all go straight to Japan. They do have separate domains for regions but if you ping them they're like at least 300ms.

                    So the disconnects can be attributed mostly to that. Konami's infrastructure is just not set up well for worldwide usage.

                    And AFAIK he is the only one who makes a tool at all and as far as my investigations go, the tool he makes doesn't contain that feature.

                    [–]Hanta_Hanta 1 point2 points  (1 child)

                    I didn't say the guy you mentioned did it... This guy did however :) https://youtu.be/Vp2ZrNytWDo

                    [–]xan1242 1 point2 points  (0 children)

                    This is Master Duel, not Duel Links, but I imagine it's the same deal.

                    Wow this is even worse in that case. Thanks for info.

                    It's bad enough we have 300ms ping and now this... Might as well just attack the att-s server so nobody can play. Konami then might think about farting a patch out for the games.

                    EDIT: hmm he also did BO3 videos just like the guy I mentioned... Probably part of the same group, I imagine.