Dragons of Atlantis is a Facebook game developed by KABAM. It is a massively multiplayer game similar to Travian or Evony, featuring lively warfare with the wild and other players. The game runs on nginx, which is a high-performance web server, a reverse proxy server, and an email server. Through its Flash interface, the game talks to the web server frequently to execute attacks, build structures, retrieve landscapes, chat with other players, and perform dozens of other actions. Parameters are sent as JSON in the POST data, and the server returns JSON for the Flash client to process.
I have tried to intercept the information sent to the web server repeatedly by using Firefox and Firebug to look for a possible cheat in the game. However, like the previously mentioned game Zuma Blitz, which is also a Facebook game, the HTTP requests were not too vulnerable to tampering. Each HTTP request was secured by a security token called X-S3-AWS. Even Google gave me no results on this name. I had to look through the nginx documentation and plugins to find that this header is actually a part of ngx_aws_auth, which is an authentication plugin for Amazon Storage. Each HTTP request requires a valid token for the server to authenticate. If the POST data was tampered with, you must provide a correct token for the request to be valid. As in the previous post, I could only repeat the same request, but was not able to send new POST data to the server without a valid token, as this would result in a 500 Internal Server Error.
Although I looked in vain for a cheat, I did learn something about nginx and the authentication plugin. Always something to learn from a failure.
Some updates were made while I was studying for hacks to the game. I looked at the DOA Power Tools for Greasemonkey
header was programmatically generated. I believe the author of this tool has actually decompiled the Flash interface in order to find out the calculation mechanism of this header. It is actually the SHA1 hash of the POST parameters that are sent to the server. Thus each action will give you a different hash as the X-S3-AWS field in the HTTP header. For details, you can search for this line:
ajax.setRequestHeader ('X-S3-AWS', SHA1("playerId" + url + parmStr + "WaterDragon5555"));
in the DOA Power Tools. Cheers to the tool's author!
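The header above is a plain hash over request fields and a constant that ships in the client, which is why the same request could be repeated and why the value could be recomputed once the constant was known. The following is an added example, not code from the game or from DOA Power Tools: it puts that construction next to a server-side check that uses a per-session HMAC key with a timestamp and a single-use nonce. The function names, the request fields and the sample values are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Scheme described in the post: an unkeyed SHA1 over request fields plus a
// constant shipped inside the client. The same inputs always give the same
// token, so a captured request replays and the constant is no secret.
function staticToken(url, parmStr, clientConstant) {
  return crypto.createHash('sha1')
    .update('playerId' + url + parmStr + clientConstant).digest('hex');
}

// Hardened form (assumed design): HMAC-SHA256 under a per-session key issued
// by the server at login, covering a timestamp and a single-use nonce.
function signRequest(sessionKey, url, parmStr, ts, nonce) {
  // Length-prefix every field so the concatenation is unambiguous.
  const msg = [url, parmStr, String(ts), nonce]
    .map((f) => f.length + ':' + f).join('');
  return crypto.createHmac('sha256', sessionKey).update(msg).digest('hex');
}

// Server-side check for one session. The nonce set is in-memory and unbounded
// here; a real service would expire entries older than maxSkewSec.
function makeVerifier(sessionKey, maxSkewSec = 30) {
  const seen = new Set();
  return function verify(req, nowSec) {
    if (Math.abs(nowSec - req.ts) > maxSkewSec) return 'stale';
    if (seen.has(req.nonce)) return 'replay';
    const expected = Buffer.from(
      signRequest(sessionKey, req.url, req.parmStr, req.ts, req.nonce), 'hex');
    const given = Buffer.from(String(req.sig), 'hex');
    if (given.length !== expected.length ||
        !crypto.timingSafeEqual(given, expected)) return 'bad-signature';
    seen.add(req.nonce); // record only after the signature checks out
    return 'ok';
  };
}

// Constructed sample request, run through the verifier four ways.
function demo() {
  const key = crypto.randomBytes(32);
  const verify = makeVerifier(key);
  const req = { url: '/api/march', parmStr: '{"troops":10}', ts: 1000, nonce: 'n1' };
  req.sig = signRequest(key, req.url, req.parmStr, req.ts, req.nonce);
  return [
    verify(req, 1005),                                                 // first use
    verify(req, 1006),                                                 // same request again
    verify({ ...req, nonce: 'n2', parmStr: '{"troops":9999}' }, 1007), // edited body
    verify({ ...req, nonce: 'n3' }, 2000),                             // too old
  ];
}
```

A per-session key still lives in the client, so this only stops replay and removes the one constant shared by every player; the server still has to validate each action against the game state it holds.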