Part 6: The epilogue
TUS is still technically not at zero!
This is part 6 of a 5-part series; the index with links to other sections is here.
I started thinking about what I would write in this post over two months ago.
There were all kinds of things I wanted to include. Jokes about Crab devs, the Crabada Discord, the ongoing high jinks of Cynical Hate DAO. I planned to start collecting memes and screenshots to add to this post.
Well, this is all I found in that folder:
Was this funny at some point? Maybe. Anyway, I lost a lot of motivation to do basically anything between seeing Avax drop down to $14 and having to go back to my job at McDonalds full time. But we’re now obviously in the middle of a bull run so no better way to celebrate than by squeezing out one last article to wrap things up.
As the price of TUS began to approach its third zero, for the first time in their lives the Crab Devs finally realized they couldn’t just literally ignore the economy. Although they had originally said they wouldn’t touch the idle game rewards, they moved to quickly slash rewards down to a fraction of their former amount. Which, to be fair, I think was a smart move; ultimately they wanted everyone on Battle Game anyway, and Idle Game was just filled with filthy botters.
I was thinking about just dumping everything at this point because it would be annoying to write a whole new bot. But seeing people post about how “botters are out of business” and “battle game can’t be botted” honestly kind of annoyed me. So I set out to write a battle game bot.
Investigating the game client
The BG is a thick client written in Unity, cross-compiled to iOS / Android / Mac / Windows (no Linux because they’re jerks). But fortunately it was easy enough to get running on Wine, and I set up my trusty Charles web proxy and configured the Wine container to use it as a system proxy.
The game itself is just a REST client over a backend API. It was actually reasonably well organized compared to the stuff I saw in the Idle game. Very straightforward to bot, with one caveat. Any mutating request (e.g. Mine, Loot, Feed) required a checksum, and it wasn’t obvious how to produce it.
Fortunately, you could actually get away without knowing how to produce it and still produce a pretty good bot! They neglected to put anything nondeterministic in the request, like a timestamp, so the checksum is basically always the same for various types of actions, including opening mines.
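The two paragraphs above describe the design gap that made the checksum reusable: it was computed entirely from values the client already had, with no nonce or timestamp, so the same action always produced the same tag. The script below is an added example, not code from the post or from the game; the checksum scheme, the embedded key, the request format and the `NonceServer` class are all constructed to illustrate the contrast between a deterministic client-side tag and a server-issued single-use nonce bound to a per-session key.

```python
"""Added example (not from the original post): a deterministic client-side
request checksum versus a server-issued nonce + HMAC design.

Everything here is constructed for illustration. The key, the hash scheme and
the request format are NOT the game's real checksum, key or API.
"""
import hashlib
import hmac
import json
import os
import time

# Constructed placeholder for a secret shipped inside a client binary.
# Anyone who extracts it can mint valid tags, so it adds no real integrity.
CLIENT_EMBEDDED_KEY = b"example-key-embedded-in-client"


def _canonical(action: dict) -> bytes:
    return json.dumps(action, sort_keys=True, separators=(",", ":")).encode()


def weak_checksum(action: dict) -> str:
    """Deterministic tag over the body only (constructed scheme).

    Nothing in the input varies between calls, so two identical requests get
    identical tags and a captured tag can be resent without knowing how it
    was computed. This is the property the post describes.
    """
    return hashlib.md5(CLIENT_EMBEDDED_KEY + _canonical(action)).hexdigest()


def is_replayable(action: dict) -> bool:
    """True when the same logical request always yields the same tag."""
    return weak_checksum(action) == weak_checksum(dict(action))


class NonceServer:
    """Hardened pattern (constructed): the backend issues a single-use nonce
    per mutating call, ties it to a session and a short TTL, and checks an
    HMAC over nonce + body with a per-session key negotiated at login.

    The per-session key is random, not a constant baked into the client, so a
    value pulled out of one binary cannot be reused across accounts.
    """

    def __init__(self, ttl_seconds: int = 30):
        self.ttl = ttl_seconds
        self.sessions = {}   # session_id -> per-session HMAC key
        self.issued = {}     # nonce -> (session_id, issued_at)

    def login(self, session_id: str) -> bytes:
        key = os.urandom(32)
        self.sessions[session_id] = key
        return key

    def issue_nonce(self, session_id: str, now: float) -> str:
        nonce = os.urandom(16).hex()
        self.issued[nonce] = (session_id, now)
        return nonce

    def verify(self, session_id: str, nonce: str, body: bytes, tag: str, now: float) -> bool:
        entry = self.issued.pop(nonce, None)   # single use: consumed on first sight
        if entry is None:
            return False
        owner, issued_at = entry
        if owner != session_id or now - issued_at > self.ttl:
            return False
        expected = hmac.new(self.sessions[session_id], nonce.encode() + body,
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)


def client_sign(key: bytes, nonce: str, action: dict):
    """Client side of the hardened scheme: HMAC over nonce + canonical body."""
    body = _canonical(action)
    return body, hmac.new(key, nonce.encode() + body, hashlib.sha256).hexdigest()


def demo_hardened():
    """Returns (first_accepted, replay_accepted, tampered_accepted, stale_accepted)."""
    server = NonceServer(ttl_seconds=30)
    key = server.login("sess-1")
    action = {"op": "mine", "team": 1}
    t0 = time.time()

    nonce = server.issue_nonce("sess-1", t0)
    body, tag = client_sign(key, nonce, action)
    first = server.verify("sess-1", nonce, body, tag, t0 + 1)
    replay = server.verify("sess-1", nonce, body, tag, t0 + 2)        # same nonce again

    nonce2 = server.issue_nonce("sess-1", t0)
    body2, tag2 = client_sign(key, nonce2, action)
    tampered = server.verify("sess-1", nonce2, body2 + b"x", tag2, t0 + 1)

    nonce3 = server.issue_nonce("sess-1", t0)
    body3, tag3 = client_sign(key, nonce3, action)
    stale = server.verify("sess-1", nonce3, body3, tag3, t0 + 60)     # past TTL
    return first, replay, tampered, stale


if __name__ == "__main__":
    print("weak tag replayable:", is_replayable({"op": "mine", "team": 1}))
    print("hardened (first, replay, tampered, stale):", demo_hardened())
```

The point for a backend owner is in `NonceServer.verify`: a nonce is consumed on first sight, bound to the session that requested it, and expires, so even a client that has been fully reversed cannot reuse a captured request. Moving the integrity secret out of the shipped binary and into a per-session key is what actually removes the value of extracting it.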
But I didn’t want a half-ass mining bot, I wanted a full looting bot. Partially because it’s more profitable, and partially because people annoyed me by saying it couldn’t be done. So I set out to figure out how that checksum worked.
Reverse engineering the client
Originally I was going to write a step by step guide on how to reproduce this. But I’ve completely lost interest, so I’ll just give you a quick summary.
The game is written in C#, then cross-compiled to C++, then compiled to assembly. You can use a tool like ILSpy to peek into the installation and view a list of all the classes/methods/members in the app. But you won’t get method bodies.
Peeking at the data, it’s relatively easy to spot their ‘Encryption’ class, and glancing at the naming / fields you can determine that they’re doing some kind of AES encryption + MD5. All you really need is the AES IV / Key, and technically also some details about how they’re using it (but they use it the obvious way).
I tried to use Ghidra and successfully decompiled the app. It worked pretty well, but I couldn’t figure out how to get the data stored in the static fields, and was unable to get the app to launch in debug mode.
I downloaded a cracked version of IDA Pro and used that to disassemble it. I didn’t have the decompiler plugin though, which was a pain in the ass. I managed to figure out where I needed to be in the disassembly by cross-referencing against the Ghidra decompiled code.
Although I managed to relatively quickly locate the right spot where the static fields were loaded, embarrassingly I couldn’t figure out how to dereference the pointers correctly to get at them. I ended up setting a conditional breakpoint and stepping into the array initialization code to find the values.
Building a bot
Now that I had the IV/Key and details about how they were using them, it was pretty easy to hack up some code and compare against known values to confirm I was building the right output.
I played through a bunch of actions in the game and recorded all the requests/responses. I built a simple action loop and added features one by one until I had automated literally everything; I no longer had to touch anything, and once a day my Avax balance would magically bump up a few notches higher. My bot could:
Send low-level crabs to mine, and close them when finished.
Send high-level crabs to loot, and close. Targeting mines that have the materials we need the most to keep stocks low.
Automatically convert materials into food (enough to feed all crabs) and TUS (all excess materials).
Feed any crab with efficiency lower than max.
Automatically level crabs when enough shells are available.
Once a day, withdraw all TUS, bridge to mainnet, and swap to Avax / USDC / USDT (operator’s choice).
It turns out that if you have enough of a level gap (about 10 levels, against 1/1/1 teams), even a simple and stupid computer algorithm can create a team that will loot and win 95% of the time. Very rarely I would lose and when I watched the replay, I would be astounded at the randomness of the loss. That was good enough for me.
I naturally shared this bot with all the previous users of my idle game bot. Since profits went down so enormously I just gave it away; later on I added the option to tip after withdrawal, and people generously donated more than enough to keep the lights on for the central server.
I made a little poll on Twitter to see if anyone else was interested in using it:
And they were, so I released a stripped down mining-only bot on GitHub. A bunch of people contacted me to thank me for freeing them from the monotony of playing this ridiculous game. A few devs were annoyed that I leaked the private keys they worked so hard to extract. Other devs contacted me to say that they managed to implement looting on top of my bot and wanted to know if I would merge it (no).
Well, someone did not like me doing that. I found myself banned shortly after, even though I did not say or do anything in the crab server.
This was probably a good thing, because it helped me detach and just enjoy the free money. I suddenly no longer cared much about this game. A few weeks later I had moved on to a new project. Details to follow in an upcoming post?
But anyway, I recently found out my ban had expired or something and rejoined the server. It’s as hilarious as always. I especially enjoyed all the talk about lawsuits and legal threats.
The legal talk in general is fucking hilarious.
These guys larping as legal experts crack me up. Hey, did you know that CHD is actually heavily overweight with lawyers?
My legal counsel is advising me to tell you that you’re full of shit.
CHD actually sold all its crabs back when they were still $35/crab and donated the proceeds to charity, helping over 100 families in need.
Want to help? Donate to needy families here: https://donatenow.networkforgood.org/bali-covid19
I sold about half of mine off in July when it became obvious that TUS was going literally to zero. I sold the rest a few weeks ago to focus on my new project.
The crab botting may be over, but the friends I made while crab botting are forever.
So long, and thanks for all the TUS.