This is the second in the series of tutorials I'm writing for mitmproxy. You can find the first one - a 30 second tutorial on client replay - here. There will be more to come in the next few days.

The setup

In this tutorial, I'm going to show you how simple it is to creatively interfere with Apple Game Center traffic using mitmproxy. To set things up, I registered my mitmproxy CA certificate with my iPhone - there's a step by step set of instructions for doing this in the mitmproxy docs. I then started mitmproxy on my desktop, and configured the iPhone to use it as a proxy.

Taking a look at the Game Center traffic

Lets take a first look at the Game Center traffic. The game I'll use in this tutorial is Super Mega Worm - a great little retro-apocalyptic sidescroller for the iPhone:

After finishing a game (take your time), watch the traffic flowing through mitmproxy:

We see a bunch of things we might expect - initialisation, the retrieval of leaderboards and so forth. Then, right at the end, there's a POST to this tantalising URL:

https://service.gc.apple.com/WebObjects/GKGameStatsService.woa/wa/submitScore

The contents of the submission are particularly interesting:

<plist version="1.0">
<dict>
    <key>category</key>
    <string>SMW_Adv_USA1</string>
    <key>score-value</key>
    <integer>55</integer>
    <key>timestamp</key>
    <integer>1301553284461</integer>
</dict>
</plist>

This is a property list, containing an identifier for the game, a score (55, in this case), and a timestamp. Looks pretty simple to mess with.

Modifying and replaying the score submission

Lets edit the score submission. First, select it in mitmproxy, then press enter to view it. Make sure you're viewing the request, not the response - you can use tab to flick between the two. Now press e for edit. You'll be prompted for the part of the request you want to change - press b for body. Your preferred editor (taken from the EDITOR environment variable) will now fire up. Lets bump the score up to something a bit more ambitious:

<plist version="1.0">
<dict>
    <key>category</key>
    <string>SMW_Adv_USA1</string>
    <key>score-value</key>
    <integer>2200272667</integer>
    <key>timestamp</key>
    <integer>1301553284461</integer>
</dict>
</plist>

Save the file and exit your editor.

The final step is to replay this modified request. Simply press r for replay.

The glorious result and some intrigue

And that's it - according to the records, I am the greatest Super Mega Worm player of all time.

Curiously, the top competitors' scores are all the same: 2,147,483,647. If you think that number seems familiar, you're right: it's 2^31-1, the maximum value you can fit into a signed 32-bit int. Now let me tell you another peculiar thing about Super Mega Worm - at the end of every game, it submits your highest previous score to the Game Center, not your current score. This means that it stores your highscore somewhere, and I'm guessing that it reads that stored score back into a signed integer. So, if you were to cheat by the relatively pedestrian means of modifying the saved score on your jailbroken phone, then 2^31-1 might well be the maximum score you could get. Then again, if the game itself stores its score in a signed 32-bit int, you could get the same score through perfect play, effectively beating the game. So, which is it in this case? I'll leave that for you to decide.