Chess.com: Hacking the High Score
In the gif above, the player gets a rating boost after the computer makes a move. The user doesn't have to make a single move to "solve" the puzzle -- and this is automated to run thousands of times per day!
Chess.com's iOS app has a section for rated puzzles — these are chess puzzles that affect a player's puzzle rating.
In the last post, I shared how to patch the chess app to trick their servers into thinking a puzzle was solved correctly: Hacking Rated Puzzles
In this post I will share how I used the patch from the last article and combined it with a script using Frida to get the 2nd highest rank on Chess.com's Puzzle Leaderboard.
Scripting an Automated Agent
The last post made it possible to get the correct answer by playing any move for any puzzle, but it still required that someone physically use the app.
In order to climb the global leaderboard, I needed a way to use the patch from the last post and combine it with an automated agent.
Below is a snippet of JavaScript that repeatedly asks the app to process the player's move (even though a move was not made) and proceed to the next puzzle.
The agent uses Frida to control the app by instrumenting a jailbroken iOS device over an SSH connection.
Frida is a tool that enables many ways to tamper with an app.
The script above looks for the UI element that is presenting the current puzzle, and then uses it to automate submitting answers.
By analyzing the static binary (described in the previous post) we can determine that CHRatedPuzzleViewController is responsible for presenting the current puzzle and the agent can use it to invoke the nextButtonTapped, and processMoveMadeByUser methods.
The patch from the previous post tricked the app to think the player always solved the current puzzle. As a result, the script above does not need to make moves for the app to tell the server the puzzle was solved; which ultimately applies a rating boost.
In addition, the script bounces between processing the user's move and continuing to the next puzzle. With just a 3 second delay to load puzzles the agent can solve thousands of problems in a day without any user input.
Conclusion
This post shares a short and simple JavaScript agent that was able process thousands of puzzles a day in the Chess.com iOS app. By using the patch from the previous post, all of the agent's submissions were marked "correct" and caused the server to boost my puzzle rating to the second highest global rating.
The servers were somehow able to stop my rating from growing right before the #1 rank was reached. I find it suspicious that the server knew to block my account when it was only 5 points away from the #1 spot, but all is fair in this game.
This work was done without access to any of the Chess.com app's source code. Since that static binary does not have stripped symbols, the names: CHRatedPuzzleViewController, nextButtonTapped and processMoveMadeByUser can be found by inspecting the static binary of the app. In a future post I will show what it is like to deal with an app that has stripped symbols.
Special thanks to @CodeColorist for helping me learn enough Frida to pull this off. Out of all the hackers and reverse engineers I message, CodeColorist is the only person who ever responds to me. I appreciate it! (please don't spam them with questions)
I anticipate that my Chess.com account will be banned soon. Before they ban me, below is a screenshot of my account reaching second place on the global leaderboard.
