Hacking High Scores in iOS GameCenter
https://kingofdkingz99.blogspot.com/2013/03/hacking-high-scores-in-ios-gamecenter.html
Karl Fosaaen recently wrote a blog post about cracking email hashes from the iOS GameCenter application. During research on the issue, he noticed that there were a number of games where users had insanely high scores. Lots of the users also had the exact same score (9,223,372,036,844,775,807) for each of the games that they played. Coincidentally, this number is the largest possible signed integer value that you can have. It turns out that getting these high scores isn’t that hard to do.
Setup
In order to modify our scores, we will need to proxy our iOS traffic through Burp. In order to properly intercept the encrypted iOS traffic, you will also need to install the Portswigger certificate on your iOS device. At this point, you will want your Burp listener to be on the same wireless network as your iOS device. You also need to have your Burp listener set to listen on all interfaces to allow your iOS device to proxy through it.
The iOS proxy settings are fairly easy to set up. Just enter your Wi-Fi settings, tap on the blue and white arrow-in-a-circle (to the right of your SSID), and scroll down to your HTTP Proxy settings. Set the server IP to your Burp listener and set your port to the Burp listener port. Visit an https website on your iOS device to see if the Portswigger certificate is properly installed. If you don’t have any issues (or SSL warnings), you should be ready to go.
Modifying Scores
Once your iOS device is properly proxying traffic through your Burp listener, you will want to generate a score to post to GameCenter. For most games, this is not very hard to do. We will be using “Cut the Rope” as our example. Open up the first level, set Burp to intercept traffic, and complete the level (you cut one rope, it’s really easy). At this point you will see the “Level Complete” screen on your iOS device and the following request will come through Burp. If you are seeing other requests come through, just forward them and keep your eye out for the request for the “submitScores” page.
Before forwarding the score on to Apple, you will want to modify the score. The highest possible value that you can submit is 9,223,372,036,844,775,807. Replace the “score-value” stored in the
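The weakness the post relies on is that the leaderboard accepts whatever "score-value" the client sends. The following is an added, defender-side example (not code from the original post, and not Apple's or GameCenter's code) showing the plausibility checks a leaderboard server can run on submitted scores: rejecting the signed 64-bit maximum outright, rejecting anything above a per-game ceiling the server itself knows, and flagging players whose rejected submissions repeat the same value across several games, which is exactly the pattern described at the top of the post. The game names, ceilings, field names and sample submissions are constructed for illustration.

```python
"""Server-side plausibility checks for client-submitted leaderboard scores.

Added example, not code from the original post or from Apple/GameCenter.
Game names, ceilings, field names and sample submissions are constructed
(hypothetical) and do not reflect any real leaderboard API.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Largest signed 64-bit value: 9223372036854775807. A submission carrying
# exactly this value reflects an edited request, not gameplay.
INT64_MAX = 2**63 - 1

# Hypothetical per-game ceilings: the highest score the game's own rules can
# produce. The server must know this; the client's claim is untrusted input.
GAME_MAX_SCORE = {
    "cut-the-rope": 10_000,      # constructed value
    "tetris-like": 1_000_000,    # constructed value
}


@dataclass(frozen=True)
class Submission:
    player: str
    game: str
    score_value: int  # the "score-value" field the client sends


def check_submission(sub: Submission) -> tuple[bool, str]:
    """Return (accepted, reason). Reject anything the game could not have produced."""
    if sub.game not in GAME_MAX_SCORE:
        return False, "unknown-game"
    if not isinstance(sub.score_value, int) or sub.score_value < 0:
        return False, "negative-or-non-integer"
    if sub.score_value >= INT64_MAX:
        return False, "int64-max-sentinel"
    if sub.score_value > GAME_MAX_SCORE[sub.game]:
        return False, "above-game-ceiling"
    return True, "ok"


def suspicious_players(subs: list[Submission], min_games: int = 2) -> list[str]:
    """Flag players whose rejected scores repeat the same value across games."""
    games_by_player_score: dict[tuple[str, int], set[str]] = defaultdict(set)
    for s in subs:
        accepted, reason = check_submission(s)
        if not accepted and reason in ("int64-max-sentinel", "above-game-ceiling"):
            games_by_player_score[(s.player, s.score_value)].add(s.game)
    return sorted(
        player
        for (player, _score), games in games_by_player_score.items()
        if len(games) >= min_games
    )


# Constructed sample batch: one honest player per game, one player posting
# the int64 sentinel to two games, one player over the ceiling for one game.
SAMPLE = [
    Submission("alice", "cut-the-rope", 3_450),
    Submission("bob", "cut-the-rope", INT64_MAX),
    Submission("bob", "tetris-like", INT64_MAX),
    Submission("carol", "tetris-like", 999_999),
    Submission("dave", "cut-the-rope", 250_000),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s.player, s.game, check_submission(s))
    print("suspicious:", suspicious_players(SAMPLE))
```

Ceiling checks only bound the damage; a client that can edit the request in transit can still submit any value under the ceiling. The durable fix is to make the server authoritative for the score (replay or validate the session server-side) rather than trusting a client-reported integer, with the checks above kept as a detection layer for the obvious cases.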
Source: NetSPI