Cheating, episode 2 – Gamebreaking exploit

Hi all,
New year, old exploits :) I have noticed a gamebreaking exploit that I would like to shed some light on. First off, please remove my name from the ladder, right now position 5 with 161.565 seconds. And mad respect to those above me, I have no idea how you guys did it, but your understanding of the game surpasses mine by a mile and I think that I am rather good. I cannot write code or hack .apk. This exploit is such that it can be abused by anyone who has time and a rooted device. Here are some screenshots of my carries, used shadow and Biofeld: http://imgur.com/a/O1ONU
Alright, so let's get into it, what can this exploit do?
• Swap heroes, skills, elements and difficulty whenever you want. (MINOR EXPLOIT)
• Clear creep-wave (only on pre-bonus rounds). (MINOR EXPLOIT)
    o Bonus, gives an empty wave = unlimited delay. (MAJOR EXPLOIT)
• Unlimited amount of pre-bonusround waves. (GAMEBREAKING EXPLOIT)
All of these exploits were found when I began to store savegames so that I could try different strategies without going through large portions of the game. This allowed me to swap items on carries to see which performed better and which performed worse in the long run. What you have to do is basically to save the round.json (savegame) in another location and then start a new game with the hero/skills/elements/difficulty you’d like to have and then you replace the new savegame with the one you stored elsewhere. This does the first two things on my exploit list. On an exploitrun, I for example, start by getting the bonus gold from Loan Shark and then I change to a hero that is good earlygame. Later on I swap to an endgame hero and when time comes to combine items/towers I swap to horadic and then back again. This swapping of savegames makes it so that the creepwave clears, which can be used if a creep somehow gets past your towers. The other thing this does is that I stay on the same round for an indefinite amount of time, making heroes like Mulli able to grow without stop. It can also be used to get all your towers to lvl 99 by placing some keys of wisdom in the towers. This is a big help, but it’s not gamebreaking. Tested a Mulli and he got 1 M crit, but the bonusround only lasted about 70 K seconds.
Now to the GAMEBREAKING EXPLOIT, the unlimited rounds. Unlimited rounds means unlimited drops of pots and unlimited seelen, knusp and abyss-growth. ALSO it means unlimited amount of gold. In my round that lasted 160 k seconds I got 4 B gold before I went to bonusround to see how long I would last. The funny thing is that this can be accomplished in the same way as the other exploits I mentioned, all you have to do is that you, before clearing wave 500, move your savegame elsewhere, start a new game that only lasts for 200 waves, replace the new savegame with the old one. It will state that you are now on round 200! Be aware, you are not done yet. For the game to edit the savegame you have to click on the “next wave”-button. This makes the game edit the savegame. Now you move the savegame elsewhere, start a new 500 round game and put your savegame back again and so you are ready to play wave 201 again. On my 160k run I did this probably 15 times. Got 4 B coins, 35 k Abyss, 30 k seelen. I also used holgar as a carry to maximize the potion-production.
With all this, I still only placed 5th, and it was on easy too. The top-players on ladder play on hard. I really don’t know how they do it…
Best of luck y’all!
Hoid

Oh my god, that's what I call reverse engineering! That's pretty impressive, Hoid. Also, I won't delete your bonus round ladder scores, without you sharing this, I would've never been able to fix this :-D Plus, with the next bonus round ladder all go back to zero anyway. My first thought how to fix it: I recently introduced a unique game ID that is generated when a new game starts. Write this ID to both the round.json and game.json and verify both match when loading the game. I think that should cover all cases. Please correct me if I miss something here :-) Thanks again for sharing!

Hi Andy, Thanks for the kind words :). That should actually do it. Nice to know that there is a simple, and hopefully not all too time consuming, way to fix the problem. The only thing I can think of is that if this “game-ID” is written in both the game.json and round.json it can be identified by comparing the two files and finding the similar string of text. I know next to nothing about coding, and encryption (the signature) so I don’t know if this even is a problem. Just telling you what I would test after the patch goes live :). I have now revealed all the exploits I know of, we will see if there will be an “episode 3” on this series, but somehow I don’t think there will be, unless I find some intuitive way to crack the signature or something of the sort (but that really isn’t my type of cheating, it’s too intrusive). PS. is the creep-health growth formula made public? Would like to see how much dmg you have to dish out at 400.000 seconds and how far off I was. The armor is +1 per wave, right? Wishing you all the best for the coming year, and if you ever need legal advice in Sweden, give me a shout! Hoid
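
Added example, not part of the thread and not the game's own code: a sketch of the game-ID check proposed above, extended with a keyed tag so that an ID copied from one file into the other by hand, the case raised in this reply, is also caught. The file layout, field names and key handling are assumptions.

```python
import hashlib, hmac, json, secrets

# Assumption: a secret kept outside the save files. On a rooted device it can
# still be extracted, so the tag raises the cost of tampering, nothing more.
KEY = secrets.token_bytes(32)

def _tag(game_id, state):
    """HMAC-SHA256 over the game ID plus the canonical round state."""
    body = json.dumps(state, sort_keys=True, separators=(",", ":"))
    return hmac.new(KEY, f"{game_id}|{body}".encode(), hashlib.sha256).hexdigest()

def new_game(settings):
    """game.json (hypothetical layout): fresh random ID plus the chosen settings."""
    return {"game_id": secrets.token_hex(16), **settings}

def save_round(game, state):
    """round.json: the state, the owning game's ID, and a tag binding the two."""
    gid = game["game_id"]
    return {"game_id": gid, "state": state, "tag": _tag(gid, state)}

def load_round(game, round_file):
    """Return the round state, or raise ValueError if the save is not this game's."""
    if round_file.get("game_id") != game["game_id"]:
        raise ValueError("round.json belongs to a different game")
    expected = _tag(game["game_id"], round_file.get("state")).encode()
    if not hmac.compare_digest(expected, str(round_file.get("tag", "")).encode()):
        raise ValueError("round.json was changed outside the game")
    return round_file["state"]

def accepts(game, round_file):
    """True if load_round() would accept this round.json for this game."""
    try:
        load_round(game, round_file)
        return True
    except ValueError:
        return False

def demo():
    """Constructed scenario: a wave-499 save dropped into a fresh 200-wave game."""
    old = new_game({"hero": "Mulli", "max_waves": 500})
    old_round = save_round(old, {"wave": 499, "gold": 1000})
    fresh = new_game({"hero": "Mulli", "max_waves": 200})
    relabelled = dict(old_round, game_id=fresh["game_id"])  # ID copied by hand
    return {"own_save": accepts(old, old_round),
            "swapped_in": accepts(fresh, old_round),
            "id_copied_across": accepts(fresh, relabelled)}

if __name__ == "__main__":
    print(demo())
```

A matched game.json and round.json restored together still pass both checks; catching that rollback needs state the player cannot restore.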

Great work there hoid. I think the problem in bonus rounds is that you don't really know which wave you have at the moment. I think it can vary depending on deployment time, but that's just a guess. So life and armor would be a hard call to make without a "wave counter", which I would like to see.

Thanks! That is only half true though, there is a wavecount in the savegame and even if it's not 100 % correct it should give a decent estimation if you take the wavecount and subtract the initial 500 normal waves and then multiply this with the timefactor you are after (if you are at 10 k bonusround, you multiply with 40 to see the round nr. on 400 k seconds). It is true though that the spawntime of a new wave only happens after the entire current wave has spawned, meaning that a slow mass-wave round will take longer than a fast Boss-wave.

Ok, I just feel that I have to say that I feel very upset about this savegame exploit, not just for actual cheating but as it is not an option in the game to save, then in my opinion it is even cheating to save and use different savegame files. To explain what I mean: I have a bit of a gaming OCD, my games have to be (in my mind) perfect, so to even get a perfect start I have to spend about an hour just to meet all the various conditions for my "perfect game", while you who use savegame files just need 1 perfect start and then just "reload" if something didn't go as planned, and as you said in another thread that you had a savegame with already 12k+ secs and you had made over 90k sec on several occasions from the same savegame, it is so truly unfair as you get a massive increase in Wizard EXP and levels (78k*8 sec worth of EXP) just from 1 savegame. I mean, how many do this? Is it only me that doesn't exploit this? I have spent hours and hours just to get the perfect game, and I haven't made it past even 150 waves in may 1-2 weeks because I leaked and my OCD says NO! =)
Then again I am grateful to you Hoid that you are honest enough to admit it and reveal these exploits so that it can be prevented in the future! :) My suggestion is that Andy makes some sort of lock or unique ID on the savegames so you can't play the same save over and over again, or that if you do then you won't get EXP from it the next time.
I think this is one of the reasons that Andy took the game off from the computer platform, as it must have been way easier to cheat with an actual CPU than with a phone.
Also, a really big cheat you could make with a savefile is to have 1 save file on wave 199/200, then the metro, dark and nature quests are useless, same with 800 sec, then you just wait 1 wave and 800 sec, have a save when you just built a balu for hug quest, another save for knusper quest etc. This would make all quests useless and you most likely have an instant win every time you get a new quest, all cards as golden and you don't even need to make an effort.

Well, normally you don't see the wavecounter because you don't read the save file.