Thread: [Python] Capy Puzzle Captcha Solver

  1. #1
    Squirtle's Avatar
    Joined
    Feb 2013
    Posts
    129
    Pronouns
    he/him
    Userbars
    16
    Thanks
    199
    Thanked
    346/86
    DL/UL
    547/9
    Mentioned
    47 times
    Time Online
    82d 20h 4m
    Avg. Time Online
    29m

    [Python] Capy Puzzle Captcha Solver
    Some time ago, I automated a mobile game until I received a C&D. Before this occurred, they had introduced puzzle captchas using Capy. Initially, it involved only a single puzzle piece, which was much easier to get around. However, when they made two puzzle pieces mandatory, I created a Python program to solve these puzzles for me.

    This program used Selenium with action chains and cv2 for image processing and brute force matching, along with a few other libraries that didn't play much of a role in the logic.

    After approximately two weeks of work and collecting sample completed puzzles, I was able to automatically solve these puzzles with about a 90% success rate.

  2. The Following 6 Users Say Thank You to Squirtle For This Useful Post:

    DarkSkies (01-21-2024),Excalibur (01-21-2024),kittyray (01-21-2024),nataurs (01-21-2024),Shawn (01-22-2024),Unown (01-21-2024)

  3. #2
    Squirtle
    Instead of creating a new post, I'd prefer to hijack this thread to add the following:

    A while back, I managed to create a workaround for the Google Play Integrity/Device Check. These services aim to prevent botting/automation and ensure that only legitimate devices access their services. Instead of seeking a bypass, which I felt would have been a complete waste of time, I decided to create a workaround using legitimate devices and generating valid tokens from real devices for one-time authentication.

    This was achieved using Frida and a bit of reverse engineering to discover how the tokens were generated. Once that was understood, I created two small scripts for Frida, tailored for either Android or iOS, allowing me to generate valid tokens using real devices whenever needed. For this, the app for which I needed tokens was always running in the background of the device, enabling me to use these scripts to generate a token for automation, effectively creating a workaround for these security measures.

    Interestingly, I found that iOS tokens are generated on the device without any server communication and can be endlessly created without a network connection. In contrast, Android tokens depend on direct communication with Google to verify if the device is authorized to receive the token from the start. The most challenging aspect for Android tokens was circumventing Play Integrity to have the device recognized as valid, passing both basic and device integrity checks, which I eventually achieved by using a non-rooted device's fingerprints.

    In theory, this method should work for any games or apps that have similar security measures, as long as the process of nonce generation is understood. Generally, it seems that nonces are first generated on a server, which can often be intercepted to use in token generation. This is typically the case for Android devices. On the other hand, iOS devices don't seem to require the nonce to be passed into the scripts for token generation, at least not for now.

  4. The Following User Says Thank You to Squirtle For This Useful Post:

    Shawn (01-22-2024)
