CITM
Battle Cats MITM Mailbox Hack
Cat-In-The-Middle
"Playing it like a fiddle."
This mailbox hack allows players to acquire items and/or cats of their choice.
Disclaimer
This repository was made only for research and educational purposes. I am not personally responsible in any way for any unethical malpractices because of this tool. If PONOS were to approach me to take down, archive or privatise this repository, I will be obliged to follow their will.
Please support the developers of Battle Cats so that they can add more content for the players of Battle Cats! ヾ(°∇°*)
As part of responsible disclosure, on 9 Jan 2020, I contacted PONOS Games through email, contact/inquiry page, and in-game inquiry to check with them and update them regarding this MitM vulnerability issue. I have also suggested encrypting the data being transmitted, but they just simply banned my savegame file/account, so... ¯\_(ツ)_/¯
As of Battle Cats version 11.1.0, it seems that Certificate Pinning and nonces were implemented. That said, PONOS had never informed me formally/officially about this patch, even after I had responsibly disclosed this issue to them. They might have figured it out internally by themselves and decided to not inform me about it at all (or forgot to inform me).
Features
- This hack follows a Man-in-the-Middle (MITM) network approach instead of the usual save data modification (using transfer code and confirmation code). The latter would be more easily detected by the corresponding servers if playing online.
- As far as I know, this method is also region-insensitive since it just utilizes the main Internet connection to `ponosgames.com`, instead of taking advantage of region-specific package names and hash salts.
- This method allows users to specifically curate the list of items or/and cats (including expendables like Rare Tickets, Treasure Radars, EXP and Cat Food) that they desire to obtain (such as retrieving cat units locked based on story progress or past limited-edition cat units).
- Unfortunately, as of version 11.1.0, this method would require rooting/jailbreaking (as mentioned here) due to Certificate Pinning and nonces. Otherwise, versions of Battle Cats lower than v11.1.0 would not require any jailbreaking, rooting or any game cheating/hacking software, except for cases of usage with Android versions beyond `Nougat` (>= 7.0).
Setup
For the following methods, rooting is required on Android and jailbreaking is required on iOS. While the instructions will be for Android, most of the steps would also be similar for iOS. Feel free to raise a Pull Request to make this section more complete!
Note that we do not need to worry about the nonces since nonces can only prevent replay attacks, not MITM attacks.
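The point about nonces above, as an added example (not code from this repository or from PONOS): a freshness check alone accepts a response body changed in transit, while a MAC computed over the nonce and the body rejects it. The key, field names and message layout are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key. A real client cannot keep a shared secret from its
# own user, so production designs verify an asymmetric server signature.
SERVER_KEY = b"constructed-demo-key"


def server_reply(nonce: str, items: list) -> dict:
    """Server side: echo the client's nonce and MAC the nonce plus body."""
    body = json.dumps(items, sort_keys=True)
    tag = hmac.new(SERVER_KEY, f"{nonce}|{body}".encode(), hashlib.sha256).hexdigest()
    return {"nonce": nonce, "body": body, "mac": tag}


class Client:
    def __init__(self):
        self.pending = set()  # nonces issued and not yet answered

    def new_nonce(self) -> str:
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def check_nonce_only(self, reply: dict) -> bool:
        """Freshness check alone: accepts any body carrying a live nonce."""
        if reply["nonce"] not in self.pending:
            return False
        self.pending.discard(reply["nonce"])
        return True

    def check_nonce_and_mac(self, reply: dict) -> bool:
        """Freshness plus integrity: the body must match the server's MAC."""
        msg = f"{reply['nonce']}|{reply['body']}".encode()
        expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, reply["mac"]):
            return False
        return self.check_nonce_only(reply)


def altered_in_transit(reply: dict) -> dict:
    """Models an in-path change: body replaced, nonce and MAC left as sent."""
    changed = dict(reply)
    changed["body"] = json.dumps([{"changed": True}])
    return changed
```
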
Remove Certificate Pinning from APK
On Android, it should be possible to use this tool to patch the APK accordingly and remove the Certificate Pinning. This comment might also be useful since the okhttp3 function code is obfuscated in the APK.
Downloading the appropriate APK version can be done by using APKCombo's APK Downloader. The ID for the Battle Cats APK is jp.co.ponos.battlecatsen.
Install MITM Software's CA Certificate as Trusted Root CA Certificate
Additionally, more effort might be needed to install the CA certificate of the MITM software of choice into the system certificate store for Android versions beyond Q (>= 10.0). Simply follow the instructions on this website to properly install the CA certificate.
Because of this, if you use an emulator and/or have a choice on the Android version, then it is recommended to select Android 9.0 (Pie) with Google APIs (API Level 28, x86 CPU/ABI).
Usage
I will develop the `autohack.sh` script further (with maybe a Python script add-on) and maybe add some clearer `.gif` tutorial video recordings when I am less busy and have more time.
We will be using Fiddler from Telerik since it is free, so download and install Fiddler on your computer. Of course, you could use Burp Suite, mitmproxy, Wireshark, Charles Proxy, etc. and I would assume that the steps would be similar. Feel free to raise a Pull Request to add instructions for other MITM software as well! At the time of this writing, I was using Fiddler v5.0 (and it was working for Battle Cats v9.7).
Fiddler
Firstly, connect your mobile device (or emulator) to your computer's Internet connection (possibly through the Mobile Hotspot feature).
Next, set up Fiddler to decrypt HTTPS traffic through SSL proxying (follow this tutorial).
After that, configure your mobile device to pass its HTTPS traffic to Fiddler (follow this tutorial for iOS devices or this tutorial for Android devices). Do take note that without rooting, this method will only work with Android versions before Nougat (< 7.0). Beyond Android Nougat, root access would be required.
You can Google how to root an Android device. After rooting, you can refer to this page to check how to install System-Trusted Certificate Authorities (maybe can use Magisk?).
Once the traffic is re-routed through your computer, set a filter in Fiddler's Filters tab to show only the host nyanko-items.ponosgames.com and tick the options Break request on POST and Break request on GET with query string. After the filter setup is done, go to Actions and press Run Filterset now.

On your mobile device (or emulator), open up your Battle Cats and go to the Mailbox (in the bottom-right corner of the Main Menu). Fiddler should show a red-colored GET Web Session to https://nyanko-items.ponosgames.com/messages.php?action=list&accountId=<your-account-id> so select that and click Break on Response.

NOTE: If Fiddler indicates another red-colored GET Web Session to https://nyanko-items.ponosgames.com/api/v2/count.php?accountCode=<your-account-id>, just let that Run to Completion and ignore it as it is not relevant to our objective.
Through TextView on Fiddler's Inspectors tab, you would be able to edit the response by following this JSON format:
```json
[
  {
    "id": 1,
    "accountId": "<your-account-id>",
    "title": "Items",
    "body": "",
    "clientVersion": 90700,
    "country": "en",
    "accepted": null,
    "created": <unix-timestamp>,
    "items": <item-list>
  },
  {
    "id": 2,
    "accountId": "<your-account-id>",
    "title": "Cats",
    "body": "",
    "clientVersion": 90700,
    "country": "en",
    "accepted": null,
    "created": <unix-timestamp>,
    "items": <cat-list>
  },
  {
    "id": 3,
    "accountId": "<your-account-id>",
    "title": "True Form Cats",
    "body": "",
    "clientVersion": 90700,
    "country": "en",
    "accepted": null,
    "created": <unix-timestamp>,
    "items": <true-form-cat-list>
  },
  {
    "id": 4,
    "accountId": "<your-account-id>",
    "title": "Talent Orbs",
    "body": "",
    "clientVersion": 90700,
    "country": "en",
    "accepted": null,
    "created": <unix-timestamp>,
    "items": <talent-orb-list>
  }
]
```
You should modify the value of `country` to your respective region defined by PONOS. Possible values include (but might not be limited to): `en`, `jp` and `tw`.
Also, just to clarify, the value of `itemCategory` indicates the type of item that the user will receive (`0` is `Items`, `1` is `Cats`, `3` is `True Form Cats` and `4` is `Talent Orbs`).
Edit the values of <your-account-id>, <unix-timestamp>, <item-list>, <cat-list>, <true-form-cat-list> and <talent-orb-list> accordingly to valid values. Pick your item, cat, true form cat or/and talent orb choices from the lists provided (cat_list.json, true_form_cat_list.json, item_list.json and talent_orb_list.json) and feel free to edit the "amount". "title" can also be changed to whatever you like.
For True Form Cats, ensure that the specified Cat actually has a True Form (since not all Cats have True Forms). You can verify against the list on the Battle Cats Wikia on Fandom here.
Forward the response to Battle Cats by clicking Run to Completion and it will show the items in the Mailbox.
Take note that if you take too long to do the previous steps, Battle Cats might respond with a timeout (Cannot display due to connection error) and you might need to redo the whole process again.
Click the Accept button and it will send a POST request to `https://nyanko-items.p
