I stumbled across this Reddit post about 30 minutes ago. I’m a Starset fan, and I didn’t know that there was a dark things game, so I decided to go play it. It was so simple that I assumed that the other top scoring players must have written bots. After dying, I took a look at the network tab in my browser’s debug panel. I noticed that when I died, 2 HTTP requests triggered. The first one was an analytics event.

The second one, however, was posting a Base64 string to an API endpoint located at https://dmi.umgapps.com/starset/fallgame/api/jshgdsdffiwi82737894. This second one practically screamed for investigation, because it’s using Base64 when there’s no apparent reason. The URL also seems to have been chosen to be hard to guess. It’s not randomly generated or a checksum (like many of the JavaScript files); instead it seems to have been chosen by key mashing.

So, I copied the payload and decoded it into plaintext. The first time I copied it I missed the last character, turning it into nonsense, so for about 10 minutes I thought it was some kind of custom binary format. After realizing my mistake, I discovered that it decoded into this:

{"nickname":"bmi","score":0,"userID":"f8c92771-84c6-41fd-930d-e1038ebd4353"}

Woah! There we go! To test what would happen, I right-clicked on the request and copied its cURL command, but swapped out the payload for the following (translated to Base64, of course):

{"nickname":"bmi","score":12999,"userID":"f8c92771-84c6-41fd-930d-e1038ebd4353"}

Which put me in number 9 on the leader board! I tried several times to become #1, and I did discover some interesting things about the API:

  • The server seems to return null when your session times out, otherwise it will return a JSON value telling you that you have an invalid request.
  • The server does enforce the 3 character limit; I did try to set my name to Aceius.
  • I would guess that the top 2 scores have some kind of meaning, because the API doesn’t let you overwrite them, and also because 2047 is the year from which the transmissions originated.

I then bumped myself up to number 3, with an obviously cheated score of 100000 more than the person right below me.
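
As an added example (not code from the game or its API), this sketch shows how a server could treat the decoded payload above as untrusted input, accepting a client-reported score only if it fits the play time the server measured itself. The session store, the MAX_POINTS_PER_SECOND ceiling, the nickname character set and all function names are assumptions.

```javascript
// Added example: server-side validation of a Base64-encoded score submission.
// Assumptions (not from the game): the server records when each session starts,
// and MAX_POINTS_PER_SECOND is a constructed plausibility ceiling.
const MAX_POINTS_PER_SECOND = 50;

// Constructed session store: userID -> time the server saw the game start (ms).
const sessions = new Map([
  ["f8c92771-84c6-41fd-930d-e1038ebd4353", 1_000_000],
]);

function decodeSubmission(b64) {
  // Base64 is an encoding, not protection: anyone can decode and re-encode it.
  let obj;
  try {
    obj = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  } catch {
    return null;
  }
  return obj !== null && typeof obj === "object" ? obj : null;
}

function validateSubmission(b64, nowMs) {
  const sub = decodeSubmission(b64);
  if (!sub) return { ok: false, reason: "malformed" };
  const { nickname, score, userID } = sub;
  // 3 character limit as described in the post; the charset is an assumption.
  if (typeof nickname !== "string" || !/^[A-Za-z0-9]{1,3}$/.test(nickname))
    return { ok: false, reason: "bad nickname" };
  if (!Number.isSafeInteger(score) || score < 0)
    return { ok: false, reason: "bad score" };
  const startedAt = sessions.get(userID);
  if (startedAt === undefined) return { ok: false, reason: "unknown session" };
  // Accept the client-reported score only if it could have been earned in
  // the time the server itself measured for this session.
  const elapsedSec = Math.max(0, (nowMs - startedAt) / 1000);
  if (score > elapsedSec * MAX_POINTS_PER_SECOND)
    return { ok: false, reason: "implausible score" };
  sessions.delete(userID); // one submission per session, so replays are rejected
  return { ok: true, reason: "accepted" };
}

// Helper to build constructed sample payloads in the same shape as the post's.
const encode = (o) => Buffer.from(JSON.stringify(o)).toString("base64");
```

A plausibility ceiling only bounds the score a client can claim; it does not prove the score was earned, which would need the server to replay or simulate the game inputs.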

Was this a waste of my time? Yeah, definitely. But I had fun doing it.

Also, if anyone from Starset ends up reading this, you guys are pretty awesome!