Do you have any kind of docs on doing this? I want to get some stats from a game I'm playing and think that the server fudges the number to keep whales happy.
Any quality documentation on how to do this would be great.
https://httptoolkit.com/blog/frida-certificate-pinning/ has a detailed blog on it. Frida receives updates all the time, so the exact commands and scripts don't always work with the latest version, but you can start there.
As a concept, Frida works by running a gadget on the phone (as root, or as part of an app) and a client on another device (or the same device, I suppose, if you're using a terminal emulator on Android).
To install the gadget, you either download the right binary and execute it on the phone as root, or use a tool like https://github.com/ksg97031/frida-gadget to inject the gadget into an APK.
Then, use Frida (https://frida.re/docs/Android) to connect to the gadget and load any script you want. There are a bunch of scripts that can be used to patch out certificate validation, or to exclusively use a certificate authority of your choice, or you can write your own.
You can download scripts and run them directly, or you can run Frida with a command line flag to open up a remote debugging port; you can connect to that port from the Chrome dev tools and get an interactive code execution prompt. From there, you can patch out Java methods, load native binaries, patch memory, whatever you want. It's a really powerful tool for debugging and reversing applications you don't have the source for.
I've now confirmed that if you pay money for the game, you -automatically- get exactly 12% more damage than someone who hasn't, and it appears to drop 1% a day over time.
Not much I can do with that data, other than sleep in comfort knowing that it's the case.
Perhaps it's worth writing a quick blog about it? If this system wasn't documented before you purchase anything, you may even be able to get the attention of certain game review websites.
There are plenty of pay2win games out there, but if the game doesn't tell you that paying will give you an unfair advantage (or what advantage you're getting, exactly) I'd consider that worth reporting on, especially if the game has a decently large following!