Run 3 is an addictive 3D runner with gameplay that is smooth and refined. Currently it is in a state of not finished but development is not continuing, most likely just maintaining.
In my recent stint of being hooked, I finished all the levels and only had infinite mode, however, it seemed like the points for unlocking everything seemed impossibly hard! For example this angel character costed 12000 points and each shape you collect in endless mode gave 2-3 points. This mean I had to collect 4000 dots just to unlock this character assuming I was lucky every time! Since the grinding part of this takes hold and the endless runs become repetitive despite being "procedurally generated" according to the author (although I suspect it's pre-generated and handpicked); I decided to cheat.
On first thought I thought it wasn't possible since it would communicate profile to the server, but then I realized I didn't have to sign in so it probably wasn't the case. I then cracked open the network tab to double check. What was returned was just sound and other assets corresponding to the game. No settings. Then I headed to the application tab hoping the points would just be one entry in local storage or cookies. 0 cookies but 3 Entries in local storage.
- /run/3/beta/:last - just the username
- /run/3/beta/:error - some long error string?
- /run/3/beta/:Run3 - another random string?
Did I miss something I asked myself since these strings did not look important. Looked around some more, even searched up run 3 cheat, and found some websites with cheated in points so I know that something could have changed it locally. After much headbanging I found that the values in local storage where colon separated items but it started off with oy13:firstPlayTimey24:2022-09-12T21%3A41%3A07Zy15:lastBuildNumberi25606y23:explorewormholeCrossingi1y11:currentPathy7... so I thought it was level data. I then looked further in the value and ground several achievement values. Achievements in this game gave points, so I knew I was on to something but what? I tried ctrl + f the total new of points I had, nothing. Then I thought maybe it was sum of achievements from points - points spent but there was no way I could get that number off the top of my head. After much looking I had found something ahead of the first achievement called softEarnedi4050y20. I immediately thought of them as points even tho the points I collected in the infinite mode would very solid looking tetrahedrons. Nevertheless, I changes the value to softEarnedi9050y20 just to see if anything would change. Upon reload, it did change. Now I can buy things and cheat the system 😀! (Also note softSpent value so that is probably how much you spend and the number of points is softEarned - softSpent)
Now this got me wondering about could have been done to stop this. Obviously if points and purchased characters could have been stored on the server and checked but then you would have to set up a server to do that and probably do use accounts. Instead I was thinking of ways to secure it locally by obfuscation the data. Obviously one can just run a base64 encode on it and decode it when reading but it would still be easy to modify. Then I was wondering if you can secure a secret cookie locally but as far as I can tell you can't. Since this data isn't really important and doesn't need securing, just a way to stop those who want to cheat in points, it just needs to be annoying enough for someone who is technical to get annoyed, I think I have found an awesome solution.
My proposed solution is to generate a secret hash at the start and store that. Then do a base64 encode of the /run/3/beta/:Run3 store followed by encrypting with the generated hash. Then store this encrypted string in /run/3/beta/:Run3 + add the hash key at the end. For extra points add salt based on the date or something that way when you build the app, the bundled js will most likely be obfuscated and unreadable. Now it will be very difficult for someone to reverse engineer this unless they excute line by line. This will filter out a lot of potential would be cheaters like me.
You can play Run 3 here: https://player03.com/run/3/beta/
🛑Warning: This game is very addictive (P0 level)
TLDR to cheat in Run 3,
/run/3/beta/:Run3softEarnedi4050y20in the value and change 4050 to 9999999 or whatever your desired number points is (your number will probably be different to mine)