Note: I have notified the owner and the vulnerability has been fixed, and the algorithm has been changed.
Physics is one of my favorite areas of interest in mathematics (other than Computer Science of course). I’ve elected to take a high school physics course, and I’ve taken more of an interest in mathematical concepts, such as trigonometry, since then. There is one thing that intrigued the Computer Science nerd in me, a website called Minds on Physics; an online interactive quiz that asks physics-related questions. After each question missed, a significant percentage of the user’s health decreases and the student may end up retrying that specific module many times.
This is a good method to ensure that students get the concept of certain topics related to physics, but I have heard tales of students retrying modules multiple times (without even looking at the hints and help); thus encouraging many students to give up. To top it off, Minds on Physics runs on the Shockwave player, an outdated browser add-on that I’d like to see disappear from the Internet.
Don’t get me wrong, I think that MOPs are an excellent way to learn physics. I just think that they should be implemented a tiny bit better (see end of post).
Each time a student completes a specified assignment, they receive a success code. The code is categorized as either gold or silver, depending on whether or not they answered the last question correctly. The Minds on Physics website claims that the code is encrypted (which we will later find to be false) and that no two students can have the same success code.
When a student completes a MOP assignment, a success code is rewarded. The success code is an encrypted 8-letter code that is unique to the student, the teacher and the assignment. No two students will ever have the same success code.
At the beginning of Physics class, I vowed to my peers that I would figure out how gold codes are generated. And after months of procrastination, I finally got around to doing it after a friend of mine told me that there was a MOP Android app.
You may be wondering what the significance of it being an Android app is. Well, for starters, Android apps are much simpler to decompile because there are more resources out there to do so. I don’t know a single resource available to decompile Shockwave applications, so I resorted to using the Android APK. The only downfall to this is that the Android version costs a dollar. However, cracking the algorithm is worth much more than a measly dollar to me.
As my first step, I simply downloaded the Minds on Physics app from the Google Play Store after purchasing it. Then, I extracted the APK bundle from my phone and sent the file to my computer. The tool I used to extract APKs is on the Play Store, and is called APK Extractor.
Once I had downloaded the APK file from my phone, I extracted the APK archive to view its contents. On Windows, one can simply use the 7-Zip archive manager to extract the APK. Because I am on a Mac, I used the command line to extract the archive.
After a quick search throughout the directories of the APK, I noticed something strange. In the assets directory, there is a bundle of files with the extension .livecode. Using a text editor, I assessed that the files contained very readable code and that I probably would not need to decompile the MOP app!
By Googling LiveCode, I assessed that the scripting language is used for developers to easily make apps cross-platform. There is also a way to view LiveCode files in an interactive environment, but I decided not to download it until later.
With the files at hand, I am now able to figure out the algorithm involved in generating MOP codes. In the assets directory, I found a file called asstScriptLibrary.livecode which contains the algorithms needed to generate codes. Fortunately, the algorithm was quite easy to find by searching GoldCode within the file, which yielded a function called createGoldCode.
Now, I won’t be posting the exact algorithm that generates the gold code because of copyright reasons, but I will give a few pointers in creating your own decryption function.
- Learn the LiveCode API. LiveCode is very different from any other scripting language that I’ve seen. For one, it reads like English. Also, indices start at 1, which is different from conventional programming languages.
- Don’t get frustrated at all of the code for the code generation. Although the code is easy to read, it may get a bit repetitive at times.
- Try out the LiveCode debugger. The LiveCode environment comes with a code editor which lets you step through the LiveCode functions. After being frustrated that my code generator only worked for a few student IDs, I figured out the problem by stepping through the LiveCode debugger.
Also, I mentioned that the algorithm was actually not an encryption algorithm. Encryption algorithms are reversible, but this one isn’t. Instead, I’d call this algorithm a hashing algorithm, though I could be wrong. Feel free to correct me!
Here is my final product after writing the Java code to generate success codes.
And sure enough, when we complete the assignment KC1, we are presented with the same exact gold success code. Take that, physics classroom!
Here are some improvements that I would suggest to The Physics Classroom.
- Don’t store the algorithm on the client side. Anything shipped to the client can be read and re-implemented, so codes can be generated without answering a single question. Instead, I would track the progress of each question on the server side, and only generate success codes when the server knows for a fact that the client has been through all of the questions.
- Don’t store your code in plain text on the client. This makes it laughably easy to view the original, uncompiled, code that is used during runtime. Please make sure to use a language that can compile your source code, or make it so that your code isn’t easily viewable by the client.
- Stop using Shockwave Player. Please. You’ll regret it in the future when browsers won’t support it. Instead, take a server-side approach and use some sleek HTML5 and CSS to make it look pretty. You’ll thank me later.
- Just ditch success codes entirely. If you follow the first bullet point, and track progress on the server, why not simply make it so that teachers can log into their account and monitor the progress of each student? That way, reverse engineers like me can’t exploit the algorithm.
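To make the first two suggestions concrete, here is an added example (my own illustration, not code from Minds on Physics or The Physics Classroom) of a server-side tracker that records each answer, refuses to mint a code until every question of an assignment has been answered, and derives the 8-letter code with a keyed HMAC over student, teacher, assignment and tier. It also shows the point made earlier about hashing versus encryption: the server never reverses a code, it recomputes the MAC and compares. The secret key, the question counts and the student and teacher names are constructed for the example.

```python
import hashlib
import hmac
import string

LETTERS = string.ascii_uppercase  # success codes are 8 letters, as on the page


class AssignmentServer:
    """Server-side progress tracking; the client never sees the code generator."""

    def __init__(self, secret, question_counts):
        self._secret = secret                    # constructed key, lives only on the server
        self._question_counts = question_counts  # e.g. {"KC1": 10}, questions numbered 1..n
        self._progress = {}                      # (student, teacher, assignment) -> {q: correct}

    def record_answer(self, student, teacher, assignment, question, correct):
        key = (student, teacher, assignment)
        self._progress.setdefault(key, {})[question] = bool(correct)

    def completed(self, student, teacher, assignment):
        answered = self._progress.get((student, teacher, assignment), {})
        required = set(range(1, self._question_counts[assignment] + 1))
        return required <= set(answered)

    def tier(self, student, teacher, assignment):
        # Gold if the last question was answered correctly, silver otherwise.
        last = self._question_counts[assignment]
        return "gold" if self._progress[(student, teacher, assignment)].get(last) else "silver"

    def _mac_code(self, student, teacher, assignment, tier):
        msg = "|".join((student, teacher, assignment, tier)).encode()
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()
        n = int.from_bytes(digest, "big")
        # Base-26 encode the first 8 "digits" of the MAC into letters.
        return "".join(LETTERS[(n // 26 ** i) % 26] for i in range(8))

    def issue_code(self, student, teacher, assignment):
        # Only the server decides when a code exists, so skipping questions yields nothing.
        if not self.completed(student, teacher, assignment):
            return None
        return self._mac_code(student, teacher, assignment, self.tier(student, teacher, assignment))

    def verify_code(self, code, student, teacher, assignment):
        # No decryption: recompute the MAC for each tier and compare in constant time.
        for tier in ("gold", "silver"):
            if hmac.compare_digest(code, self._mac_code(student, teacher, assignment, tier)):
                return tier
        return None
```

With 26^8 possible codes the uniqueness claim holds only probabilistically; a real deployment would look the code up in the server's own records rather than trust the string alone.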
The lesson I learned after making this program is that there are flaws in every computer program. It just takes a little patience to find them. I also learned that generating these codes will ultimately lead me to failing physics, so I won’t be doing that.