How I Cracked Trivia Crack

Trivia Crack is a highly popular game for both web and mobile platforms which is somewhat modeled after Trivial Pursuit. It’s the latest craze in social gaming, allowing users to compete against their friends and strangers in answering questions from an array of categories. Though I’ve never been very interested in gaming, my wife has recently become a huge fan of Trivia Crack. After watching her play for a while, I decided to download it and take a closer look into how it was implemented.

I began by monitoring the web API requests made over the network while using the Android app. Very quickly, I noticed something interesting during the game’s operation. It seemed that the app was receiving the category, question, and answer from the Trivia Crack servers before the user even began spinning the “category” wheel.

Below is an example response that the app fetches prior to showing this screen:

Note the category, question, answer options, and correct answer keys are all included in the response. This means it would be straightforward to identify the answer when asked within the app to cheat the game. While not exactly ethical or fair for gaming use, I thought it would be interesting research.

My initial plan was to reverse engineer the Android app and provide the user with a Toast notification of the answer. I started by decompiling the app and reviewing the source code. I used grep to search the source for some keywords that I hoped would help me track down the questions/answers activity. While searching through some of the potential results, a few lines caught my attention.

Following the code, “ANSWERS_CHEAT” alluded to a hidden cheat mode in the game. Rather than reinvent the wheel, I decided on finding out how it worked. Using grep, I found all references to the “ANSWERS_CHEAT” string and quickly discovered reference to a hidden menu on the main dashboard activity.

This code appeared to handle setting the cheat mode option, but I still wasn’t able to access the menu itself. Within the same activity, I reviewed the OnCreateOptionsMenu method below:

Most of the cheat mode functionality, including the hidden menu, looked like it depended on the returned value of  com.etermax.tools.f.a.a() . The code for that class is below:

This seemed to be the decision point that I was looking for. Changing the assignment a = false;  to  true  should’ve enabled the hidden menu. I opened the smali representation of the class and found the assignment of the boolean member.

I changed line 29 (snippet line #7 above) to  const/4 v0, 1 , which set the value to true. I then recompiled the app and installed it. The menu button then successfully exposed the hidden options below:

“Answer Cheat” now seemed enabled by default, so I started up a new game to test. As expected, the games now appended a number after the questions, indicating the zero-based index of the correct answer.

Download the patched APK here. Note this is for research purposes only; I am not responsible for any immoral gameplay!

EDIT: APK Mirror

This should serve as a good example that client application privacy cannot be guaranteed and developers should be careful about what’s included in their compiled releases.

Share this: Facebooktwittergoogle_pluslinkedin
  • Jeremy

    Awesome lol. I made a version of this a few months ago that simply uses FiddlerCore and a C# Console app to show me the answers. I never released it though, but if you want I can shoot you the source.

    • macbook

      Post the source here for all of us to use and fork please.

    • Big Meech

      Did you ever get a chance to post the source for this?
      Are you on Git Hub?

      • Jeremy

        My drive ended up crashing before I could ever post it. I should be easy to reproduce it though. Maybe i’ll do that tomorrow.

  • Andy

    is this for just android?

    • iMossy

      iPhone (Cydia) had a Trivia Crack cheat tweak for a very long time

  • Nate

    Great work. Mediafire is down right now. Any chance there’s a mirror?

    • Randy Westergren
      • Julian Evans

        I know you’ve said a particular question and answer is pre-supplied. But if I get the Crown option, then hit Airport mode, TriviaCrack already knows the question and answer for all my available crowns. if that is so, is there a part of the code that checks if it’s a Crown spin THEN checks which are available THEN grabs all the answers before you pick which one you’re going for?

  • Darnell Royal

    Lol so how do I know the right answer?

    • Clusten

      You could start reading the post…

      • Darnell Royal

        Or you could just point me in the right direction considering I read the post and obviously didn’t see it i

        • MaLaCoiD

          After the question, it has a number in parenthesis. 0=A 1=B 2=C and so on.

          • Darnell Royal

            Thanks!!

          • Darnell Royal

            Anyway to get this working on the ad free version. Just wondering since I had already paid for it

  • Edgar Arroyo

    I’d love to give this a try but the new mirror just point to a file with 0 kb, so it never downloads, and the original one I can download and install but it simply doesn’t login using my Facebook account, like I do in the regular one.

  • James Dean

    It seems the cracked app is having a problem signing in through faccebook for me, any reccomendations

    • olydrh

      Same here. Just has the Debug button at top of main screen. But I couldn’t login via Facebook.

      • Anna Bella

        Actually I ran into that also but you can just sign in through the “email address” that you use for FB and it will recgonize it as your FB one and log you in that way. Works great now

        • olydrh

          Gotcha – put in my FB email address and then I got the popup that I’m not connected via FB so I can’t play with friends… hit the connect with FB there and it took me into my current games from before.

          • David

            Use Lucky Patcher + Xposed to disable the check. FB signin works fine.

          • jashenberner

            i downloaded Lucky Patcher and tried removing License Verification but I still cannot link to my Facebook account. Any other ideas on how to sign in with Facebook?

      • qb

        Most likely because the APK is no longer signed/validated. I doubt Facebook lets unregistered apps use their API.

  • spiros

    Hello my friend,

    Very nice topic! Fortunately I know php,python,c,c++ etc and I can easily understand Java witch I never study.

    I would like very much to ask you though, how to you capture traffic from the android device? I was thinking of using my laptop as “gateway” to the router, capturing packets with wireshark. What do you suggest doing?

    -Spiros

    • John Doezer

      Depends whats on your edge. You may be able to capture traffic from a specific IP as it traverses your firewall. You could also plug your WiFi router and your laptop into ports on a switch, and mirror the WiFi router port to the port that the laptop is plugged into.

    • Matt Street

      If you rooted your phone I think you could just put wireshark or tcpdump on it.

    • twaddington

      Use a tool like Charles Proxy to capture web traffic: http://www.charlesproxy.com/

    • cybergibbons
  • Nice article! It was very easy to follow. It reminds me of back in the day when people would reverse engineer games to make a key generator.

  • unkindman

    Can you elaborate a little more on how you decompiled the app as well as recompiling the decompiled/modified code?

    Also, what exactly am I looking at in the last code snippet? It certainly isn’t Java 😀
    How did you know to change that particular const value?

    Good read. Thanks.

    • kuschku

      You can decompile Apps into smali code (the representation shown at the end) using apktool. If you want to decompile it to Java, I’d suggest using dex2jar combined with JD-GUI.

  • Extreme

    Getting an “App not installed” error when attempting to install, any ideas as to why?

    • Neil Mathias

      Same here. Needed some help on that.

    • Make sure you uninstalled the original app. first.

  • Mycahp

    What did you use to monitor the requests?

  • jerdog76

    Good job Randy. I play this game with my parents and siblings, and have noticed a lot of crazy issues. One of those issues is that you could win all crowns in one round without the other person playing. This has happened on numerous occasions. Example: If you spin and get the crown option, a successful answer gets you a crown but doesn’t count as a successful answer, thus enabling this lopsided scoring.

    I also noticed the randomization of the spins being suspect – and your article here explains that. They’re already determining before you spin. Talk about being predestinated… =)

  • Curious Dev

    So I’m curious. Are you not worried about getting into legal trouble with trivia crack? Do you think they would have a case against you for accessing their API via something that isn’t the official client? Do you think you are safe since you aren’t making money? Thanks and good work.

  • JDM

    Or you could actually just, like, you know … learn things. You know, the fun way.

  • Alejandro Espinoza

    Where can i find the code that you found?

  • Bryan Geerds (GHOSTOFBENCERX)

    The numbers aren’t the right answers.

    • Randy Westergren

      Correct. As I wrote in the post, the number represents the zero-based index of the answer.

  • Saqlain Shajahan

    Hi Randy just wondering if you can release a new apk that not only shows the correct answer but also has endless lives. Please help

    Thanks

  • Eli Petrizzi

    can you post the most recent update with this code please?

  • Mathias Schjødt-Pedersen

    I for a q. Why aren’t it working any longer

  • GizmoCodes

    Hey, there has been a few major updates that require the app to update, and it says this one isn’t. Think you could update it?

  • Awesome, thanks

  • Tanya

    Awww…getting an “invalid key hash” error! I wanted to check this out!