Clash Royale Documentation

[ghost]

Are there any plans in the future for writing some documentation for Clash Royale?

[123456abcdef]

Checkout @clugh. He worked out the encryption for the latest Supercell games. He made a proxy which does what you want I guess (python version, c# version). The proxy is for CoC, but you can edit it easily to make it work with CR (check out my comment for the changes you have to make). The message structures are similar to the ones CoC uses (structures). I started working on them, if I got a bunch I maybe create a repo for them.

[ghost]

Thank you very much! I was trying my best to use wireshark and forward the packets from my phone to my computer and got as far as the handshake, this however will be of great use, thanks! My end goal is to write a private server for clash royale.

[ghost]

Quick question, I used your key as the server key inside of coc-proxy, then I changed the host to game.clashroyalegame.com inside of coc-proxy, but when I try to run it and connect to it after patching my libg.so, the server can't decrypt the packets. How can I fix this?

[ghost]

Also, I've patched my libg.so using the arm offset that you gave me, with echo 72f1a4a4c48e44da0c42310f800e96624e6dc6a641a9d41c3b5039d8dfadc27e | xxd -r -p > key-new.bin set as echo ba105f0d3a099414d154046f41d80cf122b49902eab03b78a912f3c66dba2c39 | xxd -r -p > key-new.bin. Why am I doing wrong?

[clugh]

You don't change the key used to patch libg.so, you change the one used to connect to Supercell's servers here.

[ghost]

I did change that to @123456abcdef's key, and it failed to decrypt the packets. I also tried changing the server key too.

[clugh]

I haven't attempted to use the proxy with CR, so I don't have first-hand experience, so I'll have to defer to @123456abcdef, but assuming it works the same way as CoC, even if the server key is wrong, the proxy should still decrypt the Login packet. If that isn't working either, then there is an issue with the patched libg.so.

[ghost]

I reinstalled the game, making a clean libg.so, but the problem isn't the client, it's the proxy saying:

ClientHandshake: {
  "unknown_0": 1,
  "unknown_1": 2,
  "majorVersion": 2,
  "unknown_3": 0,
  "minorVersion": 1507,
  "masterHash": "312f8701d02df604c8f083b84285241b5cd5745b",
  "unknown_6": 2,
  "unknown_7": 2
}
ServerHandshake: {
  "sessionKey": "2b4884c871fc5e65305521201a626281fd047180ccd83a67"
}
Failed to decrypt the message (server, 10101).

[clugh]

In the patching instructions here, there is this line:

xxd -p -c 32 key-backup.bin

The output of that line should match @123456abcdef's key. If not, something either went wrong or you're using a different version.

[123456abcdef]

Yeah test that command it should print ba105f0d3a099414d154046f41d80cf122b49902eab03b78a912f3c66dba2c39 otherwise I messed up the arm offset.

[ghost]

xxd -p -c 32 key-backup.bin returns ba105f0d3a099414d154046f41d80cf122b49902eab03b78a912f3c66dba2c39

[ghost]

What else could I possibly be doing wrong? I am sure that I am on version 1.2.3 (it is the latest) and I have changed this line: https://github.com/clugh/coc-proxy/blob/master/coc/client/crypto.py#L10 to @123456abcdef's key, then I changed this: https://github.com/clugh/coc-proxy/blob/master/proxy.py#L12 to "game.clashroyaleapp.com", 9339

[ghost]

I have edited my hosts file on my android device to connect to my laptop running the proxy and I can see the client connects, but the server just can't decrypt the packets.

[123456abcdef]

Mhhh I tested it with my own proxy and can try it with @clugh's python proxy, if we are missing something. 5min.

[clugh]

What is the specific error message you are getting? Is it Failed to decrypt the message (server, 10101).?

[ghost]

Yes, it is

[clugh]

After you pushed libg.so to your device, did you kill and reopen the app? It will keep the original in memory as long as it is open.

[ghost]

I thought I wasn't supposed to have my APK patched... so I deleted and reinstalled the app. Is that the problem? I need to re-patch my libg.so?

[clugh]

Ah, it appears there was some miscommunication. When you said you changed the key in the patch procedure, I said not to change the key used to patch libg.so. I didn't intend that to mean not to patch the file at all.

[123456abcdef]

You have to replace ba105f0d3a099414d154046f41d80cf122b49902eab03b78a912f3c66dba2c39 with 72f1a4a4c48e44da0c42310f800e96624e6dc6a641a9d41c3b5039d8dfadc27e and then push it to your device. The command above was just to validate my offset.

[ghost]

Ah, Ok. Will do, then I'll let you know.

[ghost]

It is now working! Thank you very much. It looks like I have some packets I need to define!

[123456abcdef]

Cool! I spend it little bit time on those message structures. It seems like they are not that straight forward as the ones from CoC. Maybe you can make better progress than I did today :D.

[ghost]

Yeah, I think the first thing that I'll do is maybe try to intercept the contents of the packet that sets the values of the gems and coins, although it functionally won't do anything, It will give me an idea of how some of the packets work and how to make an injector ;)

[ghost]

Also, I just want to ask, does your phone randomly crash while playing Clash Royale sometimes? I experience it rarely on my Nexus 5 (marshmallow) just curious.

[123456abcdef]

I'm running the patched version on Genymotion emulator and it works fine. Changing values in the packet will most likely result in an out of sync error.

[ghost]

Hmm, yeah now that I think of it, it could cause problems. I'll just try defining all of the packets, then I'll try writing my own server and then I can try to modify my coins, gems, chests etc.

[ghost]

Hi! I'm trying to do the same thing but it's a bit weird about the keys. What's the key I have to put in the proxy ? What's the one I have to patch on the .so file ?

[ghost]

You have to replace ba105f0d3a099414d154046f41d80cf122b49902eab03b78a912f3c66dba2c39 with 72f1a4a4c48e44da0c42310f800e96624e6dc6a641a9d41c3b5039d8dfadc27e and then push it to your device. The command above was just to validate my offset.

and

ba105f0d3a099414d154046f41d80cf122b49902eab03b78a912f3c66dba2c39 needs to be entered into the client on the proxy

[ghost]

Okay thank you very much, I use the c# version and it works well !

PS: if someone has already started to write the definitions, please share.

EDIT: In fact, I just get "false" hexadecimal data, the JSON decoder doesn't work.. It's because the definitions are wrong ?

[123456abcdef]

The definitions in this repo are for Clash of Clans and don't work for Clash Royale. Most messages are different. As I wrote above, you can't extract the values of the fields directly from the decrypted messages, because they are "obfuscated", at least most fields I looked at. So I think without debugging the libg.so it is not possible to understand how the message reader works/how to extract the real values. I'm still working on it, but I'm not that experienced with debugging such libraries, so it I will need some time :P. We are thankful for every help :)

Edit: I was talking about this discussion link.

[ctfhacker]

Just jumping in here.. Just downloaded the game today and wanted to get going. Have we gotten any further with definitions?

[ghost]

Most of the fun stuff is now happening over here: https://github.com/royale-proxy not a lot of work has been done lately mostly because of other projects... I was planning to restructure the messages (https://github.com/royale-proxy/cr-messages) into a different easier to serialize format, and then rewrite the proxy (https://github.com/royale-proxy/cr-proxy) in node.js, after we get that done, it's just a matter of continuing to define 'all teh packetz'. If you express interest in this project and want to get your hands dirty with node, let me know, and I'll be happy to add you as a contributor and find time to help out.

[ghost]

Also, it is worth noting the risks, supercell has started to ban users for partaking in reverse-engineering the protocol, and running proxies, using them, running private servers etc. more info is available here: http://supercell.com/en/safe-and-fair-play/ however, not sure how exactly this will work for private servers as they technically can't ban you if you're not on their servers, but I don't really want to find out ;)

[ctfhacker]

​yeah, I'd love to look into this. I don't really enjoy the game much, but always curious about reverse engineering.

Tbh, I'm more of a binary exploitation kinda guy (see www.ctfhacker.com), so I wanted to try something different and this looks awesome.​ Any recommendation on initial steps? And would the proxy work with something like Genymotion?

On Thu, May 12, 2016 at 4:28 PM, mhsjlw notifications@github.com wrote:

Also, it is worth noting the risks, supercell has started to ban users for partaking in reverse-engineering the protocol, and running proxies, using them, running private servers etc. more info is available here: http://supercell.com/en/safe-and-fair-play/ however, not sure how exactly this will work for private servers as they technically can't ban you if you're not on their servers, but I don't really want to find out ;)

— You are receiving this because you commented. Reply to this email directly or view it on GitHub https://github.com/clanner/cocdp/issues/19#issuecomment-218891334

[ghost]

The development process will be mostly:

• Run proxy
• Un-descripted packets will appear as buffers
• Stare at the buffers until your eyes bleed
• Find out all fields of the packet
• Describe the packet as a single file
• Now move onto the next packet

Once we have most packets defined, we will start development a standalone server. Currently, I need to rewrite that proxy to make it more modular, then we can start to define more packets.

[ghost]

However, if you're into binary reverse engineering, it wouldn't hurt if you could decompile the libg.so file that is stored in the lib/ folder in the decompressed apk. That could contain important info

[ctfhacker]

could we move this to #clashroyale on freenode?

[Cerise1]

Hi evry one i know its kind of an old conversation but i d Also like to work on defining thoose cr packets and i see that you guys already started so that would be Nice if you accept to share your work on thoose packets and fields ! That would be a huge gain of Time ;)

[akirarat]

Is anyone still working on this? I got most of Login (client) and LoginOk (server) deserialized. It's not yet checked in. I also figured out the key for CR 1.4.1.

[BerkanYildiz]

@akirarat @mhsjlw @ctfhacker http://imgur.com/a/g3SPE

[zzVertigo]

TRIGGERED @BerkanYildiz

[ghost]

@BerkanYildiz flaunting your closed-source server is really just counter-productive for a discussion like this

[BerkanYildiz]

@mhsjlw Of course.

[BerkanYildiz]

Any news ?

[coolnickname]

Is this stuff still accurate or did it get outdated?

[BerkanYildiz]

@coolnickname Outdated

[ghost]

@mhsjlw Is there any chance you could provide the general protocol for CR post-1.7.0 update? I am trying to make a server... shop.csv.decode.csv "Name","Category","TID","Rarity","Disabled","Resource","Cost","Count","CycleDuration","CycleDeadzoneStart","CycleDeadzoneEnd","TopSection","SpecialOffer","DurationSecs","AvailabilitySecs","SyncToShopCycle","Chest","TrophyLimit","IAP","StarterPack_Item0_Type","StarterPack_Item0_ID","StarterPack_Item0_Param1","StarterPack_Item1_Type","StarterPack_Item1_ID","StarterPack_Item1_Param1","StarterPack_Item2_Type","StarterPack_Item2_ID","StarterPack_Item2_Param1","ValueMultiplier","ActivatedFromEvent","AppendArenaToChestName","TiedToArenaUnlock","RepeatPurchaseGemPackOverride","EventName","CostAdjustBasedOnChestContents" "String","String","String","String","boolean","String","int","int","int","int","int","boolean","boolean","int","int","boolean","String","int","String","String","String","int","String","String","int","String","String","int","int","String","boolean","String","String","String","boolean" "SecretLegendary","SecretLegendary","TID_SHOP_SECRET_LEGENDARY",,,"Diamonds",500,,21,7,,,"TRUE",,,,"Legendary",1400,,,,,,,,,,,,,,,,, "SecretEpic","SecretEpic","TID_SHOP_SECRET_EPIC",,,"Gold",10000,,14,,3,,"TRUE",,,,"Epic",1000,,,,,,,,,,,,,"TRUE",,,,"TRUE" "Spell","Spell",,,,,,,,,,"TRUE",,,,,,,,,,,,,,,,,,,,,,, "Chest","Chest",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, "ResourceGold","Gold",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, "ResourceDiamond","Diamond",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, "SpellReleaseOfferCommon","SpellStack",,"Common",,"Diamonds",100,400,,,,"TRUE",,259200,86400,"TRUE",,,,,,,,,,,,,,,,,,, "SpellReleaseOfferRare","SpellStack",,"Rare",,"Diamonds",150,100,,,,"TRUE",,259200,86400,"TRUE",,,,,,,,,,,,,,,,,,, "SpellReleaseOfferEpic","SpellStack",,"Epic",,"Diamonds",400,10,,,,"TRUE",,259200,86400,"TRUE",,,,,,,,,,,,,,,,,,, "StarterPackArena3","StarterPack","TID_SHOP_STARTER_PACK_ARENA_3",,,"IAP",,,10,3,2,,"TRUE",,,,,800,"com.supercell.scroll.consumablestarterpack0","Chest","Giant_Arena3",,"ResourceDiamond","com.supercell.scroll.gempack5",,"ResourceGold","Gold1",,5,,,,,, "StarterPackArena4","StarterPack","TID_SHOP_STARTER_PACK_ARENA_4",,,"IAP",,,10,3,2,,"TRUE",,,,,1100,"com.supercell.scroll.consumablestarterpack1","Chest","Magic_Arena4",,"ResourceDiamond","com.supercell.scroll.gempack5",,"ResourceGold","Gold1",,8,,,,,, "StarterPackArena5","StarterPack","TID_SHOP_STARTER_PACK_ARENA_5",,,"IAP",,,10,3,2,,"TRUE",,,,,1400,"com.supercell.scroll.consumablestarterpack2","Chest","Super_Arena5",,"ResourceDiamond","com.supercell.scroll.gempack0",,"ResourceGold","Gold1",,7,,,,,, "StarterPackArena6","StarterPack","TID_SHOP_STARTER_PACK_ARENA_6",,,"IAP",,,10,3,2,,"TRUE",,,,,1700,"com.supercell.scroll.consumablestarterpack3","Chest","Magic_Arena6",,"ResourceDiamond","com.supercell.scroll.gempack0",,"ResourceGold","Gold2",,3,,,,,, "StarterPackArena7","StarterPack","TID_SHOP_STARTER_PACK_ARENA_7",,,"IAP",,,10,3,2,,"TRUE",,,,,2000,"com.supercell.scroll.consumablestarterpack4","Chest","Super_Arena7",,"ResourceDiamond","com.supercell.scroll.gempack1",,"ResourceGold","Gold2",,4,,,,,, "StarterPackArena8","StarterPack","TID_SHOP_STARTER_PACK_ARENA_8",,,"IAP",,,10,3,2,,"TRUE",,,,,2300,"com.supercell.scroll.consumablestarterpack5","Chest","Magic_Arena8",,"ResourceDiamond","com.supercell.scroll.gempack1",,"ResourceGold","Gold3",,5,,,,,, "StarterPackArenaL","StarterPack","TID_SHOP_STARTER_PACK_ARENA_L",,,"IAP",,,10,3,2,,"TRUE",,,,,3000,"com.supercell.scroll.consumablestarterpack6","Chest","Legendary",,"ResourceDiamond","com.supercell.scroll.gempack1",,"ResourceGold","Gold3",,5,,,,,, "Red","Red",,,,,,,,,,,,,,,,,"com.supercell.scroll.red","ResourceDiamond","com.supercell.scroll.gempack0",,,,,,,,,,,,,, "RumbleBundle0","Rumble","TID_SHOP_RUMBLE_0",,,,,,,,,,,,,,,,"com.supercell.scroll.rumblebundle0","ResourceDiamond","com.supercell.scroll.gempack5",,"Chest","Magic_",,,,,,,,,,"RumbleShop", "RumbleBundle1","Rumble","TID_SHOP_RUMBLE_1",,,,,,,,,,,,,,,,"com.supercell.scroll.rumblebundle1","ResourceDiamond","com.supercell.scroll.gempack0",,"ResourceGold","Gold2",,,,,,,,,,"RumbleShop", "RumbleBundle2","Rumble","TID_SHOP_RUMBLE_2",,,,,,,,,,,,,,,,"com.supercell.scroll.rumblebundle2","ResourceDiamond","com.supercell.scroll.gempack1",,"Chest","Super_",,,,,,,,,,"RumbleShop", "SuperMagicalOffer","EventChest",,,,"Diamonds",1000,,,,,,"TRUE",,,,"Super",,,,,,,,,,,,,"SuperMagicalOffer","TRUE",,,, "LegendaryOffer","EventChest",,,,"Diamonds",500,,,,,,"TRUE",,,,"Legendary",1400,,,,,,,,,,,,"LegendaryOffer","TRUE",,,, "GiantOffer","EventChest",,,,"Diamonds",100,,,,,,"TRUE",,,,"Giant",1100,,,,,,,,,,,,"GiantOffer","TRUE",,,, "MagicalOffer","EventChest",,,,"Diamonds",200,,,,,,"TRUE",,,,"Magic",1100,,,,,,,,,,,,"MagicalOffer","TRUE",,,, "EpicOffer","EventChest",,,,"Gold",10000,,,,,,"TRUE",,,,"Epic",1100,,,,,,,,,,,,"EpicOffer","TRUE",,,, "SpellStackOfferCommon","SpellStack",,"Common",,"Gold",1000,100,,,,"TRUE",,86400,86400,"TRUE",,1100,,,,,,,,,,,,,,,,, "SpellStackOfferRare","SpellStack",,"Rare",,"Gold",3000,30,,,,"TRUE",,86400,86400,"TRUE",,1100,,,,,,,,,,,,,,,,, "SpellStackOfferEpic","SpellStack",,"Epic",,"Gold",5000,5,,,,"TRUE",,86400,86400,"TRUE",,1100,,,,,,,,,,,,,,,,, "StarterPackArena9","StarterPack","TID_SHOP_STARTER_PACK_ARENA_9",,,"IAP",,,10,3,2,,"TRUE",,,,,2600,"com.supercell.scroll.consumablestarterpack7","Chest","Super_Arena9",,"ResourceDiamond","com.supercell.scroll.gempack1",,"ResourceGold","Gold2",,4,,,"Arena9",,, "HolidayBundle0","Rumble","TID_SHOP_HOLIDAY_0",,,,,,,,,,,,,,,,"com.supercell.scroll.consumableholidaypack0","ResourceDiamond","com.supercell.scroll.gempack1",,"Chest","Giant_",,,,,2,,,,"com.supercell.scroll.gempack0","HolidayBundle", "HolidayBundle1","Rumble","TID_SHOP_HOLIDAY_1",,,,,,,,,,,,,,,,"com.supercell.scroll.consumableholidaypack1","ResourceDiamond","com.supercell.scroll.gempack2",,"Chest","Magic_",,,,,3,,,,"com.supercell.scroll.gempack1","HolidayBundle", "HolidayBundle2","Rumble","TID_SHOP_HOLIDAY_2",,,,,,,,,,,,,,,,"com.supercell.scroll.consumableholidaypack2","ResourceDiamond","com.supercell.scroll.gempack3",,"Chest","Super_",,,,,4,,,,"com.supercell.scroll.gempack2","HolidayBundle", "ChineseNewYearBundle0","Rumble","TID_SHOP_RUMBLE_1",,,,,,,,,,,,,,,,"com.supercell.scroll.consumablechinesenewyear0","ResourceDiamond","com.supercell.scroll.gempack5",,"ResourceGold","Gold1",,,,,,,,,"com.supercell.scroll.gempack5","ChineseNewYearBundle", "ChineseNewYearBundle1","Rumble","TID_SHOP_RUMBLE_0",,,,,,,,,,,,,,,,"com.supercell.scroll.consumablechinesenewyear1","ResourceDiamond","com.supercell.scroll.gempack0",,"Chest","Magic_",,,,,,,,,"com.supercell.scroll.gempack0","ChineseNewYearBundle", "ChineseNewYearBundle2","Rumble","TID_SHOP_RUMBLE_2",,,,,,,,,,,,,,,,"com.supercell.scroll.consumablechinesenewyear2","ResourceDiamond","com.supercell.scroll.gempack1",,"Chest","Super_",,,,,,,,,"com.supercell.scroll.gempack1","ChineseNewYearBundle",

I found that in a decoded .csv file inside the clash royale apk. btw.