Hacking Google Doodles



So today is Google 15th anniversary and they released a mini game in HTML5 to celebrate it. This kind of games uses canvas, audio and some other fancy HTML5 features to display flash-like games (good old times using flasm to decompile them…) plus some obfuscation and JavaScript tricks to avoid easy hacks.

This is a post about how I dissect the JavaScript code and tweaked my Firefox with some plugins in order to smash some high scores.

First of all we need to go to the Doodle page. This is not the Google home page as there the code is more complex and we want to focus in the relevant files. The URL is http://www.google.com/logos/2013/bday13/bday13.html

There we can see they are loading a file, bday13.js which is obfuscated and minimised. This makes the analysis a bit harder but we can try some tricks in order to make our job more easy.

First of all is to format the file again. We can use online services such as http://jsbeautifier.org/ to do the job but today we are going to use a small Firefox extension that is going to do the same on-the-fly, so we can later use Firebug to debug the JavaScript code. After installing JavaScript Deminifier you should check your Addons Bar to ensure the extension is active. To check everything is working, press Control+F5 and reload the .js file.

Now that we have the JavaScript in a more friendly format, we can start digging the code looking for the variable that controls our score or how many attempts we have remaining to hit the piñata. I went for the second one (double the attempts, double the fun!)

We start with 10 “hits”, so we can do a assumption and do a search for “= 10;”. Go, do it now… you will be pointed to just one occurrence of this pattern inside the code.

OK, so now we know variable name is bd but how do we change it to get more tries on the game? If you go to the very first line of the .js file, you will see they are using an anonymous function (“(function () {“) to contain all code within the application. Doing so ensures no one can access game’s variables using javascript: URL handler in her browser.

But wait! We still have Firebug and Firefox’s built-in Web Developer tools. So we can set up a breakpoint when bd is set to 10, increase it to 50 and start a new game. It will be difficult not to get a high score!