Hacking 'Dad Simulator'

Sometimes you fall down a GitHub rabbit hole, clicking through profiles, and find something like Dad Simulator.

Then you’re bonding with a virtual dad instead of closing issues.

Dad Simulator screenshot 1

Dad Simulator is a browser game, written in the Phaser framework. My understanding is it’s hackathon code from one Liam Gensel.

It’s basically a dad Tamagotchi. You have depleting stat bars, if they bottom out you die, and to keep that from happening you buy stuff to bump stats.

I acknowledge it as a novel concept, and I want to play but also have work to do. What’s a virtual son to do?

The game is written in JavaScript so… we’ll hack our way out of this.

i.e. type stuff in the Dev Tools console to speed this thing along

Dad Simulator’s a one-page app so we don’t need to recon here. No nmap or Burp spiders. Let’s just see what we’ve got for source.

Higher up in the HTML we see something about the dad dying. Morbid! 💀

Dad Simulator screenshot 2

Then towards the bottom we see what we need.

Dad Simulator screenshot 3

Let’s start with variables.js …

const GAME_PRODUCTS = {
    beer: {
        description: "A nice, ice cold beer will keep your Dad's thirst quenched and happiness up.",
        price: 2,
        stat: {
            health: 0,
            happiness: 5,
            hunger: 0,
            thirst: 15,
        },
    },
    burger: {
        description: "That's some good fucking meat.",
        price: 5,
        stat: {
            health: 0,
            happiness: 6,
            hunger: 10,
            thirst: 0,
        },
    },

So in the console we can change the price of anything like this.

GAME_PRODUCTS.beer.price = 1;

Or we can make stuff more beneficial.

GAME_PRODUCTS.beer.stat.health = 100;
GAME_PRODUCTS.beer.stat.happiness = 100;
GAME_PRODUCTS.beer.stat.hunger = 100;
GAME_PRODUCTS.beer.stat.thirst = 100;

The most desirable item in this game is a car. It’s so expensive I think it was put in there to cheat for. Or maybe I’m justifying our actions.

car: {
        description: "A badass new car for your pops.",
        price: 25000,
        stat: {
            health: 100,
            happiness: 100,
            hunger: 0,
            thirst: 0,
        },
    },
}

In fact, if you buy this car, the dad turns into the car. If we transition from variables.js to main.js we can see this in code.

function itemRecieved(item) {
    if (hasItem && item != "DRILL" && item != "HAMMER") {
        killAllItems();
    } else {
        drill.visible = false;
        hammer.visible = false;
    }

    if (item == "CAR") {
        dad.kill();
        dad = game.add.sprite(100, 250, 'car');
    }

What does that look like?

Dad Simulator screenshot 4

That code snippet above also lets on another route for cheating.

itemRecieved("CAR");

Now, let’s look further into main.js 🤔

function makeJoke() {
    fetch("https://icanhazdadjoke.com/", {
        headers: {
            'Accept': 'text/plain'
        }

    }).then(function (response) {
        return response.text();
    }).then(function (text) {
        speak(text);
    });
}

function killAllItems() {
    beer.visible = false;
    burger.visible = false;
    chicken.visible = false;
}

function payday() {
    Cookies.set("totalMoney", Cookies.getJSON("totalMoney") + Cookies.getJSON("allowance"));
    updateInventory();
}

function addAllowance() {
    Cookies.set("allowance", Cookies.getJSON("allowance") + (2 * Cookies.getJSON("allowance")));
    updateAllowance();
}

More console tricks. Don’t want to wait (30 seconds) for Dad to make another joke?

makeJoke();

Don’t want to wait (60 seconds) for an allowance bump?

addAllowance();

Don’t want to wait (30 seconds) for allowance?

payday();

Maybe you also caught this file’s references to a Cookies class. What’s the deal with that?

Before we find out, let me just call out another snippet, this time from stats.js 📈

function updateStat(statType, value) {
    let stats = Cookies.getJSON("dad");
    switch (statType) {
        case 'HEALTH':
            stats.health += value;
            break;
        case 'HUNGER':
            stats.hunger += value;
            break;
        case 'THIRST':
            stats.thirst += value;
            break;
        case 'HAPPINESS':
            stats.happiness += value;
            break;
    }

    stats = validateStats(stats);
    Cookies.set("dad", stats);
}

Hence we can modifying items and jump right to the following console cheats too.

updateStat('HEALTH',100);
updateStat('HUNGER',100);
updateStat('THIRST',100);
updateStat('HAPPINESS',100);

Anyway. What’s the deal with those cookies? 🍪🍪🍪

Dad Simulator screenshot 5

Aha. The cookies, they are so sweet. We don’t have to touch a line of JavaScript. With the excellent EditThisCookie plugin for Chrome you can edit away…

Dad Simulator screenshot 6

Of course, if you insist on JavaScript…

Cookies.set("totalMoney",200000);
updateInventory();

That’s right, remember to update the state after changing the game any which way.

To close out this post, Dad Simulator is fun as a game and as an appsec exercise. I understand there weren’t security requirements around it. This was hackathon code.

The question remains — are all Phaser games written this way? Is there more code out there to exploit? That’s up to you.

Keep hacking. 🐱 💻

Randy Gingeleski - GitHub - gingeleski.com - LinkedIn

Hacking ‘Dad Simulator’