A reverse engineer's review of a gambling app that thousands play daily.
Recently my cousin showed me a set of gambling apps that are rampant in Pakistan. I watched him turn a mere Rs. 10 into Rs. 5500, which we later used to order food.
Like a raven eyeing a glittering diamond, I decided to hop on this easy-money train. One day I made Rs. 2000 out of Rs. 200, but I noticed that over the long term I was steadily losing. That is when I decided to take a look at the app's source code.
The app in question, Pak Arcade, serves an APK tied to the user who referred you to it. The referral code is used for bonuses: it builds a referral network for the referrer, who receives a bonus whenever someone they referred loses money.
To reverse engineer the application I first had to get at its source. This app is built on the Cocos2d-x JavaScript runtime, which is notorious for encrypting its scripts with the XXTEA block cipher: every standard .js file is shipped as an encrypted .jsc file that is just garbled bytes to anyone without the key.
The decryption key, however, is stored natively inside the framework's libcocos2djs.so (in Cocos Creator builds it is passed as a plain string literal to the runtime's jsb_set_xxtea_key() at startup, so a strings dump of the library will often find it too). After loading the shared object I prompted Claude 4.6 Opus (Thinking) through an IDA Pro MCP server, and it found the key in about two minutes: b32a2160-0c63-41.
Using a Python script, also generated by Claude, I converted the .jsc files back into plain .js. What I discovered was simply stupendous!
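For reference, this is what such a decryptor looks like. It is an added example written for this article, not the author's Claude-generated script and not Cocos code. It implements the reference XXTEA (the Cocos runtime uses Ma Bingyao's xxtea.c, which zero-pads the key to 16 bytes and stores the plaintext byte length in a trailing word) and follows the Cocos Creator native loader's treatment of .jsc files as a bare XXTEA ciphertext with an optional gzip layer underneath. That layout is my reading of the Creator 2.x runtime; older cocos2d-x 3.x builds that use setXXTEAKeyAndSign prepend a signature that would have to be stripped first. The key is the one found above; the sample script is constructed, and the encryptor exists only so the sample can be built offline.

```python
"""Decrypt Cocos2d-x / Cocos Creator .jsc script files (XXTEA, optional gzip)."""
import gzip
import struct
import sys
from pathlib import Path

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF


def _mx(total, y, z, p, e, k):
    # XXTEA mixing function, kept to 32 bits at every step.
    return ((((z >> 5) ^ ((y << 2) & MASK)) + ((y >> 3) ^ ((z << 4) & MASK))) & MASK) ^ (
        ((total ^ y) + (k[(p & 3) ^ e] ^ z)) & MASK)


def _key_words(key: bytes) -> list:
    # Reference xxtea.c truncates / zero-pads the key to exactly 16 bytes.
    return list(struct.unpack("<4I", key[:16].ljust(16, b"\0")))


def _to_words(data: bytes, include_length: bool) -> list:
    n = (len(data) + 3) // 4
    words = list(struct.unpack("<%dI" % n, data.ljust(n * 4, b"\0")))
    if include_length:
        words.append(len(data))  # trailer word records the true byte length
    return words


def _from_words(words: list, include_length: bool) -> bytes:
    if include_length:
        m, n = words[-1], (len(words) - 1) * 4
        if m < n - 3 or m > n:  # same sanity check as xxtea.c; fails on a wrong key
            raise ValueError("length trailer out of range: wrong key or corrupt file")
        return struct.pack("<%dI" % (len(words) - 1), *words[:-1])[:m]
    return struct.pack("<%dI" % len(words), *words)


def xxtea_encrypt(data: bytes, key: bytes) -> bytes:
    v, k = _to_words(data, True), _key_words(key)
    n = len(v)
    rounds = 6 + 52 // n
    total, z = 0, v[n - 1]
    for _ in range(rounds):
        total = (total + DELTA) & MASK
        e = (total >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            z = v[p] = (v[p] + _mx(total, y, z, p, e, k)) & MASK
        y = v[0]
        z = v[n - 1] = (v[n - 1] + _mx(total, y, z, n - 1, e, k)) & MASK
    return _from_words(v, False)


def xxtea_decrypt(data: bytes, key: bytes) -> bytes:
    if len(data) < 8 or len(data) % 4:
        raise ValueError("not an XXTEA ciphertext")
    v, k = _to_words(data, False), _key_words(key)
    n = len(v)
    rounds = 6 + 52 // n
    total, y = (rounds * DELTA) & MASK, v[0]
    for _ in range(rounds):
        e = (total >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            y = v[p] = (v[p] - _mx(total, y, z, p, e, k)) & MASK
        z = v[n - 1]
        y = v[0] = (v[0] - _mx(total, y, z, 0, e, k)) & MASK
        total = (total - DELTA) & MASK
    return _from_words(v, True)


def decrypt_jsc(blob: bytes, key: str) -> str:
    """Turn one .jsc blob back into JavaScript source."""
    plain = xxtea_decrypt(blob, key.encode())
    # Creator's "zip compress" build option gzips the script before encrypting it.
    if plain[:2] == b"\x1f\x8b":
        plain = gzip.decompress(plain)
    return plain.decode("utf-8")


def make_sample_jsc(src: str, key: str, compress: bool = False) -> bytes:
    """Constructed test fixture: build a .jsc the way the Creator build step would."""
    body = src.encode("utf-8")
    if compress:
        body = gzip.compress(body)
    return xxtea_encrypt(body, key.encode())


def decrypt_tree(root: Path, key: str) -> int:
    """Decrypt every .jsc under root into a sibling .js file; returns how many."""
    count = 0
    for jsc in root.rglob("*.jsc"):
        jsc.with_suffix(".js").write_text(decrypt_jsc(jsc.read_bytes(), key), encoding="utf-8")
        count += 1
    return count


if __name__ == "__main__":
    # usage: python jsc_decrypt.py b32a2160-0c63-41 <extracted-apk-assets-dir>
    print(decrypt_tree(Path(sys.argv[2]), sys.argv[1]), "files decrypted")
```

A wrong key does not produce garbage silently: the length trailer check rejects it, which is also a quick way to confirm a key pulled out of the library is the right one before decrypting a whole tree.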
The game has several different slot-machine-style games, and they all follow the same formula: the games are just dumb video players. The client dictates nothing; the outcome is sealed the moment the button is pressed and the bet is placed, and the client merely animates whatever the server has already decided. This was true for all of the general "slot" games.
To top things off, their backend engineers had locked the slot games down with strict server-authoritative validation. I tried but failed at:
On top of the server-side protections, the bundled game logic itself revealed little about any specific game, because the manifest for a game is fetched dynamically as it is loaded. To obtain a game's code I used a Frida script to intercept the network traffic and save the manifest.js file as it arrived. Reversing the logic of several games confirmed it: manifest.js contained nothing but assets and positioning logic for UI elements, and every decision was made on the server. There was no way to tamper with what the server had already decided for a player at any given time; any client modification would be useless, since there is nothing on the client to exploit.
One game, however, was different: a fishing game where you play simultaneously with other players, shooting at fish, with each bullet costing money and each fish having some chance of paying out. Intercepting the WebSocket traffic showed that the client generates a bullet id and sends a shoot message (c: 2402) for each bullet, and the server replies with exactly what was hit (c: 2403). Passing an array of fish ids (fids: [2202]) proved that the server blindly trusted the client's claim of which fish were hit, a genuine client-side injection! By sending an array with a large number of fish ids I had a "shotgun exploit" on my hands, one bullet targeting many fish at once. To my surprise, though, the server still never let me win big.
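The shotgun bug comes down to the server accepting the client's list of hit fish instead of its own collision result. Below is an added example, not Pak Arcade's code: a minimal hit handler written the way the intercepted traffic suggests the server behaved (paying for every fid in the list) next to a server-authoritative version. Everything beyond the c: 2402 and c: 2403 commands and the fids array seen on the wire is assumed for illustration: the bid and win field names, JSON framing, the fish table and payouts, and the idea that the server already tracks which fish a bullet's path can reach.

```python
"""Fish-game hit handling: the client-trusting version beside a server-authoritative one."""
import json
import random
from dataclasses import dataclass, field


@dataclass
class Fish:
    fid: int
    payout: int        # coins paid when this fish dies (assumed values)
    hit_chance: float  # server-side kill probability per bullet


@dataclass
class Table:
    fish: dict                                   # fid -> Fish currently swimming
    rng: random.Random
    balance: int = 0                             # the shooting player's coins
    bullets: dict = field(default_factory=dict)  # bid -> fids the bullet's path can reach


def issue_bullet(table, bid, reachable, cost=1):
    """Server-side shot bookkeeping: charge the bullet and record what it could hit."""
    table.balance -= cost
    table.bullets[bid] = set(reachable)


def _try_kill(table, fid):
    fish = table.fish[fid]
    if table.rng.random() < fish.hit_chance:  # the server, not the client, rolls the dice
        del table.fish[fid]
        table.balance += fish.payout
        return fish.payout
    return 0


def handle_shoot_vulnerable(table, msg):
    """Pays out for every fish the client *claims* to have hit: the shotgun bug."""
    hits, win = [], 0
    for fid in msg.get("fids", []):
        if fid in table.fish:
            paid = _try_kill(table, fid)
            if paid:
                hits.append(fid)
                win += paid
    return {"c": 2403, "bid": msg.get("bid"), "fids": hits, "win": win}


def handle_shoot_hardened(table, msg):
    """Accepts one fish per issued bullet, and only a fish that bullet could reach."""
    bid = msg.get("bid")
    reachable = table.bullets.pop(bid, None)  # each bullet id is spendable exactly once
    if reachable is None:
        return {"c": 2403, "bid": bid, "err": "unknown or already spent bullet"}
    fids = msg.get("fids", [])
    if len(fids) != 1 or fids[0] not in reachable or fids[0] not in table.fish:
        return {"c": 2403, "bid": bid, "fids": [], "win": 0}
    paid = _try_kill(table, fids[0])
    return {"c": 2403, "bid": bid, "fids": [fids[0]] if paid else [], "win": paid}


def serve_frame(handler, table, raw):
    """Wire adapter: WebSocket text frame in, text frame out (JSON framing assumed)."""
    return json.dumps(handler(table, json.loads(raw)))


def new_table(seed=7):
    # Constructed sample: three fish; hit_chance 1.0 keeps the demo deterministic.
    fish = {fid: Fish(fid, payout, 1.0) for fid, payout in ((2202, 5), (2203, 20), (2204, 80))}
    return Table(fish=fish, rng=random.Random(seed))


SHOTGUN = {"c": 2402, "bid": 1, "fids": [2202, 2203, 2204]}  # one bullet, three claimed fish


def demo():
    """Returns (win paid by the vulnerable handler, win paid by the hardened one)."""
    v = new_table()
    issue_bullet(v, 1, {2202})
    h = new_table()
    issue_bullet(h, 1, {2202})
    return handle_shoot_vulnerable(v, SHOTGUN)["win"], handle_shoot_hardened(h, SHOTGUN)["win"]
```

The hardened handler keys everything on bullet ids the server itself issued, so a forged or replayed bid is rejected and a claimed fish outside the bullet's recorded path pays nothing. Why the author's shotgun never paid out big is not visible from the client side; a server-side cap on what a single bullet can win is one plausible explanation, not something the traffic confirms.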
Inspecting the traffic also revealed the app's FOMO strategy. On login the client subscribes to a global publish/subscribe channel, and through its broadcast command the server silently drops the millions of losing spins happening across the platform while aggressively pushing high-multiplier jackpot wins to every connected socket. This creates the artificial illusion that the casino is "hot" and manipulates players into chasing wins.
The app also leans on animations and sound effects tied to every win, the kind of feedback linked with dopamine release, to keep users dependent.
In conclusion, the parts of their server that decide money are well secured; they are not stupid enough to leave fruit hanging that low when their whole business is giving and taking money.
Stay away from gambling: the house always wins, and this is proof.