Cheef31 / duellinks-battle-proxy

An intercepting proxy for Yu-Gi-Oh! Duel Links that lets you view NPC decks and replace them with cards of your choosing.

Duel Links Battle Proxy

Disclaimer

This application was created as a proof-of-concept and is intended for educational use only. I contacted KONAMI on February 21, 2017 and I have not received a reply, so I am releasing the source code of the tool.

I am not responsible for accounts being banned or any other consequences of misusing this tool.

Description

This proof-of-concept application acts as an intercepting HTTPS proxy, allowing users to intercept and modify server responses sent to the Yu-Gi-Oh! Duel Links mobile game.

This allows you to view and modify the decks of NPCs (non-player characters) and view the decks of other players in multiplayer.

It does not require you to jailbreak or root your device.

cardmap.js maps the card ID to the corresponding card. It contains a few cards to show that the application works.

responses.txt contains a log of server responses to assist with debugging of the application.

Usage

npm install
node duel-proxy.js

You also have to trust the generated SSL certificate (.http-mitm-proxy/certs/ca.pem) on the target device and forward traffic to the HTTPS proxy server (port 8000 by default).

Modify theirReplacementDeck in duel-proxy.js to an array of the card IDs you want the other player to have and myReplacementDeck to the card IDs you want yourself to have. Note that replacement of their deck and your deck only occurs if REPLACE_THEIR_DECK and REPLACE_MY_DECK are true.

Possible Fixes

One way to fix this vulnerability is to use an HMAC to verify the contents of the server response (it seems like client requests already use some sort of MAC, but not server responses).
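
The HMAC check described above, as an added example that is not code from this project: the server tags the exact response bytes and the client verifies the tag before parsing. It goes one step beyond the text by binding the client's request nonce into the tag, so an old signed response cannot be replayed; the per-session key, field names and card IDs are assumptions made for illustration.

```javascript
// Added example (not part of duel-proxy.js): HMAC-SHA256 over a server response.
const crypto = require('crypto');

// Assumption: a per-session key held by both endpoints that never crosses the proxy.
const sessionKey = crypto.randomBytes(32);

// The tag covers the client's request nonce and the exact body bytes on the wire.
// The nonce is hex, so the '.' separator cannot appear inside it.
function computeTag(key, requestNonce, body) {
  return crypto.createHmac('sha256', key)
    .update(requestNonce).update('.').update(body)
    .digest();
}

// Server side: serialize once, then tag that serialization.
function signResponse(key, requestNonce, payload) {
  const body = JSON.stringify(payload);
  return { body, mac: computeTag(key, requestNonce, body).toString('hex') };
}

// Client side: verify before parsing; return null for anything that fails.
function verifyResponse(key, requestNonce, message) {
  if (typeof message.body !== 'string' || typeof message.mac !== 'string') return null;
  const expected = computeTag(key, requestNonce, message.body);
  const received = Buffer.from(message.mac, 'hex');
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (received.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(received, expected)) return null;
  return JSON.parse(message.body);
}

// Test input: a body rewritten in transit while the original tag is kept.
function modifiedInTransit(message) {
  const parsed = JSON.parse(message.body);
  parsed.npcDeck = [9999, 9999, 9999];
  return { body: JSON.stringify(parsed), mac: message.mac };
}

// Constructed sample data; nonce, field names and card IDs are hypothetical.
const nonce = crypto.randomBytes(16).toString('hex');
const genuine = signResponse(sessionKey, nonce, { duelId: 1, npcDeck: [4007, 4011, 4035] });

console.log('genuine :', verifyResponse(sessionKey, nonce, genuine));
console.log('modified:', verifyResponse(sessionKey, nonce, modifiedInTransit(genuine)));
console.log('replayed:', verifyResponse(sessionKey, crypto.randomBytes(16).toString('hex'), genuine));
```

A key shipped inside the client binary can be extracted, so the check is only as strong as the way the session key is established.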

Another, easier way to fix the vulnerability on a majority of devices would be to use HPKP (HTTP Public Key Pinning), which would stop the application from trusting other public keys. However, this could be circumvented on jailbroken or rooted devices with applications that disable certificate pinning.
