Hacking Candy Crush 2: No need for tickets

Hi everyone,

As you may have noticed, you need a few tickets in order to access to a new world in Candy Crush. That can be very annoying if there's nobody online to give you tickets and you want to keep playing and of course you don't want to pay for them. In this post I will show you how to avoid getting asked for tickets.

If you have not seen my previous post you should take a look at it first since the initial steps are described there: hacking Candy Crush in 10 minutes.

Once you have access to your device file system, open this file for edition:

candycrushsaga.app/res/worlds.xml, it should look similar to the following image:

1. For this example let's assume you are stuck in level 230 and you need 3 tickets to get to level 231. Open the previous file and find the following text:
   

   <world imagepath="tex/menu/level_completed_train.png" 

   startswithlevel="231" 

   ticketpath="tex/menu/world/ticket_train_icon.png"></world>

2. Modify the previous text to:
   

   <world imagepath="tex/menu/level_completed_train.png" 

   startswithlevel="230" 

   ticketpath="tex/menu/world/ticket_train_icon.png"></world>

3. Terminate the Candy Crush application and open it again. If you try to play at this point you won't be able to select any level, but don't be scared as this can be fixed. Go back to edit the worlds.xml file and restore it to it's original value, like this:
   

   <world imagepath="tex/menu/level_completed_train.png" 

   startswithlevel="231" 

   ticketpath="tex/menu/world/ticket_train_icon.png"></world>

4. Save the file, terminate the application and open it again. Voila! The game will not ask for tickets and you will advance to the next world, just like that!

This technique can be used to move from any world to the next one by modifying the "startsWithLevel" value. Good crushing!

Notes:

1) Again, this is not a complete assessment of the application's security. I just keep digging as I get stuck and keep finding useful things.

2) The communications from the device have not been analyzed at this point, I can imagine lots of fun stuff can be found there as well.