Martial Arts Brutality: A Case Study in Why Clients Should Never be Trusted

Martial Arts Brutality: A Case Study in Why Clients Should Never be Trusted


Martial Arts Brutality is an online PvP multi-platform CCG in which the players' turns are asynchronous. Although the turns only take a few seconds to complete, each player does not need to play their turns instantly, instead, they can wait up to two days before playing their turn. After two days, the player who's turn it is to play is marked as inactive, and can be attacked by the opposing player for free as many times as it takes to KO them. The combat involves clicking and holding the mouse button while performing certain patterns, or clicking on certain parts of the screen (or tapping/swiping in the case of phones or tablets). The patterns must be completed in a specific time frame, and the players only have a limited amount of time for each turn. Blocking works similarly to attacking.

In this article, I will be discussing a few topics, all relating to the idea of client trust. Offline turn resolution, offline in-app purchase authorization, and an attempt at preventing cross-play gone wrong.

Part 1: Client Trust in PvP Combat

Some History

Many years ago, most online games used some form of client-sided calculation for combat. Some examples of these are player locations, hitboxes, and in extreme cases, the server even relies on the clients to report damage taken or damage given. The reasons for this, as far as I am aware, were as follows:

  • Servers we not very powerful back in the day, and so it was very cost-effective to offload some of the CPU cycles to the clients connected to the server. Today, this is not so much of an issue.
  • Latency. Connecting to a server on the other side of the planet (even today) ruins the player experience by essentially taking control away from the player, and putting them in a situation where they are at the mercy of 0.4s. This is resolved today by regional servers and global server clusters.


Martial Arts Brutality has managed to avoid both of these issues by the virtue of asynchronous gameplay. If the servers get overloaded, nobody gets punished in-game for it. I really like this aspect of the game.

The design of the game is great, and I can't fault it, but as we will soon see, the game is built on top of a house of cards, and so no matter how good the the design, it flies out the window.

So What?

Martial Arts Brutality has the perfect design for server-trusted PvP. For one reason or another, the developer decided to trust the client. This means there are one million attack vectors for bad guys to perfect every single round. Speed hacks to slow down the game 100x to perfect every combo, client modification to skip long attack animations (giving the player more time to execute their combos), editing packets mid-flight or generating perfect combo packets and sending them across the wire, etc.

Part 2: Client Trust in In-App Purchases


In-app purchases started off fairly rudimentary. They were a way for app makers to monetize their apps. Then bad actors got smart, they realised they could spoof the apps into thinking that the transaction was successful without any funds being transferred. These days, almost every online game with in-app purchases uses a server to confirm with the provider (Google Play, Apple App Store, Steam) that the transaction went through successfully, before granting the purchased goods.


Martial Arts Brutality is available on Google Play, Apple App Store, and Steam. All three platforms have the same in-app purchases, and there is no way to transfer or share your account across platforms. The in-app purchases in the game are Pay-2-Win, meaning that if you had infinite currency to spend on them, you would never lose. Although I mentioned that there is no way to transfer or share your account across playforms, if you proxy the connection that the game client has to the server, you can substitute your login credentials with other login credentials, and get in using other accounts just fine, assuming you have the correct credentials. This means that if you are able to spoof the in-app purchase authority on one platform, you can proxy your connection on that platform, substitute in the authentication credentials from your preferred platform, and effectively "transfer" illegitimate purchases from one platform to another.

Part 3: The Bad Actor

Combining part 1 with part 2 you effectively unlock god-mode in this game.

It was pretty fun.