Whiteout Survival — API & Protocol Investigation Report V2

Version: 1.30.28 (Client 1.31.20) • Date: 2026-06-03 • Report Version: 2.1

Key Findings

1. Verified Player Data Extraction

Using the new wos_player_lookup.py tool, we can now extract real player data from PCAP captures. Below is the verified output for player "Pano":

Player: Pano (ID: 288,979,040)

Name
Pano
Power
762,043,293
Alliance
POL
Kingdom
2007
Language
pl
Avatar CDN
gof-formal-avatar.akamaized.net

✓ Power value EXACTLY matches in-game leaderboard screenshot

Usage Example

# Search for a specific player by ID
python3 wos_player_lookup.py --pcap capture.pcap --pid 288979040

# List all players found in capture
python3 wos_player_lookup.py --pcap capture.pcap --list

# Get JSON output
python3 wos_player_lookup.py --pcap capture.pcap --pid 288979040 --json

# Live server connection (requires session token)
python3 wos_player_lookup.py --token "YOUR_TOKEN" --pid 77754601

2. Power Leaderboard Correlation

Cross-referencing the live power leaderboard screenshot with PCAP binary data confirms our extraction methodology:

RankPlayerAlliancePower (Screenshot)Power (PCAP LE4)Match
1VISHENAEBAIRS973,248,215973,248,215EXACT
2BandiMadmanIRS858,363,844858,363,844EXACT
4PanoPOL762,043,293762,043,293EXACT
8PioIRS713,174,620713,174,620EXACT

3. Sproto Binary Protocol (TCP:30101)

3.1 Confirmed Player Profile Structure

The player profile in sproto type 0x5502 messages follows this binary layout in the packed stream:

[04 1f] [Player Name]    - 04=field tag, 1f=string marker
[04 04 1f] [Power LE4]   - 04 04=field tags, 1f=value marker, 4-byte LE power
[f1 04] [Kingdom LE4]    - f1 04=kingdom tag, LE4 kingdom composite ID
[f1 03] [Alliance Abbr]  - f1 03=alliance tag, 2-5 uppercase ASCII
[0d f8] [Alliance Full]  - full alliance name with sproto packing
[71 02] [Language]        - 2-char language code
[04 7c] [Player ID LE4]  - 04 7c=PID tag, 4-byte LE player ID
[20 fc] [Avatar Path]    - avatar URL path on CDN

3.2 Binary Verification: Pano's Profile

Hex dump of Pano's profile in the raw sproto S->C stream:

58842: 11 0b 04 1f 50 61 6e 6f          - "Pano" (04 1f prefix)
58850: 04 1f 1f 18 4e 04 04 1f
58858: 9d db 6b 2d                       - Power: 762,043,293 (LE4)
58862: 28 01 03 f1 04 ed 64 a0 77        - Kingdom: 2,007,000,301
58871: f1 03 50 4f 4c                    - "POL" alliance
58876: 0d f8 50 6f 6c 73 6b ff 00 61 48 75 73 61 72 69 61  - "PolskaHusaria"
58889: 71 02 70 6c                       - "pl" language
58893: 04 7c 60 78 39 11                 - Player ID: 288,979,040 (LE4)
58899: 20 fc 32 30 32 36...              - Avatar: /2026/04/15/lVMJMM_1776289540.png

3.3 Algorithm for Player Data Extraction

The extraction algorithm uses validated sproto tag patterns:

  1. Find alliance tag f1 03 [ALLIANCE] in the raw S->C stream
  2. Search BACKWARDS from alliance for power value: 1f [LE4 power] within 60 bytes
  3. Search BACKWARDS from power for player name: 04 1f [NAME] within 60 bytes
  4. Search FORWARD from alliance for kingdom: f1 04 [LE4 kingdom]
  5. Search FORWARD from alliance for PID: 04 7c [LE4 pid] or direct LE4 search
  6. Extract language code (2 lowercase chars) and avatar path

4. Network Architecture

4.1 Server Infrastructure

ServiceDomainPortProtocolPurpose
Game Servergof-login-formal-ga.centurygame.com30101sproto/TCPCore game state, POWER data
Chat Serverrtm-intl-frontgate.ilivedata.com13321FPNN/TCPChat, VIP/Kingdom/Alliance
Login APIgof-login-formal-ga.centurygame.com443HTTPSSession creation
GM APIgof-gm-api-formal-ga.centurygame.com443HTTPSGift code redemption
Passportpassport-apa.centurygame.com443HTTPSAccount auth
Giftcode APIwos-giftcode-api.centurygame.com443HTTPSPlayer info (limited)
Avatar CDNgof-formal-avatar.akamaized.net443HTTPSPlayer avatars
Platform Configplatform-config-prod.centurygame.com443HTTPSServer list, config

4.2 Connection Flow

1. App Launch
   -> platform-config-prod.centurygame.com (server list)
   -> passport-apa.centurygame.com (authenticate)
   -> gof-login-formal-ga.centurygame.com (session token)

2. Game Session
   -> TCP :30101 (sproto - ALL game data INCLUDING POWER)
   -> TCP :13321 (FPNN chat - VIP, alliance, kingdom)

3. Background
   -> logagent-rum.centurygame.com (analytics)
   -> gof-formal-avatar.akamaized.net (avatars)

5. Chat Protocol (FPNN over TCP:13321)

5.1 Chat Message Player Data

Chat messages contain JSON payloads with player metadata - the easiest way to get VIP, kingdom, and alliance info:

{
  "nickName": "Mr. Lonely",
  "vip": 9,
  "show_vip": 1,
  "kid": 2007,
  "abbr": "ONE",
  "uid": 78773088,
  "rank": 3,
  "torank": 1,
  "point": {"x": 770, "y": 698}
}

5.2 Fields Available from Chat

FieldTypeExampleDescription
nickNamestring"Mr. Lonely"Display name
vipint9VIP level
show_vip0/11VIP badge visibility
kidint2007Kingdom ID
abbrstring"ONE"Alliance abbreviation
uidint78773088Player UID
rank / torankint3 / 1Alliance rank change
pointobject{"x":770,"y":698}City coordinates

6. Player Data Fields Summary

FieldProtocolEncodingExampleDifficulty
Player Powersproto TCP:30101LE4 uint32762,043,293Medium (PCAP)
VIP LevelFPNN TCP:13321JSON int9Easy (chat)
Kingdom IDBothJSON int / LE42007Easy
AllianceBothString / JSON"POL"Easy
Player IDBothLE4 / JSON int288,979,040Easy
NameBothString / JSON"Pano"Easy
Languagesproto TCP:301012-char ASCII"pl"Medium
Avatarsproto TCP:30101String"/2026/04/15/..."Medium
CoordinatesFPNN TCP:13321JSON object{"x":770,"y":698}Easy

7. Security Observations

Critical Vulnerabilities

  1. Unencrypted game traffic - TCP:30101 uses plain TCP, not TLS. All game data including session tokens and power values transmitted in cleartext.
  2. Sensitive metadata in chat - VIP levels, kingdom IDs, alliance affiliations, UIDs, city coordinates in plain JSON.
  3. MD5-based signing (broken) - Request signatures use truncated MD5 (31 chars), which is cryptographically broken.
  4. Leaked GitLab token - glpat-ni86rqoefyhoTkMsNYiR embedded in APK config, could access private repositories.
  5. Interceptable player power - Any network observer can extract power rankings from unencrypted sproto protocol.

Anti-Cheat Measures

8. How to Get Player Data

Method 1: PCAP Analysis (Most Reliable)

  1. Install PCAPdroid on Android
  2. Start capture -> Open WOS -> Navigate to Power Leaderboard
  3. Stop capture -> Export PCAP
  4. Run: python3 wos_player_lookup.py --pcap capture.pcap --pid PLAYER_ID

Method 2: Live Server (Requires Token)

  1. Capture HTTPS login to get session token
  2. Run: python3 wos_player_lookup.py --token TOKEN --pid PLAYER_ID

Method 3: Chat Server (VIP/Kingdom Only - No Power)

Listen to chat messages for vip, kid, abbr fields. Power is NOT available via chat.

9. Credentials & Keys

CredentialValueSource
App Keyc37aba497f0fc9e6357a4b0d32b45e2fCGSettings in APK
Signing SalttB87#kPtkxqOS2Previous investigation (encrypted in current APK)
GitLab Tokenglpat-ni86rqoefyhoTkMsNYiRCGSettings in APK (LEAKED)
Game CodegomCGSettings
Client VersionUnity-gof-2.7.27 hashcode:913973874FPNN auth packet
Build Number20121CGSettings

10. File Inventory

FileDescription
wos_player_lookup.pyV4 Player Data Lookup tool - returns ACTUAL data from PCAP/server/API
wos_player_data.pyV3 Player Data Extractor (older version)
wos_get_player_power_v2.pyV2 Player Power script (older version)
wos-investigation/PCAPdroid_new_capture.pcapNetwork capture (663 KB)
wos-investigation/leaderboard_screenshot.jpgPower leaderboard screenshot
wos-investigation/extracted/Extracted APK files

11. Recommendations

  1. Extended PCAP capture - Capture while viewing leaderboard, alliance info, VIP benefits, and kingdom map
  2. Runtime Frida hooking - Hook sproto_decode() and luaL_loadbuffer() to extract schemas
  3. IL2CPP decryption - Hook HTProtect decryption on rooted device to get class/method names
  4. Test GitLab token - glpat-ni86rqoefyhoTkMsNYiR may access source code with protocol schemas