🔍 White Out Survival — sproto Protocol Analysis

Live traffic capture analysis | v1.31.20 | June 2026 | Century Game

🚨 CRITICAL DISCOVERY: sproto Protocol is UNENCRYPTED

The game's binary sproto protocol on port 30101 is transmitted in plaintext. All game data — including player names, alliance info, battle reports, shop items, and event schedules — can be captured and decoded from network traffic using a simple PCAP capture tool (like PCAPdroid on Android, no root required).

SECURITY ISSUE | NO ROOT REQUIRED | UNENCRYPTED BINARY PROTOCOL

  • Total Messages Captured: 362
  • Game Data Captured: 211 KB
  • Unique Strings Found: 2,402
  • Encryption Layers: 0

📡 Capture Information

| Parameter | Value |
|---|---|
| Game Server | 35.71.149.13:30101 |
| Protocol | sproto binary over raw TCP (port 30101) |
| Encryption | NONE — Plaintext sproto binary |
| Wire Format | [2-byte BE length][sproto payload] |
| Game Version | 1.31.20 (Build 829) |
| Player ID | 5579754 |
| Device | Xiaomi M2010J19SG |
| Platform | Android 10 |
| Language | Arabic (arab) |
| Capture Tool | PCAPdroid (no root) |
| Capture Duration | ~2 minutes of gameplay |

🔐 Login Packet Decoded

The first C2S packet (270 bytes) is the login/authentication message containing:

| Field | Value | Description |
|---|---|---|
| Session Token | 1C7nVYkXk4PbK5IqGAn4Ha4OMJGAWvvqElbWcMaPMl1nD9pP | 48-char base64 auth token |
| Player ID | 5579754 | Numeric player identifier |
| Version | 1.31.20 | Game client version |
| Device | Xiaomi M2010J19SG | Device model |
| Platform | android 10 | OS version |
| OS Build | 5.190.11 | Android build number |
| App Version | 2.46 | Internal app version |
| Channel | MA cc | Distribution channel |
| Device ID 1 | a6582219de75da476fa47557c33ac8 | Device fingerprint (30 chars) |
| Device ID 2 | b675f9dece5c883614587ca2 | Device fingerprint (24 chars) |
| Device ID 3 | 0fa6a4af6db385905b62736f618bad | Device fingerprint (30 chars) |
| Language | arab | Arabic language setting |

⚙️ Protocol Structure

Wire Format

+--------+------------------+
| Length | sproto Payload   |
| 2 bytes| N bytes          |
| BE u16 | Binary sproto    |
+--------+------------------+

Message Type Classification (First Byte of Payload)

| Type Byte | Name | Description | C2S Count / S2C Count |
|---|---|---|---|
| 0x55 | AUTH/PUSH | Authentication, push notifications, and late-bound game data | 158 |
| 0x15 | HEARTBEAT | Keep-alive ping/pong | 51 |
| 0x1d | RESPONSE | Server response to client request | 6167 |
| 0x5d | REQUEST | Client request to server | 4660 |
| 0x0d | DISCONNECT | Connection teardown | 02 |
| 0xd9 | BATTLE_NOTIFY | Battle notification push | 09 |
| 0xdd | UNKNOWN_PUSH | Unknown push type | 06 |

⚔️ Battle Report Protocol

The battle report data contains detailed attack/defense information with these protocol fields:

| Field Name | Occurrences | Description |
|---|---|---|
| atk_abbr | 101 | Attacker alliance abbreviation |
| result | 101 | Battle result (win/lose) |
| atk_uid | 101 | Attacker player UID |
| atk_uids | 101 | Attacker player UIDs (rally) |
| def_kid | 100 | Defender kingdom/server ID |
| side | 100 | Side identifier |
| def_uid | 98 | Defender player UID |
| def_abbr | 97 | Defender alliance abbreviation |
| def_nickName | 96 | Defender nickname |
| atk_nickName | 89 | Attacker nickname |
| battle_type | 87 | Type of battle |
| atk_kid | 82 | Attacker kingdom/server ID |
| def_uids | 79 | Defender player UIDs (rally) |
| battlefield_id | 71 | Battlefield identifier |
| target_type | 36 | Target type |
| def_hero_gen | 23 | Defender hero generation |
| atk_hero_gen | 22 | Attacker hero generation |
| is_awb | 40 | Alliance war boolean |
| is_bwb | 11 | Battle war boolean |
| is_ffwz | 11 | Unknown flag |
| targetid | 8 | Target identifier |
| boss_id | | Boss identifier |
| is_rewa | | Reward flag (truncated) |
| from_uid | 15 | Source player UID |
| count | | Battle count |

👤 Player Names Discovered

| Name | Occurrences | Context |
|---|---|---|
| Aldoss | 69 | Most referenced player |
| MAHA | 53 | Alliance member |
| CRYPTD / megaCRYPisolaTD | 46 | Alliance member |
| LEGEND | 31 | Alliance member |
| 3grams / 3grams2/7/8 | 15 | Multiple variants |
| Butter | 16 | Player name |
| Heart | 16 | Player name |
| Little | 11 | Player name (Lady prefix) |
| Lady | 11 | Player name prefix |
| King | 9 | Player name |
| Saladin | 8 | Player name |
| Dodi | | Player name |
| Magdalena | | Player name |
| Eleonora0 | | Player name |
| CHICOG238 / HICO238 | | Player name |
| StrokerAce / StrokerAce2 | | Player name |
| Spell1257 | | Player name |
| theshark#41 | | Player name |
| POU38 | | Frequently mentioned |
| TYPHON | | Alliance/member name |

🏰 Alliance Data

| Alliance | Abbreviation | Notes |
|---|---|---|
| NEXUS | IRS | Primary alliance in capture — player's alliance |
| PolskaHusaria | POL | Polish alliance |
| | ROG | Referenced in favorites |
| | OWL | Referenced in favorites |
| | FUN | Referenced in favorites |
| | ZRX | Referenced in favorites |
| | S10 | State 10 alliance |

Server: 172-2007-3 (State 2007)

🛒 Shop & Event Data

Shop Items

  • childrensday2026_single_giftbag_001
  • gem_shop_ui_07
  • small_stronghold_ui_46
  • slg_mail_ui_08
  • favorites_ui_18
  • alliance_building_name_8_1
  • alliance_building_name_8_2

Event Schedule (State 2007)

  • 🕐 Events WP/CC: 14 UTC / 19 UTC
  • 🕐 BT1: 18:30 UTC
  • 🕐 BT2: 13:30 UTC
  • 🕐 CJ: 19 UTC
  • 🎮 BATTLE RIB
  • 🎮 SNAP2
  • 🎮 LEADERS
  • 🧸 TEDDY? BEAR
  • ⚔️ Operative Enforcer
  • 🏆 KAMATCHO

🌐 Server Infrastructure

| Service | Endpoint | Purpose |
|---|---|---|
| Game Server | 35.71.149.13:30101 | Main sproto game server (AWS) |
| Match Maker 1 | specproxy16_match_maker_4_1778441937_3 | Battle matchmaking proxy |
| Match Maker 2 | specproxy20_match_maker_4_1778442615_3 | Battle matchmaking proxy |
| Content Moderation | m-intl-frontgate.ilivedata.com:13325 | Chat content filtering (iLiveData) |
| Content Moderation | m-intl-frontgate.ilivedata.com:13321 | Chat content filtering (iLiveData) |
| Facebook | 157.240.5.12:443 | Facebook SDK (TLS) |
| Google | 34.128.136.177:443 | Google Services (TLS) |
| Adjust | 197.230.210.16-17:443 | Adjust Analytics (TLS) |
| Tencent | 170.106.34.73:443 | Tencent Services (TLS) |

🛡️ Content Moderation System

The game uses the iLiveData content moderation service for chat filtering. The connection includes an authentication key:

Service: m-intl-frontgate.ilivedata.com
Port 1: 13325 (primary)
Port 2: 13321 (secondary)
Auth Key (hex): 17B72EA2BE099B521E3E18B5797CE8D71B2952347A38B75EEAEF1925C4CD3FB20F2A162E7444BD3FB01ADA0E

🖼️ Avatar/Image CDN URLs

Player avatars are served from a CDN with date-based paths:

| URL Pattern | Notes |
|---|---|
| 2026/06/01/wl9Y9z_1780329465.png | Player avatar |
| 2026/05/09/Xqwvm5_1778332770.png | Alliance notice image |
| 2026/05/22/JK7yJD_1779477177.png | Alliance notice image |
| 2026/05/31/zQlpQ2_1780212545.png | Alliance notice image |
| 2026/03/29/7w42E8_1774795211.png | Alliance notice image |

Format: YYYY/MM/DD/{random}_{unix_timestamp}.png

📋 Previous Investigation Findings

| Finding | Value |
|---|---|
| Web Signing Secret | UxXkyv4g9nmvK8gP (MD5 web sign) |
| Gift Code Salt | tB87#kPtkxqOS2 |
| AES-192 Key | Jm93LUl9xqWd/1Ar+7QXeApCZw== (base64) |
| Web API Base | https://wos-giftcode.centurygame.com |
| FPCS Gateway | wss://fpsc*.centurygame.com |
| sproto Messages | 209 total (77 NOTIFY + 132 REQ) |
| Test Player | ID 250893802 → "FADL2", State 2007, Furnace Lv31 |
| APK Version | v1.31.20 (XAPK, 1008MB) |

🎯 Attack Surface Summary

Unencrypted sproto Protocol (Port 30101)

Severity: HIGH — All game data transmitted in plaintext over raw TCP. No TLS, no application-level encryption. Any network observer can capture and decode:

Additional Security Notes

🔬 Methodology

  1. APK reverse engineering — extracted signing secrets, AES key, sproto message names from libtolua.so
  2. PCAPdroid traffic capture on non-rooted Android device
  3. PCAP analysis using Scapy — identified game server IP and port
  4. Binary protocol identification — 2-byte BE length prefix + sproto payload
  5. String extraction from all game packets — 2,402 unique strings
  6. Message type classification by first byte pattern
  7. Field name extraction from battle report structures
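
Steps 4 to 6 above, written as a check a developer can run on a test capture to see whether framed payloads are readable. This is an added example, not code from the original report. It assumes one direction of an already reassembled TCP stream; the function names, the sample stream and the player name in it are constructed, and only the framing and the type-byte names come from the tables above.

```python
import re
import struct
from collections import Counter

# Type-byte names copied from the report's classification table.
TYPE_NAMES = {0x55: "AUTH/PUSH", 0x15: "HEARTBEAT", 0x1D: "RESPONSE",
              0x5D: "REQUEST", 0x0D: "DISCONNECT", 0xD9: "BATTLE_NOTIFY",
              0xDD: "UNKNOWN_PUSH"}

def split_frames(stream: bytes):
    """Split one direction of a reassembled TCP stream into payloads.

    Returns (payloads, leftover); leftover holds an incomplete final frame.
    """
    payloads, off = [], 0
    while off + 2 <= len(stream):
        (length,) = struct.unpack_from(">H", stream, off)  # 2-byte BE length
        if off + 2 + length > len(stream):
            break  # rest of this frame is in a segment not captured yet
        payloads.append(stream[off + 2:off + 2 + length])
        off += 2 + length
    return payloads, stream[off:]

def printable_strings(payload: bytes, min_len: int = 4):
    """Return runs of printable ASCII, the sign of an unencrypted payload."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, payload)]

def audit(stream: bytes) -> dict:
    """Summarise frame types and readable strings for one stream."""
    payloads, leftover = split_frames(stream)
    types = Counter(TYPE_NAMES.get(p[0], f"0x{p[0]:02x}") for p in payloads if p)
    found = [printable_strings(p) for p in payloads]
    return {"frames": len(payloads),
            "types": dict(types),
            "plaintext_frames": sum(1 for f in found if f),
            "strings": sorted({s for f in found for s in f}),
            "leftover_bytes": len(leftover)}

def frame(payload: bytes) -> bytes:
    """Prefix a payload with its 2-byte big-endian length."""
    return struct.pack(">H", len(payload)) + payload

# Constructed sample stream (not captured traffic): three whole frames
# followed by a truncated fourth that announces 16 bytes but carries 2.
SAMPLE = (frame(b"\x5d\x01\x00atk_nickName\x00ExamplePlayer")
          + frame(b"\x15\x00\x01")
          + frame(b"\x1d\x02def_abbr\x00TST")
          + b"\x00\x10\x5d\x01")

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A non-zero `plaintext_frames` count on a build that is supposed to encrypt its traffic is the regression to alert on; once transport encryption is in place the framing itself should no longer be visible in the stream.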
