Hacking agar.io

If you remember from previous posts on here, I managed to successfully hack the popular agar.io game to remove the advertisements. I thought I would follow-up with some pertinent information about the company Miniclip who makes the game. Please read on, you’ll be glad you did.

Over the months since then, those posts on my site have been quite popular. They’re quite possibly the 3rd-highest content for organic search engine hits here on WordPress for my blog. At some point, I would guess that my posts became known by the game makers themselves at Miniclip who have actually invested time and effort to try to block me from their game.

The first level of pushback from them came when they tried to prevent me from entering my name 👁‍🗨⚙ in the interface by messing with the character kerning between both characters, making it look stupid, basically (something like this 👁‍🗨        ⚙). So of course, I just changed my name to ⚙👁‍🗨 instead and played on.

This worked for some time (a year?). After this, and for some unremembered reason, I wanted to temporarily change my name. When I went to change it back, I found that Miniclip now blocked me from entering either character: they actively prevent the use of these two characters in the game simply for the purpose of spiting me!

So I changed my name and played on. But perhaps three days ago, my iPad was bricked. I actually had to stay on the phone with Apple support since it wouldn’t get past the initial registration screen. So I had to restore the iPad and then apply a previous backup. After all that things seemed to be back to normal.

And then I played the agar.io game and it bricked itself during game play. You guessed it: Miniclip has added this evil code to their game for taking out users they don’t like.

From the wiki page on Miniclip:

On 1 September 2005, the United States Computer Emergency Readiness Team issued an advisory concerning Miniclip:

The Retro64 / Miniclip CR64 Loader ActiveX control contains a buffer overflow vulnerability. This may allow a remote, unauthenticated attacker to execute an arbitrary code on a vulnerable system…. Although the ActiveX control is no longer in use by either retro64.com or miniclip.com, any system that has used certain pages of these web sites in the past (prior to September, 2005) may be vulnerable.[7]

In 2006, several security firms reported that some Miniclip users had installed a “miniclipgameloader.dll” which contained the hostile code identified as “Trojan DownLoader 3069”.[8] In the same year, another download related to Miniclip installed “High Risk” malware called “Trojan-Downloader.CR64Loader”.[9]

So Miniclip already has a history of installing malware in their games for the purpose of hacking their users.

I would strongly suggest boycotting Miniclip and uninstalling any of their apps as a result of these findings. I will be reporting them to Apple iTunes as a result of this.

hacking agar.io, part 5

I guess now anyone who’s been following will also want a chance to play Agar.io without ads. Here are the step-by-step instructions.

Note: Throughout, I’ll use as the IP address of the DNS server you’ll be creating. Assume that every time you see this, you’ll be substituting your own server’s private IP address. Any other IP address you see should be typed in exactly as I’ve shown.

I’ll be including instructions for two different DNS servers. Choose the one that makes more sense for you based upon your experience.

Node.js DNS server version

Since I like JavaScript, here’s a Node.js implementation which may be augmented to include a nice HTML administrative interface if you’d like. I haven’t gotten quite that far yet but you can see what it takes to host a DNS server and a webserver all in one application.

  1. I assume that you already have Node.js installed, as well as npm and the express-generator. If not, you’ll need to install each first.
  2. Open a terminal
  3. Change to your home directory and optionally, change into a subfolder like ~/Sites like I did. Create one if necessary with: mkdir ~/Sites
  4. Run the express command to generate a new project:  express one-trick-pony
  5. If that ran correctly, change into the newly-created folder:  cd one-trick-pony
  6. Run the npm command to install the dependencies:  npm install
  7. Determine the IP address of your server and save this information for later: ifconfig | grep en1
  8. Run the npm command to install dnsd into your project (those are two hyphens without a space between them):  npm install dnsd --save
  9. Edit the www file:  vi ./bin/www
    1. After this line var http = require('http'); add the indicated text seen in the block quote below
    2. After this line server.on('listening', onListening);, optionally add the line:  console.log('Webserver running at *:3000');
  10. Determine the path of the node command you usually use and save this information for later:  which node
    1. Run the su command to elevate into superuser (root) mode:  su
    2. Change to the working folder from before: cd /Users/yourname/Sites/one-trick-pony
    3. Run the node command giving a full path to the executable, which you found in the earlier step: ../../local/node/bin/node ./bin/www
    4. At this point, you should see that the server is running, indicating that it’s listening to two different ports:  53 (DNS) and 3000 (HTTP).
  11. From a workstation you can verify that the DNS server is running with the indicated command, noting that the server should still be logging requests:  dig @ www.agar.io
  12. Now from the iPad, for example, go to Settings -> Wi-Fi -> select the i logo next to your connected local wi-fi zone -> DHCP -> DNS -> (write down everything here and save it), overwrite it with (your server’s private IP address)
  13. Press the Home button twice and if Agar.io is running, swipe up to remove it from memory
  14. Start up the Agar.io app and verify that it logs in (even with Facebook), it works AND it no longer displays advertisements.
  15. When you’re finished, in Settings -> Wi-Fi, either “Forget This Network” your existing local wi-fi profile (re-entering your password) or manually re-enter the earlier DNS information that you wrote down from an earlier step.  Your iPad is now ready to behave like before.
  16. When you’re completely finished, go back to the server’s terminal session and press Ctrl-C to end Node and then enter the exit command to leave the su session.

Code to add into the ./bin/www file:

var dnsd = require('dnsd');

// Replace every <...> placeholder before running: SERVER_IP is this machine's
// private IP; the others are the addresses nslookup returns for that name.
var SERVER_IP = '<your server private IP>';

function dns_handler(req, res) {
  // Log every request so you can see what the app is asking for
  console.log('%s:%s/%s %j', req.connection.remoteAddress,
    req.connection.remotePort, req.connection.type, req);

  var question = res.question[0],
      hostname = question.name,
      length = hostname.length,
      ttl = Math.floor(Math.random() * 3600);

  if (question.type == 'A') {
    // Agar.io website
    if (hostname == 'agar.io' || hostname == 'www.agar.io' || hostname == 'm.agar.io') {
      res.answer.push({name:hostname, type:'A', data:'<agar.io IP 1>', 'ttl':ttl});
      res.answer.push({name:hostname, type:'A', data:'<agar.io IP 2>', 'ttl':ttl});
    }
    // Facebook.com authentication
    if (hostname == 'facebook.com') {
      res.answer.push({name:hostname, type:'A', data:'<facebook.com IP>', 'ttl':ttl});
    }
    if (hostname == 'www.facebook.com') {
      res.answer.push({name:hostname, type:'A', data:'<www.facebook.com IP>', 'ttl':ttl});
    }
    if (hostname == 'graph.facebook.com') {
      res.answer.push({name:hostname, type:'A', data:'<graph.facebook.com IP>', 'ttl':ttl});
    }
    // AmazonAWS
    if (hostname == 'prod-miniclip-v3-881814867.us-west-2.elb.amazonaws.com') {
      res.answer.push({name:hostname, type:'A', data:'<elb IP 1>', 'ttl':ttl});
      res.answer.push({name:hostname, type:'A', data:'<elb IP 2>', 'ttl':ttl});
      res.answer.push({name:hostname, type:'A', data:'<elb IP 3>', 'ttl':ttl});
    }
    // Miniclippt.com
    if (hostname == 'mobile-live-v5-0.agario.miniclippt.com') {
      res.answer.push({name:hostname, type:'A', data:'<miniclippt IP 1>', 'ttl':ttl});
      res.answer.push({name:hostname, type:'A', data:'<miniclippt IP 2>', 'ttl':ttl});
      res.answer.push({name:hostname, type:'A', data:'<miniclippt IP 3>', 'ttl':ttl});
      res.answer.push({name:hostname, type:'A', data:'<miniclippt IP 4>', 'ttl':ttl});
    }
  }
  // Send the response (empty for any name not listed above)
  res.end();
}

var dnsServer = dnsd.createServer(dns_handler);
dnsServer.zone('agar.io', 'ns1.agar.io', 'root@agar.io', 'now', '2h', '30m', '2w', '10m');
dnsServer.zone('facebook.com', 'ns1.facebook.com', 'root@facebook.com', 'now', '2h', '30m', '2w', '10m');
dnsServer.zone('amazonaws.com', 'ns1.amazonaws.com', 'root@amazonaws.com', 'now', '2h', '30m', '2w', '10m');
dnsServer.zone('miniclippt.com', 'ns1.miniclippt.com', 'root@miniclippt.com', 'now', '2h', '30m', '2w', '10m');
dnsServer.listen(53, SERVER_IP);
console.log('DNS server running at ' + SERVER_IP);

Bind DNS server version

This version will assume that you have a Linux (Ubuntu, in this case) server or workstation that can run the bind9 service.

Here, I assume that you’re comfortable with commands in a terminal, know what sudo does and can use the vi editor to edit and save a file. You know what touch does. If any of these don’t sound familiar, then this probably isn’t the option for you.

On a Linux (Ubuntu) server, do the following:

  1. Make sure that your system is up-to-date:
    1. sudo apt-get update
    2. sudo apt-get upgrade
    3. sudo apt-get dist-upgrade
  2. Install the DNS service, noting that it will take a fair amount of configuration work
    1. sudo apt-get install bind9 bind9utils bind9-doc
  3. cd /etc/bind
  4. Create four empty files, one per “forward” zone. In the next steps you’ll be editing each, making sure to substitute your own server’s private IP address in each case.
    1. sudo touch for.agar.io
    2. sudo touch for.facebook.com
    3. sudo touch for.miniclippt.com
    4. sudo touch for.amazonaws.com
  5. sudo vi for.agar.io
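    1. $TTL 86400
      @   IN  SOA     pri.agar.io. root.agar.io. (
                      2011071001  ;Serial
                      3600        ;Refresh
                      1800        ;Retry
                      604800      ;Expire
                      86400       ;Minimum TTL
                      )
      @       IN  NS          pri.agar.io.
      @       IN  A           <agar.io address 1 from nslookup>
      @       IN  A           <agar.io address 2 from nslookup>
      pri     IN  A           <your server's private IP>
      www     IN  A           <www.agar.io address 1 from nslookup>
      www     IN  A           <www.agar.io address 2 from nslookup>
      m       IN  A           <m.agar.io address 1 from nslookup>
      m       IN  A           <m.agar.io address 2 from nslookup>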

  6. sudo vi for.facebook.com
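    1. $TTL 86400
      @   IN  SOA     pri.facebook.com. root.facebook.com. (
                      2011071001  ;Serial
                      3600        ;Refresh
                      1800        ;Retry
                      604800      ;Expire
                      86400       ;Minimum TTL
                      )
      @       IN  NS          pri.facebook.com.
      @       IN  A           <facebook.com address from nslookup>
      pri     IN  A           <your server's private IP>
      www     IN  A           <www.facebook.com address from nslookup>
      graph   IN  A           <graph.facebook.com address from nslookup>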

  7. sudo vi for.miniclippt.com
    1. $TTL 86400
      @   IN  SOA     pri.miniclippt.com. root.miniclippt.com. (
                      2011071001  ;Serial
                      3600        ;Refresh
                      1800        ;Retry
                      604800      ;Expire
                      86400       ;Minimum TTL
                      )
      @       IN  NS          pri.miniclippt.com.
      pri     IN  A           <your server's private IP>
      mobile-live-v5-0.agario     IN  A   <address 1 from nslookup>
      mobile-live-v5-0.agario     IN  A   <address 2 from nslookup>
      mobile-live-v5-0.agario     IN  A   <address 3 from nslookup>
      mobile-live-v5-0.agario     IN  A   <address 4 from nslookup>

  8. sudo vi for.amazonaws.com
    1. $TTL 86400
      @   IN  SOA     pri.amazonaws.com. root.amazonaws.com. (
                      2011071001  ;Serial
                      3600        ;Refresh
                      1800        ;Retry
                      604800      ;Expire
                      86400       ;Minimum TTL
                      )
      @       IN  NS          pri.amazonaws.com.
      pri     IN  A           <your server's private IP>
      prod-miniclip-v3-881814867.us-west-2.elb  IN  A   <address 1 from nslookup>
      prod-miniclip-v3-881814867.us-west-2.elb  IN  A   <address 2 from nslookup>
      prod-miniclip-v3-881814867.us-west-2.elb  IN  A   <address 3 from nslookup>

  9. sudo vi named.conf.local
    1. # Append this to the file:
      zone "agar.io" {
          type master;
          file "/etc/bind/for.agar.io";
      };

      zone "facebook.com" {
          type master;
          file "/etc/bind/for.facebook.com";
      };

      zone "amazonaws.com" {
          type master;
          file "/etc/bind/for.amazonaws.com";
      };

      zone "miniclippt.com" {
          type master;
          file "/etc/bind/for.miniclippt.com";
      };

  10. sudo vi named.conf
    1. # Append this to file:
      logging {
          channel query.log {
              file "/var/log/query.log";
              severity debug 3;
          };
          category queries { query.log; };
      };

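  11. Make sure that the service can read/control its configuration files (note that the recursive chmod below also makes /etc/bind/rndc.key, the key for named's control channel, readable by every local user):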
    1. sudo chmod -R 755 /etc/bind
    2. sudo chown -R bind:bind /etc/bind
  12. sudo vi /etc/apparmor.d/usr.sbin.named
    1. # Insert this line inside the “/usr/sbin/named {” section

      /var/log/query.log w,

  13. Create an empty log file, change ownership and make sure that the service can write to it
    1. sudo touch /var/log/query.log
    2. sudo chown bind /var/log/query.log
    3. cat /etc/apparmor.d/usr.sbin.named | sudo apparmor_parser -r
  14. Verify that the configuration files will parse correctly:
    1. sudo named-checkconf /etc/bind/named.conf
    2. sudo named-checkconf /etc/bind/named.conf.local
    3. sudo named-checkzone agar.io /etc/bind/for.agar.io (repeat for other zone files)
  15. Stop/start the DNS service:
    1. sudo systemctl restart bind9
  16. Follow the instructions from step 11 in the Node.js section to verify that the DNS server is running, substituting the IP address of the Ubuntu server.
  17. As before, configure the iPad to use your server’s IP address and test the Agar.io app
  18. You can watch what the app is querying from your server, giving you insight into how many ad servers are actually involved: tail -f /var/log/query.log
  19. When you are completely finished, you may stop the DNS server:  sudo systemctl stop bind9

That’s it. I’ve described how to set up two different DNS servers which should effectively cheat the ads you’d normally see during Agar.io game play.

And now, I think I’ll settle into some uninterrupted Agar.io and all without having to unnecessarily stop the game to shutdown some long-running/buggy ad attempt (losing my earned XP points).
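Step 18 of the BIND procedure watches /var/log/query.log by eye. As an added example (not code from the original post), the following Node.js script parses query-log lines and sorts each queried name into answered, no record, or outside the hosted zones, assuming recursion is disabled as part 3 describes. The sample log lines, the client and server addresses, and the example.net and example-ads names are constructed.

```javascript
// Zones and A-record names taken from the zone files in the post.
const HOSTED_ZONES = ['agar.io', 'facebook.com', 'amazonaws.com', 'miniclippt.com'];
const A_RECORD_NAMES = new Set([
  'agar.io', 'www.agar.io', 'm.agar.io',
  'facebook.com', 'www.facebook.com', 'graph.facebook.com',
  'prod-miniclip-v3-881814867.us-west-2.elb.amazonaws.com',
  'mobile-live-v5-0.agario.miniclippt.com',
]);
for (const zone of HOSTED_ZONES) A_RECORD_NAMES.add('pri.' + zone);

// "queries" category line. The leading timestamp, the "@0x..." client id and
// the "(qname)" group are present only with some BIND versions and options.
const QUERY_RE =
  /client (?:@0x[0-9a-f]+ )?([0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: query: (\S+) (\S+) (\S+)/;

function parseQueryLine(line) {
  const m = QUERY_RE.exec(line);
  if (!m) return null;
  return {
    client: m[1],
    name: m[2].toLowerCase().replace(/\.$/, ''), // DNS names are case-insensitive
    qclass: m[3],
    qtype: m[4],
  };
}

// What an authoritative-only server holding the post's zones does with a query.
function classify(name, qtype) {
  const inZone = HOSTED_ZONES.some((z) => name === z || name.endsWith('.' + z));
  if (!inZone) return 'outside';                    // not ours, no recursion: lookup fails
  if ((qtype === 'NS' || qtype === 'SOA') && HOSTED_ZONES.includes(name)) return 'answered';
  return qtype === 'A' && A_RECORD_NAMES.has(name)
    ? 'answered'                                    // the app gets an address
    : 'no-record';                                  // in our zone, nothing to return
}

function summarizeQueryLog(text) {
  const summary = { answered: {}, 'no-record': {}, outside: {}, unparsed: 0 };
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    const q = parseQueryLine(line);
    if (!q) { summary.unparsed += 1; continue; }
    const bucket = summary[classify(q.name, q.qtype)];
    const key = q.name + ' ' + q.qtype;
    bucket[key] = (bucket[key] || 0) + 1;
  }
  return summary;
}

// Constructed sample input, not captured from a real server.
const SAMPLE_LOG = [
  'client 192.168.1.20#51234 (www.agar.io): query: www.agar.io IN A + (192.168.1.5)',
  'client 192.168.1.20#51235 (www.agar.io): query: www.agar.io IN AAAA + (192.168.1.5)',
  '10-Jun-2016 20:14:03.112 client 192.168.1.20#51236 (graph.facebook.com): query: graph.facebook.com IN A + (192.168.1.5)',
  'client 192.168.1.20#51237 (ads.example.net): query: ads.example.net IN A + (192.168.1.5)',
  'client 192.168.1.20#51238 (ads.example.net): query: ads.example.net IN A + (192.168.1.5)',
  'client @0x7f3a2c0a1b20 192.168.1.20#51239 (example-ads.facebook.com): query: example-ads.facebook.com IN A + (192.168.1.5)',
  'zone agar.io/IN: loaded serial 2011071001',
].join('\n');

console.log(JSON.stringify(summarizeQueryLog(SAMPLE_LOG), null, 2));
```

The "outside" bucket is the list of hosts the app wanted and did not get, which is where the ad servers show up.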

hacking agar.io, part 4!

Eureka! I’ve managed to totally cheat the ads and still play Agar.io on my iPad! Yesh.

For those of you following along, here are the entries that I had to create in my surrogate DNS server:

  • agar.io (with A records @, www and m)
  • facebook.com (with A records @, www and graph)
  • amazonaws.com (with A record prod-miniclip-v3-881814867.us-west-2.elb)
  • miniclippt.com (with A record mobile-live-v5-0.agario)

This allows the game to start up, authenticate via Facebook’s mechanism and start the game. Gone are the ads in their entirety.

hacking agar.io, part 3

This would be the third post in a series. You might want to read the first in the series if you haven’t already done so. Here, I continue with the work related to rendering the game server’s ads so that they don’t display at all.

DNS server

It struck me that if I could build a relatively-ignorant DNS server of my own and point my iPad to it then I could control which servers my computer talks to. Remove everything but the minimum and this should work for killing the Agar.io advertisements.

So I would need to use nslookup to find the IP addresses of the servers the game talks to. And since I’m authenticating via Facebook’s mechanism I’d need to educate the DNS server to this as well.

I happen to have an Ubuntu server which is under-utilized at the moment since I’m using it to develop WordPress plugins. So I installed bind9 (the DNS service) on this server and then configured it with some entries and zones:

  • agar.io @, www and m
  • facebook.com @ and www

For each of the entries above, I just used the nslookup command to determine what the normal IP address(es) would be and used those values.

The next step would be to make sure that this bind service does not do recursive lookups, in other words, it won’t ask for help if it doesn’t know the zone in question. So in theory, it will only give answers to the entries I’ve made; anything else will fail a lookup.

Next, on the iPad -> Settings -> Wi-fi -> my zone area, I manually set the only DNS server to be the IP address of my private server. I then confirmed that in a browser I could not resolve Google.com but could see the webpage for Agar.io.

Did it work? Not yet. Upon startup it is missing a critical server it needs to talk to and the app now can’t do the DNS lookup to find that server. It’s okay. I’ll keep hacking away at this to find out what server that is. I should be able to get this approach to work, I just need to go to school on the application some more to find out.

hacking agar.io, part 2

This would be the second post in a series. You might want to read the first in the series if you haven’t already done so. Here, I continue with the work related to redirecting the game’s server traffic to my own website so that I can discover the interface.

DNS server

I first install Dnsmasq on my MacBook, add a single entry to its /etc/hosts file to redirect traffic for m.agar.io to my MacBook’s private IP address. Starting up Dnsmasq I then have a DNS server which will redirect game traffic to my own website. Make sure that the program is running by entering ps aux|grep dnsmasq|grep -v grep. You should see an entry for this program.

It’s probably a good idea to test your DNS server to verify that it returns the expected information.

$ nslookup
> server myip
> m.agar.io.
> exit

After entering the third line above you should see a DNS lookup which returns your server’s private IP address.

Our website

In my ~/sites folder, I run the following command to use Express to generate a generic website: express agar. As is usual for Express, I change into the newly-created agar directory and then run npm install to bring in the dependencies. Since the default installation binds to an upper TCP port and we want the standard port 80 instead, I then edit the bin/www file in this folder and replace the port number 3000 with 80 on a single line.

Note that Node.js, the underlying program that serves up an Express website, will not be able to bind to port 80 since it’s reserved unless I’m running as the root user. If your own user is set up to run the sudo command then you should be able to start this website with the command sudo npm start in the agar folder. Otherwise, you’ll have to run just su to become the root user, navigate back into your user folder area to find this folder and then just run npm start instead.

It’s probably a good idea to test the website by bringing up Safari and entering the address http://myip/ (substituting my private IP address) to see if it works.

Configuring the iPad

At this step, I’ll need to tell the iPad’s Wi-Fi configuration to use my own DNS server first and then the existing set of DNS servers next. You’ll find this under Settings -> Wi-Fi -> select the i button next to your own connected Wi-Fi network -> DHCP -> DNS -> prepend your own server’s private IP address and a comma at the beginning of the list.

This is the initial preparation for redirecting the game traffic to your own website. Note that the Node.js website while running will write to its log file and this will be our method of discovering the interface for Agar.io.

Discovery phase

By now attempting to play the Agar.io game on the iPad, it makes requests to what it thinks is the server. Only these requests are now being sent to my website instead. As each attempt is logged as a failure on my own website, I then make this call manually in another computer to the actual Agar.io website to see what it’s supposed to return.

For example, the game makes a request to the game server’s interface with just /info as the URL.

/info returns:


As you can see, this is a fair bit of information. The format is known as json in case it’s not familiar to you. As of my writing this, there appear to be over 61,000 players in the game right now and well over 700 servers with almost half of those enabled. So this would be why it’s difficult to get a simultaneous FFA game with your friends: the odds are against you.

Without further ado, here are the other queries which I discovered.

/ returns:

This appears to be your issued server and port on the first line and what is likely its instance alias from whichever cloud-based company they’re using.

/getLatestID returns:


I know, not very impressive. But it appears to be the highest user ID for your issued server.

/findServer returns:


Another json response, this appears to also be issuing you a server and port. It’s possible that the first home query is asked at the beginning of the game and then /findServer is called each time you die in the game.

So far, this appears to be everything I’ve learned from this redirection technique.


At this point, I now have the game interface which the Agar.io app uses to communicate with the server. It likely makes more requests but that’s good for now. I could have enough to go on in order to work up something so that multiple iOS people could join the same FFA game, for example, since we know this issuing mechanism.
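The discovery phase above reads the endpoints out of the website's request log by hand. As an added example (not code from the original post), this Node.js catalog records each redirected request by method, Host header and path, so the distinct endpoints and how often the app calls them fall out directly. The function names and the query parameter named sample are hypothetical, and the sample requests are constructed from the paths listed above.

```javascript
// Collects the distinct endpoints a redirected client asks for.
function createEndpointCatalog() {
  const endpoints = new Map(); // "METHOD host/path" -> entry

  function record(req) {
    // The Host header tells us which redirected name the app was calling.
    const host = String((req.headers && req.headers.host) || '')
      .toLowerCase()
      .replace(/:\d+$/, ''); // drop an explicit port
    let path = req.url;
    let params = [];
    try {
      // Origin-form targets ("/info?x=1") need a base; the base is a dummy.
      const u = new URL(req.url.startsWith('/')
        ? 'http://placeholder.invalid' + req.url
        : req.url);
      path = u.pathname;
      params = [...u.searchParams.keys()];
    } catch (err) {
      // Unparseable target: keep the raw string as the path.
    }
    const key = req.method + ' ' + host + path;
    let entry = endpoints.get(key);
    if (!entry) {
      entry = { method: req.method, host, path, hits: 0, params: new Set() };
      endpoints.set(key, entry);
    }
    entry.hits += 1;
    for (const p of params) entry.params.add(p); // names only, never values
    return entry;
  }

  // Most-requested first, then by path for a stable order.
  function list() {
    return [...endpoints.values()]
      .map((e) => ({ ...e, params: [...e.params].sort() }))
      .sort((a, b) => b.hits - a.hits || (a.path < b.path ? -1 : a.path > b.path ? 1 : 0));
  }

  return { record, list };
}

// Wires the catalog into a plain Node HTTP server; every request gets a 404,
// just as the generated Express site would answer for an unknown route.
function startDiscoveryServer(catalog, port) {
  const http = require('http');
  return http.createServer((req, res) => {
    const e = catalog.record(req);
    console.log('%s %s%s (seen %d times)', e.method, e.host, e.path, e.hits);
    res.statusCode = 404;
    res.end();
  }).listen(port);
}

// Constructed sample requests using the paths named in the post.
const SAMPLE_REQUESTS = [
  { method: 'GET', url: '/info', headers: { host: 'm.agar.io' } },
  { method: 'GET', url: '/', headers: { host: 'm.agar.io' } },
  { method: 'GET', url: '/info', headers: { host: 'M.AGAR.IO:80' } },
  { method: 'GET', url: '/findServer', headers: { host: 'm.agar.io' } },
  { method: 'GET', url: '/getLatestID?sample=1', headers: { host: 'm.agar.io' } },
];

const demoCatalog = createEndpointCatalog();
for (const r of SAMPLE_REQUESTS) demoCatalog.record(r);
console.log(demoCatalog.list());
```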

hacking agar.io

In an earlier post I described an addictive game called Agar.io, an interactive eat-or-be-eaten game involving graphical dots. In this series of posts, I’ll be attempting to hack the game to see what I can get away with.


Define:  hacking

I suppose there are several ways of interpreting the term hack here. In the movies, some character will “hack the mainframe” or some other nonsense. And we’re also familiar with someone who attempts to use techniques to hack a website, perhaps injecting SQL code into an innocent-looking HTML form. Here, I refer to one of the original uses of the word, to hack away at a problem until it is solved. I’m interested in the game itself, how it talks to the server and I’d like to go to school on their efforts. As a coder of smartphones myself I’d call that part of the learning curve.


Ultimately, I would like to learn how the game works behind-the-scenes. I do have some secondary goals though. It would be interesting to see if it is in fact possible to edit an existing iOS app and have it still work and all without the original coder’s digital certificate. If successful, I think the first order of business would be to remove the ads you might see during game play. Another personal goal would be to allow multiple friends on iOS devices to play the FFA (free-for-all) mode of the game with each other; this could be made possible with a proxy server, I’d propose.

The platform

Currently, I play the Agar.io game on an iPad II since I prefer the interface over a browser-based version that’s available. So I will be attempting to hack the Apple store app ultimately.

This may turn out to be impossible since an app that runs on iOS is supposed to be digitally signed to prevent tampering. And yet this is what I intend to do, nonetheless. I’ll be testing that assertion to see if a hacked app will still work.


Here, I’ll discuss some of the concepts of the approaches I’ll take.

  • Patching:  Patching is an old-school technique in which binary code, for example, is edited in place with a script. Individual characters or code is replaced in the original to create a new file. The patch program itself works together with another program called diff, used to calculate the differences between two files.
  • DNS:  This service is responsible for looking up a name like m.agar.io and replacing it with an IP address.
  • Redirection:  Using your own DNS server so that you can redirect requests to your own website instead of the intended one.
  • iOS app:  An iOS app might seem a little daunting if you’re not a coder. It’s actually a collection or manifest of files all rolled up into one .ipa file. I think it’s safe to say that the app was written in Apple’s Xcode using a computer language like Objective-C or Swift.
  • Ad-based add-ons:  It’s clear that Agar.io has many opportunities to display ads within the game itself. The programming interface to these (for the Agar.io developer) is almost always JavaScript-based.
  • Tethering:  Connecting a smartphone (or the iPad in this case) to a computer to allow for interaction (like development testing) to occur.

Throughout this series of posts keep in mind that if I’m indicating a command, it’s often being done on a MacBook with OS X 10.11.5 El Capitan at a shell prompt. Otherwise, I could be referring to something I’m doing on an iPad II with iOS 9.3.2 installed.

DNS server

I’ll be using the Dnsmasq easy-to-implement DNS server for redirecting Agar.io’s server requests to my own website. I’ll then configure my iPad to use this server first when doing DNS lookups.

Discovery website

And since I’m familiar with Node.js and Express I’ll be using this to mock up a website for those redirected app requests. When the iPad makes a request to what it thinks is the Agar.io website, I will see that request in my website’s logs.

This could be technically called a man-in-the-middle technique since I could then have my own website forward the request to Agar.io’s actual server and then answer the iPad with that response, adjusting it if I wanted to. I guess technically you could also call this a proxy approach.

Binary editor

I’ll likely also use Hex Fiend at least minimally to find the location within the main program app where I’ll be patching the code.

Installing a modified app

Normally, you would download an app directly to your iPad straight from the Apple iTunes store. Technically, I suppose, I could have taken advantage of the redirection concept from before to steer the iPad to my own website to deliver the edited content but it’s not that difficult. There appears to be a mechanism so that you can download iOS applications on an OS X computer and then, while tethered, install them remotely using iTunes. This actually allows us to use a MacBook in this case to snag the code package itself and to start all the fun. We’ll be taking advantage of this in order to then try to push a modified app package to the iPad.

If you’re on a standard OS X computer and you get the Agar.io app, it won’t seemingly do anything after the download; you’re not presented with the usual Open button after it has downloaded. It does, however, get silently copied to your hard drive under your user folder in /Users/username/Music/iTunes/iTunes Media/Mobile Applications. Having downloaded it, you should find a file called Agar.io 1.3.0.ipa which is the app (collection) itself.

Expanding the app

From here, you might not know that an .ipa file is little more than a .zip file. I’d suggest copying the Agar.io app file somewhere else (like creating a folder called AgarIO) and then open a shell so that you can decompress it.

MacBook:AgarIO$ unzip "Agar.io 1.3.0.ipa"

This command then will decompress the collection of files for you.

What’s inside the .ipa file

There are a lot of files inside this package, just like you’d find with most store apps. The first I’ll discuss is iTunesMetadata.plist which is perhaps the most aggravating of all. A .plist file is like a database for a coder, it usually stores configuration options. Opening it with TextEdit then shows me that this is the file responsible for knowing who downloaded it (myself) and how I’m then authorized to use it. I’m sure there’s a similar mechanism inside any music file you download from iTunes to prevent you from playing it on an unauthorized device. So in other words, I couldn’t just patch the Agar.io application and then make it available for download for others. Each person interested in this would need to go through the motions themselves.

Next, there is a META-INF folder which contains two files. I haven’t fully investigated them yet but the first is com.apple.FixedZipMetadata.bin which appears to again be a compressed collection of files. And the second is com.apple.ZipMetadata.plist. It appears to have some indication of how the actual program was zipped up into an .ipa file.

The final folder is Payload which includes what appears to be a single file, Agar.io. Or, is it a single file? Knowing what I do about making iOS apps, it’s actually another compressed file. In Finder, you’ll want to rename this Agar.io file to Agar.zip, for example. Back in your shell, then unzip it as you did before to expand its contents.

What’s inside the Payload file

So now we’re getting down to the actual programming itself. Everything we have seen up until now is just a wrapper so that iTunes and Apple can provision an app to you and just your device(s).

Surprisingly, there are a total of 1,111 .png graphic files inside. Most seem to represent the many skins that you’ll see in the game. There are 153 .plist files which are used to store anything from advertisement configuration information, to promotions, to language localization information and collections of available skins by category. With respect to my goals, I’m not really interested in these. And there is a single .db file for the Vundle advertising platform.

There is a folder called _CodeSignature which appears to include hashes of the collection of graphics, presumably to prevent them from being edited perhaps.

There are 65 .ccbi files which appear to be another form of .plist files. There are 15 .json files which appear to have different localized versions.

Finally, there is agar.io which is the actual program file itself. I’ll save the actual editing for a follow-up post to this one.


That’s a good start so far. We’ve downloaded the Agar.io app and performed two decompression steps to get at the actual executable itself. Next, I think I’ll switch gears and build the discovery website and DNS server so that I can get at the app’s server interface.


Skip to the final post in this six-part series if you’re looking for the code. Enjoy!

creative marketing

Beware the incredibly-addictive game agar.io that will turn you into a cannibal in the microbial sense. The goal of the game appears to be: eat or be eaten.

a∙gar  noun  gelatinous substance obtained from various kinds of red seaweed and used in biological culture media…

This stuff’s interesting if your day job is at a pharmaceutical company. I find the game enjoyable and yet maddening at the same time. You can’t believe how mean people can be until you’ve been at this for an hour… or a day. Did I mention that it’s addictive?

Gaming as marketing

And so I find that I need to market a new website that I’ve created, myJS.io. The game itself actually includes an advertising venue and yet those ads couldn’t be displayed at a worse time: your session’s game death. Seriously, your game death is a time for mourning (and usually some well-deserved cursing) but decidedly not for marketing purposes. On that note, if you play the game you need to turn off your sound and be ready to just quit the game and restart it; it’s much faster than trying to endure the inserted advertisements.

It’s interesting to note that Arnold Schwarzenegger appears to be in one of the ads and he’s trying to sell something to me. I couldn’t tell you what it is because I never watch the ad. I say this as a cautionary tale to Arnold and anyone else who wants to get your attention in the wrong way: you’re wasting your money.

Changing up the advertising model

And so, I play the game as I normally would only I opt out of any skins I’ve earned (I’m level 30 because I’m cool like that) and I tag myself with my new website’s domain name. And then (now this is important) I play in such a way that I’m hopefully not perceived to be a jerk.


Game play

The game incorporates features so that you can move your player in all directions plus two more options: 1) direct/shoot a small uncontrollable part of your mass away from you and 2) split and direct about half of your mass which you can control at someone else.

Your speed is determined inversely from your mass. You begin the game tiny and fast. As you progressively get larger, your speed is vastly diminished.

You increase mass by moving over (eating) small circles which represent nutrients, (possibly sugar), or by eating other smaller players or their parts which they’ve split off somehow.

Add to this a collection of green spiky viruses. If you run into a virus and you’re slightly larger than it is then you’re blown into smithereens and yet you still get to control the collection. And yet this is usually the trigger for a feeding frenzy as your neighbors eat you for lunch. If you’re the same size as the virus or smaller you can pass through safely.


A normal strategy for most appears to be to eat anything around them that they can. Some form alliances by sharing mass with another player then teaming up on others. Yet others hide behind viruses. Another strategy is to shoot enough of your mass into a virus so that it creates and shoots another virus at some larger player, causing them to blow up (with the subsequent feeding frenzy).

There are splitting attacks, multiple splitting attacks, baiting attacks, corner attacks and one that I really hate: a smaller player approaches you and at the last moment their team mate gives them enough mass to eat you.

But nowhere in all that did I describe the strategy of simply: eating the sugar and being nice to others. Apparently, that strategy doesn’t appear to exist, until now at least.

Enter the marketing strategy

So now, I visit agar.io and play the game with my website’s domain name as my tag. My strategy is to eat sugar, play nice, avoid eating the small/helpless and just survive as long as possible. The longer I survive, the more people will see my domain name.


Is it better than standard advertising? It’s certainly better than others I can think of. The only money it costs me is my time but it’s a fun game so I don’t mind. I’d bet that hundreds of the habitual players have even memorized my domain name by now and some of those have even visited the website. In fact, there have been many times when another player shows up and then rewards me out of the blue, seemingly, with mass. Presumably they remember me from some previous session. Think of this as karma-based game marketing.

Eventually, someone who sees my website might want their own website or app designed and all this will have paid off. And even if it doesn’t, what did I lose ultimately?