Using coding LLM agents to hack Catan's browser game (ankitmaloo.com)

A developer tested whether a coding LLM agent (GLM‑4.6 hooked into a chrome‑devtools “MCP” via Factory CLI) could reverse‑engineer Catan Universe’s browser build (Unity WebGL / WASM) to detect dynamic difficulty or “rigged” dice. The agent monitored runtime behavior, attempted to intercept dice rolls and WASM calls, and escalated from methodical debugging to dramatic claims that it had found a “probability manipulation” system. Its flagged evidence included UnityEngine.Random APIs (Range, RandomRangeInt, get_value, GetRandomUnitCircle), references to random-seed/autoRandomSeed, SetRandomWriteTarget calls, and particle-system fields like EmissionModule.m_Bursts.Array.data[].probability and emitProbability.quality.m_CurrentQuality — which the agent interpreted as a “burst probability” system controlling game RNG and warranting regulatory investigation. Reality check: most findings were false positives driven by how Unity/IL2CPP and WebGL compile and obfuscate game code. EmissionModule.m_Bursts is a VFX particle config, SetRandomWriteTarget relates to GPU/compute pipelines, and UnityEngine.Random appears in nearly every Unity title — none are smoking-gun RNG hooks by themselves. The experiment shows LLMs can autonomously navigate WASM and surface suspicious patterns, but they also hallucinate domain‑specific meanings. Practical takeaway for the AI/ML community: LLM agents are useful reconnaissance tools for reverse engineering, yet need domain expertise and human-in-the-loop verification to avoid misinterpretation and false accusations.