Main Cloudflare Worker that proxies all GameHub app API requests, handles automatic token replacement with signature regeneration, and provides privacy-focused features.
Deployed at: https://gamehub-api.secureflex.workers.dev
- 🔄 Automatic Token Replacement: Detects "fake-token" and replaces with real token from token-refresher
- 🔐 Signature Regeneration: Recalculates MD5 signatures after token replacement
- 🎮 Game Details Proxy: Forwards game data requests to Chinese servers
- 📰 News Aggregation: Routes news requests to news-aggregator worker
- 🛡️ Privacy Protection: Sanitizes device fingerprints before forwarding
- 📦 Component Manifests: Serves Wine/Proton/DXVK configs from GitHub
- 🚫 UI Cleanup: Removes recommended games and tracking sections
- 💾 Smart Caching: 5-minute cache for GitHub content
📱 GameHub App (sends "fake-token")
↓
☁️ gamehub-api worker
├── Detects fake-token in request
├── Fetches real token from token-refresher
├── Regenerates MD5 signature
├── Sanitizes device fingerprints
└── Routes to appropriate backend
↓
┌───┴────┬──────────┬────────────┐
↓ ↓ ↓ ↓
Chinese News GitHub Direct
API Worker (Components) Response
The app sends "token": "fake-token" in every request. The worker:
- Detects "fake-token" in POST body
- Fetches real token from token-refresher worker
- Replaces fake-token → real token
- Regenerates MD5 signature with new token
- Forwards to Chinese server with valid auth
Before (from app):
{
"token": "fake-token",
"sign": "abc123...",
"time": "1760032301893",
"app_id": "585690",
"clientparams": "5.1.0|16|en|..."
}After (to server):
{
"token": "f589a94e-fec5-4aea-a96b-115ecdfd50d8",
"sign": "6e5092f2c5d40eb8a8ba66313982847a", ← Regenerated
"time": "1760032301893",
"app_id": "585690",
"clientparams": "5.1.0|16|en|..."
}Secret Key: all-egg-shell-y7ZatUDk (discovered via APK reverse engineering)
function generateSignature(params) {
const SECRET_KEY = 'all-egg-shell-y7ZatUDk';
// Sort parameters alphabetically (exclude 'sign')
const sortedKeys = Object.keys(params)
.filter(k => k !== 'sign')
.sort();
// Join as key=value&key=value
const paramString = sortedKeys
.map(key => `${key}=${params[key]}`)
.join('&');
// Append secret key
const signString = `${paramString}&${SECRET_KEY}`;
// MD5 hash (lowercase)
return md5(signString).toLowerCase();
}Get game details (proxied with token replacement)
Features:
- Replaces fake-token with real token
- Regenerates signature
- Removes
recommend_gamesection - Removes
card_line_datatracking
Privacy: Your IP hidden from Chinese server
Get news list (routed to news-aggregator worker)
Request:
{
"page": 1,
"page_size": 4
}Response: Gaming news from RSS feeds + GitHub releases
Get full news article (routed to news-aggregator worker)
Request:
{
"id": 1
}Response: Full article HTML with mobile-optimized styling
Get Steam game configuration (with privacy protection)
Sanitization:
// Original (from app)
{
gpu_vendor: "Qualcomm",
gpu_device_name: "Adreno 750",
gpu_system_driver_version: "615.0",
token: "fake-token"
}
// Sanitized (sent to server)
{
gpu_vendor: "Qualcomm", // Only field needed
gpu_device_name: "Generic Device",
gpu_system_driver_version: 0,
token: "f589a94e-..." // Real token
}Privacy: Device fingerprint stripped, only GPU vendor sent
Get component manifests (Wine, Proton, DXVK, etc.)
Component Types:
1- Box64 (x86_64 emulator)2- GPU Drivers3- DXVK (DirectX to Vulkan)4- VKD3D (Direct3D 12)5- Game Profiles6- Windows Libraries7- Steam Integration
Source: GitHub (gamehublite/gamehub_api)
Cache: 5 minutes
Get app configuration
Source: GitHub repository
Check cloud save timer
Source: GitHub repository
Get Steam CDN hosts
Source: GitHub repository Format: Plain text hosts file
Get DNS pool (empty for real Steam connections)
Source: GitHub repository
Get game icons (empty response, UI feature)
// Fetch real token with auth header
const tokenResponse = await fetch(`${env.TOKEN_REFRESHER_URL}/token`, {
headers: {
'X-Worker-Auth': 'gamehub-internal-token-fetch-2025'
}
});
const { token } = await tokenResponse.json();
// token: "f589a94e-fec5-4aea-a96b-115ecdfd50d8"// Forward news requests
const newsResponse = await fetch(
`${NEWS_AGGREGATOR_URL}/api/news/list?page=${page}&page_size=${pageSize}`
);Original:
User (123.45.67.89) → Chinese Server [TRACKED]
With Worker:
User (123.45.67.89) → Cloudflare → Chinese Server
Server sees: Cloudflare IP [USER IP HIDDEN]
- ✅ Keeps: GPU vendor (needed for configs)
- ❌ Strips: Device model, GPU model, driver version, all identifiers
- No login required (tokens managed by separate worker)
- Tokens refreshed every 4 hours automatically
- Never expires
- Component downloads are direct from CDN
- Worker only provides URLs
- Your IP not logged in download requests
cd gamehub-api
npm installEdit wrangler.jsonc:
npm run deployIn modified APK, change base URL to:
https://gamehub-api.YOUR_SUBDOMAIN.workers.dev
npm run tailExpected logs:
[TOKEN] Detected fake-token, fetching real token...
[TOKEN] Replacing fake-token with real token: f589a94e-...
[TOKEN] Replaced fake-token and regenerated signature
npx wrangler deployments listCloudflare Dashboard → Workers & Pages → gamehub-api → Metrics
npm run devVisit: http://localhost:8787
curl -X POST http://localhost:8787/card/getGameDetail \
-H "Content-Type: application/json" \
-d '{
"token": "fake-token",
"sign": "test",
"time": "1760032301893",
"app_id": "585690"
}'{
"vars": {
"TOKEN_REFRESHER_URL": "https://gamehub-token-refresher.secureflex.workers.dev"
}
}const GITHUB_BASE = 'https://raw.githubusercontent.com/gamehublite/gamehub_api/main';
const NEWS_AGGREGATOR_URL = 'https://gamehub-news-aggregator.secureflex.workers.dev';
const GAMEHUB_SECRET_KEY = 'all-egg-shell-y7ZatUDk';| Scenario | Response | Action |
|---|---|---|
| Token fetch fails | Log error | Continue (will fail at server) |
| Signature generation fails | Log error | Forward original request |
| GitHub fetch fails | 500 error | Client retries |
| News worker down | Empty news | Client shows empty state |
| Chinese API down | Forward error | Client shows error |
- Cold Start: ~100ms
- Token Replacement: ~200ms (includes fetch from token-refresher)
- Signature Generation: <5ms
- GitHub Proxy: ~300ms (cached)
- News Proxy: ~50ms (cached at news worker)
- Memory: <20MB
- Cost: Free tier (< 100k requests/day)
- Check token is being replaced (view logs)
- Verify signature algorithm matches server
- Ensure secret key is correct:
all-egg-shell-y7ZatUDk - Check parameters sorted alphabetically
- Verify app sends "fake-token" exactly
- Check token-refresher is responding
- Test auth header:
X-Worker-Auth: gamehub-internal-token-fetch-2025 - Review worker logs for errors
- Check news-aggregator worker is deployed
- Verify
NEWS_AGGREGATOR_URLis correct - Test news endpoint directly
- Verify GitHub repository exists
- Check manifest files in repo
- Test GitHub URLs directly
- Token Security: Protected by auth header to token-refresher
- Signature Validation: Proper MD5 signatures prevent tampering
- Device Privacy: Fingerprints sanitized before forwarding
- CORS: Open for app access (not a security concern for proxy)
- Input Validation: JSON parsing with error handling
-
Base URL Change:
# Change in network config const-string v0, "https://gamehub-api.secureflex.workers.dev" -
Token Hardcode:
# UserManager.smali:508 const-string v0, "fake-token"
- Decompile APK with apktool
- Modify base URL and token
- Recompile and sign APK
- Install on device
- Monitor worker logs while using app
Want 100% privacy? Deploy your own instance:
# Clone repository
cd gamehub-api
# Install dependencies
npm install
# Deploy to YOUR Cloudflare account
npm run deployOutput:
Deployed gamehub-api
https://gamehub-api-YOUR-NAME.workers.dev
Update APK to use your worker URL!
- Token Refresher: Automatically refreshes tokens every 4 hours
- News Aggregator: Provides gaming news from RSS/GitHub
- GitHub Static API: Component manifests and configs
- All requests pass through this worker (main proxy)
- Token replacement happens transparently
- Signature regeneration prevents authentication errors
- Privacy features strip identifying information
- GitHub components avoid Chinese server dependency
- News aggregation provides custom content
- Compatible with Cloudflare Free tier
- Request Caching: Cache identical requests
- Rate Limiting: Prevent abuse
- Metrics: Track token replacement success rate
- Error Retry: Automatic retry for token fetch failures
- Token Validation: Verify token works before using
- Fallback: Use cached old token if fetch fails
For questions or issues, see the main GameHub documentation.
{ "vars": { "TOKEN_REFRESHER_URL": "https://gamehub-token-refresher.YOUR_SUBDOMAIN.workers.dev" } }