Table of contents:
b.
c.
1-Android Game Hacking:
Greetings and welcome to our blog post on the topic of Android game hacking. Today, we aim to provide you with an overview of the process involved in hacking Android games. It’s crucial to distinguish between app hacking and game hacking within the Android ecosystem. While games are a form of application, the methodologies employed to hack them differ from the standard OWASP top 10 for mobile applications.
An important point is that most games on the Android platform are developed using Unity. Consequently, it’s pertinent to understand about Unity game hacking, given that most game developers utilize game engines rather than building games from scratch. Before we proceed, let’s outline the prerequisites:
o il2cppdumper (https://github.com/Perfare/Il2CppDumper)
o frida-il2cpp-bridge(https://github.com/vfsfitvnm/frida-il2cpp-bridge)
o Frida
o Dnspy (https://github.com/dnSpy/dnSpy)
Version =0.9.0.9a
Google Play Store Link :
The Version We Tested On:
2-General Introduction to Game Hacking (Optional):
The primary method of hacking these games, and the most commonly used, involves manipulating memory. Here’s how it works:
1. Static Method (Patching):
Open the game in a disassembler.
Look for keywords like “gold,” “health,” “damage,” and “weapons”
Modify these values according to your preferences.
Close the game, sometimes needing to recompile it.
2. Dynamic Method (Hooking):
Use a program like Cheat Engine.
Connect Cheat Engine to the game.
Like the static method, search for keywords or values of interest.
Change the values to whatever you want.
· Close the program.
The dynamic approach is considered more reliable and enjoyable. The static method faces hurdles, with ASLR
3-Reverse Engineering Unity games
Assembly-Csharp.dll, constituting the game’s actual source code. The process of extracting the source code is generally quite reliable. However, to perform this extraction, two files need to be located:
1. Global-metadata.dat
2. [Il2cpp.so](http://il2cpp.so/)
In recent years, game developers have become more vigilant, often removing the file from the APK to prevent easy reverse engineering. Nonetheless, numerous workarounds exist for this issue. Sometimes, developers encrypt the metadata file to prevent dumping, although solutions to this problem also exist. For those interested, detailed research on this topic can be found at: .
The process of extracting the
3.1-Dumping the il2cpp.so file:
In order to dump the source code, there are 2 files that we need Global metadata file and native library. Don’t worry if you can’t find those in an APK,you can still dump the source code using other ways. However, let’s focus on most cases where you can find them. You can find the global metadata file in the following path “\assets\bin\Data\Managed\Metadata” and the il2cpp in the path “\lib\arm\ “. If you were lucky and you found both files, go to the first method here. If you didn’t, go to the 2nd method.
Method 1: il2cppdumper program:
DummyDLL” in the path the Il2cppdumper exists. If you find dumped dlls there, then move to the next section about static analysis using Dnspy.
What if the il2cpp.so doesn’t exist?
adb
Download the il2cpp-bridge plugin from the official GitHub page too. According to the official page in order[] to dump the il2cpp file you only need one method “Il2Cpp.dump();“
3.2-Static analysis using Dnspy:
Reverse engineering and reading code are an art. It’s like understanding how a building works through its blueprint and inner pipes. It’s truly amazing and fulfills the inner child ‘s curiosity in each one of us!
If you are trying to hack a game, you can try cracking the game ‘s own rules and modes. That and you can also try hacking the game itself according to the normal pentesting process. Meaning you can look for XSS,SQLI,IDORs,etc…However, since most properly games are different and implement a different ecosystem of coins,health,inventory,and other customized logic for each user, let’s start by looking for those.
Old school way of game hacking :(String search)
money
collectmoney
In summary, what do to do during the static analysis phase?
Focus on 3 things:
Return value of target function
Parameters and their types
3.3-Dynamic analysis on Android games using Frida:
Method 1:il2cppbridge
Il2Cpp.perform(() => {
//Il2Cpp.dump();
const Modulebase = Module.load(“libil2cpp.so”).base
const CSharp=Il2Cpp.Domain.assembly(“Assembly-CSharp”).image
const className=CSharp.class(“Bank”)})
How do we trigger the money function?
We try to find any function or action that deals with money. We see on the loading page that we can be taxi drivers to earn money, but there is a much easier way. Just throw money on the ground, then pick it up again:
Notice that the total is 290$, before you pick up the money.
collectMoney is being triggered or not?
Firda Launch Command :
!!!! The first step of hacking the collectmoney function has been validated, we caught the function that deals with money collection. The next step is to use the plugin to increase the amount of money.
Let’s write a function that changes the amount of money we have to something bigger:
className.method("CollectMoney").implementation=function(arg0){
var ret=this.method("CollectMoney").invoke(arg0+2000)
return ret
}
Now let’s attach our script and enjoy…
Now notice that after we collect the money from the ground, the 2000$ is added!
To confirm that the money is really changed and it’s not just a silly mistake in the UI, we try buying a weapon and we did really buy it with the fake hack money we earned
Method 2: Frida ‘s interceptor
function HookUnity(pointer,classname){
Java.performNow(function(){
Interceptor.attach(Module.findBaseAddress('libil2cpp.so').add(pointer), {
onEnter: function (args) {
console.log("[+]"+classname+" "+"is being called"+"[+]")
//console.log(args)
console.log("Intercepted integer value: " +args[1]); // Print the integer
args[1]=ptr(0x2000)
},
onLeave: function (retval) {
return retval
}
})
This was just the tip of the iceberg; you can do much more with Frida. Try yourself and search for more hacks and more cool stuff to be done.
