Android game hacking :)
Seokha Lee (wh1ant), Security Researcher at SEWORKS
seworks.co
SECUINSIDE 2015
Agenda
- Memory manipulation
- Code injection
- Explanation: Unity3d
- Reverse engineering
- Speed hack
- Demo
- Q&A
My first mobile hacking
Saving game file
Send a game item to me
Save to mobile
Easy hack using ptrace()
/proc/<pid>/maps: find the memory regions of the game process
/proc/<pid>/mem: lseek() to the address of interest, then read or write it
memory scan!
Hack!
Code injection 1
Unity3d: APK -> libs -> armeabi-v7a
Unity3d: APK -> Assets -> bin -> Data -> Managed
Code injection 2
APK -> libs -> armeabi-v7a
dlopen() -> dlsym() -> dlclose()
.NET Decompiler
https://en.wikipedia.org/wiki/List_of_CIL_instructions
Packing and Encryption
(gdb) dump memory FileName 0xb6edb000 0xb6ee4000
Anti-decompile
Normal header for x64 ELF
Modified header for x64 ELF
Anti-decompile
… or insert a "pop {pc}" instruction
… or "/etc/hosts" falsification
Kernel Level Hook
LKM (Loadable kernel module)
Speed hack
Compare the past time with the current time; use network time synchronization
DEMO
Anti-breakpoint
1. Get the memory information for the 'r-xp' (private, executable) region from /proc/self/maps:
   map_fd = open("/proc/self/maps", O_RDONLY);
2. Create a file for the code, like this:
   fd = open("code", O_WRONLY|O_CREAT, 0500);
3. Write the code bytes to the 'code' file:
   write(fd, (void *)0xb6d5e000, 0xb6d69000 - 0xb6d5e000);
4. Open the new 'code' file and map it over the same address range with mmap():
   new_fd = open("code", O_RDONLY);
   mmap((void *)0xb6d5e000, 0xb6d69000 - 0xb6d5e000, PROT_READ|PROT_EXEC, MAP_SHARED|MAP_FIXED, new_fd, 0);
Anti-breakpoint
The region's line in /proc/self/maps changes from
b6d5e000-b6d69000 r-xp 00000000 b3:19 1097
to
b6d5e000-b6d69000 r-xs 00000000 b3:19 1097
(the private 'p' mapping becomes a shared 's' mapping)
but…
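The four-step remap from the anti-breakpoint slides, written out as a generic self-check. This is an added example, not code from the talk or from SEWORKS: find_region_perm() parses /proc/self/maps (step 1), remap_region_as_shared_file() dumps a region to a file and maps that file back over the same address range with MAP_SHARED|MAP_FIXED (steps 2 to 4), and demo_antibreakpoint() verifies that the permission field really turns from "r-xp" to "r-xs" while the bytes stay identical. The region used in the demo is a constructed anonymous R-X page, not live program code, and the file name "./antibp_demo_code" is an assumption, so the block can be run safely on any Linux host.

```c
// Added example: generic implementation of the anti-breakpoint remap
// described on the slides (/proc/self/maps -> dump -> mmap MAP_SHARED|MAP_FIXED).
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Step 1: find the /proc/self/maps entry that contains `addr` and copy its
 * permission field (e.g. "r-xp") into perm[5]. Returns 0 on success. */
int find_region_perm(uintptr_t addr, char perm[5]) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[512];
    int rc = -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char p[5];
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, p) != 3) continue;
        if (lo <= addr && addr < hi) { memcpy(perm, p, 5); rc = 0; break; }
    }
    fclose(f);
    return rc;
}

/* Steps 2-4: write [start, start+len) to `path`, then map that file over the
 * same range as a shared mapping. The bytes are identical before and after,
 * so code in the range keeps executing, but the region is no longer a private
 * copy-on-write mapping. Returns 0 on success. */
int remap_region_as_shared_file(uintptr_t start, size_t len, const char *path, int prot) {
    unlink(path);                       /* a leftover 0500 file would not be writable */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0500);
    if (fd < 0) return -1;
    const char *src = (const char *)start;
    size_t done = 0;
    while (done < len) {                /* write() may be short; loop until done */
        ssize_t n = write(fd, src + done, len - done);
        if (n <= 0) { close(fd); return -1; }
        done += (size_t)n;
    }
    close(fd);
    int new_fd = open(path, O_RDONLY);
    if (new_fd < 0) return -1;
    void *p = mmap((void *)start, len, prot, MAP_SHARED | MAP_FIXED, new_fd, 0);
    close(new_fd);                      /* the mapping keeps its own reference to the file */
    return p == MAP_FAILED ? -1 : 0;
}

/* Constructed demo: one anonymous page filled with a known pattern and made
 * R-X like a code segment, then remapped. Returns 1 when the maps flag went
 * from 'p' to 's' and every byte survived, 0 otherwise. */
int demo_antibreakpoint(void) {
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *region = mmap(NULL, len, PROT_READ | PROT_WRITE,
                                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return 0;
    for (size_t i = 0; i < len; i++) region[i] = (unsigned char)(i * 7 + 3);
    if (mprotect(region, len, PROT_READ | PROT_EXEC) != 0) return 0;

    char before[5], after[5];
    if (find_region_perm((uintptr_t)region, before) != 0) return 0;

    const char *path = "./antibp_demo_code";   /* assumed file name for the dump */
    if (remap_region_as_shared_file((uintptr_t)region, len, path,
                                    PROT_READ | PROT_EXEC) != 0) return 0;
    if (find_region_perm((uintptr_t)region, after) != 0) return 0;

    int ok = before[3] == 'p' && after[3] == 's';
    for (size_t i = 0; i < len && ok; i++)
        if (region[i] != (unsigned char)(i * 7 + 3)) ok = 0;
    munmap(region, len);
    unlink(path);
    return ok;
}

int main(void) {
    printf("anti-breakpoint remap %s\n", demo_antibreakpoint() ? "ok" : "failed");
    return 0;
}
```

Applying the same call to the game's real text segment (the r-xp range of its library, as on the slide) works the same way because the dumped bytes are the ones already executing; the demo only swaps in a throwaway page so that a mistake cannot crash the process.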
How to defend
Obfuscation: control flow, data flow
… and randomization!
Obfuscation
Original:
  mov r0, #1
  mov r1, #2
  bl 0x4000

Obfuscated (same result: r0 = 1, r1 = 2, call 0x4000):
  push {r3}
  mov r3, #16384      ; 0x4000, the call target
  mov r2, #0
  mov r1, #1
  add r2, r2, r2      ; r2 = 0
  add r0, r2, r1      ; r0 = 1
  mov r1, #9
  add r1, r0, r1      ; r1 = 10
  sub r1, #8          ; r1 = 2
  blx r3
  pop {r3}
Fast update!
Q&A