Sunday, 27 April 2014

Android game hacking

Frustrated with some Android games? Want to hack? Want to kill the monsters with one slice?
Okay, this is the main reason I learned about Android rooting. Once we have the “#” prompt in “adb shell” (see my previous post), we can read every file under /data. This is where the game save data lives, along with the game's native libraries.

Simple problem and solution

My hacking method is not memory editing but save-file editing, so some knowledge of and experience with hex editing is needed. Since we can now access the files under /data/data, we can pull them, edit them and push them back.
So pull the save file you want (it is usually called Save0.dat or something similar), edit the value in a hex editor such as Bless, GHex or hexedit, then push the file back.
I personally wrote a small command-line tool so that I can do the hex editing inside adb shell. (It is available here.) I push it to the /data/local/tmp folder so that I can use it without pulling and pushing the file.
For some games the save file is a plain binary file, and we can make sense of it in the hex editor: the number of coins, the level of the weapons, the hero's stats such as strength, vitality and HP, and so on. These can be edited easily. (Always make a backup before editing.)

Advanced problem and solution

For other games the save file is a real pain: it is encrypted or encoded, nothing in it makes sense, and modifying it does not help. So my only solution is to edit the library file, i.e. the shared object (.so), so that the game stops encoding its saves.
For example, if there is a library called libdhunter.so, we need to disassemble it with an objdump that targets ARM, not the x86 or x86-64 one that comes with the desktop distribution. The Android NDK ships a suitable one in its toolchain directory as arm-linux-androideabi-objdump.
/path-to/arm-linux-androideabi-objdump -dC libdhunter.so > asm.txt   # run this on the host against the pulled copy, not in adb shell
This writes the disassembly to “asm.txt” (-C demangles the C++ function names). Now we just study the functions. We might find some called “encode”, “encrypt”, “decode”, “decrypt”, “save” or “load”. Also look for the calls that open, read, write and close files; in the disassembly of a shared object these libc calls show up as branches to the PLT, such as “bl <address> <write@plt>”. Normally the game calls encrypt or encode just before writing the file (save), so study which functions each of them calls.
For example, the “save” function may call “encode” and only then “write” the buffer. In that case the fix is easy. Open the shared object in a hex editor, find the bytes of the bl instruction that calls “encode” inside “save”, and overwrite them with “00 00 00 00”. In ARM mode that word decodes as “andeq r0, r0, r0”, which changes nothing and so behaves as a NOP; the canonical NOP is “mov r0, r0” (E1A00000, stored in the file as 00 00 A0 E1). In Thumb code a bl occupies two halfwords, and each should become the 16-bit “nop” (BF00, stored as 00 BF), because “00 00” in Thumb is “movs r0, r0” and clobbers the flags. Either way, “save” no longer calls “encode”. Two things to watch: objdump prints virtual addresses, which equal file offsets only when the segment is mapped at file offset 0, so translate through the program headers (readelf -l) before editing; and the result that “encode” would have returned in r0 is gone, so check how “save” uses it.
Then run objdump again to check that the call is really gone.
Push the edited library to the device, after backing up the original library and the save file. Afterwards check the owner and permissions with “ls -l”: adb push as root may leave the file owned by root, and the game, which runs under its own user ID, must still be able to read the library and write the save file.
Run the game, load the save file, save the game, then exit.
Do not restart the game yet. Check the newly saved file with the hex editor: if it is now a plain binary file, we have succeeded; if not, keep trying until you want to give up.
The reason not to restart is that “load” still calls “decode”, so the game would try to decode a file that is no longer encoded and end up with garbage. To make the game load the plain save file we must also disable the call to “decode” inside “load”, using the same method as above.
Push the newly edited library, then start the game.
Now, we can hex edit the save file freely as we like.
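As an added example (not the author's tool or the game's code), the following Python script does the patching step of the procedure above on the host: it translates the address that objdump prints into a file offset through the ELF program headers, refuses to patch unless the bytes at that offset really are a bl/blx (a wrong offset or a wrong ARM/Thumb guess is the usual reason a patch bricks the library), and writes the canonical NOP for ARM or Thumb code (mov r0, r0, or two 16-bit nops) rather than raw zeros. libdhunter.so is stood in for by a constructed minimal ARM ELF built in build_sample_so; the addresses 0x10110 and 0x10120 belong to that construction and not to any real game. The script does not restore the return value the removed call would have left in r0.

```python
"""NOP out a `bl encode` call in a 32-bit ARM shared object (added example)."""
import struct

PT_LOAD, EM_ARM = 1, 40
ARM_NOP = bytes.fromhex("0000a0e1")    # mov r0, r0  (E1A00000) as stored in the file
THUMB_NOP = bytes.fromhex("00bf")      # nop         (BF00), one 16-bit halfword


def load_segments(elf: bytes) -> list:
    """Return (p_offset, p_vaddr, p_filesz) of each PT_LOAD in a 32-bit LE ARM ELF."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("expected a 32-bit little-endian ELF")
    hdr = struct.unpack_from("<16sHHIIIIIHHHHHH", elf, 0)
    e_machine, e_phoff, e_phentsize, e_phnum = hdr[2], hdr[5], hdr[9], hdr[10]
    if e_machine != EM_ARM:
        raise ValueError("not an ARM object (e_machine=%d)" % e_machine)
    segs = []
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _, p_filesz, _, _, _ = struct.unpack_from(
            "<8I", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segs.append((p_offset, p_vaddr, p_filesz))
    return segs


def vaddr_to_offset(elf: bytes, vaddr: int) -> int:
    """Map an address from `objdump -d` to a file offset via the program headers."""
    for p_offset, p_vaddr, p_filesz in load_segments(elf):
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError("0x%x is not inside any file-backed PT_LOAD" % vaddr)


def is_branch_with_link(insn: bytes, thumb: bool) -> bool:
    """Does this 4-byte word encode a call (bl / blx immediate)?"""
    if thumb:
        hw1, hw2 = struct.unpack("<HH", insn)
        # Thumb BL (T1) / BLX (T2): hw1 = 11110..., hw2 = 11.1.. / 11.0..
        return (hw1 & 0xF800) == 0xF000 and (hw2 & 0xC000) == 0xC000
    word, = struct.unpack("<I", insn)
    if word >> 28 == 0xF:                       # cond=1111 space: BLX imm
        return (word & 0x0E000000) == 0x0A000000
    return (word & 0x0F000000) == 0x0B000000    # BL with a condition code


def nop_call(elf: bytes, vaddr: int, thumb: bool = False) -> bytes:
    """Return a copy of `elf` with the call at `vaddr` replaced by NOP(s).

    Whatever `encode` would have returned in r0 is not reproduced; r0 keeps
    the first argument of the removed call instead.
    """
    off = vaddr_to_offset(elf, vaddr)
    old = elf[off:off + 4]
    if not is_branch_with_link(old, thumb):
        raise ValueError("0x%x (file 0x%x) holds %s, not a bl/blx: wrong address "
                         "or wrong ARM/Thumb mode" % (vaddr, off, old.hex()))
    new = THUMB_NOP * 2 if thumb else ARM_NOP   # a Thumb bl is two halfwords
    return elf[:off] + new + elf[off + 4:]


def patch_file(path_in: str, path_out: str, vaddr: int, thumb: bool) -> None:
    """Patch a pulled .so into a new file; keep path_in as the backup."""
    with open(path_in, "rb") as f:
        data = f.read()
    with open(path_out, "wb") as f:
        f.write(nop_call(data, vaddr, thumb))


def build_sample_so() -> bytes:
    """Constructed stand-in for libdhunter.so: one PT_LOAD at file offset 0x100
    mapped to vaddr 0x10100, containing an ARM bl and a Thumb bl."""
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01" + b"\x00" * 9,
                       3, EM_ARM, 1, 0, 52, 0, 0x5000000, 52, 32, 1, 40, 0, 0)
    phdr = struct.pack("<8I", PT_LOAD, 0x100, 0x10100, 0x10100, 0x40, 0x40, 5, 0x1000)
    text = bytearray(0x40)
    text[0x10:0x14] = bytes.fromhex("feffffeb")   # ARM:   bl   (EBFFFFFE)
    text[0x20:0x24] = bytes.fromhex("00f008f8")   # Thumb: bl   (F000 F808)
    image = bytearray(0x100)
    image[:52], image[52:84] = ehdr, phdr
    return bytes(image) + bytes(text)


if __name__ == "__main__":
    so = build_sample_so()
    patched = nop_call(so, 0x10110, thumb=False)
    print("ARM   0x10110 -> file 0x%x: %s -> %s" % (vaddr_to_offset(so, 0x10110),
          so[0x110:0x114].hex(), patched[0x110:0x114].hex()))
    patched = nop_call(patched, 0x10120, thumb=True)
    print("Thumb 0x10120 -> file 0x%x: %s -> %s" % (vaddr_to_offset(so, 0x10120),
          so[0x120:0x124].hex(), patched[0x120:0x124].hex()))
```

Use the address of the bl line as objdump prints it; whether the function is ARM or Thumb is visible in the listing, since Thumb functions disassemble as 2- and 4-byte instructions and the addresses step by 2. Run objdump over the output file to confirm the call is gone before pushing it, as the post recommends.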

Other problem and solution (added 2012-03-19)

There are even easier cases, such as the game Aqua Pet. There is no shared object (lib*.so), and the save file is plain text, so no hex editor is needed. However, editing the file might not change anything: the running game already holds the data in memory and writes it back over your edit when it saves. In this case we must “force stop” the app first (from the app's page in Settings, or with “am force-stop <package>” in adb shell on newer Android versions), then edit the file, then start the game again.
Now, enjoy the games.