TUT Hack Gamevil Games Via Ida Pro

[Sysadmin]

Hey guys,

 

I asked for some help on how to mod Gamevil games, and a user "Aswag1", helped me out and posted a guide on it. This is courtesy of him and iOSCoderz.

 

Alright, so Aswag1 here again for another tutorial. This one will be designated towards answering a question posed by d2dyno in the VIP Requests which can be found in the link below....

 

http://ioscoderz.com/ygjQLhHz/topic/315-mod-gamevil-games/

 

So basically I am going to make an ever-growing tutorial on how to "mod" (I prefer "hack" as that sounds cooloer ) gamevil games for android. Keep in mind that this method only works if the game comes with a libGAMENAME.so for the game(not a libmono.so or a libunity.so). So without further ado, let us commence this tutorial...

 

Requirements:

- Arel Wars 2 v1.0.6

- IDA PRO (I am using IDA PRO 6.4, the demo will suffice)

- A hex editor of your choice (I will be using HxD)

- WinRAR

- ARM/ASM online convertor http://armconverter.tk/

- A tool to sign your apk file after you are done hacking the .so file

 

So first off we would like to load the .so file of the game into IDA PRO. But before you do so, you might be asking, "Where do I get that .so file Swaggy?!? " Well the answer is simple. Open up the apk file using WinRAR and navigate to the /lib folder as shown below...

 

 

You should be faced with either a armeabi-v7a folder, a armeabi folder, or a combination of both. For newer models of android phones, choose the armeabi-v7a folder as shown below

 

 

Now we want to extract the lib.so file that is both the largest and contains fragments of our game name. As we can see below, there is a libgameDSO.so file that is 2 mb (hence the largest file) and contains "game" in the name. So extract that file to your desktop.

 

Now it is time to load our .so file into IDA PRO. The simplest way to do this is to drag and drop the .so file onto the IDA PRO application icon...

 

 

Now a window should pop up. Choose ARM as the processor type, click Set, and then choose OK...

 

 

After that IDA PRO will start to decrypt the binary. We must wait until it fully decrypts the binary in order to examine the function names (assuming that the game is not sub_x). We know it is fully decrypted when it says "idle" on the bottom left of the IDA PRO window.

 

 

Now that the game is fully decrypted, we can begin searching for viable function names. Since this is gamevil, they are usually creative at what they name their functions, so it is trial and error as to what to search for. Let us search for "Atk"--without the quotation marks--as that is an abbreviated name for attack. To search for a function, highlight any random function in the functions window, then click ctrl + F...

 

 

Now, we want to find the function that sets the level for the attack. As we can see in the functions window, there is a function name called CCard::SetAtkLv. Double-click on it and you will end up here...

 

 

Now in order to understand the code, one must have some knowledge in ASM/ARM language. Personally, it took me about a year and a half to get to the level where I am at today where I can read the code sorta like English So, in Assembly language a STR stores the value into a register. Now there are renditions of the STR function--STR.W, STRB, etc. In this case, we want to edit the STR function because the function name, CCard::SetAtkLv, is a Set (Set functions you ususally want to edit the STR). Okay, so we see that there are two STRB functions that we can edit. So what should we edit them to? Well in ARM the register R7 contains the value 803 million, sort of like a static value. By changing the functions:

 

STRB            R2, [R0,#0xC]--->STRB            R7, [R0,#0xC]

STRB            R2, [R0,#4]----->STRB            R7, [R0,#4]

 

It will give us an attack level of 803 million, sort of close to infinite. To change the functions, we need to use a hex editor to change it. So load up the libgameDSO.so file in your hex editor of choice...

 

 

Now in order to find the hex location, we must find it in IDA PRO. Highlight the STRB function in IDA PRO and go to Hex-View A as shown below...

 

 

 

Now for STR functions I use a simple little trick. Notice how the original function is a STRB R2 right? and the hex value is 02 73. Well, the 02=R2. So if we want it to be a STRB R7, we would input 07 73. Now we go to our hex location as highlighted below...

 

 

 

And then we change it to the hex value 07 73. Now we must re do the steps for the other STRB function. It is the same thing, except that now the hex value for the other STRB is 02 71. But that is okay, as all we do is change it to 07 71 for a function value of STRB R7. Once you edit both, save the file. Place the hacked .so file in the /lib/armeabi-v7a folder. Sign the apk file and install the apk file on your phone. Now go and enjoy your hacked game ^^.

[Trasd]

Nice, but it looks like the demo version will work here as well: "- IDA PRO (I am using IDA PRO 6.4, the demo will suffice)"

[berman37]

Using HxD hex editor, IDA demo, Arel Wars 2 1.0.7 (got from google play), and APK_OneClick - decompile & disassemble APKs. After doing all the steps above, when I try to run my newly installed modded apk I was prompted with "Unfortunately, Arel Wars 2 has stopped". If there is somebody out there who manage to successfully open and play their modded Arel Wars 2, can you please tell me what you have done differently from mine.

[berman37]

Okay. I've used APK-mutli-tool instead of APK_OneClick and its working now. My modded game can be played now. Though I cannot seem to feel the almost infinite attack level.

[ElNoobMega]

Awesome post, thanks. Was wondering how to reverse android apps, this helps