
Server-Side Hacking (Glimpse) & Game Hacking ( Advanced )



Posted (edited)

 

 

Disclaimer:
This guide is for educational purposes only. The techniques explored here are intended for understanding the technical aspects of Android games. Users are advised to use this knowledge responsibly and within legal and ethical boundaries. I disclaim any liability for misuse or unauthorized activities. Use this information at your own risk.
As you explore with me, remember it's all about learning, not mischief. If you decide to try out any of these tricks, make sure it's within the rules and plays nice with the devs. I'm not taking responsibility for any shenanigans, so be cool, and enjoy the learning ride.

Cheers!


Goals:

• Identify server-side data from local data.
• How to tamper with server-side data.
• Bypass SSL encryption.


Requirements:

• You should be familiar with HTTP requests.
• You should have some level of knowledge about reverse engineering / exploits / etc.


Tools:

• GameGuardian.
• Frida.
• IDA (Pro).
• Burp Suite / any other proxy interceptor.

• LUA Decryption and Encryption for cocos2dlua.

Difficulty : 8/10

 

----- Let's Dive IN -----

The first step is to collect information about the game.
Start playing the game normally to get some information about it: its concept and what data it has, like items, coins, gems, VIP, battle pass, etc., and what they are called in game.
Open GameGuardian or a root explorer to find out what engine the game uses and its libs, like libIl2cpp.so for Unity, Cocos2d for Cocos2d games, or a custom lib built on top of other game engines like libLotaApp.


Burp Suite


Start Intercepting traffic.

Set Up Your Environment

Install Burp Suite:

Download and install Burp Suite from the official website.

Configure Your Android Device:

Connect your Android device to the same network as your computer.

Go to Wi-Fi settings, find your connected network, and set the proxy to your computer's IP address and the port Burp Suite is running on (default is 8080).

Step 2: Configure Burp Suite

Start Burp Suite:

Open Burp Suite and go to the "Proxy" tab.

Configure Proxy Settings:

Under the "Options" tab, go to "Proxy" settings.

Ensure the proxy listener is running on the IP address and port you specified in your Android device's Wi-Fi settings.

Install Burp's CA Certificate:

In Burp Suite, go to "Proxy" > "Options" > "Import / export CA certificate."

Click "Save CA Certificate" to save the certificate.

Transfer the certificate to your Android device and install it.
When exporting the certificate, you should give it the extension .ctr

Step 3: Configure Android Device

Install and Configure Proxy on Android:

Ensure the proxy listener is running on the IP address and port you specified in your Android device's Wi-Fi settings.

For APN, edit the access point name:

Install the exported certificate from Burp on your Android phone

Step 4: Start Capturing Traffic

In the "Target" tab, you should see the target host(s) that your Android device has communicated with.

Browse on Android Device:

Open the browser on your Android device and start browsing.

Burp Suite will capture the traffic. In the "Target" tab, you should see the target host(s) that your Android device has communicated with.

Inspect and Manipulate Traffic:

In the "Proxy" tab, you can intercept requests and responses, inspect them, and even manipulate them before forwarding.

Use Other Burp Suite Tools:

Explore other tools in Burp Suite, such as "Repeater" and "Intruder," to perform further analysis and testing.

 

Hierarchy:

The Site Map is organized in a hierarchical structure that represents the different hosts and paths your client has communicated with.

Hosts and Paths:

Hosts represent the web servers or domains that your client has interacted with.

Paths represent specific URLs or routes within those hosts.

HTTP Methods:

Each entry in the Site Map includes information about the HTTP methods used (GET, POST, etc.).

Status Codes:

The status codes of the responses (e.g., 200 OK, 404 Not Found) are displayed, providing insights into the server's responses.

Request and Response Details:

Clicking on an entry in the Site Map reveals detailed information about the request and response for that specific interaction. This includes headers, parameters, and content.

Filtering and Searching:

You can filter and search for specific requests or hosts, making it easier to focus on relevant parts of the traffic.

Context Menu:

Right-clicking on an entry provides a context menu with various options, such as sending the request to other Burp Suite tools for further analysis.

Interactivity:

The Site Map is an interactive tool that allows you to manipulate and analyze the captured traffic in real-time.

Use Cases:

Analysis and Debugging: Identify patterns and anomalies in your web traffic for analysis and debugging purposes.

Security Testing: Spot potential security issues, such as vulnerabilities or unusual behaviors.

Mapping Application Flow: Understand how different paths in your application are accessed and interacted with.



Select all URLs and right click -> delete selected items (we don't need them), then launch the app and watch what the app sends when it executes.

I launched "Mythic Su*moner" and this traffic got captured.

But most games use SSL pinning and they don't show the full traffic even when intercepting them.
In this case we need Frida to UnSSL it (you can use it to bypass root detection as well).

SSL pinning, also known as certificate pinning or public key pinning, is a security mechanism employed in applications to enhance the security of SSL/TLS connections. It involves associating a specific SSL certificate or public key with a particular domain, and the application will only accept connections with that specific certificate or key.

Normal SSL/TLS Connection:

In a standard SSL/TLS connection, a client (e.g., a mobile app) connects to a server, and the server presents its digital certificate to the client during the handshake process.

SSL Pinning Process:

With SSL pinning, the client embeds a specific SSL certificate or public key within the application.

When establishing a connection to the server, the client checks whether the server's presented certificate matches the embedded certificate or public key.

Verification and Trust:

If the presented certificate matches the pinned certificate or key, the connection is considered trusted, and the communication proceeds.

If there's a mismatch or the server presents a different certificate, the connection is rejected, preventing potential man-in-the-middle attacks.

Using Burp Suite to listen to the game traffic is a man-in-the-middle attack.
That's why most of the traffic is rejected in the 1st capture.


FRIDA


Connect your phone to your PC via USB and inject an agent into the process to UNSSL pinning:

When you UNSSL the game you get more traffic:

With this traffic UNSSLed you can play with it, inspect it and modify it with the Repeater (this is how you hack the server side).
This method is called tampering data.

How to Identify Server Data and Local Data

Select inapps.appflyer.com

and watch it while you play. Every change in data (server side) gets registered by this URL (in most cases); it will send a gzip to the server and save it there. Any local data will be saved on your machine (Android device) or in memory, and inapps.appflyer.com won't send a request.

Some games use a SOCKET to connect the game and the server and keep the connection open until the game gets terminated or the server gets shut down. With Burp you can intercept sockets as well.

TIP: while you are intercepting traffic with Burp, open the lib with IDA Pro to disassemble it.


IDA



Make sure IDA has fully disassembled the lib (it shows idle at the bottom), go to the functions menu and hit Ctrl + F to start searching for the keywords I mentioned at the beginning (gold, item names, coins, player stats, etc.).

When I search for the keywords, no functions / methods are found. That means the logic and the data processing aren't in the lib nor in the traffic (most of them).
That means the only way to store the logic is in the files in this example game.

If you found functions, that is your starting point. Start with Frida: you can use Frida to hook them and track the pointers, and afterward GG to create a script.

Decrypt LUAC


Take the APK and unzip it (open with RAR / 7-Zip); you'll end up with the game files.

And done: the logic is found in the game files. The game uses Lua to run with C and cocos2d.

But the game won't leave the game logic and code open and public; they must use some sort of encryption for it. For that they use LUAC, the Lua compiler responsible for taking Lua source code and transforming it into encrypted Lua bytecode.

Try another file:

Notice: i0lzCcmB1Cjxk6DpvlmdPINybrXXeBA1
Each file has this signature at the start of it.



IDA & LUA Decryption and Encryption for cocos2dlua

Copy the signature and search IDA for it, but this time in the strings.

If found, you should find the key as well:

I use IDA & LUA Decryption and Encryption for cocos2dlua to decrypt the files.

After it's done every file will be unencrypted and easy to read:

And with that data you can create anything you want / mod / script etc.

Why not just Frida?
To use Frida you need a PC (Termux users aren't included, because you just need a PC to use Frida -_-).
Agents (Frida scripts) aren't portable; you always need your PC to use the script, powered over USB. I mean, too much pain. That's why in my opinion GameGuardian is the best choice: you can run the script anywhere, anytime, plus Lua is much easier than JS.
Not all libs work with libc and not all of them contain useful resources, like the example above.
----

Tips:

The data should be stored in:
- the server
- the local machine (your device)
- the game files "apk" (your device as well)
Look at these 3 places to find the game resources.
Game logic is either in the files or in the lib (like il2cpp); Android games can't afford a hosted hypervisor for the logic processing.


 

I can update this topic; comment what you want to know more about (excluding server-side hacks).
I won't provide tools. All you need is your brain to outsmart devs.

Edited by XEKEX
more content
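
The pinning check the post describes (the client compares the certificate the server presents against one embedded in the app) can be sketched as follows. This is an added example, not part of the original post or any game's code; the certificate byte strings are constructed stand-ins, and `fingerprint`, `pin_matches` and `open_pinned` are hypothetical names.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificates).
SERVER_CERT_DER = b"constructed-der-bytes:game-server-leaf-cert"
BACKUP_CERT_DER = b"constructed-der-bytes:game-server-backup-cert"
PROXY_CERT_DER = b"constructed-der-bytes:intercepting-proxy-leaf-cert"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as hex."""
    return hashlib.sha256(der).hexdigest()


# Pin set embedded in the client. A second (backup) pin lets the server
# rotate its certificate without breaking clients already installed.
PINNED = {fingerprint(SERVER_CERT_DER), fingerprint(BACKUP_CERT_DER)}


def pin_matches(der: bytes, pins) -> bool:
    """True only if the presented certificate hashes to one of the pins."""
    presented = fingerprint(der)
    ok = False
    for pin in pins:
        # Constant-time comparison; every pin is checked, no early exit.
        ok |= hmac.compare_digest(presented, pin)
    return ok


def open_pinned(host: str, port: int, pins, timeout: float = 5.0):
    """Open a TLS connection and enforce the pin on top of normal validation."""
    ctx = ssl.create_default_context()  # chain and hostname checks still apply
    sock = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    der = tls.getpeercert(binary_form=True)  # leaf certificate as DER bytes
    if not pin_matches(der, pins):
        # A proxy's certificate ends up here even when the device trusts
        # the proxy's CA, which is why the first capture was incomplete.
        tls.close()
        raise ssl.SSLError("certificate pin mismatch")
    return tls
```

Because the check runs on the client, it only protects the connection against interception on the network; the server still has to validate every request it receives.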
  • 2 months later...
  • 3 weeks later...
Posted

I will check this later 🫡💥

  • 9 months later...
Posted
On 1/16/2024 at 6:38 PM, OREW said:

I will check this later 🫡💥

Starting with this, I will comment For any success or end point see ya 
