Android game hacking

[Added 2012-10-16] Read this first: Quite a lot of readers have asked me how to hack this game or that game. Sorry to say, I am not that expert in hacking those games, and I don’t have much time to play and hack the games. What I share here is only how to hack games in a general way, without permanently rooting the Android device. So, if you are asking about a specific game, please look for it through other channels. Thank you.

Frustrated with some Android games? Want to hack? Want to kill the monsters with one slice?

Okay, this is the main reason I learned about Android rooting. After we gain the “#” prompt from “adb shell” (refer to my previous post), we can see all the files in the /data folder. This folder contains the game save data and also some libraries.

Simple problem and solution

My hacking method is not memory editing, but save file editing. So, to edit the save file, we must have some knowledge and experience of hexadecimal editing. Since we can access the data files in the /data/data folder, we can pull them, edit them, and push them back.

So, pull the save file you want; it will be named something like Save0.dat. Use a hex editor, such as bless, ghex, hexedit, etc. Edit the value, then push the file back.

I personally wrote a small command-line tool, so that I can do hex editing in adb shell. (It is available here). I push it to /data/local/tmp folder, so that I can use it without pulling and pushing the file.

For some games, the save file is a plain binary file. We can understand the file through hex editing: the value of the coins, the level of the weapons, the status of the hero such as strength, vital, hp, and so on. These can be easily edited. (Please always make a backup before editing.)
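Seen from the game developer's side, this is why a plain binary save cannot be trusted. The following is an added example, not code from this post or from any game: the layout, field names and key are constructed for illustration. It loads a hex-edited save once without any check and once with an HMAC-SHA256 tag appended to the file.

```python
import hashlib
import hmac
import struct

# Constructed layout for illustration only (not any real game's format):
# 4-byte magic, then coins (uint32), weapon level (uint16), hp (uint16).
SAVE_FMT = "<4sIHH"
SAVE_LEN = struct.calcsize(SAVE_FMT)      # 12 bytes, no padding
COINS_OFFSET = 4
TAG_LEN = hashlib.sha256().digest_size    # 32 bytes


def pack_save(coins, weapon_level, hp):
    return struct.pack(SAVE_FMT, b"SAV0", coins, weapon_level, hp)


def load_plain(blob):
    """Loader with no integrity check: any well-formed bytes are trusted."""
    magic, coins, weapon_level, hp = struct.unpack(SAVE_FMT, blob)
    if magic != b"SAV0":
        raise ValueError("not a save file")
    return {"coins": coins, "weapon_level": weapon_level, "hp": hp}


def seal(blob, key):
    """Append an HMAC-SHA256 tag computed over the save bytes."""
    return blob + hmac.new(key, blob, hashlib.sha256).digest()


def load_sealed(data, key):
    """Loader that rejects the file unless the tag matches the contents."""
    if len(data) != SAVE_LEN + TAG_LEN:
        raise ValueError("wrong save length")
    blob, tag = data[:SAVE_LEN], data[SAVE_LEN:]
    expected = hmac.new(key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("save file failed integrity check")
    return load_plain(blob)


def overwrite_coins(data, coins):
    """The hex edit from the post: replace the 4 bytes of the coins field."""
    return data[:COINS_OFFSET] + struct.pack("<I", coins) + data[COINS_OFFSET + 4:]


def demo():
    key = b"constructed-demo-key"          # constructed; a real key ships in the client
    original = pack_save(231, 3, 100)
    # Unprotected save: the edited value is loaded without complaint.
    plain_result = load_plain(overwrite_coins(original, 999999))
    # Tagged save: the same edit no longer matches the tag.
    try:
        load_sealed(overwrite_coins(seal(original, key), 999999), key)
        sealed_result = "accepted"
    except ValueError as exc:
        sealed_result = str(exc)
    return plain_result, sealed_result


if __name__ == "__main__":
    print(demo())
```

The key has to live inside the game itself, so a tag like this only detects casual edits; state that matters has to be validated on a server.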

Advanced problem and solution

For other games, the save file is really a pain. The save file is encrypted or encoded, so we cannot understand anything about it, and modifying it does not help. My only solution is to edit the library file, i.e. the shared object (.so).

For example, if there is a library called libdhunter.so, we need to use objdump (ARM target, not x86 or x86-64 target) to disassemble the shared object. The objdump can be obtained from Android NDK package.

/path-to/objdump -dC libdhunter.so > asm.txt #pull the library file first, not doing this in adb shell

This will create “asm.txt”, which contains the disassembled code. Now, what we can do is study the functions. We might find functions such as “encode”, “encrypt”, “decode”, “decrypt”, “save”, “load”. We also need to look for the calls that open, read or write, and close a file, because normally the game will call encrypt or encode before writing the file (save). Study which functions they are calling.

For example, the “save” function might call the “encode” function and only then “write” the buffer. In this case, the problem is quite easy to solve. Open the shared object in a hex editor and change the hexadecimal value of the opcode that calls the “encode” function within “save” to “00 00 00 00”; this will produce a NOP operation. That means we disable the call to the “encode” function in the “save” function.

Then, we can objdump again to check whether we have disabled the function call.

Push the edited library to the device. Make sure to back up the original library and also the save file.

Run the game, load the save file, save the game, then exit.

Now, do not restart the game yet. Check the newly saved file with a hex editor. If it is a plain binary file, then we have succeeded! If not, try until you want to give up.

Do not restart the game yet, because the game still expects to load an encoded save file, not the plain binary save file. So, to make the game load the plain binary save file, we need to disable the call to the “decode” function in the “load” function, using the method discussed above.

Push the newly edited library, then start the game.

Now, we can hex edit the save file freely as we like.
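A defender's view of the patch described in this section, as an added example (not from the original post or any game's code): a check that compares a library's code bytes against a known-good copy and flags ARM call instructions that were overwritten with zero words. The byte strings and base address are constructed; `eb029e49` is the `bl` encoding quoted in the comments below.

```python
import hashlib
import struct

WORD = 4  # ARM-mode instructions are fixed 4-byte little-endian words


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def is_arm_bl(word):
    """True for an ARM-mode BL encoding: bits 27..24 are 1011."""
    return (word >> 24) & 0x0F == 0x0B


def changed_words(reference, candidate, base=0):
    """Return (address, reference_word, candidate_word) for each differing word."""
    if len(reference) != len(candidate):
        raise ValueError("size differs from reference build")
    if len(reference) % WORD:
        raise ValueError("length is not a multiple of the instruction size")
    out = []
    for off in range(0, len(reference), WORD):
        (ref,) = struct.unpack_from("<I", reference, off)
        (cand,) = struct.unpack_from("<I", candidate, off)
        if ref != cand:
            out.append((base + off, ref, cand))
    return out


def audit(reference, candidate, base=0):
    """Cheap hash comparison first, then a per-word report if it fails."""
    if sha256_hex(reference) == sha256_hex(candidate):
        return []
    findings = []
    for addr, ref, cand in changed_words(reference, candidate, base):
        if is_arm_bl(ref) and cand == 0:
            kind = "call replaced by zero word"
        else:
            kind = "modified"
        findings.append((addr, f"{ref:08x}", f"{cand:08x}", kind))
    return findings


# Constructed sample: three ARM words as they sit in the file (little-endian).
REFERENCE = bytes.fromhex("00482de9" "499e02eb" "0088bde8")
# Same bytes with the middle word (the bl) zeroed, as in the patch described above.
PATCHED = bytes.fromhex("00482de9" "00000000" "0088bde8")

if __name__ == "__main__":
    for finding in audit(REFERENCE, PATCHED, base=0x1000):
        print(finding)
```

A check that runs inside the same library can itself be patched out, so it is most useful in build or distribution pipelines and in server-side attestation, not as the only line of defence.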

Other problem and solution (added 2012-03-19)

There are even easier cases, such as the game Aqua Pet. There is no shared object (lib*.so), and the save file is a plain text file, meaning we need no hex editor to edit it. However, editing the file might not change anything. In this type of case, we must “force stop” the app first, then edit the file.

Now, enjoy the games.

About allencch

A programmer, a software engineer, a philosopher, a Catholic.

122 responses »

  1. wa, need meh?
    “geng”, so, now you’re using your samsung to play game extensively huh?
    well… i supposed…^_^

    Reply
  2. please can you explain to me how to disassemble the shared object library .SO with objdump ??? THXXXXX

    Reply
    • I can only share with my method.

      1. Firstly, you need to get the .SO file from the phone, using “adb shell”.
      2. Then, get the objdump (not the x86 or x64, must be the ARM, which can get from Android NDK). In my case, it is android-ndk r7-1.
      3. In the command-line, use the objdump, namely /opt/android-ndk/toolchains/arm-linux-androideabi-4.4.3/prebuilt/linux-x86/arm-linux-androideabi/bin/objdump, or you can use alias to make a shorter name, such as “arm-objdump”. So,
        arm-objdump -d “XXXXX.so” > output.txt
        This will disassemble the .so file and dump to the output.txt file. So that you can read the disassembled file. The disassembled file might be 10-20 megabytes. So, use a good text editor, suggest gvim or emacs. You can study the file, to see which function is calling save and load file.
      4. Based on the information you know, then you can use hex editor to edit the original .so file. Make sure to make a backup beforehand.
      Reply
  3. Ok I’ve done point 1 - I’ve got the .SO file but I still have problems with point 2, I don’t know how to use a command line and what it is .. I’m a simple barman, please explain to me, btw I use Windows /, I’ve got android-ndk r8 :) THX FOR ALL Allencch !!

    Reply
  4. the game is Dungeon Defenders Second Wave for Android. Ok I give up to hack this game, thanks anyway for your time ;)

    Reply
    • Welcome. To hack the game, you need to see what you want to do. If you want to change game so that HP will not decrease, this might be difficult. Because you need to know the operation that will deduct HP. But in my case that I shared about encoded/encrypted save file, just avoid the function, then it will solve the problem. HP decreasing might need only one statement in C or C++. Thus, difficult to find the location.

      Reply
  5. Thank you for the informative post. Much appreciated :)

    Reply
  6. Hello, how can you edit a .json file that some games use?I can edit but the game stays the same.
    Thanks

    Reply
    • Firstly, make sure the .json file is the only saved file. Meaning that, it is not just a product from the games like logging. If you are sure that the .json is the save file, meaning that, it will be loaded by the game to retrieve the game state, then you can simply edit it.
      The game staying the same may be because you haven’t closed the game yet. To close it, such as Aqua Pet, you need to force stop or end the task using the task manager.

      Reply
      • The save game file is the json one but although i changed it and forced close the game it still doesn’t change.. :s

      • I think it is because the .json file is not the actual save file. May I know what is the game? What is the filename of the .json file? And also where is it located?

      • The game is Robinson for android..the file is userprofile.json and the directory is android/data/com.pixonic.robinson/files..
        There is one more file that is a 2.3kb png called main

      • mmm… may be you can try to see the SD card folder whether got related files. Just may be the save file is saved in SD card instead of data/. If like that, even the phone is not rooted still be able to modify the data.

      • It has the same folder and json file on the sd card but the data on this file but i had already changed it as well.. My guess is that maybe there is a hidden file that i cannot access..

      • normally the files are saved in data/ folder. if your phone is rooted, then should be able to see all the files. do you use “ls -a” in the adb shell? so that you can see the hidden files with “.” prefix in the adb shell.

      • Please hack octro teen patti game unlimited chips its on line game

  7. My phone is not rooted.. is there a different way to see the hidden files?
    Thanks

    Reply
    • oooh. that means you “adb shell” in, does not see the “#”, but “$”. If so, then you cannot see anything in /data folder, right? If so, then what you edit is not the save file. No way to see the files in /data unless you root it.

      Reply
  8. Hi,

    Thx for the tutorial. I successfully edited a game. but many of shared libraries cant understandable. For example unity games. Any solution about this?

    Reply
    • Yah. A lot of shared libraries are not understandable. Currently, I only solved Inortia 3 and DemonHunter for the shared libraries. Third Blade does not work. But if you look for the forum, the save file can be directly edited. For the plain text, I tried Mega Jump and AquaPet. For the binary saved, I tried AirPenguin and Fishing Diary. Others I never tried.

      Reply
  9. Found another game with text-editable savegames. It’s Extreme Road Trip 1.13. Wrote a tutorial on my blog here: http://techomie.blogspot.com/2012/08/how-to-get-all-cars-in-extreme-road.html

    Allen, what I wanted to ask you was that, I have a game: Shake Spears!, that has data stored on the SD card AND on the internal memory. I tried searching for the lib.so files. I found several shared libraries. About 7 shared libraries are present in the SD card data and 2 shared libraries are saved on the internal memory card. My question is that, which files are most likely to affect the encryption of the save data, the SD card shared libraries (5 with .dll extensions and 2 with .so extensions) or the Internal memory shared libraries (2 files with .so extensions). Do I have to use IDA Pro to decompile and edit these files or would editing them be possible using a hex editor?

    Reply
    • Hi Ijlal,
      Thanks for your sharing of the your tutorial.
      In my opinion, I will ignore .dll file, because the Android is based on Linux kernel, that means the shared libraries are .so files. And I will choose the .so file in the internal memory, because I think Android runs the .so from the internal memory. Then, based on my heuristic, I will choose the .so file with larger size, because normally the main game is the large library.

      We can only decompile the library into assembly, using IDA Pro is a good choice. Editing with hex editor only after we know exactly which position we can edit, not for reading. Reading with hex editor does not help anything.

      Reply
  10. Ok. Thanks very much for your prompt and very helpful response Allen :) I’ll try my hand at modifying it in accordance with your suggestions and post here if I’m successful :)

    Reply
  11. hi allencch,

    saw your tutorial but i dont know whether it can help me or not. i’m trying to hack dark legends. i oledy downloaded the hack which contains lib*.so files and an xml file. i also have rooted my android.

    what should i do with this files? the instruction says run the hack. but run from where? the android? if so, how?

    run from pc? again, how?

    here’s the link to the hack, i hope you can help me.

    http://kmu-team.netne.net/?p=87#comment-417

    Reply
  12. what about the game Rage of Bahamut? i dont know what kind of save file it is, but im just curious to know whether or not it could be hacked

    Reply
    • Chris, I am also curious about what Rage of Bahamut is. Actually, there are a lot of games I didn’t play. If you are interested, just use the step I mentioned to check these save file.

      Reply
      • Allen, Rage of Bahamut is a server-sided game, so I don’t think savegame modification is the answer here. I think you have to manipulate the .smali code of the apk itself to achieve the results desired.

      • Thanks Techomie. If it is server-sided game, i don’t think save file will make any changes. All the game data should be saved in the server. Unless it is possible to send the edited game data to the server.

      • You’re welcome Allen :) And yeah, even if you could send the edited data to the server, it must have some built-in security to ensure that variables like gold and coins do not change to unrealistic amounts, like from 231 coins to 1283182 coins in just one go :)

        So, what could be done is to change the in-game costs of something to negative values, so that you GET coins instead of having them deducted from you when you purchase something.

      • If dealing with the server, it will be difficult. Even using memory editing, it does not work also. I tried before on desktop online game.

      • Indeed, server sided games are exponentially harder to cheat than offline games, but that doesn’t mean that they’re impossible to cheat :) If I stumble across something, I’ll be sure to let you know.

        There’s a member on a forum I’m a member of, that claims to have been able to cheat Rage of Bahamut. I’ll try to get him to tell me, and post here if he does.

  13. Thank you Tech

    Reply
  14. Can we edit memory on runtime? Is that possible on android?

    Reply
  15. Where is the android NDK package go where to get objdump?

    Reply
  16. can we increase coins to a big value in subway surfers? just tell me what to edit and i will do it , thanks in advance and for this great technique

    Reply
  17. i want to add one thing , i found where the coins are , its in my sd card under the playerdata, but that file has no extension , simply playerdata , when i open it using HxD it says somewhere ‘amount of coins’ but how do i edit it when i cant even open it properly

    Reply
    • Firstly, I need to state that I have never played this game before.
      Since you said you open the “playerdata” with the HxD, what do you mean can’t open it properly? If can’t open it properly, then how did you get the “amount of coins”? May be you can post some more information.

      Reply
  18. do we need sd card to hack?
    i don’t have sd card in my phone yet is there another way?
    but i also found the game files i edited but it wont let me save it.

    Reply
  19. Pingback: Cheating any android game savegame to get as many coins/acorns/credits/energy/anything you want :) Part 2 - Techomie

  20. Thank you a bunch for sharing this with all folks you really recognize what you are speaking approximately! Bookmarked. Kindly also talk over with my site =). We may have a hyperlink change arrangement among us

    Reply
  21. Hi…im trying to edit the highscore in subway surfers game….i go to d save file…player data…and i am able to edit the score
    ..but after that when i open the game..all the saved data is gone and looks like its been reinstalled…pls help…thankyou…

    Reply
  22. Hi there, after reading this amazing post i am as well delighted to share my know-how here with colleagues.

    Reply
  23. Attractive section of content. I just stumbled upon your
    site and in accession capital to assert that I acquire actually enjoyed account your blog
    posts. Any way I will be subscribing to your augment and even I achievement you access consistently fast.

    Reply
    • So in the decoded ask.txt it gives you a line with 3 sets of hex/ASCII and the function like this
      50fe5c:>> eb029e49 >> bl>> 5b7788 <Clara::RecordDB::SetEncryption(safe enum<clara ……….so on etc so which set of those do you search for with a hex editor cause I've searched all 3 using hex and ASCII and I can't find them in the .so …

      Reply
      • In the hex editor, we go to the address, not search the pattern.

      • Well that’s kinda what im asking . how from the decoded “asm.txt” do u find the address

      • Or to be more specific say the address is 5b7788 I search the .so it puts me close to that address but there is no exact match there might be 005b7782 or 005b7778 etc so how do u know which is the right address ?

      • The first column in the asm.txt is always the address. This is how the disassembling shows.
        Then in your hex editor, you should go to 0x50fe5c if this is your first column. I say “if” because I do not quite understand what your
        “50fe5c:>> eb029e49 >> bl>> 5b7788 <Clara::RecordDB::SetEncryption(safe enum<clara …” actually looks like.

  24. how to change number of gems in dungeon hunter 4 for android. thx.

    Reply
  25. hello sir ! would you give me a hand in my problem about ZENONIA 3 ..
    im about to use hex editor to hack the ZEN in game .
    but there is a problem , when i click /data/data there is no file in the folder !!!
    as for other solution , they say to check the “ROOT PERMISSION” box but every time i check it, it says : CAN’T CHANGE SHELL: SHELL DOES NOT START ..

    im using HEX EDITOR v2.0.21
    my phone is ROOTED – Samsung Galaxy Pocket ..

    PLEASE HELP !!!

    Reply
  26. Thanks in favor of sharing such a fastidious idea, post is nice, thats why i have read it completely

    Reply
  27. I have a problem with Rule the kingdom. In the save file folder the automatic save is a .bin file and I can´t manage to open said file.

    Reply
  28. I have a problem with Rule the kingdom. In the save file folder the automatic save is a .bin file and I can´t manage to open said file with Hexedit or XVI programs. I even tried to use note pad but all there is is gibberish and nothing even remotely recognisable.
    Please give me a hand

    Reply
    • I think you don’t have root permission. Please get the root permission from in adb shell, then use adb pull to retrieve the file.
      But if your notepad can open the file as gibberish, normally it can be open with hex editor.

      Reply
      • I have permanent root. Yet when I try opening the “save.bin” or “save_prevbin” with Hexedit it says it´s read only and it cannot be opened

      • If you use adb pull the file, then you can edit the file with the hex editor. Please check the file permission of the pulled file.

      • Sorry allencch but how do I use adb and pull the file? I´ve read this and the previous post but I still don´t get it to much

      • If when you “adb shell”, you can get “#” symbol for the prompt, you are log in as root. Then you are able to access the file. If you get “$”, then, you cannot access the file.
        To pull the file, in a command prompt, enter
        adb pull /data/and_path_to_where_your_file_locate

  29. Hi allencch, you know if clash of clans can be hacked ?

    Reply
  30. please edit octro teen patti data

    please please edit octro teen patti data with full of chips

    Reply
  31. how to hack money and gems in games android Happy farm – Candy Day?
    please tell me because i need money and gems to up my rating my train…

    Reply
  32. Post writing is also a fun, if you be acquainted with afterward you can write if not it is complex to write.

    Reply
  33. wht 2 do in /data/data/com.octro.teenpatti/ folder help me..
    i cant understand

    Reply
    • how to get unlimited chip on octro teenpatti, can you pls help to edit data/data/octro.teenpatti files? pls help sir…

      Reply
  34. Hey hi.. I need to hack an android game… The name is dh texas poker.. U think is possible??? If u hack the game ill pay u.. Santostefano@outlook.com my email. Thanks

    Reply
  35. Can you hack online games???

    Reply
  36. Dear

    I am playing the octro teenpatti game in my Samsung note 2 and I am using the game killer 2.60 but when hack is running in the table play my score see 99999999 but when I am clicking my photo the original chips amount see.and when I back to lobby server message you have lost 99999999 in last session
    Kindly help sync my edited amount in teenpatti or any idea like hex editor and other meta
    Please inform me

    Reply
  37. I have been hacking game saves and local games for years. My troubles is hacking online android games while save data is not stored locally, even if I find the address of the data, I modify it, it will not stay because the game continues feed data to server and server to my device.

    I would like to learn how to intercept the data being sent to server and I can modify its value.

    Any advice?

    Reply
  38. hey dude
    your site is awsome. I have learned many things from it.
    now as the topic is goin on about hacking the game.
    I can simply hack most of the Android games using GAMECIH, SB game hacker, game killer etc. but its for offline game and if this method not work I simply goto data/data/package_name/shared_pref/any.xml file. you can simply open that xml file with any editor in your fone and search for your desire thing like coins and code and change it to whatever you like.
    but now I want hack online games like many in the comment said its teen patti.
    as in someone comment we can easily change value in front end but not in back end.
    so can you please tell me how to do it. or I fink I have to manipulate the smali codes for changing the value in their database.
    I am not an expert in android but just learned within few week from searching and learning.
    so if you can help me I will be more than happy……
    will be waiting for your reply…..

    Reply
    • Online game cannot be hacked through the client only. Because most online game data are stored in the server. It will have difficulty to hack online data, and may be illegal and be banned.

      Reply
      • Thanks for the reply..
        I know its not very easy to hack online data but not impossible na.
        I don’t know exactly because I m not that expert in android but I fink we can alter the smali codes of a decompiled apk and send our data in such a way that we want.
        or I want to know that whatever data the game send to the server that can be intercepted and then alter and then send it to the server…
        just curious about to know

      • Correct. It is possible to send the data to the server to cheat. But the server admin is also possible to investigate the suspicious data sent.

      • ok forgot all that
        say me how to do smali coding to change the value in games

      • Sorry, I didn’t try the smali coding before

      • so dude do you any idea how to do it..
        can you tell me how to intercept packets send by the game to its server.
        I have used shark for android to intercept packets send by my GSM cellular network but it always show raw data with nothing inside it.
        So do have any idea on how to do it, It would be great thing for me.

      • I am not experienced with that. You may need to learn the data structure of the packet sent. They are normally binary data, not the plain text.

    • Today no reply from you dude.
      Waiting for your reply …………. ;-)

      Reply
  39. okk thanks for the information.
    I want to know that where are the initial value of the games are stored
    For example when we play any game (offline) we get certain amount of coins gold health etc.
    so where are they are stored In the apk.
    Is it in the smali folder or in the res folder where all the .xml files are there.
    I tried changing in res folder strings.xml but it didn’t affect any thing in the game.
    so can you please tell me where are they stored.
    and I also want to know how to use IDA pro and what’s the use of it.

    Reply
    • Where the initial value stored in the game, either res folder or smali folder, in my opinion it is depending on the developers. For the strings.xml, it is storing the string (text) only.

      Besides that, I am not very familiar about smali and assembling again from the smali.

      But for the IDA Pro, it is used for disassembling the binary file. Because most of the current mobile phones are ARM architectures, after disassembling, you get the assembly instructions. It is exactly the same as the objdump. But IDA Pro is also a debugger, so you can do the debugging at the same time.

      Reply
  40. thnx buddy for replies.
    I have seen many post when I searched for keyword hacking online games and I found this site showing the way to hack online game vis IDA pro but I don’t know from where to start.
    it does not have clear information about it.

    Here is the site—> thedefaced.org/modding-android-games-is-it-really-that-hard/

    In this site there is a example for modding UNO..
    I have not played this game before so I m not familiar with it but I think its online game.

    So can you atleast help me on how to use IDA pro..??
    how to edit the data of an apk using IDA pro….???
    what to do first..??
    Can you just tell me with steps if you are familiar with IDA pro… Thanks. . :-)

    Reply
    • Your question is too difficult to answer. To learn the IDA pro, you need to learn reverse engineering, such as how to use OllyDbg and also IDA Pro. I can’t help this. Please find the tutorial from internet. There are a lot of resources online.

      Reply
  41. can you please just look to that site…..

    Reply
    • Looked. It is too advanced from my knowledge. And the webpage doesn’t explain in detail. May be you can consult the author.

      Reply
      • hey dude I need your help….
        I have decompile an apk.
        I have the library .so file.
        I can load it into IDA pro but now I want to debug that .so file.
        when I go to debugger click on start debugging it ask me to choose between android /gdb.
        I tried both to debug but it gives me an error of something like not valid parameters passed.
        my host name is localhost

        can you please explain me how to do it correctly if I m doing anything wrong…
        Thanks. ………. :-)

      • Hi Prince, I am not very experienced in IDA Pro. You cannot debug the .so file directly. This is because it is the library file, not the executable file. That is why it request for the parameter.

        I only have the experience of using the IDA Pro to disassemble the .so file.

      • ok so how to disassembled the .so file
        just have to drag and drop on the main interface of ida pro or have to do something else…???

      • Please trial and error. I cannot remember everything.

      • ok dude.
        can you suggest me some nice website or forum in which I can learn more.
        or how about you only try to hack the game which I want to hack if u don’t mind n if u hav time….

      • Hi Prince, I don’t have time to hack any game, and even play the game. About the nice website, these are the websites I bookmarked long time ago: http://www.woodmann.com/crackz/ and http://rewiki.regengedanken.de/wiki/Main_Page

      • NP dude.
        you have helped me alot.
        I have learned a lot from whatever you told me.
        Thanks dude.. :-) :-) :-)

  42. aryt dude
    thnx for all your help and answer you gave of my questions.
    if anytime I need you I will contact you for sure.
    Thank you. ……….. :-) :-) :-)

    Reply
  43. awesome blog and u buddy too.
    i wanna know that how to change data which we sent to server in online games.
    how to modify them ?
    hey prince i read ur all que. and sir your ans too. mist of them are miny queries and most of them i satisfied my self.thank you.

    Reply
  44. Any buddy help me to hack teen patti…?

    Reply
    • sorry dude teen patti is online game and its data is stored on server not on our device.
      so basically to hack teen patti you have to hack database of it.
      in short online games cannot be hacked soo damn easily.

      I have been trying to hack this game for more than 2 months but no success at all.
      Tried all the ways to hack but can’t do any hacking in it

      You can read all my and allencch conversation above.

      Reply
  45. how to hack Octro teen patti in android phone without root?????

    Reply
  46. clash of clans hack
    battle beach hack ??? plzzzzzzzz

    Reply
  47. How can I hack your blog to delete the 900 questions asked by Prince? Talk about pushy and mostly unappreciative. Dude, your patience deserves an award.

    Reply
  48. how to hack castle clash 1.2.39 using IDA pro? can u help me pls. . . .

    Reply
