Android game hacking

[Added 2012-10-16] Read this first: Quite a lot of readers have asked me how to hack this game or that game. Sorry to say, I am not an expert in hacking those games, and I don’t have much time to play and hack them. What I share here is only how to hack games in a general way, without permanently rooting the Android device. So, if you are asking about a specific game, please look for it on another channel. Thank you.

Frustrated with some Android games? Want to hack them? Want to kill the monsters with one slice?

Okay, this is the main reason I learned about Android rooting. After we get the “#” prompt from “adb shell” (see my previous post), we can read every file under /data. The per-app directories /data/data/<package name> hold each app’s private files, which for a game means its save data and also its native libraries.

Simple problem and solution

My hacking method is not memory editing but save file editing, so we need some knowledge of and experience with hex editing. Since we can now access the app data under /data/data, we can pull the save file, edit it, and push it back. One check worth doing: note the owner and mode of the save file (ls -l) before pulling it, and make sure the pushed copy still has them. A file pushed back as root can end up owned by root, and the game, which runs under its own user ID, may then fail to overwrite it on the next save.

So, pull the save file you want; its name will be something like Save0.dat. Open it with a hex editor such as bless, ghex or hexedit, edit the value, then push the file back.

I personally wrote a small command-line tool so that I can do hex editing inside adb shell. (It is available here.) I push it to /data/local/tmp, so that I can use it without pulling and pushing the file.

For some games, the save file is a plain binary file. With a hex editor we can make sense of it: the number of coins, the level of the weapons, the hero’s stats such as strength, vitality and HP, and so on, are stored as plain integers and can be edited directly. If you cannot spot the value, save twice with a known change in between (spend 10 coins, say) and compare the two files; the bytes that changed are the field you want. (Always make a backup before editing.)
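The plain-binary case as a script, added here as an example; it is not the author’s tool and not code from any game. It does the hex-editor step with the two checks a hex editor does not give you: it looks for the known current value (the coin count the game displays) stored as a little-endian 32-bit integer, refuses to patch unless that value occurs exactly once in the file, and writes a .bak copy before touching anything. The save layout in SAMPLE_SAVE is constructed for the example; real games lay their fields out differently.

```python
"""Added example (not the author's tool or code): the hex-editing step done
as a script, with the two checks a hex editor does not give you.  It looks for
a known current value (e.g. the coin count shown in the game) stored as a
little-endian 32-bit integer, refuses to patch unless it occurs exactly once,
and writes a .bak copy before touching the file.
"""
import struct
from pathlib import Path


def find_u32(blob: bytes, value: int) -> list:
    """Every offset where VALUE appears as a little-endian u32.

    ARM Android is little-endian, so 1234 coins are stored as d2 04 00 00.
    All byte alignments are searched, since save formats rarely pad fields.
    """
    needle = struct.pack("<I", value)
    hits, start = [], 0
    while True:
        pos = blob.find(needle, start)
        if pos == -1:
            return hits
        hits.append(pos)
        start = pos + 1


def locate_unique_u32(blob: bytes, value: int) -> int:
    """Offset of VALUE if it occurs exactly once; raise otherwise.

    If the coin count also equals, say, the hero's HP, a blind replace would
    change both.  Refuse, and narrow it down instead: change the value in the
    game (spend a few coins), save again, and diff the two files.
    """
    hits = find_u32(blob, value)
    if len(hits) != 1:
        raise ValueError(f"{value} occurs {len(hits)} times at {hits}; "
                         "change it in-game and diff two saves to find the field")
    return hits[0]


def patch_u32(blob: bytes, offset: int, new_value: int) -> bytes:
    """Copy of BLOB with the little-endian u32 at OFFSET replaced."""
    if not 0 <= offset <= len(blob) - 4:
        raise ValueError("offset outside the file")
    if not 0 <= new_value <= 0xFFFFFFFF:
        raise ValueError("value does not fit in 32 bits")
    return blob[:offset] + struct.pack("<I", new_value) + blob[offset + 4:]


def patch_save_file(path: str, old_value: int, new_value: int) -> int:
    """Patch a pulled save file in place, after saving PATH + '.bak'.

    Returns the offset that was patched, so it can be reused with a hex
    editor or adb next time without searching again.
    """
    p = Path(path)
    blob = p.read_bytes()
    Path(str(p) + ".bak").write_bytes(blob)      # always keep the original
    offset = locate_unique_u32(blob, old_value)
    p.write_bytes(patch_u32(blob, offset, new_value))
    return offset


# Constructed sample save, not from any real game: a 4-byte magic, then
# coins (u32), weapon level (u16) and hero HP (u32), all little-endian.
SAMPLE_SAVE = b"SAVE" + struct.pack("<IHI", 1234, 3, 250)

if __name__ == "__main__":
    off = locate_unique_u32(SAMPLE_SAVE, 1234)
    print(f"coins at offset {off}:", patch_u32(SAMPLE_SAVE, off, 999999).hex())
```

Usage on a pulled file is patch_save_file("Save0.dat", 1234, 999999), with 1234 being the coin count the game currently shows; push the result back afterwards. The uniqueness check matters more than it looks: small values such as a level of 3 occur all over a binary file, which is why the diff-two-saves trick is the fallback.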

Advanced problem and solution

For other games, the save file is a real pain: it is encrypted or encoded, nothing in it can be understood, and modifying bytes blindly does not help (the game ignores or rejects the file). So my only solution is to edit the library file, i.e. the shared object (.so) that does the encoding.

For example, if there is a library called libdhunter.so, we use objdump (the ARM-target build, not the x86 or x86-64 one) to disassemble the shared object. An ARM objdump (arm-linux-androideabi-objdump) ships in the Android NDK toolchain. One caveat: if the library mixes ARM and Thumb code and has been stripped of its mapping symbols, objdump may decode the Thumb parts as ARM and print nonsense; -M force-thumb disassembles everything as Thumb instead, so compare both views when a function looks wrong.

/path-to/objdump -dC libdhunter.so > asm.txt   # pull the library file first; run this on the computer, not in adb shell

This will create “asm.txt”, which contains the disassembly. Now what we can do is study the functions. The -C option demangles C++ names, so we might find functions named “encode”, “encrypt”, “decode”, “decrypt”, “save” or “load”. Also look for the calls that open, read or write, and close the file, because normally the game calls encrypt or encode just before writing the save file and decode or decrypt just after reading it. Study which functions they call. (Only functions that still have symbols keep their names; in a stripped library, start from the imported libc functions such as fopen@plt, fwrite@plt and fread@plt, which always keep theirs, and work outwards from the functions that call them.)
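To avoid reading the whole listing by hand, here is an added example (not from the original post) that parses objdump -dC output and lists, for every function, the calls it makes, so the save/encode/fwrite and load/fread/decode chains described above can be found directly. The listing in SAMPLE_OBJDUMP is constructed in the format objdump prints for ARM; the function names, addresses and the library they supposedly come from are made up for the example.

```python
"""Added example (not from the original post): a parser for `objdump -dC`
output that lists, for each function, the calls it makes, so that the
save/encode/write and load/decode/read chains can be found without reading
the whole listing by hand.
"""
import re

# A symbol line:   00001a20 <save(char const*)>:
SYMBOL_RE = re.compile(r"^([0-9a-f]+) <(.+)>:\s*$")
# A call line:     1a28:  ebfffff2   bl  19f8 <encode(char*, int)>
# The opcode column is 8 hex digits for ARM or one/two 4-digit halfwords
# for Thumb; only bl/blx are calls (b/bne etc. are local jumps).
CALL_RE = re.compile(
    r"^\s*([0-9a-f]+):\s+(?:[0-9a-f]{8}|[0-9a-f]{4}(?: [0-9a-f]{4})?)\s+"
    r"blx?\s+([0-9a-f]+)\s+<([^>]+)>")

# Constructed listing (made-up library, names and addresses) in the layout
# objdump prints for ARM.
SAMPLE_OBJDUMP = """
00001a20 <save(char const*)>:
    1a20:    e92d4010     push    {r4, lr}
    1a24:    e1a04000     mov     r4, r0
    1a28:    ebfffff2     bl      19f8 <encode(char*, int)>
    1a2c:    e1a00004     mov     r0, r4
    1a30:    ebfffe90     bl      1478 <fopen@plt>
    1a34:    ebfffe9a     bl      14a4 <fwrite@plt>
    1a38:    ebfffe9c     bl      14b0 <fclose@plt>
    1a3c:    e8bd8010     pop     {r4, pc}

00001a40 <load(char const*)>:
    1a40:    e92d4010     push    {r4, lr}
    1a44:    ebfffe8b     bl      1478 <fopen@plt>
    1a48:    ebfffe96     bl      14a8 <fread@plt>
    1a4c:    1afffffe     bne     1a4c <load(char const*)+0xc>
    1a50:    ebfffff0     bl      1a18 <decode(char*, int)>
    1a54:    e8bd8010     pop     {r4, pc}
"""


def parse_calls(listing: str) -> dict:
    """Map each function name to its calls, in address order, as
    (insn_addr, target_addr, target_name) tuples."""
    calls, current = {}, None
    for line in listing.splitlines():
        m = SYMBOL_RE.match(line)
        if m:
            current = m.group(2)
            calls[current] = []
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            calls[current].append(
                (int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return calls


def callers_of(calls: dict, needle: str) -> list:
    """(function, insn_addr) for every bl whose target name contains NEEDLE
    (case-insensitive): these are the call sites one would patch."""
    needle = needle.lower()
    return [(func, addr) for func, sites in calls.items()
            for addr, _target_addr, target in sites if needle in target.lower()]


def call_order(calls: dict, func: str) -> list:
    """Target names of FUNC's calls in order, to confirm e.g. that encode
    runs before fwrite and decode after fread."""
    return [target for _addr, _target_addr, target in calls[func]]


if __name__ == "__main__":
    table = parse_calls(SAMPLE_OBJDUMP)
    for func in table:
        print(func, "->", call_order(table, func))
    print("encode is called from:", [(f, hex(a)) for f, a in callers_of(table, "encode")])
```

On a real asm.txt, parse_calls(open("asm.txt").read()) followed by callers_of(calls, "fwrite") is usually the quickest route to the save routine in a stripped library, since the @plt names survive stripping.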

For example, the “save” function might call “encode” and only then “write” the buffer. In this case the fix is quite easy. Use a hex editor to open the shared object, find the bytes of the bl instruction that calls “encode” inside “save” (objdump prints its address; in a typical .so the code’s file offset equals that address, otherwise map it through the program headers shown by readelf -l), and overwrite them with “00 00 00 00”. In ARM mode that word decodes as andeq r0, r0, r0, which does nothing, i.e. a NOP, so “save” no longer calls “encode”. Two caveats: if the call is Thumb code (objdump shows it as two 16-bit halfwords), write a real Thumb NOP instead (c0 46 c0 46, i.e. mov r8, r8 twice), because 00 00 in Thumb is movs r0, r0 and clobbers the flags; and check what the code after the call does with r0, because the return value of “encode” (an encoded length, for example) is no longer produced.

Then run objdump again to check that the call really has been replaced.

Push the edited library to the device. Back up the original library and the save file first.

Run the game, load the save file, save the game, then exit.

Now, do not restart the game yet. Check the newly saved file with a hex editor. If it is now a plain binary file, we have succeeded! If not, keep trying until you want to give up.

Do not restart the game yet, because “load” would still run “decode” over the save file, which is now plain, and the game would load garbage or reject it. To make the game load the plain binary save file, disable the call to “decode” inside “load” with the same method as above.

Push the newly edited library, then start the game.

Now, we can hex edit the save file freely as we like.
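The two library patches above (NOP the call to “encode” in “save”, then the call to “decode” in “load”), as an added example that is not the author’s code: a script that takes the address objdump printed, maps it to a file offset through the ELF program headers, checks that the bytes there really are a bl in the mode the disassembly showed, and writes a NOP of the same mode and size. The .so it builds in build_sample_so is a constructed stand-in with made-up code, not a real game library, and the addresses 0x8104 and 0x810c are likewise invented for the example.

```python
"""Added example (not the author's tool or code): replace one `bl` with a
NOP in a pulled ARM .so, the step the post does with a hex editor.

objdump prints virtual addresses, so the first job is mapping the address of
the `bl` back to a file offset through the ELF program headers.  Then the
bytes are checked to really be a BL in the mode the disassembly showed
(ARM: a 4-byte word such as ebfffff2; Thumb: two halfwords such as f7ff fff2)
before a NOP of the same mode and size is written over them.
"""
import struct

PT_LOAD = 1
ARM_NOP = bytes.fromhex("0000a0e1")      # mov r0, r0  (e1a00000, valid on every ARM)
THUMB_NOP = bytes.fromhex("c046")        # mov r8, r8  (46c0, the Thumb-1 NOP)


def vaddr_to_offset(elf: bytes, vaddr: int) -> int:
    """Map a virtual address to a file offset using the PT_LOAD segments."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF32 (ARM shared object)")
    (e_phoff,) = struct.unpack_from("<I", elf, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 42)
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIIII", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError(f"address {vaddr:#x} is not inside any PT_LOAD segment")


def is_bl(insn: bytes, mode: str) -> bool:
    """True if the 4 bytes encode a BL (immediate) in the given mode."""
    if mode == "arm":
        (word,) = struct.unpack("<I", insn)
        return (word & 0x0F000000) == 0x0B000000      # cond | 1011 | imm24
    if mode == "thumb":
        hw1, hw2 = struct.unpack("<HH", insn)          # 11110 S imm10 | 11 J1 1 J2 imm11
        return (hw1 & 0xF800) == 0xF000 and (hw2 & 0xD000) == 0xD000
    raise ValueError("mode must be 'arm' or 'thumb'")


def nop_call(elf: bytes, vaddr: int, mode: str) -> bytes:
    """Copy of ELF with the BL at VADDR replaced by a NOP of the same mode.

    Refuses to touch anything that is not a BL, so a mistyped address cannot
    silently corrupt an unrelated instruction.  Note that the callee's return
    value in r0 is no longer produced; check what the caller does with it.
    """
    off = vaddr_to_offset(elf, vaddr)
    insn = elf[off:off + 4]
    if len(insn) != 4 or not is_bl(insn, mode):
        raise ValueError(f"bytes at {vaddr:#x} ({insn.hex()}) are not a {mode} BL")
    nop = ARM_NOP if mode == "arm" else THUMB_NOP * 2   # both are 4 bytes
    return elf[:off] + nop + elf[off + 4:]


def build_sample_so() -> bytes:
    """Constructed stand-in for a game library (not a real .so).

    One PT_LOAD maps file offset 0x100 at virtual address 0x8100, so the
    address objdump would print differs from the file offset by 0x8000.
    """
    code = bytes.fromhex(
        "10402de9"      # 8100: push {r4, lr}          (ARM, e92d4010)
        "f2ffffeb"      # 8104: bl  <encode>           (ARM, ebfffff2)
        "0210a0e3"      # 8108: mov r1, #2             (ARM, e3a01002)
        "fff7f2ff"      # 810c: bl  <decode>           (Thumb-2, f7ff fff2)
    )
    phdr = struct.pack("<IIIIIIII", PT_LOAD, 0x100, 0x8100, 0x8100,
                       len(code), len(code), 5, 0x1000)
    ehdr = struct.pack("<16sHHIIIIIHHHHHH",
                       b"\x7fELF\x01\x01\x01" + b"\0" * 9,
                       3, 40, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    blob = ehdr + phdr
    return blob + b"\0" * (0x100 - len(blob)) + code


if __name__ == "__main__":
    so = build_sample_so()
    patched = nop_call(so, 0x8104, "arm")          # disable encode inside save
    patched = nop_call(patched, 0x810c, "thumb")   # disable decode inside load
    print("patched bytes at 0x104:", patched[0x104:0x110].hex())
```

On a real pulled library the call is nop_call(open("libdhunter.so", "rb").read(), 0x1a28, "arm") with the address taken from the bl line in asm.txt, and the result written to a new file that is pushed back after the original has been backed up.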

Other problem and solution (added 2012-03-19)

There are even easier cases, such as the game Aqua Pet. There is no shared object (lib*.so), and the save file is a plain text file, so we do not even need a hex editor to edit it. However, editing the file might seem to change nothing: the running game keeps its state in memory and writes it back over the file when it pauses or exits, so the edit is overwritten. In this kind of case we must “force stop” the app first (in Settings under the application’s details, or with am force-stop <package> from adb shell if your release supports it), then edit the file, then start the game again.

Now, enjoy the games.

Rooting Android manually

In the previous post, I mentioned rooting the Android emulator. Rooting a real Android phone is another thing, quite different from rooting the emulator.

What is the main difference? In the Android emulator, once we run “adb shell”, the prompt is “#”, i.e. we are root; that is why we can remount the filesystem and do whatever we want as root. On a real Android phone, “adb shell” gives “$” instead of “#”: on a production build (ro.secure=1) adbd drops to the unprivileged shell user, so we cannot remount the filesystem or do anything else that needs root.

Then, how should we do it? According to this article, there is a very general way to get a temporary root. To simplify it, what we need is “psneuter”, a temporary-root exploit that only works on the older Android releases it targeted. We can get the source code of “psneuter” as well; in my case, I compiled the source myself with the Android NDK. Compiling it yourself is also the safer choice: a pre-compiled root exploit from an unknown source is a classic place to hide a trojan, and you are about to run it with the phone’s full privileges.

Before connecting the phone to the computer, make sure USB Debugging is enabled in the settings. Once we have psneuter (compiled ourselves or as a pre-compiled binary), we can

adb push psneuter /data/local/tmp

/data/local/tmp is the only directory that the shell user can both write to and execute from (/sdcard is writable but mounted noexec). So, run “adb shell”, then in the shell (run chmod 755 /data/local/tmp/psneuter first if adb push did not keep the execute bit),

/data/local/tmp/psneuter

As a result, we are kicked out of “adb shell”, because psneuter restarts adbd. Now run “adb kill-server”, wait a while, then “adb devices”, then “adb shell” again. Now we see “#” instead of “$”. Yes, this is a temporary root: if we reboot the phone, everything is restored, and we need to run psneuter from “adb shell” again.

So, we can put busybox or any other command-line tools in /data/local/tmp/ as well.

PS: Next, I am going to post about game hacking. Actually, this is the original reason I wanted to root Android, because I am frustrated with some stupid games.