Android Game Hacking

As I have no mobile pentesting experience yet, I decided to try my hand at a little android game hacking.

Android Game Hacking - Introduction

This post will be a little vague, as I don't want to give everything exactly away for this game, and I still play it for enjoyment.

That said, I hope this provides a decent example into one way to change local save data for Android games.

Data Backup

First of all, since I didn't have root, I needed to get a list of the packages installed.

root@kali:~/android$ adb shell 'pm list packages -f'
package:/data/app/com.google.android.youtube-2/base.apk=com.google.android.youtube
package:/data/app/dev.games.mygame-1/base.apk=dev.games.mygame

< ... snip ... >

Once I had the name of the base.apk, it was time to back up the files to my local system.

root@kali:~/android$ adb backup -f mygame.ab -noapk dev.games.mygame
Now unlock your device and confirm the backup operation.

Using the Android Backup Extractor I was able to get the tar archive of the files from the ADB backup file.

root@kali:~/android$ java -jar abe.jar unpack mygame.ab mygame.tar
Backup encrypted, enter password (will NOT be displayed):
Password:

The next step was to get an (in order) list of all the files in the archive, as I will need that later when I want to rebuild the archive.

root@kali:~/android$ tar -tf mygame.tar > mygame.list

File Analysis

With my file list in hand, it was time to extract the archive and take a look at the files.

root@kali:~/android$ tar -xvf mygame.tar 
x apps/dev.games.mygame/_manifest
x apps/dev.games.mygame/r/app_data
x apps/dev.games.mygame/r/app_data/UserInfo.usr
x apps/dev.games.mygame/r/app_data/PlayerDataBackup1.txt
x apps/dev.games.mygame/r/app_data/PlayerData.txt
x apps/dev.games.mygame/r/app_data/PlayerDataBackup2.txt
x apps/dev.games.mygame/r/app_data/PlayerDataBackup3.txt
x apps/dev.games.mygame/r/app_data/PlayerDataBackup4.txt

< ... snip ... >

Android Game Hacking - Editing the Values and Rebuilding the Archive

Already in the first few files, I figured that PlayerData.txt was the one that I'd want to look at.

Once I opened the directory and looked through the PlayerData.txt file, I found the line that I wanted to change.

Android Game Hacking - Player Data

Once I modified the line in question, it was time to rebuild my tar archive.

root@kali:~/android$ cat mygame.list | pax -wd > mygame-edited.tar

With the tar rebuilt, I needed to create a new ADB backup file so that it could be restored to the device.

root@kali:~/android$ java -jar abe.jar pack mygame-edited.tar mygame-edited.ab

Last, but not least, I had to restore my edited ab file to the device.

root@kali:~/android$ adb restore mygame-edited.ab
Now unlock your device and confirm the restore operation.

With everything in place, it was time to actually check the item in-game.

Android Game Hacking - Modified Item

As you can see from the screenshot, the item's new values match the modified values from the PlayerData.txt file.

Android Game Hacking - Conclusion

I know this was a bit vague, but I didn't want anyone ruining this game (or the developer catching on to it) quite yet.

That said, if you have any specific questions, or other games that you'd think I should take a look at, then I'd definitely be willing to try!

doyler on Githubdoyler on Twitter
doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Principal Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.

Leave a Comment

Filed under Security Not Included

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.