
>> Hi everyone. We're ready. Hopefully you've all had a nice lunch. Bruno is going to wake you all up again with his fantastic talk. So this is Bruno Senna. I think you've come over from Brazil.

>> Yeah.

>> Yeah, come all the way from Brazil. So please give him a warm welcome, a Bournemouth welcome. And I'll let you get started, Bruno.

>> So thank you. Thank you guys. Hello. Well, before you get to know me, get to know my research and I get to know you as well, I'd like to express my deep gratitude to the BSides Bournemouth organization for allowing me to be here today. It's a great honor and I'm really happy that my research on mobile hacking caught your interest. So in return, I really hope that everyone here in this room today could get at least one or two insights about mobile security and mobile hacking. So without further ado, let's get to it, because I have a lot to show you today.

Well, my research is called God Mode Mobile: exploiting mobile apps with game cheats. And I'm going to tell you a story about how I managed to exploit a critical app using game hacking techniques. So let's get to it.

A little bit about me. My name is Bruno. Hi. Born and raised in Brazil and still living there. I am currently working at Italian Security. I work with offensive security in general, but I have a focus on mobile security, a degree in computer science, and I also have a hobby, which is game hacking. And that's actually how it all started, by combining these two things, which are my expertise in mobile security and game hacking, which is a hobby; and game hacking is actually what first brought me to cyber security in the first place. I'm also the creator of Mobac Crew, which is a mobile security and hacking community that I've created, and with Mobac Crew I organize the mobile security villages at BSides São Paulo and other events in Brazil. So if you guys want any mobile village in the next years, here I am.

And well, although I started my cyber security career by game hacking, I've never actually taken some time to explore mobile game hacking. And a few months ago I decided to actually go through it and do some research on mobile game hacking. And as I was going and searching and coming across technologies and techniques, at some point I began to wonder: could I use these techniques to actually exploit apps, critical ones, like maybe a mobile banking app? And that's what I'm going to show you today.

So I started with this game, which is AssaultCube. It was a game originally developed for PC with the Cube engine, which uses C++. It's a very simple game engine, and because of that it's a very simple game to reverse engineer too. And then it got a port for Android. And as you can see, this is the Android version. Please don't mind, I'm a terrible player, but that doesn't matter. And as you can see, I can die. I'm a shitty player. So there are a lot of tutorials on the internet on how to hack and cheat this game, but in the PC version. So I decided to do it on the mobile version, on Android.

So the first thing that I did was to open it in JADX to see some code. And as the game was originally developed for PC, all the game logic is not in the Java code but in the native code libraries that this Java code loads. So we can see here that we have main and server. So the game logic is contained in those native libraries. So, as with any other app, I used apktool to decompile it, and apps that load native libraries commonly store them here, in arm64. So we have here our libmain.so, and our game logic is contained here.

So with our libmain.so, I saw that we can actually go through some more common game techniques, and we're going to go with Ghidra. So I decided to look for some function names; as I said, the Cube engine is a very simple game engine, so we can see all the functions with their names. So I went searching for some damage functions and I came across this one, at this address: dodamage. And as we can see here, we can see the structure of our function. So we have dodamage; we have an integer called damage, which is probably the damage itself. We have two player entities, p1 and actor. So we can assume that actor is the player that is inflicting damage and p1 is the player receiving damage. We also have an integer for gun, which probably is the ID of the gun that has been used. And down there we can also see a dereference of player1. And if we go through it and look further, we can see that this actually is the static address of our character, our player. So this will be very important. So with this we already have all we need. We have our address to our character. We have the function and we know how it works. And most importantly, we know how it fits together.

So as we are in an Android environment, we're going to go with Frida. So here I developed a Python loader. What this will do, it will simply start our app, which is net.cubers.cube, and then we'll attach our Frida script, which is assaultcube_godmode. So this is actually our Frida script. So what it is doing: it is finding the address of the native library and saving it in that base address variable, and then with the Interceptor module we can actually intercept and attach our Frida script to that native library. So that is the address that we found earlier, and here I'm just logging every time that the dodamage function is called; I'm printing the arguments, so the damage, the player, everything. Here, down there, we're also saving our pointer to the static address of our character, and then we're going to get the effective address, which is the address that is actually in the memory of our process. And here is where the magic happens. Basically, what I'm doing here is I'm saying: every time that the player who's been damaged is myself, my character, I'm patching the damage to zero. So what should happen here is every time that I get shot or anything, I will not get any damage.

So let's see how this works. So I'm going to run my Python loader, which will start my Frida script. The game is already running and it should be working by now. So our Frida is already running. So as we can see, I started a match, and we can see every time the function is called, when I shoot an enemy and when I get shot too, but see that every time that I get shot the damage is being patched to zero. So my life doesn't change, but I can still kill the other enemies; my life is not affected. So here you can see a lot of "patched damage to zero", but that doesn't affect other players, just me.

All right, interesting. Nothing particularly remarkable, but interesting. But what can we do with this? Well, after exploiting this game, I started to wonder: are there any apps that use this technique of loading native library code into the process? And there are apps that probably were developed first for PC and then gained a port for Android. And then I went searching for it, and that's when I came across this app, which is Keepass2Android. Basically this is a port of KeePass, which is a famous password manager software for Windows, and it was developed with C, and this is an Android port. And as we can see here, although this is not an official port, we can see that it has a lot of users, more than a million downloads. So that's very interesting.

And I'm going to do the same thing that I did with AssaultCube. I'm going to open it in JADX and see the libraries that are being loaded with loadLibrary. And by looking at this, I was analyzing those libraries. And when I saw this libmonosgen, libmono-native, libmonodroid, I saw it and I began to wonder, well, I think I have already seen it before in some place, and then I remembered where I've seen it. Unity.

Unity is, for those of you who are not much into games, one of the biggest and most famous game engines. It is a cross-platform development framework for 2D and 3D games, everything, and the scripting is with C#. And Unity has two types of runtimes. One of them is the Mono runtime and one of them is IL2CPP. Basically the difference is the compilation. Mono uses JIT compilation, which is just in time, and IL2CPP uses AOT compilation. In the Mono runtime we have moderate performance. What it actually does: it has a bytecode, which is called Common Intermediate Language, and this bytecode is executed on a VM, pretty much like the JVM. So it is executed on a virtual machine. And IL2CPP uses ahead-of-time compilation. It has higher performance. It converts the intermediate language to C++. So it strips the original code. So it's very much harder to reverse engineer IL2CPP than the Mono runtime, because most of the time the Mono runtime keeps the original bytecode in the actual file. So it's easier to reverse engineer it, and that's it.

So we're going to focus on the Mono runtime, and to do it we're going to use a game which was developed to run on the Mono runtime, which is Cuphead, developed with the Unity engine and running on the Mono runtime. So here we are in a pretty common gameplay, where I can hit the boss and he can hit me. I think I die here. I must die. But you can see that I don't kill him right away.

So we're going to go through some game files. As I was searching through the game files, we can see the Managed folder and the Mono folder. So that Mono folder also tells us that this game actually uses Mono, but we're not going to search for it right now. We're going to focus on Managed. So here we are. We see a lot of DLLs. We also see some Mono DLLs, Mono.Security, but we're going to focus on Assembly-CSharp.dll, which is our main DLL, which contains all the game logic. So with this DLL we can use another tool very commonly used for game hacking, which is dnSpy, which is a decompiler for DLLs and helps us to understand its structure.
So here we opened Assembly-CSharp in dnSpy. I went searching for damage too. So I found this WeaponProperties, LevelWeapon, Peashooter basic damage. Peashooter is basically the basic attack of the game, that blue burst of fire that we shoot. And I went through this damage class and the Peashooter class, and we can see the actual damage. So I was thinking: what will happen if I change this value to something ridiculously high? And that's what I did. And then I altered it; let's recompile and see what happens.

So well, actually I must be doing a lot of damage. So you can see that the boss can also hit me. That shot is not the Peashooter, but when we shoot the Peashooter, which is the basic attack, it kills the boss right away, with one hit. This one, when I hit him the first time, it didn't kill him, because I think that he wasn't able to take damage at the time. So yeah, that's it. We kill everyone with just one hit.

>> So back to Keepass2Android. We see those libraries, libmonosgen; we also see Xamarin, and I will talk about it later. But all right, so we're seeing the Mono libraries, the Xamarin ones, but we're not actually viewing the libraries that contain the KeePass logic itself. So where are they? So I went searching a little deeper in the Android APK and I found this MonoPackageManager, and I found these two functions, get assemblies and get dependencies; both of them reach out to the resources folder, assemblies and dependencies. So I went to the resources folder; inside there was another folder called assemblies, and there were these: assemblies.blob and assemblies.manifest. So let's see what those are. So when I tried to access assemblies.blob, I got this "file too large for view". So it didn't help me very much. But in assemblies.manifest we can see a lot of names that look very similar to what a DLL would be called. We can actually see those here: Keepass2Android setup, KeePassLib2Android. So all right, we can presume that those are the libraries that contain the password manager logic. But how do we get them? We just have names and this blob that doesn't mean very much. So I started searching a little bit about Xamarin, because there are a lot of Xamarin libraries here.
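The assemblies.blob and assemblies.manifest pair described above is a packed store of the app's managed assemblies, and the extraction tool the talk mentions later (pyxamstore) is essentially a parser for it. The following is an added example, not code from the talk or from pyxamstore: a small Python parser for the pair, plus a builder that constructs an in-memory fixture so the example runs offline. The field layout (magic "XABA", header, per-assembly descriptors, hash tables, then payload; "XALZ" marking an LZ4-compressed entry) is my understanding of the v1 store format as pyxamstore reads it and should be checked against that tool's source; the assembly names and bytes in the fixture are constructed, and the hash values are placeholders rather than the real xxHash values a store carries. From a defender's seat this is an inventory step: knowing which managed code ships in an APK, and which of it is stored raw, tells you which logic (for example an unlock or pinning check) is trivially readable.

```python
"""Parse a Xamarin assemblies.manifest / assemblies.blob pair (added example).
Assumed v1 "XABA" layout (verify against pyxamstore's source):
  header      : magic "XABA", version, local_entry_count, global_entry_count, store_id (5 x u32 LE)
  descriptors : local_entry_count x (data_off, data_size, debug_off, debug_size, cfg_off, cfg_size)
  hash tables : store 0 only, 2 x global_entry_count x (hash u64, mapping_idx, local_idx, store_id)
  payload     : assembly bytes at each descriptor's offset; "XALZ" prefix = LZ4-compressed
"""
import struct
from dataclasses import dataclass
from typing import Optional

HEADER = struct.Struct("<4sIIII")
DESCRIPTOR = struct.Struct("<IIIIII")
HASH_ENTRY = struct.Struct("<QIII")
XALZ_HEADER = struct.Struct("<4sII")  # magic, index, uncompressed size


@dataclass
class ManifestEntry:
    hash32: int
    hash64: int
    store_id: int
    store_idx: int
    name: str


@dataclass
class StoredAssembly:
    name: str
    index: int
    size: int
    compressed: bool
    data: bytes


def parse_manifest(text: str) -> list:
    """assemblies.manifest: a header line, then rows 'hash32 hash64 store_id store_idx name'."""
    entries = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) != 5:
            continue  # blank or malformed row
        h32, h64, sid, sidx, name = parts
        entries.append(ManifestEntry(int(h32, 16), int(h64, 16), int(sid), int(sidx), name))
    return entries


def parse_store(blob: bytes, manifest: list) -> list:
    """Return the assemblies in one store, named via the manifest's (store_id, store_idx)."""
    magic, _version, lec, _gec, store_id = HEADER.unpack_from(blob, 0)
    if magic != b"XABA":
        raise ValueError("not an assembly store: bad magic")
    names = {e.store_idx: e.name for e in manifest if e.store_id == store_id}
    assemblies = []
    for i in range(lec):
        data_off, data_size = DESCRIPTOR.unpack_from(blob, HEADER.size + i * DESCRIPTOR.size)[:2]
        data = blob[data_off:data_off + data_size]
        if len(data) != data_size:
            raise ValueError(f"descriptor {i} points outside the blob")
        assemblies.append(StoredAssembly(names.get(i, f"<unnamed #{i}>"), i, data_size,
                                         data[:4] == b"XALZ", data))
    return assemblies


def xalz_uncompressed_size(data: bytes) -> Optional[int]:
    """Declared size of an LZ4-wrapped assembly, or None if it is stored raw."""
    if data[:4] != b"XALZ":
        return None
    return XALZ_HEADER.unpack_from(data, 0)[2]


def build_sample_store(assemblies) -> tuple:
    """Construct an in-memory store + manifest as a fixture (not from any real APK;
    hashes are placeholders, a real store holds xxHash values of the names)."""
    lec = gec = len(assemblies)
    data_start = HEADER.size + lec * DESCRIPTOR.size + 2 * gec * HASH_ENTRY.size
    descriptors, h32_table, h64_table, payload = [], [], [], b""
    lines = ["Hash 32     Hash 64             Store ID  Store idx  Name"]
    for i, (name, data) in enumerate(assemblies):
        descriptors.append(DESCRIPTOR.pack(data_start + len(payload), len(data), 0, 0, 0, 0))
        h32, h64 = 0x1000 + i, 0x100000 + i
        h32_table.append(HASH_ENTRY.pack(h32, i, i, 0))
        h64_table.append(HASH_ENTRY.pack(h64, i, i, 0))
        lines.append(f"0x{h32:08x}  0x{h64:016x}  000  {i:04d}  {name}")
        payload += data
    blob = (HEADER.pack(b"XABA", 1, lec, gec, 0) + b"".join(descriptors)
            + b"".join(h32_table) + b"".join(h64_table) + payload)
    return blob, "\n".join(lines) + "\n"


# Constructed fixture: plausible names, fake bytes (a raw "MZ" stub and an XALZ-wrapped stub).
SAMPLE_ASSEMBLIES = [
    ("KeePassLib2Android", b"MZ" + b"\x00" * 30),
    ("Mono.Security", XALZ_HEADER.pack(b"XALZ", 1, 4096) + b"\x01\x02\x03"),
]


def inventory(blob: bytes, manifest_text: str) -> dict:
    """Name -> (size, compressed) for everything in the store."""
    return {a.name: (a.size, a.compressed)
            for a in parse_store(blob, parse_manifest(manifest_text))}


if __name__ == "__main__":
    blob, manifest = build_sample_store(SAMPLE_ASSEMBLIES)
    for name, (size, compressed) in inventory(blob, manifest).items():
        print(f"{name:24s} {size:6d} bytes  {'lz4' if compressed else 'raw'}")
```

Against a real APK you would read `resources/assemblies/assemblies.blob` and `assemblies.manifest` from disk instead of calling `build_sample_store`; LZ4 entries still need an LZ4 library to decompress, which is why the parser only reports the declared size for them.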
And basically Xamarin is a mobile app development platform framework. It is based on .NET and C#, the Microsoft framework. Basically it is used to develop an app with .NET and things like that, and then it makes a port for both Android and iOS, and most importantly, it runs the apps on the Mono runtime. So I went digging a little bit and looking for some content about Xamarin exploitation on Android, and I found this article, which helped me very much, from GoSecure, and it's talking about bypassing Xamarin certificate pinning on Android. So apps developed with Xamarin can implement certificate pinning, and this article talks about how to bypass it.

So very briefly, what this code does. The most important thing about this article is that I discovered that there is actually a Frida module for Mono. So what this code is doing: it is loading the target DLL, which is System.Net.Http. Then it looks for the target class, so in this case it is HttpClientHandler. And once it's found its class, we can go searching for the actual method that we want to hook. So in this case it is this CreateDefaultHandler, and also HttpMessageInvoker. So all right. So we've hooked the Mono library, we found the target class and the target method. So what we must do now is actually hook it and tamper with it to do what we want. So what the code is doing here, it is actually changing the handler that it is creating for another HTTP client that will not actually validate the pinning. So very briefly, when it runs without the script, the certificate pinning is validated and we don't get anything, but when the script is running, we get an OK response. So very briefly, just to show you this Frida module to tamper with Mono and with Xamarin.

All right, but back to our assemblies.blob and manifest. How can we actually get those libraries that contain our password manager logic? Well, that's actually very simple. In that article they were talking about this tool, which is pyxamstore, and what it does: basically those two files, manifest and blob, are used to pack the libraries into one single file, and pyxamstore reverses it. So we can get them by passing both the assemblies blob and the manifest. What this tool does is that it extracts all the libraries contained in it. So here we have everything that we saw before, like Xamarin, and most importantly, right there, the KeePass libraries.

So right now I think we have what we need. We know how to hook the Mono runtime with Frida. We know how to tamper with DLLs, which we learned from Cuphead. We learned from AssaultCube how to hook into the process. So we can see here that I've actually opened all the KeePass libraries that I got from pyxamstore in dnSpy so we can analyze them. Back to JADX. I will virtually show you the actual app, Keepass2Android, but as I was searching through JADX, in the Android manifest I found these two activities, which are PasswordActivity and QuickUnlock. PasswordActivity is basically the activity where the user submits his master password and then unlocks all the other passwords he's storing. And this QuickUnlock activity is basically a feature of that app that allows you to unlock all your passwords without actually submitting your whole password, just the last three characters. So the user can enable it or not.

So as I was looking through that QuickUnlock activity, I found out that it relates to the Keepass2Android setup 2. So I can assume that this is the main library that deals with QuickUnlock functions. So I opened it, the Keepass2Android setup 2, in dnSpy and I went searching for QuickUnlock, and I found this method called OnUnlock, and it's actually very simple. It receives an argument which comes from an EditText, so it's probably the text where the user actually submits his three-character password, the last three characters of his password, actually. Then it compares it to that expected password string, and if it's equal, then it calls UnlockAndSyncAndClose. UnlockAndSyncAndClose is the actual method that unlocks the database, which has all the passwords.

So let's go to our script. I don't know if you can see, guys, but basically what we are doing here: we're using that Frida module for hooking Mono. Well, we are hooking Frida to our Mono runtime, then I'm enumerating all the assemblies to find the target DLL, which is that one, Keepass2Android setup 2. Then I'm printing when I found the target DLL, which in this case is the Keepass2Android setup 2, I think. All right. So when we found it, I'm going to get a console log. Then I'm actually looking for the class contained in the Keepass2Android library. So we want the QuickUnlock class, and inside the QuickUnlock class we want to locate both the OnUnlock and UnlockAndSyncAndClose methods. So that's what we're doing here. All right, and we're looking for them, and then we are instancing those methods.

What are we doing here? All right. So once we have found our target library, our target class and our target methods, we can actually intercept them just like we did with AssaultCube. So what we want here is to intercept both the OnUnlock and UnlockAndSyncAndClose methods. So what I'm doing here is actually very simple. When the original OnUnlock code is executed, it compares the string that we passed, which comes from the EditText, which is the three last characters of his password, and it compares it to something he calls the expected password part. But what I'm doing here is that every time that the OnUnlock method is called, I'm just calling UnlockAndSyncAndClose right away. So it doesn't have to compare any password. So if this works, we should unlock the database without any password. So I'm just printing here every time the UnlockAndSyncAndClose method is called, and this is just me passing what is the target library that I want to find.

Well, let's see if this works. So this is the Keepass2Android QuickUnlock. I just submitted a random password and then I submitted my actual password, which is "sea unto". And here we have all the passwords that are being stored. I'm not running the script yet. So we saw that any password doesn't work; we have to actually submit the three last characters of our password. But when we run the script, we can see that it found the target DLL, the target class and the target methods. So when I submit any password, it just opens it right away. So we can see that UnlockAndSyncAndClose was called. And just for you to see that we're not validating any password: if we actually open it and don't submit anything at all, we actually bypass it.
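The property the hook above relies on is the shape of OnUnlock: a string comparison followed by a call to a separate privileged method that needs nothing from the caller, so anything that can run code inside the process can skip the comparison. The following is an added example, in plain Python and not Keepass2Android's code: a model of that "gate, then call" shape beside a fail-closed alternative in which the cached key is only held wrapped under a key derived from the partial password, so the unlock step itself is the check and a direct call without the right input produces nothing. The class and method names mirror the talk's description; the wrapping construction (PBKDF2 plus an HMAC counter-mode keystream with an integrity tag) is a stand-in for whatever a real app would use.

```python
"""'Compare, then call the privileged method' versus a fail-closed unlock.
Added example in plain Python; not Keepass2Android's code."""
import hashlib
import hmac
import os
from typing import Optional


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy wrap: HMAC-SHA256 counter-mode keystream XORed over data.
    A real app would use AES-GCM or a hardware-backed keystore key."""
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


class GatedQuickUnlock:
    """Shape 1 (what the talk hooks): the check and the unlock are separate
    methods, and the unlock needs nothing from the caller."""

    def __init__(self, master_key: bytes, expected_part: str):
        self._master_key = master_key        # sits in memory, unprotected
        self._expected_part = expected_part  # so does the expected part

    def on_unlock(self, typed: str) -> Optional[bytes]:
        if typed == self._expected_part:     # the only thing standing in the way
            return self.unlock_and_sync_and_close()
        return None

    def unlock_and_sync_and_close(self, typed: str = "") -> bytes:
        return self._master_key              # `typed` is ignored here


class BoundQuickUnlock:
    """Shape 2: the cached key is only held wrapped under a key derived from
    the partial password, so the unlock step *is* the check."""

    def __init__(self, master_key: bytes, expected_part: str, iterations: int = 50_000):
        self._salt = os.urandom(16)
        self._iterations = iterations
        wrap_key = self._derive(expected_part)
        self._wrapped = _keystream_xor(wrap_key, master_key)
        self._tag = hmac.new(wrap_key, self._wrapped, hashlib.sha256).digest()
        # neither expected_part nor wrap_key is retained

    def _derive(self, part: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", part.encode(), self._salt, self._iterations)

    def on_unlock(self, typed: str) -> Optional[bytes]:
        return self.unlock_and_sync_and_close(typed)

    def unlock_and_sync_and_close(self, typed: str = "") -> Optional[bytes]:
        wrap_key = self._derive(typed)
        tag = hmac.new(wrap_key, self._wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self._tag):
            return None                      # wrong part: there is no key to hand out
        return _keystream_xor(wrap_key, self._wrapped)


def call_unlock_directly(app) -> Optional[bytes]:
    """Models what the hook in the talk does: skip on_unlock and call the
    privileged method with no valid input."""
    return app.unlock_and_sync_and_close()


def demo() -> dict:
    master_key = os.urandom(32)              # constructed: stands in for the database key
    gated = GatedQuickUnlock(master_key, "nto")
    bound = BoundQuickUnlock(master_key, "nto")
    return {
        "gated_direct_call_leaks_key": call_unlock_directly(gated) == master_key,
        "bound_direct_call_leaks_key": call_unlock_directly(bound) == master_key,
        "bound_correct_part_unlocks": bound.on_unlock("nto") == master_key,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The second shape raises the bar from "skip one comparison" to "supply or guess the part": the wrapped key and salt are still in process memory, and a three-character part is a small search space, so a real implementation would also keep the wrapping key in hardware-backed storage that requires user authentication and rate-limits attempts. The structural point stands regardless of the primitives: a privileged method should consume the proof, not trust that a caller checked it.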
And I've actually been faster than I thought I would be. Thank you guys. [Applause] Any questions? Yeah, please.

>> What made you choose KeePass?

>> I was digging through a lot of apps and searching for apps that actually were first developed for PC and then gained support for Android. And I decided on this one because I saw there was a really big app, with more than a million downloads, and I thought, okay, I'll start with this one. And it was the first one that I tried, and I already found this. So that's it.

>> Yeah. Have you looked much in terms of API calls, because increasingly I'm seeing a lot of games basically putting things like user metrics and leaderboards into a built-in API. Have you done any exploration of that?

>> In this app, actually, no, because it's a mostly offline application, so it doesn't communicate with any APIs. But in another app, which I forgot to put here, I actually found many other apps that use these techniques and the Mono runtime and everything. So in an app with these technologies that also communicates with an API, this could be used to exploit it too.

>> Do you have to do this on a device or can it work on any device?

>> No, it can work on... well, I've actually run it on Android, mostly on a physical device, but any app, even on iOS or another platform, we can actually use Frida too, to hook on Windows, on iOS. So obviously it will be a little bit different, the process to identify the DLLs and everything, but the logic will be the same.

>> Yeah.

>> For this to work you would need the victim's device and then to have configured that unlock.

>> Yeah, the user would have to have it enabled. You guys might ask me why; I could have actually done this like I did with Cuphead, where I actually just reverse engineered it and altered the damage and then repacked it, recompiled it. But what I wanted to show you is that, by hooking it dynamically, if this app was on a device that was infected by some kind of malware, that malware could exploit this function dynamically. So an attacker wouldn't need to have physical access to the device, because we could exploit it dynamically. Any more questions?