Android App Hacking – Hero Defense

[Intro]

Here I will show you how to disassemble an Android game and modify its files to obtain an advantage like god-mode.

[Tools]

  1. APK Downloader
  2. dex2jar
  3. jd-gui
  4. IDA Pro or similar disassembler
  5. Binary patcher
  6. ZipSigner

[Tutorial]

The steps for this project are as follows:

  1. Download the Hero Defense APK.
  2. Extract its contents.
  3. Turn its dex file into a .jar file.
  4. Disassemble it.
  5. Disassemble the shared library containing its API.
  6. Patch the library.
  7. Repackage the APK.
  8. Sign the APK.

The first thing you need to do is download the APK.  This can be done on your Android device, or from your PC using the APK Downloader from evozi.  Once you have the APK downloaded you can rename it to a .zip file and use any zip utility to extract its contents. You will see a classes.dex file at the root of the directory; you can turn this file into a jar with the dex2jar utility.  After that you have a dex2jar.jar file containing all the game’s class files.  You can load those class files in jd-gui and begin reading the code.

After reading the code for a few minutes it becomes apparent that the game is not written in Java, but in C++ inside a native shared library. In order to modify the game’s behavior in any meaningful way we have to patch that libdawn.so library.  So we crank up IDA Pro and see what we can do.

(Image: dawn)

Loading libdawn.so in IDA Pro on my computer takes about 5 minutes to index all the exports. After that you can see that many interesting names are exported.  One such name is Hero::underAttack(float), which, as the name suggests, handles what is supposed to happen when our hero is under attack.

Going through the underAttack function we can see that a value is loaded into R3 and then compared against 0.  If the comparison is true we take the conditional jump into isAlive; if not, we go somewhere else.

(Image: graph view)

By changing the value that R3 is compared against, we can ensure that the conditional jump is never taken, so the code in that branch never runs.  In this case that turns out to be the branch where the damage is calculated and dealt to our hero, so after the modification we end up with a hero that takes hits (visual effects) but no damage and no death.

(Image: opcode modification)

(Image: graph view modified)

After we modify the bytes, we use IDA Pro to generate a diff and then patch the libdawn.so binary with it.  After patching successfully we put the library back into the original game APK, load it onto our device, and sign it with ZipSigner.

(Image: patching)

Once signed we are ready to go.
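The procedure above ends with a repackaged APK whose libdawn.so differs from the developer's release by a few bytes, re-signed so that the package still installs. From the defender's side the matching check is an integrity comparison of the shipped native libraries against reference hashes taken from the release build. The following is an added example, not code from the original post or from the game: it builds a constructed APK-shaped zip in memory (the library bytes, file names and offsets are all made up), records the SHA-256 of everything under lib/, and reports a library that was patched at a single offset, the same kind of edit the comments below describe.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for the game's native library. A real libdawn.so is an
# ELF file of several megabytes; only the hash of the bytes matters here.
ORIGINAL_LIB = bytes.fromhex("7f454c46") + bytes(28)


def build_apk(lib_bytes: bytes) -> bytes:
    """Build a minimal APK-shaped zip in memory (constructed sample, not a real game)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("lib/armeabi/libdawn.so", lib_bytes)
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def native_lib_hashes(apk_bytes: bytes) -> dict:
    """Map every entry under lib/ to its SHA-256. Run this on the release build
    and keep the result out of band; it is the reference the verifier trusts."""
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("lib/") and not name.endswith("/"):
                hashes[name] = sha256_hex(zf.read(name))
    return hashes


def verify_native_libs(apk_bytes: bytes, expected: dict) -> list:
    """Return a list of findings; an empty list means every native library
    matches the reference and nothing was added under lib/."""
    actual = native_lib_hashes(apk_bytes)
    findings = []
    for name, digest in sorted(expected.items()):
        if name not in actual:
            findings.append(f"missing: {name}")
        elif actual[name] != digest:
            findings.append(f"modified: {name}")
    for name in sorted(actual):
        if name not in expected:
            findings.append(f"unexpected: {name}")
    return findings


def patch_byte(data: bytes, offset: int, value: int) -> bytes:
    """Change one byte, the kind of edit a hex editor makes at a reported offset."""
    patched = bytearray(data)
    patched[offset] = value
    return bytes(patched)


if __name__ == "__main__":
    release = build_apk(ORIGINAL_LIB)
    reference = native_lib_hashes(release)
    print("release:", verify_native_libs(release, reference))    # []
    # Simulate the tamper from the comments: one byte changed from 00 to 99.
    tampered = build_apk(patch_byte(ORIGINAL_LIB, 20, 0x99))
    print("tampered:", verify_native_libs(tampered, reference))  # ['modified: lib/armeabi/libdawn.so']
```

The reference hashes must come from the release build and be held somewhere the client cannot rewrite (a server, or compared against the signing certificate on device), because a re-signed APK carries a fresh META-INF whose own digests are consistent with the patched library; checking the package against itself finds nothing. A check embedded in the game is also only as strong as the code performing it, since that code lives in the same patchable binary.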

[Conclusion]

I hope this wasn’t too hard to follow.  If you are having a hard time following it, drop a comment.

The hack in action can be seen here:

15 Responses to Android App Hacking – Hero Defense

  1. anonymous says:

    Hi, I generated a diff file from IDA and then executed all the steps shown in the picture (binary patching), but when I replace lib.so in the game and sign it, the game is still not modded.

  2. emist says:

    Two things:
    1) Make sure that you in fact generated something to patch with. Sometimes your diff file will be blank, so the patching will go ahead successfully but you did not actually modify anything.

    2) Make sure you’re replacing the game’s original dll with your patched dll so that the changes can take effect.

  3. anonymous says:

    I edited the value from 00 to 99 in the HxD editor at the offset I found in IDA Pro.

    And by the way, I need some help debugging an Android app using gdbserver.

  4. anonymous says:

    If you could add a tutorial on debugging an Android app on the phone using gdb, it would be awesome.

  5. emist says:

    Hey dude, if you edited the byte by hand using a hex editor then there is no doubt that the modification took place. You are probably just mistaken as to what the function you are modifying does; it might not be getting called at all by the game, which is why you do not notice any difference. Or it might be called, but the side effect of your change is not manifesting itself to you in an obvious manner.

    For debugging using GDB check this: http://www.eweek.com/c/a/Linux-and-Open-Source/How-to-Set-Up-Android-Platform-Development-and-Debugging/

  6. anon says:

    Hi, I recently started hacking Android games by following the usual IDA -> patching -> signing procedure, and I could successfully hack most games, including some of the latest releases from Gameloft. However, I’ve noticed that some games (for example, Subway Surfers and all of Glu’s games) only have “libmono.so” and “libunity.so” as their native lib files, and as you probably know they do not store any useful info about the actual game functions.
    From your brief mention of Java, I’m assuming that I need to disassemble the app with APK tool, set up a debugging session in NetBeans and “somehow” edit the smali code I’ve extracted from the APK file. The part that I don’t understand is how to set up the debugger and how to find the actual line that I need to edit.
    I couldn’t extract much out of Google, so I apologize if my questions seem ignorant. Thanks in advance.

  7. emist says:

    That probably means that the game code is written in Java as opposed to stored in a native lib and called from Java. You don’t need to set up a debugging session, although that might be helpful; you can just decompile the game’s code and see how far it takes you.

    • Steven says:

      What about libcocos2dlua.so?

      Using IDA gave a lot of function names like sub_xxx,
      and according to file the binary is stripped.

      I wonder if you can share some education on hacking a stripped binary? Or, just like “libmono.so” and “libunity.so”, is the real game logic in Java?

      Please help

  8. What are you choose the code that true? However in IDA many code bro

  9. raj says:

    Hi. Can we do this with all online multiplayer games?

  10. prince says:

    Hello dude,
    nice tutorial about hacking.
    I want to know whether we can hack online games which do not keep their data on the phone but instead keep it on their server.
    I have hacked many offline games by just modifying their values using GameCIH, SB tool hack etc., but can’t find any solution to hack any of the online games.
    I have IDA Pro but don’t know how to use it.
    Can you just explain to me in steps what to do?

    • emist says:

      Online games are a different animal. While you will be able to do client modifications like these to achieve in-game advantages, it won’t be to the same extent as offline games, where you have full control of the front end and back end of the game.

  11. prince says:

    That’s what I want to learn.
    I know it’s difficult to hack but not impossible.
    If anyone can help me with hacking an online game or making a mod of this game it would be great :-)

  12. Akilesh says:

    Sir, I am a beginner in the reverse engineering process. Am I able to change the character of any 3D game to my own created 3D character instead of the inbuilt character in the game?
    If it is possible, please send the steps to change the character in any 3D game!

    • emist says:

      That’s a pretty broad question. Speaking generally, if you hook the drawing function of whatever graphics library the game is using, you could have the game draw your model instead of the original game model. How you’d do that, though, would depend on what graphics library the game is using, what platform the game is for, etc. You should look at the articles here about stripping textures; they go somewhat in depth into the drawing functions of DirectX.
