Mobile Game Modding Using Dynamic Code Injection & Memory Editing

There are many ways fraudsters can cheat in and alter mobile games. I discussed these in my previous blog on modding mobile games. This blog will focus on how experienced programmers use dynamic instrumentation tools to modify mobile games by attaching to running processes and modifying/injecting code while the game is running. The specific memory editing methods and techniques I will cover in this post are:  dynamic code injection, memory injection, and saved game state editing (plist editing).   

This type of cheating is often accomplished by scanning the memory of the game or using dynamic instrumentation tools to learn where certain values or game states are stored, and then modifying those values to whatever value the cheater wants. Memory editing can be done for any mobile game where the player’s actions are stored in local memory, which is true for most mobile games. Here are some examples of memory editing for iOS and Android games built in Unity.

Cheating iOS and Android Games Using Dynamic Memory Injection (modifying dynamic libraries or DLLs)  

In most mobile games, whenever a player performs an action, the result or score is stored in local memory on the mobile device, and then batched up and sent to the server in batches (because sending one by one might be impractical or hurt the game performance). In order to modify the memory, a game cheater can attach to the process using a memory editor or hex editor and change the values. For example, for games built in Unity, the game values, attributes, scores, player characteristics, and/or in-app purchase logic are stored within DLL files (dynamic libraries). So changing the game is as simple as finding the right file, and editing it.

First the game cheater needs to figure out where the DLL files are stored within the game. Here’s an example of how game cheaters can use an open-source decompiler to find all the .dll files in a Unity game. 

example of a Unity game after running it through a decompiler

Sometimes game cheaters also disassemble mobile games as it may not exactly be obvious which files they need to edit in order to change the game values. To learn that info, they can use freely available tools like Hopper or IDA-Pro to disassemble the app until they have enough information to know what values to edit in order to create a game mod or to cheat in the game.  In native iOS apps, cheaters often create mods by using dynamic memory injection or plist modification. Advanced game cheaters use dynamic instrumentation tools like Frida and ADB to modify app code and runtime behavior using advanced methods like dynamic code injection, function/method hooking, and memory editing.

One of the things cheaters can do with function and method hooking is to load or change their own dynamic libraries at runtime, in order to change almost any aspect of the game that’s stored in memory. The process is as follows: use Frida Trace or a similar dynamic instrumentation tool to find and attach to running processes to memory and inject their own JavaScript, libraries, or other code in order to change the values of the game to whatever they want. They simply replace the existing code with their own malicious code.

Another popular memory editing tool is called 010 Editor. It’s a popular open-source hex editor that allows cheaters to modify the memory of that stores game values. Here’s an example of how you use 010 Editor to modify a plist for an iOS game.  

use 010 Editor to modify a plist for an iOS game

Memory Editing to Alter iOS Games 

Now I will show you how easy it is to alter an iOS game to create a game mod using the ‘Saved State Editing’ method, a form of live memory editing.  Saved State Editing is one of the easiest ways to mod iOS games. In this example, the game was encrypted, so the attacker first decrypts the files in the game using a tool called bfinjectThen he uses a tool called findipa to find the directory of the file that contains the values he wants to modify.  Similarly, you can use grep or some other search tool to find the values that you want to edit (the value in the game will be represented in binary or hex, so an easy way of figuring out which value to modify is to do an integer search using the value you already have in the current game.  For example, below is a screenshot of a game called “EarnToDie2”, and the current “money” value in the ‘un-modded’ game is $31,337.

unmodded ios game

To change this value using ‘saved game state’ memory editing technique, the cheater simply needs to find the specific file in the game where that value is stored, and then change it. Here’s how you can do that using 010 Editor (a hex editor). Searching for the integer 31337 returns the hex value associated with that integer (69 7A 00 00). So to mod this game, all you need to do is using the 010 Hex Editor to change the value stored in memory from 31337 to 999,999,999) 

changing a value with a hex editor
Using the 010 hex editor to change the game value from 31337 to 999,999,999. 

looking for the right value to change with a hex editor

 

And finally, below is the modded game with the new value of $999,999,999. In order to persist the memory edits beyond a single play of the game, the cheater can simply re-package, re-sign and even re-distribute the game mod on alternative app stores. 

modded ios game with changed value

How Mobile App Developers Can Prevent Memory Injection and Other Modding Methods

The best defense against mobile fraud is to prevent it from occurring in the first place. Appdome’s No Code Mobile Fraud Prevention offers developers, publishers, game studios, and financial institutions an easy way to stop mobile fraud at the source. Using Appdome’s no-code technology, developers or fraud specialists can build pre-emptive and defensive protections into any mobile app in minutes and prevent mobile fraud before it starts.

Appdome offers Mobile developers several options for preventing the multiple cheating techniques I illustrated in this blog. This KB article covers how to detect memory injection attacks. 

In addition, developers could also use Appdome to block the malicious use of advanced dynamic instrumentation tools like Frida and ADB, and also to protect plists from being altered to cheat in mobile games.

Give Appdome a try today. Get started at https://fusion.appdome.com

 

Table of Contents

Have a question?

Ask an expert

DanaMaking your security project a success!

Subscribe To Our Newsletter

Get updates and learn from the best

More To Explore

Build What You Love Automate What You Don’t

Drop us a line and keep in touch