Thursday, June 16, 2011

iPhone: Dumping Game Memory and Injecting Custom Code into Games


This article was written by zkoolkyle


Prerequisites:
iPhone

=Overview=
This is a tutorial for game hacking. It is the first attempt at this kind of hacking for iPhone games, and I'm hoping it evolves into something bigger. Done correctly, this kind of hacking could lead to code injection that makes your character jump 1000ft instead of 2ft, makes your car go 20x faster, or gives you invulnerability in fighting games. I'm hoping someone takes this idea and makes a terminal app to make this a lot easier for people (searchers and what not), but since this is the first of its kind for iPhone you'll have to live with using the GNU debugger as your weapon lol. Which is very strong if used correctly.
This tutorial explains how to lock your game, dump multiple copies of its memory so that they can be compared to find special addresses, and then inject your custom address values back into the game.

LETS BEGIN :]

1. SSH to your iPhone from your OS.

Windows - Putty - PuTTY Download Page
Mac Os/Linux - Terminal


2. Go to Cydia and install GNU Debugger if you haven't already.

3. Take the non-encrypted IPA that you have on your computer and extract it. (If you downloaded it cracked then it's already non-encrypted.)
Inside of the .app folder you will see a file with the name of the game on it and no extension.

Example:
I'm hacking TouchGrind.app, so when I go inside of it I see a file called just "TouchGrind" (it's usually the biggest file in that folder).

Now boot up a file transfer application that supports SFTP (also known as SSH-FTP). WinSCP for Windows is good, as are Transmit (shareware, but excellent) and Cyberduck (free) for Mac, and gFTP for Linux. Test it by setting up a connection to your iPhone (get your iPhone's IP address from Settings -> Wi-Fi -> right-arrow next to your Wi-Fi connection -> IP Address) over the SFTP protocol. The username for the connection is 'root', and the default password is 'alpine'.

Then upload your MainDataFile (the file inside of your .app folder that we just talked about; mine is "TouchGrind") to /var/root/
We will be using this file later.

4. SSH to your iPhone from your OS. (Same username and password - root:alpine)

Windows - Putty - PuTTY Download Page
Mac Os/Linux - Terminal

Now we are going to get the stack size of the program in memory, so that when we make a memory dump later we know exactly how much to dump. Otherwise the file gets too big and there would be no point in trying to hack the game lol.

While in SSH with your iPhone, use the command
Code:
otool -l MAINDATAFILE | grep crypt

Note: Replace the word MAINDATAFILE with the name of the file that we just uploaded to our iPhone; remember mine was TouchGrind.
Now you should get something like this

Code:
cryptoff 4096
cryptsize 913408
cryptid 0

We want the cryptsize number (yours will probably be different). cryptoff should be 4096 and cryptid should be 0. Now take your cryptsize number and convert it from decimal to hex. You can easily do this with this website.

DECIMAL to BINARY conversion, DECIMAL to HEX converter, Decimal to Hexadecimal convertor

913408 converted to hex is DF000 (yours will be different from mine).

SAVE THIS HEX VALUE! Write it into a text file on your computer or write it down.

5. Now go back to your dashboard on your iPhone and boot up the game you want to hack. Once it's running, type the following into your SSH tunnel on your computer and press Enter:
Code:
ps ax

You'll get a massive list of every running process on your phone. It looks similar to this:
Code:
PID TT STAT TIME COMMAND
1 ?? s 0:00.00 /sbin/launchd
12 ?? s 0:00.00 /usr/sbin/mDNSResponder -launchd
13 ?? s 0:00.00 /usr/sbin/notifyd
14 ?? s 0:00.00 /usr/sbin/syslogd
15 ?? s 0:00.00 /usr/sbin/configd
19 ?? s 0:00.00 /usr/sbin/update
20 ?? s 0:00.00 /usr/libexec/lockdownd
23 ?? s 0:00.00 /System/Library/PrivateFrameworks/IAP.framework/Support/iapd
24 ?? s 0:00.00 /usr/sbin/fairplayd
28 ?? s 0:00.00 /System/Library/PrivateFrameworks/CoreTelephony.framework/Support/CommCenter
29 ?? s 0:00.00 /usr/sbin/BTServer
819 ?? s 0:00.00 /usr/sbin/mediaserverd
1325 ?? s 0:00.00 /System/Library/CoreServices/SpringBoard.app/SpringBoard
1327 ?? s 0:00.00 /var/stash/Applications.1SLxl9/MobilePhone.app/MobilePhone
1695 ?? s 0:00.00 /var/stash/Applications.1SLxl9/MobileMail.app/MobileMail
1705 ?? s 0:00.00 /System/Library/Frameworks/SystemConfiguration.framework/SCHelper
1790 ?? s 0:00.00 /var/mobile/Applications/3015A1D1-0421-31A2-2DD9-15E0A2F235A1/TouchGrindl.app/TouchGrind
1791 ?? s 0:00.00 /usr/libexec/launchproxy /usr/sbin/sshd -i
1792 ?? 0:00.00 /usr/sbin/sshd -i
1797 ?? s 0:00.00 /usr/libexec/amfid
1793 s000 s 0:00.00 -sh
1798 s000 + 0:00.00 ps ax

The very first column, PID, is what we're interested in. PID stands for Process ID, and it's a number that gets assigned to each running process. One of these processes is the currently running app, so scan down through the final column (COMMAND) until you find your app. In my case, the app I ran is TouchGrind, and its PID is 1790. Make a note of your PID.

In your terminal window, type the following, but replace the letters PID with the actual PID number you just found:
Code:
gdb -p PID

So, for example, I would type:
Code:
gdb -p 1790

Now you SEE WHAT JUST HAPPENED - YOUR APP FROZE. This means that all the values for that game are locked.

3. Now we are going to make our first dump of the memory! You should be at the (gdb) prompt while doing this. Remember that hex value that I told you to save? Well, here is where you use it. Replace the text "HexValueHere" with the hex value that you saved.

So now we will type:
Code:
dump ihex memory dump1.dmp 0x2000 0xHexValueHere

My Example:
dump ihex memory dump1.dmp 0x2000 0xDF000

What this line is saying is: dump the memory (dump) in Intel hex format (ihex), starting from offset 0x2000 up to your value, and name it dump1.dmp.

CONGRATULATIONS, you just made your first game memory dump. Now the point of these dumps is to get 2 different dumps that have different values in them, so that you can compare them and find the address of, say, your score and edit it.

Example:
You boot up your game of TouchGrind and reach a score of 16,847 during the game. While at that score you:

1. Freeze the game with that score:
gdb -p ProcessID (remember your process id)

2. Dump the memory:
dump ihex memory dump1.dmp 0x2000 0xHexValueHere

3. Unfreeze the game:
quit

Then you skate for 20 more seconds and now you have a score of 53,832.

1. Freeze the game with that score:
gdb -p ProcessID (remember your process id)

2. Dump the memory AGAIN and name it dump2.dmp:
dump ihex memory dump2.dmp 0x2000 0xHexValueHere

3. Unfreeze the game:
quit

6. Fire up your SFTP client again and navigate to /var/root. There should now be two files called 'dump1.dmp' and 'dump2.dmp' there.

7. Compare your 2 dumps, etc. (There are tons of tutorials online on how to compare dumps; Sketch will probably write one.)
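Step 7 leaves the comparison to other tutorials, so here is an added example of that step in Python; it is not code from the original article or from OneHitGamer. It parses the Intel HEX records that gdb's `dump ihex` writes, verifies every record checksum (a truncated or corrupted dump should fail loudly rather than produce bogus addresses), reports which 32-bit words changed between two dumps, and then narrows them to the one address that went from the first score to the second. The two dumps are constructed inline (not real TouchGrind memory); on a real phone you would read dump1.dmp and dump2.dmp from /var/root instead.

```python
def ihex_record(addr, rtype, data):
    # ':LLAAAATTDD..CC' with a two's-complement checksum over count, address, type and data
    body = bytes([len(data)]) + addr.to_bytes(2, "big") + bytes([rtype]) + data
    return ":" + (body + bytes([(-sum(body)) & 0xFF])).hex().upper()

def encode_ihex(start, blob):
    # Type 04 (upper 16 address bits), 16-byte type 00 data records, then the type 01 EOF record
    recs = [ihex_record(0, 0x04, (start >> 16).to_bytes(2, "big"))]
    recs += [ihex_record((start + o) & 0xFFFF, 0x00, blob[o:o + 16]) for o in range(0, len(blob), 16)]
    return "\n".join(recs + [ihex_record(0, 0x01, b"")]) + "\n"

def parse_ihex(text):
    # Returns {address: byte}; rejects any record whose checksum does not verify
    mem, base = {}, 0
    for line in (l for l in text.splitlines() if l.startswith(":")):
        raw = bytes.fromhex(line[1:])
        count, addr, rtype, data = raw[0], int.from_bytes(raw[1:3], "big"), raw[3], raw[4:4 + raw[0]]
        if sum(raw[:5 + count]) & 0xFF:  # all bytes including the checksum must sum to 0 mod 256
            raise ValueError("corrupt record: " + line)
        if rtype == 0x04:
            base = int.from_bytes(data, "big") << 16
        elif rtype == 0x01:
            break
        elif rtype == 0x00:
            mem.update({base + addr + i: b for i, b in enumerate(data)})
    return mem

def word(mem, a):
    # Little-endian 32-bit word at a, or None if the dump does not cover all four bytes
    if any(a + i not in mem for i in range(4)):
        return None
    return int.from_bytes(bytes(mem[a + i] for i in range(4)), "little")

def changed_words(mem1, mem2):
    # {addr: (old, new)} for every aligned word covered by both dumps whose value moved
    out = {}
    for a in sorted(set(mem1) & set(mem2)):
        o, n = word(mem1, a), word(mem2, a)
        if a % 4 == 0 and None not in (o, n) and o != n:
            out[a] = (o, n)
    return out

def find_value(mem1, mem2, v1, v2):
    # Addresses that held v1 in the first dump and v2 in the second: the "searcher" step
    return [a for a, (o, n) in changed_words(mem1, mem2).items() if (o, n) == (v1, v2)]

# Constructed sample dumps: 32 bytes at 0x2000. The score word at 0x2008 goes 16847 -> 53832;
# a clock word at 0x2010 also changes, so a plain diff alone is not enough to pick the score.
BEFORE = bytes(8) + (16847).to_bytes(4, "little") + bytes(4) + (1200).to_bytes(4, "little") + bytes(12)
AFTER = bytes(8) + (53832).to_bytes(4, "little") + bytes(4) + (1220).to_bytes(4, "little") + bytes(12)
DUMP1, DUMP2 = encode_ihex(0x2000, BEFORE), encode_ihex(0x2000, AFTER)
```

`find_value(parse_ihex(DUMP1), parse_ihex(DUMP2), 16847, 53832)` returns only 0x2008, while `changed_words` also lists the clock at 0x2010.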

8. To inject your code, SSH back in and run your app again. Freeze it again with your PID.
Code:
gdb -p 1790

Now for the fun part: TESTING INJECTION of code!!!
While in gdb:

Code:
set * (Address You want to hack) = (Original + New Offset)
set * 0x08049d24 = 0x40003000 + 0x000034

Tutorial Written
By LoGiKz of OneHitGamer.com

REVIEW:
Everything you just did was actually really simple; you just have to get the concept down. You did it in this order, and this can be used as a reference if you don't want to go back through everything.

1. Put the game's data file on your iPod
Extract and SFTP

2. Get the cryptsize and convert it to hex
otool -l MAINDATAFILE | grep crypt

3. Get the ProcessID
ps ax

4. Freeze the game
gdb -p ProcessID

5. Dump the Memory as many times as needed with the values you supplied
dump ihex memory dump1.dmp 0x2000 0xHexValueHere

6. Inject Code
set * (Address You want to hack) = (Original + New Offset)

Do this at your own risk

Basic Linux Commands

Hi All,

This is something different from what I normally post. Here are basic Linux commands. Enjoy. This is for newbies; people who know it and would like to add something else, please do.

so here goes nothing.


Prerequisites:
Access to a Linux/Unix box or a Windows box with Cygwin installed.

As most people know, there's a fuck load of commands in Linux, so I'm only going to be including a few of the main ones off the top of my head.
Also, there are going to be examples in here which show you some more options, ex. -(whatever the fuck), that
you will need to add onto the command; better ex. tar -zxvf (-zxvf == whatever the fuck). I will explain which options I use but will not go into detail about all of the options, because there are MAN pages for that.
The operators you learned in DOS (>, >>, and |) still apply fairly normally.

man
Linux "manual" pages, describing in detail every command, what its options are, and what it does.

ex
$ man
What manual page do you want?

ex2
$ man ls | more
LS(1) User Commands LS(1)

NAME
ls - list directory contents

SYNOPSIS
ls [OPTION]... [FILE]...

DESCRIPTION
List information about the FILEs (the current directory by default).
Sort entries alphabetically if none of -cftuvSUX nor --sort.

Mandatory arguments to long options are mandatory for short options
too.

-a, --all
do not ignore entries starting with .

-A, --almost-all
do not list implied . and ..

--author
--More--

pwd
Shows the path of the directory you are in; aka "Parent Working Directory".

ex
$ pwd
/home/cisc0ninja

ls (ls -al shows hidden files too)
Same as dir, list files and folders in your current directory.

ex
$ ls
agetty.exe hwclock.exe mkfs.bfs mkfs.minix sln.exe
fsck.cramfs init.exe mkfs.cramfs mkswap.exe sysctl.exe
fsck.minix killall5.exe mkfs.exe runlevel.exe telinit

clear
Same as cls, clears your current shell's screen.

cat
Same as type, "concatenates" aka lists the contents of a file (normally text files).

ex
$ cat test
test

grep
"Global Regular Expressions Parser"<---(don't ask me why I know this) is used for searching files for strings you want.

ex
$ cat hackers.txt | grep Steve
Richard Stevens
Steve Bellovin
Steve Crocker
Steve Jobs
Steve Shirley
Steve Wozniak
Steven G. Steinberg

chmod
Changes the access file attributes of a file or folder (readonly, writable, hidden, etc...).

ex (the first number (7) is for user, the second number for group, and the third for everyone else; 7=writable, 5=read&execute, 0=nothing)
chmod -R 700 /home/share/mydirectory

chown
Changes the ownership file attributes of a file or folder.

ex (-R means recursive, i.e. for every folder and file underneath)
chown -R cisc0ninja:localadmins /home/share

rm
Removes a file.

ex
$ rm test.txt

rmdir
Removes a directory.

ex
$ rmdir test

ifconfig (ifconfig -a)
Lists your network interfaces and their configuration options.

ex
shinra:/home/share# ifconfig -a | more
eth1 Link encap:Ethernet HWaddr 00:17:31:37:9b:7d
inet addr:172.30.115.75 Bcast:172.30.115.255 Mask:255.255.255.0
inet6 addr: fe80::217:31ff:fe37:9b7d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:751482 errors:0 dropped:0 overruns:0 frame:0
TX packets:743923 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:496898734 (473.8 MiB) TX bytes:180162903 (171.8 MiB)
Interrupt:16

ssh
Upgraded version of telnet with the added bonus of encryption and secure copying capabilities.

ex
cisc0ninja@shinra:~$ ssh -l cisc0ninja argos.soldierx.com
Password:
§+++++++++++++++++++++++++++++++++++++++++++++++§
]|[ [-=- SOLDIERX.COM Presents -=-] ]|[
cisc0ninja@argos:~$

tar
Linux zip utility to zip and unzip files.

ex
$ tar -zxvf dnsenum1.1.tar.gz
belgacom.be_ips.txt
dnsenum.pl
dns.txt
README.txt

sort
Sorts the content inside of a document (alpha-numerically).

ex
$ sort hackers-orig.txt | uniq >> hackers.txt

uniq
Removes duplicate entries in a file.

ex
$ sort hackers-orig.txt | uniq >> hackers.txt

mv
Moves a file.

ex
$ mv test /tmp

mount
Makes a connected device (hard drive, flash drive, etc...) accessible to you and the system; whether it's mounted as readonly or writable is up to you.
It can also be used (as below) to show what devices are mounted, how, and where.

ex
shinra:/home/share# mount
/dev/md2 on / type ext3 (rw,errors=remount-ro)
tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
procbususb on /proc/bus/usb type usbfs (rw)
udev on /dev type tmpfs (rw,mode=0755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)
/dev/md0 on /boot type ext3 (rw)
nfsd on /proc/fs/nfsd type nfsd (rw)

df (or df -h)
Shows file system usage.

ex
$ df -h
Filesystem Size Used Avail Use% Mounted on
C:\cygwin\bin 75G 63G 13G 84% /usr/bin
C:\cygwin\lib 75G 63G 13G 84% /usr/lib
C:\cygwin 75G 63G 13G 84% /
c: 75G 63G 13G 84% /cygdrive/c

ps (ps -aux) or top
Used for showing the amount of processing power and memory each service/application is using.

ex
top - 02:35:57 up 8:07, 2 users, load average: 0.00, 0.00, 0.00
Tasks: 6 total, 2 running, 4 sleeping, 0 stopped, 0 zombie
Cpu(s): 2.7% user, 4.8% system, 0.0% nice, 92.5% idle
Mem: 1015152k total, 609300k used, 405852k free, 0k buffers
Swap: 1523712k total, 71080k used, 1452632k free, 0k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
11392 cisc0ninja 8 0 2388 2860 40 R 2.9 0.3 0:00.09 top
1712 SYSTEM 8 0 2028 2292 76 S 0.0 0.2 0:00.15 cygrunsrv
2220 SYSTEM 8 0 2572 3692 40 S 0.0 0.4 0:00.15 sshd
3952 cisc0ninja 8 0 2860 356 12 R 0.0 0.0 0:01.12 bash
2344 cisc0ninja 8 0 2924 1884 40 S 0.0 0.2 0:01.06 bash
244 cisc0ninja 8 0 2640 132 0 S 0.0 0.0 0:00.18 ssh

vi/vim
A text editor for the command line; very powerful, takes some time to get used to.
Note: to exit out of vi/vim press Esc a couple of times, then the Shift and colon keys (same time), then type q! (not at the same time).
(If you want to save, make it wq!)
ex
vi test.pl

MORE OPERATORS!!!

$
Used to define a variable or constant.

ex
$ echo $SHELL
/bin/bash

--help
Gives further information on a command, such as what options are available for use with that command.

ex
$ cat --help
Usage: cat [OPTION] [FILE]...
Concatenate FILE(s), or standard input, to standard output.

-A, --show-all equivalent to -vET
-b, --number-nonblank number nonblank output lines
-e equivalent to -vE
-E, --show-ends display $ at end of each line
-n, --number number all output lines
-s, --squeeze-blank never more than one single blank line
-t equivalent to -vT
-T, --show-tabs display TAB characters as ^I
-u (ignored)
-v, --show-nonprinting use ^ and M- notation, except for LFD and TAB
--help display this help and exit
--version output version information and exit

With no FILE, or when FILE is -, read standard input.

Examples:
cat f - g Output f's contents, then standard input, then g's contents.
cat Copy standard input to standard output.