Cheaters Gonna CheatBattling Fake High Scores

Nataly Eliyahu

CASUAL CONNECT TEL AVIV

19 – 21 OCTOBER 2015

Slide: 1/15

About Me• Background in Security

and Reverse Engineering• Army Service in

Technology Units• Today - Freelance Game

Developer• nataly@natalycreates.com

CASUAL CONNECT TEL AVIV

19 – 21 OCTOBER 2015

Slide: 2/15

What we’ll talk about• Back & forth between

developer and hacker• Approaches and

considerations for a developer• Think like a hacker!

CASUAL CONNECT TEL AVIV

19 – 21 OCTOBER 2015

Slide: 3/15

Step 1 – Naive Score Saving

Developer POV• Save the score locally• Use Player Preferences

Hacker POV• Rooted phone• Edit Preferences

CASUAL CONNECT TEL AVIV

19 – 21 OCTOBER 2015

Slide: 4/15

Edit Preferences

CASUAL CONNECT TEL AVIV

19 – 21 OCTOBER 2015

Slide: 5/15

Step 2 – Manipulate the Score

Developer POV• Encode the score

(base64 / hex / custom encoding)• Math manipulations

Hacker POV• Blackboxing• Guessing• Find the Pattern

CASUAL CONNECT TEL AVIV

19 – 21 OCTOBER 2015

Slide: 6/15

Step 3 – Encrypt the ScoreDeveloper POV• Encode the score (base64)• Encrypt the score with a

secret key (a string)• Use obfuscator on the

compiled apk

Hacker POV• Decompile apk, rename

functions, organize code• Find the encryption code -

see which algorithms is used• Find the string for the

encryption key• Decrypt and encrypt your

own scoresCASUAL CONNECT

TEL AVIV19 – 21 OCTOBER

2015Slide: 7/15

Decompile APK

CASUAL CONNECT TEL AVIV

19 – 21 OCTOBER 2015

Slide: 8/15

Decompile APK

CASUAL CONNECT TEL AVIV

19 – 21 OCTOBER 2015

Slide: 9/15

Decompile APK

CASUAL CONNECT TEL AVIV

19 – 21 OCTOBER 2015

Slide: 10/15

Step 4 – Non-standard encryptionDeveloper POV

• Encode the score (base64)• Encrypt the score with a

secret key (a string)• Change code of

encryption function to non-standard implementation

Hacker POV• Previous method fails!

Score isn’t saved correctly with your script• Read the encryption code• Look for the differences

from the standard implementation• Alternative – use dynamic

debuggingCASUAL CONNECT

TEL AVIV19 – 21 OCTOBER

2015Slide: 11/15

Step 5 – Server sideDeveloper POV• Encode the score (base64)• Call a function on the

server to encrypt and decrypt the score• Secret key is no longer in

the apk• Always Online issue!

Hacker POV• Attack the server, look for

loopholes• Alternative - Use dynamic

debugging, change the score in memory before it’s sent to the server

CASUAL CONNECT TEL AVIV

19 – 21 OCTOBER 2015

Slide: 12/15

The Heuristics Approach• Recognize suspicious scores• Is the score possible in the

amount of time the player played?• Patterns in the score • Send constant updates to

server about player status

CASUAL CONNECT TEL AVIV

19 – 21 OCTOBER 2015

Slide: 13/15

To Sum Up• With enough determination, the

hacker will always win• If cheating at your game is really

hard, most people won’t bother• Going always online helps makes it

much harder to cheat, but at a cost for the majority of players• Choose the most cost-effective

solution depending on your game

CASUAL CONNECT TEL AVIV

19 – 21 OCTOBER 2015

Slide: 14/15

Questions? Feel free to contact me!nataly@natalycreates.comFacebook: Nataly EliyahuTwitter: @NatalyEliyahu

Slides: bit.ly/1ORclQV

CASUAL CONNECT TEL AVIV

19 – 21 OCTOBER 2015

Slide: 15/15