One Step Before Game Hackers - Instrumenting Android Emulators

Video in TIB AV-Portal: One Step Before Game Hackers - Instrumenting Android Emulators

Formal Metadata

Alternative Title: One Step Ahead of Cheaters - Instrumenting Android Emulators
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Abstract
Commercial Android emulators such as NOX, BlueStacks and Leidian are very popular at the moment, and most games run on these emulators fast and soundly. The bad news for game vendors is that these emulators usually ship with root permission in the first place. On the other hand, cheating tool developers are happy because they can easily distribute their tools to abusers without requiring the abusers to have a physical rooted device, nor do they need to perform laborious tuning for different Android OS / firmware versions. However, luckily for game vendors, commercial Android emulators usually use x86/ARM mixed-mode emulation for speed-up. As a result, a standard native hooking/DBI framework won't work on this kind of platform. This drawback could discourage cheating developers. In this talk, I will introduce a native hooking framework for such mixed-mode emulators. The talk will cover the process start routine of both command-line applications and Android JNI applications, as well as how these routines differ on an emulator. The different emulation strategies adopted by different emulators and runtime environments (Dalvik/ART) will also be discussed. Based on this knowledge, I will explain why the existing hooking/DBI frameworks do not work on these emulators and how to make one that works. Lastly, I will present a demo of using this hooking framework to cheat a game on an emulator. With this demo, I will discuss how the dark market of mobile game cheating may develop in the foreseeable future.
Good afternoon. Our one o'clock speaker is doki-doki, on One Step Before Game Hackers.

Hello, thanks for coming here. My name is Jung Hyung and I'm delighted to be here to talk at DEF CON today. I'm gonna talk about Android emulators like BlueStacks, NOX or something like that, and hooking techniques on the emulator. Originally Nevermore, who is my friend, was going to give this presentation, but unfortunately he was unable to come here, so I'm covering for him. He is a security engineer working for DNA, and my name is Youngsaeng, I work for Lying and I am also a security engineer. Okay, then let's finish the introduction and start with the agenda. This is today's agenda: background of this research, emulator internals, hooking and demo, and conclusion.

We define three roles in the game cheating threat model: users, cheaters and vendors. For PC games, all three of these roles have full control over their PCs; they are allowed to install or run privileged code. But on mobile devices it is different: the user usually doesn't have permission to access their device unless they root it, and this is the same for game developers. However, the cheaters usually own rooted devices. Then the cheaters are the most powerful, and no one can stop them from cheating. But this doesn't mean the cheaters can make a profit. Actually, yes, it is true that the cheaters can hack their own devices, but if they want to sell their cheating tools to users, they will have to persuade their users to root their devices. It is not an easy task. So the cheaters think of an easy way to distribute their cheating tools: the emulators, especially BlueStacks and NOX, but not the AVDs from Android Studio. The AVDs from Android Studio are basically for x86 emulation, which does not support APKs with ARM libraries only, or for ARM emulation, which is super slow. On the other hand, commercial emulators like BlueStacks and NOX use a technique called Houdini, which I will discuss later. These commercial emulators have a highly unified environment, so you don't need to tune your software for different firmware, API levels, etc. And what is better here is that the emulators are usually very easy to root, or they are shipped with a rooted environment in the first place.

According to my investigation, the most popular cheating approach on emulators is touch simulation, and it requires root privilege or shell access, but it does not involve modification of the game binary or hooking skills. This means touch simulation is a gray zone: you can say it is cheating, but you can hardly say it is a crime. On the other hand, you can say that cheating by hooking does not show up on emulators. This is because game code is usually native, and commercial emulators use Houdini to translate ARM code to x86 at runtime, so this makes it more difficult to hook on emulators than on physical devices. So the purpose of my research is to enable hooking on commercial Android emulators, especially hooking native ARM binaries on x86 emulator machines.
The emulator targets I have investigated are listed below: BlueStacks, NOX and Leidian. You can tell from the table that these emulators are very much alike. Maybe they chose these constantly, I'm not sure. But if you try to run an ARM binary on the emulator's command line, you will find that it is executed properly. This is because the emulators use a feature on Linux called binfmt_misc. With this feature you can register a certain binary signature, or magic number, with a certain loader. In our case, when we execute an ARM binary on an emulator which is on an x86 machine, Houdini will be used to execute our binary. In this case it is easy to inject your library into the target process using LD_PRELOAD and perform hooking from your injected library. However, another popular inline hooking technique using ptrace doesn't work. If you try to call the x86 version's ptrace, you won't make it work directly, because you can't call the x86 version's dlopen to open an ARM library. Maybe you want to try to run an ARM ptrace so that you can call the ARM version's dlopen, but this doesn't work either, because ptrace is not fully translated by Houdini.

Then can you inject an ARM library using LD_PRELOAD and also take advantage of it in a Java application? The answer is no, and I will show you why in the following slides. To use LD_PRELOAD we can use the wrap property provided by Android. When you set the wrap property, the application startup is like this: the Zygote is listening on a socket and ready to fork itself whenever a startup request comes. After the child process is forked from Zygote, it executes the shell first instead of executing the application directly, and then executes the application with the shell. This is the detail of the call stack. You can see that after the Zygote forked itself, the function execApplication will be called. In this function it concatenates some command-line strings, including our LD_PRELOAD parameters, and executes the command string with a shell. So you can see that the final command for starting an application with the wrap property looks like this: the LD_PRELOAD is quietly injected into the command line. So far it looks fine that we can inject our library into the target application using LD_PRELOAD, but look carefully: the shell command under the system/bin folder is x86, and the library we want to inject is ARM, so we cannot use LD_PRELOAD in a Java application.

So now we have to dig deeper into Houdini. For Android 5 with ART, if the application startup request from Activity Manager is received, the Zygote forks itself, and it is at that time that Houdini is initialized by the function InitializeNativeBridge. What the InitializeNativeBridge function does is very simple: it just registers some callbacks to a structure called NativeBridgeCallbacks from the libhoudini.so file. Note the functions loadLibrary and getTrampoline; you can think of them as an ARM version of dlopen and dlsym. Whenever the Java layer wants to load a native ARM library, it calls this loadLibrary function. You can find that a structure called NativeBridgeItf and some function pointers are there. These function pointers will eventually be registered to the native bridge callbacks structure.

In contrast, in Android 4, which comes with the Dalvik virtual machine, we have to modify the virtual machine's code directly to use Houdini, because Android developers hadn't expected Android to run on the x86 architecture at that time. Here you can see how Houdini is initialized in the hooked dlopen function. It first tries to open the target library by calling the x86 version's dlopen, and if it fails, it registers Houdini's dlopen handler inside the Houdini hook init function. Finally it calls the handler to open the ARM library.

There were interesting facts that I found when conducting my research. As far as I know, Houdini was developed by Intel, and they didn't provide any commercial license of Houdini publicly. As you can see, there is another emulator called Genymotion, which is also famous but not included in my research. It was not bundled with Houdini when it was released, in order to avoid breaching the license; instead it encourages users to download and install Houdini by themselves. But you can see that BlueStacks has been using Houdini from its release, and deliberately or not, since then they are trying to hide that they are using Houdini binaries. As you can see from the decompiled code of the VM, it tries to open a .so file whose name doesn't look like Houdini, but when it fails to open it, it logs a message which says it fails to load libhoudini.

Now let's see some existing hooking frameworks. First, Xposed works by substituting the app_process binary with a patched one, so it loads its own jar file at startup. Xposed is only a Java-layer hooking framework. Frida is my favorite one and it can do almost everything across massive platforms, layers and architectures, but according to the authors it will not support commercial emulators like NOX for now. Substrate also works on Android, but it is outdated, so I won't discuss it now.

This is a normal hooking process using ptrace. The tracer calls ptrace to attach to the target process and then uses ptrace to call dlopen to load a hooking library into the target process. After the injected library is loaded into the target process memory, the function in the library is executed to perform the hooking stage, such as modifying the entry address of the target function. Here comes my first idea of hooking on emulators, which uses Houdini. It's only one more step than the normal process: I call ptrace to attach to a target process and to load the x86 version's hooking library. Inside the x86 version's .so file, we call Houdini's loadLibrary to load the ARM version's hooking library. Finally, inside the ARM version's library, it hooks and modifies the instructions of the original ARM .so file in memory. The best part is that all the modifications on the ARM .so file will be automatically translated to x86 instructions by Houdini.

After I completed my hooking framework by utilizing the convenient interface provided by Houdini, I realized that the key point to hook on emulators is to inject your library into the target process. And being aware that Xposed has already enabled you to inject Java code into a target process, you can just take advantage of this feature and call System.loadLibrary in the target process. Note that the System.loadLibrary function will take care of the architecture-dependent native library, so you don't even need to know the details. Methods A and B have their own merits and demerits: method A utilizes the ptrace function, so it is more stable, and method B is easy to use, excluding some extreme conditions, and does not trigger any anti-debug mechanism.
I'll give you a simple demo. It just changes the demo game's result by hooking. This is the original play, and before the second play I hooked the game to make it always win. This is the second play, and even if it loses, I always win. Note that this game is shipped with an ARM library only and it is running on the NOX emulator.

Conclusion: not only mobile games but also cheating is getting more popular, and I expect cheating using hooking will become more popular on mobile games, like cheating on PC games. And I would like to know what is going to change after my presentation. Maybe nothing will happen, but to sum up, game vendors might reconsider their attitude to emulators. Thanks for listening, and if you guys have any questions I will be outside, so please ask.

[Applause]
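The talk's explanation of binfmt_misc is the point a game vendor would check from the other side: if the host has registered an interpreter for ARM ELF files, native ARM code is being translated rather than executed, which is a strong emulator/native-bridge indicator. The following is an added example, not the speaker's code; it parses binfmt_misc status entries in the kernel's `/proc/sys/fs/binfmt_misc/<name>` format and applies the kernel's magic/mask matching rule to an ELF header. The entry texts, interpreter paths and magic/mask values are constructed for the example.

```python
# Added example (not from the talk): parse binfmt_misc status entries in the
# format the kernel exposes under /proc/sys/fs/binfmt_misc/<name> and report
# which registered interpreter would receive a given ELF header, i.e. whether
# ARM binaries are handed to a translator such as Houdini. Entries are constructed.
EM_386, EM_ARM, EM_AARCH64 = 0x03, 0x28, 0xB7   # ELF e_machine values
ET_EXEC, ET_DYN = 2, 3                          # ELF e_type values

def parse_binfmt_entry(name, text):
    """Parse one status file into a dict; a missing mask means exact match."""
    e = {"name": name, "enabled": False, "interpreter": "", "offset": 0,
         "magic": b"", "mask": b""}
    for line in text.splitlines():
        key, _, value = line.partition(" ")
        if line.strip() == "enabled":
            e["enabled"] = True
        elif key == "interpreter":
            e["interpreter"] = value.strip()
        elif key == "offset":
            e["offset"] = int(value)
        elif key in ("magic", "mask"):
            e[key] = bytes.fromhex(value.strip())
    e["mask"] = e["mask"] or b"\xff" * len(e["magic"])
    return e

def entry_matches(entry, header):
    """Kernel rule: ((header[offset+i] ^ magic[i]) & mask[i]) == 0 for every i."""
    window = header[entry["offset"]:entry["offset"] + len(entry["magic"])]
    if not entry["enabled"] or len(window) < len(entry["magic"]):
        return False
    return all(((h ^ g) & m) == 0 for h, g, m in zip(window, entry["magic"], entry["mask"]))

def elf_header(e_machine, e_type=ET_EXEC, elf64=False):
    """Minimal little-endian ELF prefix: e_ident (16 bytes), e_type, e_machine."""
    ident = b"\x7fELF" + bytes([2 if elf64 else 1, 1, 1, 0]) + b"\x00" * 8
    return ident + e_type.to_bytes(2, "little") + e_machine.to_bytes(2, "little")

def translators_for(header, entries):
    """Interpreter paths binfmt_misc would exec for this header (normally 0 or 1)."""
    return [e["interpreter"] for e in entries if entry_matches(e, header)]

# Constructed entries modelled on an x86 Android image that registers a native
# bridge for 32- and 64-bit ARM ELF files; the 0xfe mask byte over e_type
# accepts both ET_EXEC (2) and ET_DYN (3), and the 0x00 byte ignores EI_OSABI.
SAMPLE_ENTRIES = [parse_binfmt_entry(n, t) for n, t in {
    "arm_exe": "enabled\ninterpreter /system/lib/arm/houdini\nflags: P\noffset 0\n"
               "magic 7f454c46010101000000000000000000020028\n"
               "mask ffffffffffffff00fffffffffffffffffeffff\n",
    "arm64_exe": "enabled\ninterpreter /system/lib64/arm64/houdini64\nflags: P\n"
                 "offset 0\nmagic 7f454c460201010000000000000000000200b7\n"
                 "mask ffffffffffffff00fffffffffffffffffeffff\n",
}.items()]
```

On a real device the entries come from reading each file under `/proc/sys/fs/binfmt_misc/` instead of `SAMPLE_ENTRIES`; an empty result for an ARM header means the kernel would refuse to exec ARM binaries, which is what a physical ARM device never hits and an x86 emulator with a native bridge always does.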