While playing video games with leaderboards you might notice that sometimes there are players with enormous, impossible scores.

[Image lbhack: Impossible scores!]

As you probably guessed, those scores weren’t achieved by playing the game the fair way.
There are three ways (known to me) to do such a terrible thing:

  1. By modifying the save files or the shared preferences. It is better not to use any kind of shared preferences to store sensitive values, while the save files should be encrypted and carry a checksum so that tampering can be detected.
  2. By using a proxy to perform a man-in-the-middle attack (in other words, by modifying the request sent to the leaderboards system). How exposed you are to this type of attack depends on the leaderboards vendor you use. If you run your own leaderboard system, make sure you communicate with it via SSL backed by a public key infrastructure.
  3. By modifying the memory during the game’s runtime with programs such as GameGuardian.

We will talk about the third way to cheat. In the first part I will explain how memory hacking works. In the second part I will show a proposed mechanism that can protect the game against memory hacking.

For the sake of simplicity I will use CheatManager to demonstrate how memory hacking works (the process is very similar to GameGuardian’s).

Of course, if someone wants to hack a game badly enough, they will find a way anyway. The goal is to make it a little harder than it would be without any kind of protection.

Let’s run a simple program that increments the score every second:

Run this program and pause it using CheatManager (set the hotkey in Edit->Settings->Hotkeys->”Pause the selected process”).

[Image beforehack: Application with scores before memory hack.]

Now search for the current score value which is 130.

[Image mem1: Memory values and addresses.]

As you can see, there are three values in this process that are equal to 130. Which one is the one we are looking for? Unpause the application and check which one is changing:

[Image mem2: Highlighted changing value.]

Now, when we’ve got the address of the value we’re looking for, we can change it by right-clicking on the address and selecting “Change value of selected address”:

[Image: Changing value for the address.]

Now, when you unpause the application, you will see that the score value has truly been changed:

[Image afterhack: Application running after memory hack.]

As you can see, memory hacking is based on searching for specific values in memory and then changing them to obtain a better score. To make life more difficult for the cheater, the value must not be represented in memory as itself.
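To make the idea concrete, here is an added example of a counter whose score is never stored as its plain value. It is not the post’s code (the post’s own protection proposal comes in the next part) and it stands in for both the incrementing program above and the "not represented as itself" rule: the score lives as `value XOR key` next to an integrity tag, and every update draws a fresh key, so a scan for "130" finds nothing and a scan for "the value that changed" sees all three words change. The names `obf_int`, `obf_set`, `obf_get`, `obf_add`, `obf_verify` and the `demo_*` helpers are hypothetical, the key stream is a fixed LCG so the run is reproducible, and the tag is a plain mixing function, not a MAC.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not the post's code): a score that is never stored as its
 * plain value. The struct keeps value ^ key plus an integrity tag over both
 * words, so a "search for 130, then overwrite" edit neither finds the score
 * nor survives the next read. The names obf_int/obf_* are hypothetical. */
typedef struct {
    uint32_t key;     /* per-assignment mask, always odd (never 0) */
    uint32_t masked;  /* value ^ key */
    uint32_t check;   /* integrity tag over (key, masked) */
} obf_int;

/* Deterministic key stream (a tiny LCG) so the demo is reproducible;
 * a real build would draw keys from a CSPRNG. Forced odd so key != 0. */
static uint32_t next_key(void) {
    static uint32_t state = 0x2545F491u;
    state = state * 1664525u + 1013904223u;
    return state | 1u;
}

/* Invertible mixing function used as the integrity tag. Not a MAC: it only
 * catches a blind overwrite of one field, not someone who reads the code. */
static uint32_t obf_tag(uint32_t key, uint32_t masked) {
    uint32_t x = key ^ (masked * 0x9E3779B1u);
    x ^= x >> 16;
    x *= 0x85EBCA6Bu;
    x ^= x >> 13;
    return x;
}

void obf_set(obf_int *o, uint32_t value) {
    o->key = next_key();            /* fresh mask on every write */
    o->masked = value ^ o->key;     /* plain value never written to memory */
    o->check = obf_tag(o->key, o->masked);
}

/* 1 if the three words are still consistent, 0 if one was edited in place */
int obf_verify(const obf_int *o) {
    return o->check == obf_tag(o->key, o->masked);
}

uint32_t obf_get(const obf_int *o) {
    return o->masked ^ o->key;
}

/* Re-masks on every update, so a scanner looking for "the word that went
 * from 130 to 131" sees all three words change. Returns 0 on tampering. */
int obf_add(obf_int *o, uint32_t delta) {
    if (!obf_verify(o))
        return 0;
    obf_set(o, obf_get(o) + delta);
    return 1;
}

/* The post's counter idea: start at 0 and add 1 on every tick, n times. */
uint32_t demo_count(uint32_t n) {
    obf_int score;
    obf_set(&score, 0);
    for (uint32_t i = 0; i < n; i++)
        obf_add(&score, 1);
    return obf_get(&score);
}

/* 1 if neither masked nor key holds the plain 130 (both are odd by
 * construction) while the accessor still returns 130. */
int demo_plain_value_absent(void) {
    obf_int score;
    obf_set(&score, 130);
    return score.masked != 130u && score.key != 130u && obf_get(&score) == 130u;
}

/* Simulates a cheat tool writing straight into the masked word (an even
 * number, so it cannot equal the odd stored word). 1 if detected. */
int demo_tamper_detected(void) {
    obf_int score;
    obf_set(&score, 130);
    score.masked = 1000000u;     /* direct memory write, bypassing obf_set */
    return obf_verify(&score) == 0 && obf_add(&score, 1) == 0;
}

int main(void) {
    printf("count after 130 ticks: %u\n", demo_count(130));
    printf("plain 130 absent from memory: %d\n", demo_plain_value_absent());
    printf("tampering detected: %d\n", demo_tamper_detected());
    return 0;
}
```

Two design points worth noting. Re-keying on every write is what defeats the "scan, unpause, scan for changed values" loop shown above: the address that held the masked score is overwritten with an unrelated-looking word on each tick, so there is no stable cell to narrow down. The integrity tag only detects a blind overwrite of a single word; it does not stop someone who reverses the binary and writes all three words consistently, which is the "harder, not impossible" trade-off the post already states.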

In the next part I will show a proposed way to obfuscate selected, important variables and protect them against having their values changed.