Peek, Poke - to get Unlimited stuff

A couple of decades ago, kids sat in front of a TV screen armed with a tape recorder and cassettes, waiting patiently for the tape to play and load the game onto the home computer. This 15-30 minute task was then rewarded with a game running on the machine. Since the game was loaded from a cassette player (transmitted as audio), copying it was easy: a tape-to-tape copy. Some games, however, were a challenge, and since many games had no save option, the moment one turned the machine off the game and all the achievements were lost. Games gave three lives, and completing a level was a real challenge.
Pick up a magazine from the 80's and you are sure to find pages dedicated to pokes, which are not the same as the pokes kids use these days on Facebook. These were memory locations that one altered to change the code so that it gave the player unlimited lives, a high score, etc. Entering them wasn't easy: most games loaded and auto-ran, so there was no way to get at the memory location and type the command POKE memoryLocation, value. So there was hardware, an add-on that at the press of a button froze everything and gave the user the ability to modify certain memory locations and then save this memory snapshot back to tape, or even to a disk drive.

Those were the 80's. These days it is no longer necessary to have that hardware, but now and then players look for a way to get stuff in games for various reasons, most of them about personal gratification.

To provide an example, there is a social game from EA, much like what Farmville used to be at one time, called The Simpsons Tapped Out (TSTO). It has managed to keep its content interesting; however, getting half the things in the game requires the player to get Donuts. There are two types of in-game currency, Donuts and Bucks. Donuts are used for premium items, whereas Bucks are earned every time one completes a task, etc. There are players that have practically every premium item in their Springfield, which if purchased with real money would be worth thousands of dollars. It might not be easy for many to spend that kind of money on a game, however crazy and cash-rich they might be, so there exist programs that hack the app to generate more donuts and cash. Unfortunately I have been unsuccessful in getting to try one, nor would I try one on my own account and risk being banned and losing over a year of hard work.

The question remained: how did they do it? This came about because on some forum (I cannot recollect which) someone discussed using iFunBox. I recollect using iFunBox in the past for saving and providing a developer some data for debugging (another game) and I was amazed by the speed and finesse of the program. So, to check whether there was an update, I navigated to their site, where there were a couple of documents on how to use iFunBox, and one of the articles covered hacking Temple Run to get all the goodies without ever buying them from the store. It was a simple text file with one setting per line. I wish all in-app purchases were that simple.

This then sparked a question in my mind: how secure are in-app purchases? The way in-app purchases work, the app offers everything the user purchased until it is time to restore purchases, when the program might find that the user did not buy anything. In the case of consumables, however, there is no way to verify that unless a detailed purchase and action history is maintained for every user that can recreate the situation to date (if played back). While I was waiting for the new version of iFunBox to download, I thought of checking out a game I had downloaded on the Samsung tab a while ago, called "Nun Attack: Run and Gun". I had tried the earlier Nun Attack game and it was cool; I had not realised that this one was another endless runner. It was interesting, and the thought that came to mind was: can this be modified to get the in-app purchases, Money and Diamonds (which are used to buy upgrades and unlock certain characters)?

Note: All the information hereafter is for educational purposes; using it in any other form is the sole responsibility of the reader, not mine. The aim was to test how easy it is for a player to modify or alter the game data. It is after all from this that we realise how easy it would be for a player to crack the app and cheat a developer of revenue. So if you like the game, please consider buying its in-app purchases.

What you need

Download the game to your iOS device.
Copy of iFunBox (has Mac and Windows versions, use the one appropriate to your platform)
Copy of a Hex Editor; suggested ones are 0xED for Mac, and for Windows there are Hex Editor XVI32 and HxD to choose from

General Technique

I remember wondering how people knew which locations to poke and alter, and how the Interface II and other similar hardware devices knew what locations to alter. They worked on a simple principle: they worked out which locations had been altered, or performed a search for known values in memory. The same thing works for us here. As a step-by-step process, it would be:
1. Get a snapshot of the data file
2. Note the known values (coins, lives, etc.) and perform some action in the game that would alter the data file
3. Get a new snapshot of the data file
4. Open both files in a Hex Editor, locate the locations that changed, check them against the known values and VOILA!! you know what to alter
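The comparison in step 4 is tedious by eye once a file is more than a few hundred bytes, so here it is as a script. This is an added example, not code from the original page: it diffs two snapshots and then looks for offsets where every snapshot holds its known value as a little-endian integer of 1, 2, 4 or 8 bytes (the byte order the iOS save below turns out to use). The two 32-byte blobs are constructed stand-ins for the real file, with a counter going from 1264 to 1310 at offset 0x14 and one unrelated byte changing as well; the function takes any number of snapshots, which is the general form of the two-snapshot trick described above.

```python
import struct

# Constructed sample snapshots, NOT the real SAVEGAME_0.sav: two 32-byte blobs
# standing in for the "before" and "after" copies of a save file. A counter at
# offset 0x14 holds 1264 (F0 04 00 00) before and 1310 (1E 05 00 00) after, and
# one unrelated byte (offset 8) changes too, as timers and the like tend to.
BEFORE = bytes.fromhex(
    "53415645 01000000 03000000 00000000"
    "7f000000 f0040000 02000000 00000000"
)
AFTER = bytes.fromhex(
    "53415645 01000000 05000000 00000000"
    "7f000000 1e050000 02000000 00000000"
)

# Candidate field widths, all unsigned little-endian (low byte first).
WIDTHS = {1: "<B", 2: "<H", 4: "<I", 8: "<Q"}


def changed_offsets(before: bytes, after: bytes) -> list[int]:
    """Step 4, first half: every offset at which the two snapshots differ."""
    if len(before) != len(after):
        raise ValueError("snapshots differ in length; not a fixed-layout save")
    return [i for i, (x, y) in enumerate(zip(before, after)) if x != y]


def find_counter(snapshots: list[tuple[bytes, int]]) -> list[tuple[int, int]]:
    """Step 4, second half, generalised to any number of snapshots.

    `snapshots` pairs each snapshot with the value the game displayed for the
    counter at that moment. Returns (offset, width) pairs at which EVERY
    snapshot holds its known value as an unsigned little-endian integer of
    that width. More snapshots shrink the candidate list; two is usually
    enough for something like a coin count. When both a 2-byte and a 4-byte
    match land on the same offset, the wider one is the field and the upper
    bytes simply happen to be zero.
    """
    hits = []
    length = min(len(blob) for blob, _ in snapshots)
    for width, fmt in WIDTHS.items():
        if any(value >= 1 << (8 * width) for _, value in snapshots):
            continue  # value does not fit in a field this narrow
        packed = [(blob, struct.pack(fmt, value)) for blob, value in snapshots]
        for off in range(length - width + 1):
            if all(blob[off:off + width] == want for blob, want in packed):
                hits.append((off, width))
    return hits


def report(before: bytes, after: bytes, old_value: int, new_value: int) -> None:
    """Print what a hex-editor comparison would show, plus the located counter."""
    for off in changed_offsets(before, after):
        print(f"offset {off:#06x}: {before[off]:02X} -> {after[off]:02X}")
    for off, width in find_counter([(before, old_value), (after, new_value)]):
        print(f"counter {old_value}->{new_value} fits at {off:#06x} as {width}-byte LE")


if __name__ == "__main__":
    report(BEFORE, AFTER, 1264, 1310)
```

With real files, read both copies with `Path(...).read_bytes()` and pass the coin counts you saw on screen. If nothing matches, the value may be stored big-endian, as a float, or inside a container with a variable-length encoding, and the diff alone (offsets that changed) is the place to start looking.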

So let's get to it.

Step by Step - Case 1

1. Play the game
2. Connect the iOS device to the computer and start iFunBox
3. Navigate to Applications to see the icon for the game, and double click it to view its files
4. Go to the Documents folder, where the data file is; it is called SAVEGAME_0.sav
5. Select this file and use the option Copy to Mac, or right click and copy it to the desktop.

Note: The device is not Jailbroken

Here's a snapshot of the data file after the game was played once:

Looking at the numbers in a hex editor means nothing on its own, as there is no context for what these numbers mean. So to find out what they mean, we need to compare this file with another snapshot.

Then, going back and playing the game further altered the data file, and here's how it looked:

The only information that I had was that I had 1310 coins, 0 diamonds and 2 retries. Since the data is not stored in a text format like a plist or ini file, it would be a bit more challenging. However, a couple of locations look different between the two snapshots, namely the first line, the 6th column in the second line, and the column starting at offset 0x193, which was 00 F0 04 00 and is now 00 1E 05 00. A little hex conversion: the number 1310 is 0x051E in hex, and the file stores the low byte first (little-endian), so as a two-byte WORD it appears as 1E 05; seem familiar? (The earlier bytes F0 04 decode the same way to 0x04F0, i.e. 1264.) Altering those two bytes to FF FF would max out a 16-bit counter, since FF FF equates to 65535. The coins, however, occupy 4 bytes starting at offset 0x194, which read 1E 05 00 00. Altering these to FF FF FF 00 and saving gives a lot of coins, 16777215 to be precise. However, since the number formatter in the game only displays 7 digits, this shows up as 9,999,999 coins.

Press the home button to come out of the game, then double press the home button to bring up the list of apps, and kill the app from there; if it is running in the background you cannot alter the data file. Now delete the data file in iFunBox and then drag and drop the saved file from the desktop.

Now when you restart the game, the coins would show up as 9 999 999.
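Doing the edit in a hex editor works, but it is easy to land one byte off or to patch a stale copy of the file. The script below is an added example, not part of the original post or the game: it decodes the counter at the offset found above, refuses to write unless the bytes there still decode to the value the game last showed, and keeps a .bak copy before overwriting. The 32-bit unsigned little-endian layout at 0x194 is the assumption drawn from the snapshots; the 0x200-byte SAMPLE is a constructed stand-in for SAVEGAME_0.sav. It also explains why FF FF FF 00 is the sensible choice: if the game happens to read the field as a signed int, FF FF FF FF would be -1.

```python
import struct
from pathlib import Path

COIN_OFFSET = 0x194   # where the two-snapshot comparison put the coin counter
COIN_FMT = "<I"       # assumption: an unsigned 32-bit little-endian integer


def read_counter(data: bytes, offset: int = COIN_OFFSET, fmt: str = COIN_FMT) -> int:
    """Decode the counter stored at `offset`."""
    return struct.unpack_from(fmt, data, offset)[0]


def patch_counter(data: bytes, expected: int, new_value: int,
                  offset: int = COIN_OFFSET, fmt: str = COIN_FMT) -> bytes:
    """Return a copy of `data` with the counter at `offset` set to `new_value`.

    Refuses to write unless the bytes currently there decode to `expected`
    (the value the game last displayed), which catches a wrong offset, a
    stale copy of the file, or a save from a different game version. Also
    refuses values with the top bit set: if the game reads the field as a
    signed int, FF FF FF FF would be -1, not 4294967295, which is why the
    text patches to FF FF FF 00 rather than FF FF FF FF.
    """
    width = struct.calcsize(fmt)
    current = read_counter(data, offset, fmt)
    if current != expected:
        raise ValueError(f"offset {offset:#x} holds {current}, expected {expected}")
    if not 0 <= new_value < 1 << (8 * width - 1):
        raise ValueError(f"{new_value} is outside the safe range for a {width}-byte field")
    patched = bytearray(data)
    struct.pack_into(fmt, patched, offset, new_value)
    return bytes(patched)


def patch_file(path: str, expected: int, new_value: int) -> None:
    """Patch a save file on disk, writing an untouched .bak copy first."""
    p = Path(path)
    original = p.read_bytes()
    p.with_suffix(p.suffix + ".bak").write_bytes(original)
    p.write_bytes(patch_counter(original, expected, new_value))


# Constructed stand-in for a save file: 0x200 zero bytes with 1310 coins at
# 0x194. NOT a real SAVEGAME_0.sav.
_buf = bytearray(0x200)
struct.pack_into(COIN_FMT, _buf, COIN_OFFSET, 1310)
SAMPLE = bytes(_buf)

if __name__ == "__main__":
    patched = patch_counter(SAMPLE, expected=1310, new_value=0xFFFFFF)
    print(patched[COIN_OFFSET:COIN_OFFSET + 4].hex(" "), read_counter(patched))
```

For the real file the call is `patch_file("SAVEGAME_0.sav", 1310, 0xFFFFFF)` with the coin count the game currently shows; then copy the result back with iFunBox as described above, with the app killed first.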

Then, with a couple more runs altering things like the retries and diamonds, the locations where these reside were found. Altering them gives unlimited diamonds and unlimited retries, and if you do run out, replenishing them is a breeze. I leave finding the locations for the Diamonds and the retries to you, the reader, to practice.

Can you spot the locations that hold the diamonds and retries? The other numbers in the middle represent the various characters and their weapon upgrades, etc. Worst case, if you really mess things up, delete the file and the app will create a new SAVEGAME_0.sav file.

Step by Step - Case 2

In this case study, I would also like to look at another app example: Go Ninja. This is another endless runner, like Run and Gun, and an amazing game both in terms of graphics and playability. It is even closer to my heart as I am credited in this app for a library that I had written and they have used (not all developers credit others' work; the guys at Hiptic were great and did).

This app stores all of its data in a database rather than in text or binary files. This is a good way to organise it, but it is less secure than the previous method, as anyone can open a SQLite database and query the contents without having to work out the layout first.

What we need

There are plenty of tools to view SQLite databases; on the Mac a really handy one is called Lita, and since it is built using Adobe AIR, I presume that it would work for Windows as well.

After connecting iFunBox, navigate to GoNinja! and then to its Documents directory, where you will find a file called goNinja.db; copy this to the desktop and open it in Lita.

There are 6 tables in here:

This database contains the various settings required for the game; a simple alteration to the value in the table ninja_points sets the number of ninja points to whatever is required.
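Lita does the clicking for you, but the same three steps (list the tables, look at the columns, run an UPDATE) are what any SQLite client does, and Python's built-in sqlite3 module is enough. This is an added example and not the game's code; the ninja_points table with an `id` and a `points` column is an assumed schema for the demo, not the actual layout of goNinja.db, which is why the script enumerates tables and columns from sqlite_master before touching anything. The demo database is built in memory; point `open_db()` at the copied goNinja.db instead for the real thing.

```python
import sqlite3

# Constructed stand-in for goNinja.db. The real file has six tables; the
# ninja_points table and its columns below are an ASSUMED schema for the demo,
# not the game's actual one. Check the real schema with table_schema() first.
DEMO_SCHEMA = """
CREATE TABLE ninja_points (id INTEGER PRIMARY KEY, points INTEGER NOT NULL);
INSERT INTO ninja_points (points) VALUES (120);
CREATE TABLE settings (key TEXT PRIMARY KEY, value TEXT);
INSERT INTO settings VALUES ('sound', 'on');
"""


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """Open a database; for the demo (":memory:") populate it with DEMO_SCHEMA."""
    conn = sqlite3.connect(path)
    if path == ":memory:":
        conn.executescript(DEMO_SCHEMA)
    return conn


def list_tables(conn: sqlite3.Connection) -> list[str]:
    """What Lita shows in its sidebar: every user table in the file."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name"
    )
    return [name for (name,) in rows]


def table_schema(conn: sqlite3.Connection, table: str) -> list[str]:
    """Column names of `table`, so you know which one to edit.
    PRAGMA does not take bound parameters, hence the quoted identifier."""
    return [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')]


def read_points(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT points FROM ninja_points WHERE id = 1").fetchone()[0]


def set_points(conn: sqlite3.Connection, value: int) -> int:
    """The 'simple alteration' from the text as an UPDATE; returns the stored value."""
    with conn:  # commit on success, roll back if the UPDATE fails
        conn.execute("UPDATE ninja_points SET points = ? WHERE id = 1", (value,))
    return read_points(conn)


if __name__ == "__main__":
    conn = open_db()            # open_db("goNinja.db") for the copied file
    print(list_tables(conn))
    print(table_schema(conn, "ninja_points"))
    print(read_points(conn), "->", set_points(conn, 999_999))
```

Whatever the real column is called, the same `PRAGMA table_info` call tells you, and the UPDATE is then a one-liner; copy the file back with iFunBox as in Case 1, with the app not running.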

Aim of this article

The aim of this article is not to encourage hacking or cheating developers out of revenue; instead it is a look at how simple it can be to alter the data that the app/game relies upon. Suggestions on how to make this more secure would be a topic for a future how-to article. A simple way would be to save the data as a text file but then encrypt the file using some algorithm, the only catch being that if there is an error while saving, the data can be lost.
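The two problems raised in that paragraph, edits to the file and data loss on a failed save, each have a standard fix, shown here as an added example that is not the page's own or any of the games' code. Instead of encryption (which hides values but does not by itself stop someone who has the key from writing new ones), the save is protected with an HMAC-SHA256 tag so that any byte changed in the body, the Case 1 edit included, is rejected on load; and the write goes to a temporary file in the same directory followed by an atomic rename, so a crash mid-save leaves either the old file or the new one, never a half-written one. The key, state and file name are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import tempfile

TAG_LEN = hashlib.sha256().digest_size  # 32-byte tag in front of the body


def _encode(state: dict) -> bytes:
    # Canonical JSON so the same state always produces the same bytes.
    return json.dumps(state, sort_keys=True, separators=(",", ":")).encode()


def seal(state: dict, key: bytes) -> bytes:
    """Serialise the save state and prepend an HMAC-SHA256 tag over it."""
    body = _encode(state)
    return hmac.new(key, body, hashlib.sha256).digest() + body


def unseal(blob: bytes, key: bytes) -> dict:
    """Verify the tag before trusting a single byte of the body."""
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("save file failed integrity check")
    return json.loads(body)


def atomic_write(path: str, data: bytes) -> None:
    """Write to a temp file beside the target, fsync, then rename over it."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".save-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)  # atomic on POSIX and on Windows
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)     # never leave a half-written temp file behind
        raise


def save_game(path: str, state: dict, key: bytes) -> None:
    atomic_write(path, seal(state, key))


def load_game(path: str, key: bytes) -> dict:
    with open(path, "rb") as f:
        return unseal(f.read(), key)


def round_trip(state: dict, key: bytes) -> dict:
    """Save to a temporary directory and load back."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "SAVEGAME_0.sav")
        save_game(path, state, key)
        return load_game(path, key)


def tamper_detected(blob: bytes, key: bytes, field: str, value) -> bool:
    """Simulate the Case 1 edit on a sealed save (change one field, keep the
    old tag) and report whether unseal() rejects it. True means it was caught."""
    state = json.loads(blob[TAG_LEN:])
    state[field] = value
    forged = blob[:TAG_LEN] + _encode(state)
    try:
        unseal(forged, key)
    except ValueError:
        return True
    return False


# Constructed demo key and state. In a shipped app the key sits in the binary
# and can be pulled out by anyone who can read the binary; see the note below.
DEMO_KEY = b"demo-key-replace-me"
DEMO_STATE = {"coins": 1310, "diamonds": 0, "retries": 2}

if __name__ == "__main__":
    print(round_trip(DEMO_STATE, DEMO_KEY))
    sealed = seal(DEMO_STATE, DEMO_KEY)
    print("coins edit caught:", tamper_detected(sealed, DEMO_KEY, "coins", 16777215))
```

The caveat a practitioner would add: the key has to live somewhere the app can read it, so anyone willing to go beyond a hex editor and disassemble the binary can recover it and re-sign a forged save. A tag like this stops the casual edits shown in this article; for consumables like donuts, the only durable answer is the one hinted at in the in-app purchase paragraph above, keeping the balance and its history on the server rather than in a file on the device.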

Personal Feedback

I played Nun Attack: Run and Gun without the upgrades and then with unlimited diamonds and money. The game was very easy, the fun part was taken away, and there was no joy in actually completing the level. If I died, rather than being frustrated and trying all over again just to reach the 4th or 5th level before carelessly getting killed, I could simply breeze through without a care, which takes away the fun from the game.

I tried to see if the number of donuts could be altered in TSTO (the Simpsons game) but I was not able to find a simple way to do so. Thinking back, I spent countless hours tapping the Simpsons to see the Level up screen, and prior to that tapping for hours on my strawberry fields (these also serve as a timer for breaks while coding). If I had unlimited donuts and every character and object that the game has to offer, I would have been deprived of the fun of discovering and exploring the game and might have dropped it and moved on to some other game. Prior to the Simpsons I had spent some time on Hay Day, but since Supercell did not really care about feedback and their UI challenges meant accidentally using up premium currency on the silliest of things, I gave up on it in frustration. It has some nifty graphics; I believe another popular game, Clash of Clans, is by Supercell and is their money raker.

