Slide 1

Cheat methods and countermeasures for Japanese social games. Shibuya.gamesec #1

Slide 2

Whois: Yusuke Arakawa. Security engineer, software developer. New graduate in 2016 (the slide shows a career timeline: 1st, 2nd, current). Handles: @mofneko, @mofmofneko

Slide 3

Portfolio. I offer several Android and iOS libraries available as Unity native plugins. Usage as a Unity native plugin is described in each README.md, but installation is just copying the prepared files into the specified directory. You can find these libraries at https://github.com/mofneko?tab=repositories.
- EmulatorDetector (Android): Android emulator detection.
- Lilium (Android): SafetyNet Attestation API wrapper.
- JBInspector (iOS): iOS jailbreak detection and iGG (iGameGuardian) detection.

Slide 4

Today's agenda. Goal: everyone grasps what the cheats are and how they work, and we think about countermeasures together.
- RAMemory hack: an example of the memory hack used by the so-called casual hacker layer, and how to counter it.
- iOS and Android topics: what the features of each OS mean for defending against cheats on each of the two platforms.
- Binary hack: how an application is tampered with. It is relatively hard to do, but the easiest kind of cheat for end users to use. And how to deal with it.
- Cheat market: do you know where mod applications come from? I will show where Japanese casual hackers get their mod APKs.

Slide 5

iOS and Android topics: cheat method and countermeasure.

Slide 6

About iOS security. Modifying iOS requires a jailbreak, which is a barrier, so the number of modified devices is smaller, especially on the latest OS versions. However, illicit methods exist that run a modified app without modifying the OS at all, so it cannot be said that there is no threat. iOS is secure by Apple policy... but what happens once that policy collapses is unknown.

Slide 7

Semi-untethered jailbreak. The difficulty of jailbreaking rises with each iOS version. From iOS 10 onward in particular the boot logic changed, so the jailbreak has to be re-applied after every reboot (semi-untethered), which also makes it worse to use.

Slide 8

Weak point of the mod ipa. A mod ipa can only be installed by signing it with a developer certificate, and that is inconvenient for the people who rebuild it: they have to re-sign it every 10 days.

Slide 9

Cydia to Sileo. Cydia, the jailbreak package manager used for a long time, is being replaced by Sileo. Be careful if your jailbreak countermeasure only checks for the Cydia binary!

Slide 10

About Android security. Android respects that the smartphone belongs to the user and lets them customize far more than iOS does. But because the OS itself can be modified, the number of cheaters among Android users is overwhelmingly larger. Android gives users freedom... but it takes freedom away from developers.

Slide 11

SuperSU to Magisk. Magisk, which is both a root manager and a tweak (module) manager, has become mainstream in place of SuperSU, which merely managed root permission. The troubling part of this is its root hider (MagiskHide), which conceals root from apps that check for it.

Slide 12

Account market: cheat method and countermeasure.

Slide 13

About the account market. Services such as GameTrade, where accounts for domestic games can be sold, have lowered the bar for ordinary users into a market that used to be run through trades between Twitter accounts. Since this is mass selling of starter accounts strengthened by the "reset marathon" (rerolling: reset the game and replay the tutorial until the first gacha gives a top-tier result), you have to deal not only with the misconduct itself but also with the server overload caused by the bots that do the rerolling. Account sales accelerate... and so does the load factor of the server.

Slide 15

"Reset marathon" overload by bot. Creating a bot sounds difficult, but it is easy with an emulator. NoxPlayer, for example, has a macro function: once you have recorded the sequence from finishing the tutorial to the first gacha, you can launch multiple emulator instances and run the process automatically.

Slide 16

On the premise of blocking emulators wherever possible: my EmulatorDetector will help you. https://github.com/mofneko/EmulatorDetector

Slide 17

...Is that okay? Blocking emulators may not be an effective measure from the point of view of running a domestic game. For example, many users want to watch the live viewing mode of Cygames' "Release Delete" on a large screen.

Slide 18

RAMemory hack: cheat method and countermeasure.

Slide 19

About the RAMemory hack. The RAMemory hack is what is commonly called a memory cheat: using an app on the smartphone alone, you search the game's memory for a value such as HP or currency and overwrite it. It is a simple kind of cheat... but preventing it takes long-term experience.

Slide 20

About GameGuardian. Android GameGuardian: requires root. After installation it randomly changes its package name to conceal itself so that it will not be found. High update frequency (about three updates a month). iOS GameGuardian (iGameGuardian): requires jailbreak; paid app; low update frequency (slow to support the latest iOS). The Android and iOS GameGuardians are different products.

Slide 21

Not only memory search. GameGuardian can not only search memory but also run scripts built from a memory layout analyzed in the past, so a cheat worked out once can be replayed without searching again.

Slide 22

To you who are about to implement this: the AntiCheat Toolkit Unity asset, which carries know-how built up through years of attacks and counterattacks, is recommended. https://assetstore.unity.com/packages/tools/utilities/anti-cheat-toolkit-10395

Slide 23

Binary hack: cheat method and countermeasure.

Slide 24

About the binary hack. Tampering requires reverse engineering the native C++ binary, so it needs advanced skill in reading binaries. However, a mod apk can be installed even without root, so the bar for using one is low and the cheat spreads explosively, which is what makes it dangerous. Modding is very difficult... but easy to use.

Slide 25

Warning! Is your project still building its game scripts as managed DLLs (the Mono scripting backend)?

Slide 26

Warning! With Mono (mono2x), the managed DLL can easily be decompiled back to something close to the original C# source.

Slide 27

Switch to IL2CPP as soon as possible!

Slide 28

How to follow the logic of IL2CPP. libil2cpp.so: the executable code, at lib/armeabi-v7a/libil2cpp.so. global-metadata.dat: a file that gathers function names, character strings and so on, at assets/bin/Data/Managed/Metadata/global-metadata.dat.
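The shipping check implied by the three warning slides and this file layout, as an added example in Go (not code from the talk or its author): open the APK as a zip, see whether it carries the managed Assembly-CSharp.dll of a Mono build or the libil2cpp.so plus global-metadata.dat pair of an IL2CPP build, and sanity-check the metadata header (the 0xFAB11BAF magic and the version field at offset 4 are what dumping tools key on). The APK produced by BuildSampleAPK is constructed test data, the Assembly-CSharp.dll path is assumed from Unity's standard layout, and the ELF/PE bytes are placeholders.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Paths the slide lists for an IL2CPP build, plus the managed assembly a Mono build ships instead.
const (
	metadataPath  = "assets/bin/Data/Managed/Metadata/global-metadata.dat"
	il2cppPath    = "lib/armeabi-v7a/libil2cpp.so"
	monoAssembly  = "assets/bin/Data/Managed/Assembly-CSharp.dll" // assumed Mono layout
	metadataMagic = 0xFAB11BAF                                     // sanity value at offset 0 of an unencrypted global-metadata.dat
)

// BuildReport says which scripting backend the APK was built with.
type BuildReport struct {
	Backend         string // "IL2CPP", "Mono" or "unknown"
	MetadataVersion int32  // version field at offset 4 of global-metadata.dat (0 if absent)
	HasIL2CPPLib    bool
	HasMonoDLL      bool
}

// InspectAPK reads an APK (a zip file) from memory and reports how the game scripts were shipped.
func InspectAPK(apk []byte) (BuildReport, error) {
	zr, err := zip.NewReader(bytes.NewReader(apk), int64(len(apk)))
	if err != nil {
		return BuildReport{}, err
	}
	var r BuildReport
	for _, f := range zr.File {
		switch {
		case f.Name == monoAssembly:
			r.HasMonoDLL = true
		case strings.HasPrefix(f.Name, "lib/") && strings.HasSuffix(f.Name, "/libil2cpp.so"):
			r.HasIL2CPPLib = true // any ABI directory, not only armeabi-v7a
		case f.Name == metadataPath:
			rc, err := f.Open()
			if err != nil {
				return r, err
			}
			hdr := make([]byte, 8)
			_, err = io.ReadFull(rc, hdr)
			rc.Close()
			if err != nil {
				return r, fmt.Errorf("reading metadata header: %w", err)
			}
			if binary.LittleEndian.Uint32(hdr[0:4]) != metadataMagic {
				return r, errors.New("global-metadata.dat has an unexpected magic (encrypted or customised?)")
			}
			r.MetadataVersion = int32(binary.LittleEndian.Uint32(hdr[4:8]))
		}
	}
	switch {
	case r.HasIL2CPPLib && r.MetadataVersion != 0:
		r.Backend = "IL2CPP"
	case r.HasMonoDLL:
		r.Backend = "Mono"
	default:
		r.Backend = "unknown"
	}
	return r, nil
}

// BuildSampleAPK constructs a tiny in-memory APK (constructed test data, not a real game) so the
// check can run offline. Only the file names and the metadata header matter to InspectAPK.
func BuildSampleAPK(il2cpp bool) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	add := func(name string, data []byte) {
		w, _ := zw.Create(name)
		w.Write(data)
	}
	if il2cpp {
		hdr := make([]byte, 8)
		binary.LittleEndian.PutUint32(hdr[0:4], metadataMagic)
		binary.LittleEndian.PutUint32(hdr[4:8], 24) // metadata version 24, a Unity 2018-era value
		add(metadataPath, hdr)
		add(il2cppPath, []byte("\x7fELF"))
	} else {
		add(monoAssembly, []byte("MZ"))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	for _, il2cpp := range []bool{true, false} {
		rep, err := InspectAPK(BuildSampleAPK(il2cpp))
		fmt.Printf("%+v err=%v\n", rep, err)
	}
}
```

Run it against a real build by reading the APK file into InspectAPK; a "Mono" verdict on a release build is exactly the case the warning slides describe. The magic check is only a sanity check: a wrong magic usually means the metadata has been encrypted or relocated by an obfuscator, which raises the bar for the dumping step described next but does not remove it.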

Slide 29

How to follow the logic of IL2CPP. Step 1. Use Il2CppDumper to dump global-metadata.dat: run Il2CppDumper.exe, choose libil2cpp.so and global-metadata.dat, then select the extraction mode. The program generates all of its output files in the current working directory. Step 2. Use IDA Pro to analyze the IL2CPP logic: IDA Pro is excellent at visualizing the control flow of a function as a graph. Load the dump data with a script, search for a function name that is familiar from the game such as getHp, observe the surrounding code and try to modify it. Once libil2cpp.so and global-metadata.dat have been found, all that remains is to start the tools and begin the analysis!

Slide 30

What to do to protect the product: use a third-party product; use Google SafetyNet; use obfuscated assets.

Slide 31

Pricing table (analysis by me).

Google SafetyNet
  Pricing: free
  Support OS: Android, already installed on the device
  Credibility: made by Google, but a problem occurred once in the past
  Availability: you must implement the verification on your server

Obfuscator
  Pricing: $60 Unity asset
  Support OS: later (support for a new OS version lags behind)
  Credibility: low
  Availability: you must enumerate the function names to exclude yourself

Anti-cheat product (e.g. a library module)
  Pricing: $40k per users per year
  Support OS: from the beta version
  Credibility: high reliability
  Availability: no flexibility in the setting items, depending on the product

Slide 32

Let's use the SafetyNet Attestation API. SafetyNet is Google's API for attesting the integrity of an Android device and app; for our purposes it is the mod apk detection library. If you use it incorrectly its strength drops, so please use it properly.

Slide 33

SafetyNet Attestation API architecture. https://developer.android.com/training/safetynet/attestation. The advantage of SafetyNet is that Google's server returns the analysis result as a signed statement (a JWT/JWS carrying a certificate chain). You must handle this correctly. For example, if the implementation confirms the response only on the edge device, that check is immediately patched out of the binary and skipped. Also, if the server-side verification of the certificate chain and signature is inappropriate, you will not get a correct result. The same goes for the handling of the nonce: the server must generate it, tie it to the session, and accept it only once.
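The server side of that architecture, as an added example in Go (not code from the talk, nor from the Lilium wrapper): split the JWS, verify the x5c chain to a trusted root with the hostname attest.android.com, verify the RS256 signature, and only then bind the payload to the session nonce, the current time, the release package name and the release signing-certificate digest. The payload field names are the ones in Google's documentation; the two-minute freshness window is an assumed policy. SignTestJWS stands in for Google's server so the example runs offline: it mints a self-signed certificate for attest.android.com and returns a pool that trusts only it. In production, pass Roots: nil so Go uses the system trust store.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Attestation holds the payload fields of the SafetyNet Attestation JWS that the server checks.
type Attestation struct {
	Nonce                      string   `json:"nonce"`
	TimestampMs                int64    `json:"timestampMs"`
	ApkPackageName             string   `json:"apkPackageName"`
	ApkCertificateDigestSha256 []string `json:"apkCertificateDigestSha256"`
	CtsProfileMatch            bool     `json:"ctsProfileMatch"`
	BasicIntegrity             bool     `json:"basicIntegrity"`
}

// Expect is the server-side state a statement must be bound to before it is believed.
type Expect struct {
	Nonce      []byte         // nonce this server issued for the session; delete it once it has been used
	Package    string         // release package name
	CertDigest string         // base64 SHA-256 of the release signing certificate
	Now        time.Time
	MaxAge     time.Duration  // assumed freshness policy for timestampMs
	Roots      *x509.CertPool // trust anchors for the x5c chain; nil means the system store
}

// Verify checks chain, hostname and signature, then binds the payload to the session.
func Verify(jws string, e Expect) (*Attestation, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 { return nil, errors.New("malformed JWS") }
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil { return nil, err }
	var hdr struct { Alg string `json:"alg"`; X5c []string `json:"x5c"` }
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil || hdr.Alg != "RS256" || len(hdr.X5c) == 0 {
		return nil, errors.New("unexpected JWS header")
	}
	var chain []*x509.Certificate
	for _, c := range hdr.X5c { // x5c entries are standard base64 DER, leaf first
		der, err := base64.StdEncoding.DecodeString(c)
		if err != nil { return nil, err }
		cert, err := x509.ParseCertificate(der)
		if err != nil { return nil, err }
		chain = append(chain, cert)
	}
	inter := x509.NewCertPool()
	for _, c := range chain[1:] { inter.AddCert(c) }
	opts := x509.VerifyOptions{DNSName: "attest.android.com", Roots: e.Roots, Intermediates: inter, CurrentTime: e.Now}
	if _, err := chain[0].Verify(opts); err != nil { return nil, fmt.Errorf("x5c chain: %w", err) }
	pub, ok := chain[0].PublicKey.(*rsa.PublicKey)
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if !ok || err != nil { return nil, errors.New("bad key type or signature encoding") }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil { return nil, errors.New("bad JWS signature") }
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil { return nil, err }
	var a Attestation
	if err := json.Unmarshal(body, &a); err != nil { return nil, err }
	// Bind the statement to this session, this moment and this build.
	if a.Nonce != base64.StdEncoding.EncodeToString(e.Nonce) { return nil, errors.New("nonce mismatch: replayed or foreign statement") }
	if age := e.Now.Sub(time.UnixMilli(a.TimestampMs)); age < 0 || age > e.MaxAge { return nil, errors.New("stale statement") }
	if a.ApkPackageName != e.Package { return nil, errors.New("package name mismatch") }
	ok = false
	for _, d := range a.ApkCertificateDigestSha256 { ok = ok || d == e.CertDigest }
	if !ok { return nil, errors.New("signing certificate mismatch: re-signed build") }
	if !a.BasicIntegrity || !a.CtsProfileMatch { return &a, errors.New("device failed integrity") }
	return &a, nil
}

// SignTestJWS stands in for Google's attestation server so the example runs offline (test
// scaffolding only): a self-signed certificate for attest.android.com signs the payload as RS256.
func SignTestJWS(a Attestation, now time.Time) (string, *x509.CertPool) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "attest.android.com"},
		DNSNames: []string{"attest.android.com"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	hdr, _ := json.Marshal(map[string]interface{}{"alg": "RS256", "x5c": []string{base64.StdEncoding.EncodeToString(der)}})
	body, _ := json.Marshal(a)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), roots
}
```

To exercise it offline, build an Attestation whose Nonce is the standard-base64 encoding of a server-issued nonce, sign it with SignTestJWS, and call Verify with an Expect whose Roots is the returned pool. The order of the checks matters: nothing in the payload is read before the chain and signature are verified, so a client cannot influence the outcome by editing the JSON, and because the nonce is compared against server state the same statement cannot be replayed for a second session.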

Slide 34

Obtained from the result of the SafetyNet Attestation API: 01 the APK signing certificate and the APK hash; 02 whether the device is rooted or an emulator (boolean); 03 whether it is a Google-certified device (boolean).

Slide 35

Question about 01: if it is just a signature check, can't I get the app's own signature through getPackageManager and check it in the app myself?

Slide 36

You can disguise such a signature check in two easy steps. Here is the tool to use: https://github.com/mofneko/Alchem1c. Step 1. Use KeyTool to get the original signature: run KeyTool.exe stored in keytool/bin/ and drag and drop the original apk onto it to read the signature. Step 2. Apply the Alchem1c patch: unpack the apk and decompile the dex file. Place Alchem1c.java in the com/nekolaboratory/ directory. Find the UnityActivity.java class and add the import and a call to Alchem1c.injectSignature in it. Rebuild the apk and the signature check is bypassed. A check that runs only on the client can always be patched like this, which is why the signing-certificate digest should be taken from the attestation result and compared on the server.

Slide 37

Obtained from the result of the SafetyNet Attestation API. 01 APK signing certificate and APK hash: apkCertificateDigestSha256, the base64-encoded SHA-256 hash of the certificate used to sign the requesting app, and apkDigestSha256, the base64-encoded SHA-256 hash of the APK installed on the user's device. 02 Device rooted or emulator (boolean): basicIntegrity. If its value is true, the device running your app likely wasn't tampered with, but the device hasn't necessarily passed Android compatibility testing. 03 Google-certified device (boolean): ctsProfileMatch. If its value is true, the profile of the device running your app matches the profile of a device that has passed Android compatibility testing.

Slide 38

Other things you can do.

In the case of a music game: many cheats fix the score judgment, e.g. every miss is turned into Perfect, while the number of touches on the screen stays at 0. Logic detection is possible by comparing the judgment results with the number of screen touches.

In the case of a battle game: many cheats fix the player's HP (setHp), or decrease the enemy character's HP right at the start. The countermeasure is to verify the battle on the server from the submitted damage log.

Recommended anti-cheat: remember that a tamperer will keep trying until something works. Let the cheat appear to succeed while secretly recording a fraud log behind the scenes, then deal with it and check it at BAN time.

If you have the budget, use another company's product. But do not overrate that power. Some products do not let you turn off root-device detection and the deactivation that follows it. Their CI integration is solid and operation is easy, but even a product is finished once it is cracked.
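The two server-side checks above, as an added example in Go (not code from the talk): ValidateBattle replays the client's damage log against server-authoritative stats and compares the result with what the client claims, so a setHp hack or a pre-reduced enemy HP shows up as a mismatch and an edited log shows up as impossible damage; ValidateRhythm applies the touch-count comparison for the music-game case. Both always return Accept = true and keep the flags server-side, which is the "let the tamperer think it succeeded, deal with it at BAN time" approach the slide recommends. The log format and the rule that a critical hit caps at twice base attack are assumptions, and the inputs in main are constructed.

```go
package main

import "fmt"

// Unit stats are server-authoritative; the client never supplies them.
type Unit struct{ HP, Attack int }

// Hit is one entry of the damage log the client uploads at battle end (assumed format).
type Hit struct {
	Attacker string // "player" or "enemy"
	Damage   int
}

// Claim is the result a (possibly modded) client reports.
type Claim struct {
	PlayerHPLeft, EnemyHPLeft int
	Won                       bool
	Log                       []Hit
}

// Verdict: the client only ever sees Accept; Flags stay on the server for the BAN review.
type Verdict struct {
	Accept bool
	Flags  []string
}

// maxHitMultiplier is an assumed game rule: a critical hit can at most double base attack.
const maxHitMultiplier = 2

// ValidateBattle replays the log from the server-known stats and compares it with the claim.
func ValidateBattle(player, enemy Unit, c Claim) Verdict {
	var flags []string
	p, e := player.HP, enemy.HP
	for i, h := range c.Log {
		var limit int
		switch h.Attacker {
		case "player":
			limit, e = player.Attack*maxHitMultiplier, e-h.Damage
		case "enemy":
			limit, p = enemy.Attack*maxHitMultiplier, p-h.Damage
		default:
			flags = append(flags, fmt.Sprintf("hit %d: unknown attacker %q", i, h.Attacker))
			continue
		}
		if h.Damage < 0 || h.Damage > limit {
			flags = append(flags, fmt.Sprintf("hit %d: %s damage %d outside 0..%d", i, h.Attacker, h.Damage, limit))
		}
		if p <= 0 || e <= 0 { // the battle ended here; anything after this is fabricated
			if i != len(c.Log)-1 {
				flags = append(flags, fmt.Sprintf("hit %d: log continues after a unit reached 0 HP", i))
			}
			break
		}
	}
	if p < 0 {
		p = 0
	}
	if e < 0 {
		e = 0
	}
	if c.PlayerHPLeft != p || c.EnemyHPLeft != e {
		flags = append(flags, fmt.Sprintf("claimed HP %d/%d but replay gives %d/%d", c.PlayerHPLeft, c.EnemyHPLeft, p, e))
	}
	if c.Won != (e == 0 && p > 0) {
		flags = append(flags, "claimed outcome contradicts replay")
	}
	return Verdict{Accept: true, Flags: flags}
}

// ValidateRhythm covers the music-game case: a judgment hack that turns every miss into Perfect
// yields more Perfects than the screen was ever touched.
func ValidateRhythm(notes, perfects, touches int) Verdict {
	var flags []string
	if perfects > touches {
		flags = append(flags, fmt.Sprintf("%d perfects with only %d touches", perfects, touches))
	}
	if perfects > notes {
		flags = append(flags, "more perfects than notes in the chart")
	}
	return Verdict{Accept: true, Flags: flags}
}

func main() {
	player, enemy := Unit{HP: 100, Attack: 10}, Unit{HP: 50, Attack: 8}
	hacked := Claim{PlayerHPLeft: 100, EnemyHPLeft: 0, Won: true, Log: []Hit{{Attacker: "player", Damage: 999}}} // constructed
	fmt.Println(ValidateBattle(player, enemy, hacked).Flags)
	fmt.Println(ValidateRhythm(300, 300, 0).Flags)
}
```

The flags are evidence, not a verdict: a single flagged battle can be a desync or a bug, so they should be counted per account and reviewed before the BAN, which is the "deal with it and check it at BAN time" step.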

Slide 39

Conclusion. There is no silver bullet in security (catch up with each cheat as soon as possible and keep following it). Cooperation between the game development team and the cheat countermeasure team is essential for countermeasures. Let's cooperate and build a good service!

Slide 40

Thanks! Any questions? Shibuya.gamesec #1