Background
GameSentry was created by the NetEase Yidun mobile security team and distils the team's years of front-line experience and methodology. It is a simple and efficient tool: by analysing game protocol content, game function logic and the corresponding addresses, and by providing partial code hot-updating, automated hooking and other functions, it lowers the threshold for deep security testing.
GameSentry is now officially open source (see the announcement "NetEase Yidun GameSentry is officially open source, a sharp blade for game security assurance"). We hope that by reducing the complexity of security testing, game companies can discover and perceive vulnerabilities and risk points in advance, build a more mature security assurance system, reduce game risks, and repay players' love for their games.
What is security testing
The life cycle of a game can usually be divided into four stages: [development] [testing] [release] [operation].
Doing security testing well before a game is released is a very critical step. Good testing not only strengthens the external defences and resists the damage done by cheats (plug-ins) and cracking after release, but also checks for and fills gaps: it reveals oversights in the earlier internal design and code structure so they can be fixed in advance, reducing bugs after the official launch, giving players a better experience and extending the game's life cycle.
At present, common game security testing has the following three directions:
- Game protocol vulnerability test: check whether the game has exploitable risk points in its design, data verification, logic or numerical design by modifying protocol content. This overlaps somewhat with QA testing, but the focus is different: protocol test input is not limited by the client. For example, the client's chat input box will have length and type restrictions, but the protocol itself does not.
- Server robustness test: verify whether the server keeps running normally when sent malformed, oversized and out-of-order data, to prevent malicious attacks by cheats or studios from causing server errors or downtime.
- Cheat simulation test: simulate the behaviour of a cheat by modifying the game's memory, speed, resource files and so on, and check whether this yields in-game benefits or reduces the game's difficulty.
Testers generally choose appropriate techniques and tools for their needs, reverse-engineer and crack the game from the attacker's perspective, then actively discover and mine weaknesses, technical defects and security loopholes in the system, amplifying the defects and assessing the risk. The aim is to expose the potential security risks in a game application in advance, provide fixes for the vulnerabilities, and minimise the cost of damage and hacking after the fact.
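The protocol and robustness tests above boil down to one question for the server: does it re-validate what the client is no longer trusted to validate? The following added example (not GameSentry code, and not any real game's protocol) uses a constructed wire format, a big-endian length, sequence number and type header, and shows a server-side handler that applies the chat length and type limits again, rejects oversized declared lengths before parsing, and refuses out-of-order frames. The `encode` helper only exists to build test traffic.

```python
import struct

# Constructed wire format for this example (not GameSentry's or any real game's
# protocol): big-endian 4-byte total length, 4-byte sequence number, 2-byte type.
HEADER = struct.Struct(">IIH")
MAX_FRAME = 4096          # hard cap on a single frame, independent of the client
MAX_CHAT_LEN = 200        # the same limit the client input box enforces
MSG_CHAT, MSG_MOVE = 1, 2
KNOWN_TYPES = {MSG_CHAT, MSG_MOVE}


def encode(seq, msg_type, payload):
    """Build a well-formed frame (used here only to construct test traffic)."""
    return HEADER.pack(HEADER.size + len(payload), seq, msg_type) + payload


class Session:
    """Server-side handler that re-validates every frame instead of trusting the client."""

    def __init__(self):
        self.expected_seq = 0
        self.rejections = []

    def _reject(self, reason):
        self.rejections.append(reason)
        return ("reject", reason)

    def handle(self, frame):
        # Truncated frame: never read past the bytes actually received.
        if len(frame) < HEADER.size:
            return self._reject("truncated header")
        length, seq, msg_type = HEADER.unpack_from(frame)
        # Oversized or inconsistent declared length: covers the "large data"
        # robustness case before any allocation or parsing happens.
        if length > MAX_FRAME:
            return self._reject("declared length exceeds MAX_FRAME")
        if length != len(frame):
            return self._reject("declared length does not match frame size")
        # Out-of-order or replayed frame: the sequence must advance by exactly one.
        if seq != self.expected_seq:
            return self._reject(f"out-of-order seq {seq}, expected {self.expected_seq}")
        if msg_type not in KNOWN_TYPES:
            return self._reject(f"unknown message type {msg_type}")
        payload = frame[HEADER.size:]
        if msg_type == MSG_CHAT:
            try:
                text = payload.decode("utf-8")
            except UnicodeDecodeError:
                return self._reject("chat payload is not valid UTF-8")
            # Apply the client-side limits again: a modified client can skip them.
            if len(text) > MAX_CHAT_LEN:
                return self._reject("chat text exceeds MAX_CHAT_LEN")
            if any(ord(c) < 0x20 for c in text):
                return self._reject("chat text contains control characters")
        elif msg_type == MSG_MOVE:
            if len(payload) != 8:
                return self._reject("move payload must be exactly 8 bytes")
            x, y = struct.unpack(">ii", payload)  # parsed only after the size check
        self.expected_seq += 1
        return ("accept", msg_type)


if __name__ == "__main__":
    s = Session()
    print(s.handle(encode(0, MSG_CHAT, b"hello")))
    print(s.handle(encode(1, MSG_CHAT, b"x" * 300)))   # over-long chat is rejected
    print(s.handle(encode(7, MSG_MOVE, b"\x00" * 8)))   # out-of-order seq is rejected
```

A rejected frame does not advance `expected_seq`, so a tester resending the same sequence number with a valid body is accepted, while a skipped number is not; the rejection log is what a server robustness test would inspect to confirm each malformed case was caught rather than silently processed.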
What are the usual test methods
Resource extraction: AssetStudio, UABE
C# code: Il2CppDumper, dnSpy
Lua code: dump, load, reload
Memory modification: GG, Frida, hooking, root-related tools
The main risks and test methods are described below.
Resource cracking
Hazard: game resource leakage
Test steps: use tools to extract the resources and observe whether there are unencrypted or extractable resources, including images, audio, models, etc.
Note: judgement is based on content that should not be exposed in the game, such as item icons, background music, etc., not on resources such as the opening animation, theme song or CG that are public anyway.
- Unity3D engine: AssetStudio / GD Ripper
- UE4 engine: umodel
- NeoX engine: GD Ripper / quickBMS
- npk files: NXPK and EXPK formats, using NPKExtractor 1.1.5.5
- Otherwise, extract using the Extractor tool
Re-signature verification
Harm:
- Delete key art model files (monsters, characters, pets, etc.), repackage, and observe whether the game logic is affected, creating loopholes that players can benefit from.
- Delete audio resource files (battle sound effects, background music, etc.), repackage, and observe whether the game logic is affected, creating loopholes that players can benefit from.
- Delete special-effect resource files (skill effects, etc.), repackage, and observe whether the game logic is affected, creating loopholes that players can benefit from.
- If the content and type of a file cannot be accurately identified, sample files at random.
- If art resources are split across multiple files whose names reveal their content, try renaming files to see whether paid resources can be substituted for free skins or items.
Test steps:
After unpacking the APK and deleting some resource files, repackage it and check whether the game can still be installed and run normally.
DLL modification risk
Hazard: modification of game logic.
Test steps:
- Modify Assembly-CSharp.dll using ILSpy's Reflexil plugin.
- Recompile to a DLL, rename it and replace the original DLL file.
- Package the APK, install and run it, and observe whether it takes effect.
SO cracking risk
Hazard: modification of the game's normal logic.
Test steps:
- Observe the function list and check whether the logic-revealing function names have been stripped, e.g. mono_image_open_from_data_with_name, luaL_loadbufferx, il2cpp_image_get_class, etc.
- Symbol lookup: search for the data-%p string and observe whether it exists (in il2cpp.so). Some special symbols increase, to a certain extent, the probability of the game being cracked.
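The symbol check above can be automated so it runs on every build rather than being eyeballed in a disassembler. The following added example (not part of GameSentry) is a minimal ELF64 symbol-table reader in pure Python: it walks the section headers, reads `.dynsym`/`.symtab`, keeps only defined (exported) symbols, reports which of the engine-revealing names from the text are still present, and checks the file for the `data-%p` string. Because a real `.so` cannot be shipped inline, `build_sample_so` constructs a tiny synthetic ELF image with only a `.dynsym` and `.dynstr` for the demonstration; the symbol lists and the `data-%p` payload it receives are constructed test input, not taken from any real library.

```python
import struct

# ELF64 structures (little-endian, as on Android arm64/x86_64).
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # 64 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")          # 64 bytes
SYM = struct.Struct("<IBBHQQ")               # 24 bytes
SHT_SYMTAB, SHT_DYNSYM, SHT_STRTAB = 2, 11, 3
SHN_UNDEF = 0

# Engine-internal symbols named in the text; their presence in the export
# table tells an attacker which runtime is embedded and where to look.
ENGINE_SYMBOLS = {
    "mono": ["mono_image_open_from_data_with_name"],
    "lua": ["luaL_loadbufferx"],
    "il2cpp": ["il2cpp_image_get_class"],
}


def exported_symbols(blob):
    """Return the names of symbols an ELF64 image defines (st_shndx != SHN_UNDEF)."""
    if blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    hdr = EHDR.unpack_from(blob, 0)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    shdrs = [SHDR.unpack_from(blob, shoff + i * shentsize) for i in range(shnum)]
    names = set()
    for sh in shdrs:
        sh_type, sh_off, sh_size, sh_link, sh_entsize = sh[1], sh[4], sh[5], sh[6], sh[9]
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM):
            continue
        str_off, str_size = shdrs[sh_link][4], shdrs[sh_link][5]   # linked string table
        strtab = blob[str_off:str_off + str_size]
        for pos in range(sh_off, sh_off + sh_size, sh_entsize or SYM.size):
            st_name, _info, _other, st_shndx, _value, _size = SYM.unpack_from(blob, pos)
            if st_name == 0 or st_shndx == SHN_UNDEF:
                continue  # skip the null entry and imported (undefined) symbols
            names.add(strtab[st_name:strtab.index(b"\x00", st_name)].decode("ascii", "replace"))
    return names


def audit_so(blob):
    """Report which engine-revealing exports survive and whether 'data-%p' is present."""
    exported = exported_symbols(blob)
    exposed = {}
    for engine, wanted in ENGINE_SYMBOLS.items():
        hits = sorted(n for n in wanted if n in exported)
        if hits:
            exposed[engine] = hits
    return {"exposed_symbols": exposed, "has_data_p_format": b"data-%p" in blob}


def build_sample_so(exported, imported, rodata=b""):
    """Construct a minimal ELF64 image with only .dynsym/.dynstr (test input, not a real library)."""
    dynstr, off = b"\x00", {}
    for n in exported + imported:
        off[n] = len(dynstr)
        dynstr += n.encode() + b"\x00"
    syms = SYM.pack(0, 0, 0, 0, 0, 0)
    for i, n in enumerate(exported):   # any non-zero st_shndx marks a defined symbol
        syms += SYM.pack(off[n], 0x12, 0, 1, 0x1000 + 0x10 * i, 0x10)
    for n in imported:                 # SHN_UNDEF marks an import
        syms += SYM.pack(off[n], 0x12, 0, SHN_UNDEF, 0, 0)
    shstrtab = b"\x00.dynsym\x00.dynstr\x00.shstrtab\x00"
    dynstr_off = EHDR.size
    dynsym_off = dynstr_off + len(dynstr)
    shstr_off = dynsym_off + len(syms)
    rodata_off = shstr_off + len(shstrtab)   # loose bytes standing in for .rodata
    shoff = rodata_off + len(rodata)
    shdrs = SHDR.pack(*([0] * 10))
    shdrs += SHDR.pack(1, SHT_DYNSYM, 2, 0, dynsym_off, len(syms), 2, 1, 8, SYM.size)
    shdrs += SHDR.pack(9, SHT_STRTAB, 2, 0, dynstr_off, len(dynstr), 0, 0, 1, 0)
    shdrs += SHDR.pack(17, SHT_STRTAB, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0)
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    ehdr = EHDR.pack(ident, 3, 183, 1, 0, 0, shoff, 0, EHDR.size, 56, 0, SHDR.size, 4, 3)
    return ehdr + dynstr + syms + shstrtab + rodata + shdrs


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None   # pass a real .so to audit it
    blob = open(path, "rb").read() if path else build_sample_so(
        ["luaL_loadbufferx", "JNI_OnLoad"], ["malloc"], rodata=b"data-%p\x00")
    print(audit_so(blob))
```

Run against a real `libil2cpp.so` or `libunity.so` by passing its path; an empty `exposed_symbols` dict and `has_data_p_format: False` is the result a stripped build should produce. Only exports are counted, since imported names say nothing about what the library itself contains.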
Anti-debugging detection
Test steps:
- Open the game with a debugging tool.
- Set a breakpoint on open in libc.so.
- Run the game and see whether it pauses at the breakpoint.
Save migration
Test steps:
- Copy the files in the game directory to the PC.
- Copy the file to another device/emulator.
- Observe whether the progress of the original game is inherited (fully or partially).
Save files stored in plaintext
Test steps:
- Check for save files with .sqlite or .db suffixes and test whether they can be opened with SQLite Manager.
- Check for other save files, open them directly with Notepad and see whether they are in plaintext.
- Check whether the configuration files contain plaintext private information, such as the user's account password or resource storage paths.
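The three checks above can be scripted over a pulled game data directory. The following added example (not GameSentry code) classifies each candidate file: a file carrying the SQLite header is opened and its tables listed (exactly what SQLite Manager would show), a file that is overwhelmingly printable is treated as plaintext and searched for sensitive keys, and a `.db` file without the SQLite header is recorded as opaque, which is what an encrypted database looks like. `make_sample_dir` builds a constructed sample directory so the script runs offline; the file names, table and key values in it are invented for the demonstration.

```python
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"
SAVE_SUFFIXES = (".db", ".sqlite", ".sav", ".dat", ".json", ".ini", ".xml", ".bin")
SENSITIVE_KEYS = ("password", "passwd", "token", "account", "session")


def is_mostly_text(data, threshold=0.95):
    """True if the sample is overwhelmingly printable ASCII/whitespace (not encrypted or packed)."""
    if not data:
        return False
    printable = sum(1 for b in data if 0x20 <= b < 0x7F or b in b"\t\r\n")
    return printable / len(data) >= threshold


def scan_file(path):
    """Classify one file; returns a finding dict, or None when it looks like an opaque binary."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    name = os.path.basename(path)
    if head.startswith(SQLITE_MAGIC):
        # Unencrypted SQLite: any viewer (SQLite Manager, sqlite3) can read and edit it.
        con = sqlite3.connect(path)
        try:
            tables = [row[0] for row in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        finally:
            con.close()
        return {"file": name, "kind": "sqlite", "tables": tables}
    if is_mostly_text(head):
        text = head.decode("ascii", "replace").lower()
        keys = [k for k in SENSITIVE_KEYS if k in text]
        return {"file": name, "kind": "plaintext", "keys": keys}
    if name.lower().endswith((".db", ".sqlite")):
        # DB suffix but no SQLite header: likely SQLCipher or custom encryption; record it for review.
        return {"file": name, "kind": "opaque-db", "keys": []}
    return None


def scan_dir(root):
    """Walk a game data directory and collect findings for every candidate save/config file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(SAVE_SUFFIXES):
                finding = scan_file(os.path.join(dirpath, fn))
                if finding is not None:
                    findings.append(finding)
    return findings


def make_sample_dir():
    """Constructed sample game data directory (invented contents, not from any real game)."""
    root = tempfile.mkdtemp(prefix="gamedata_")
    con = sqlite3.connect(os.path.join(root, "save.db"))
    con.execute("CREATE TABLE player (id INTEGER, gold INTEGER)")
    con.execute("INSERT INTO player VALUES (1, 500)")
    con.commit()
    con.close()
    with open(os.path.join(root, "config.ini"), "w") as fh:
        fh.write("[login]\naccount=player01\npassword=hunter2\nasset_path=/data/assets\n")
    with open(os.path.join(root, "assets.bin"), "wb") as fh:
        fh.write(bytes(range(256)) * 4)          # stands in for a packed/encrypted blob
    with open(os.path.join(root, "cloud.db"), "wb") as fh:
        fh.write(bytes(range(255, -1, -1)) * 4)  # .db suffix but no SQLite header
    return root


if __name__ == "__main__":
    for finding in scan_dir(make_sample_dir()):
        print(finding)
```

Point `scan_dir` at a directory copied off a device to get the same report for a real game; a `sqlite` or `plaintext` finding is what the test step is looking for, while `opaque-db` entries deserve a second look to confirm the encryption is real rather than a renamed custom format.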
Memory test
Test method: analyse the game logic and modify the memory at the corresponding location. (This process requires tools to decompile the APK, dump memory contents, and modify them with hooks.)
This has to be tested per game and per piece of logic. It mainly detects anomalies such as unauthorised actions, numerical tampering and logic errors.
Protocol test
Test method: obtain all the protocols in the game, modify them and resend them. (This process requires tools to decompile the APK, obtain the code that sends the protocol and decrypt it if necessary, and hook the relevant functions to modify them.)
It mainly detects unauthorised actions, malformed data, replay, etc. Different games require different test cases.
What are the advantages of GameSentry
Ordinary security testing requires testers with a high level of reverse-engineering skill, which sets a high bar for personnel. For result-oriented testing, reversing is essential but time-consuming and labour-intensive, and the quality of the testing has little to do with the level of reversing skill. A tool is therefore needed so that the work no longer centres on reverse engineering, hooking and Lua modification, but directly on the game's logic.
As far as result-oriented testing is concerned, although the demand on reversing skill is lower, the work is still time-consuming and labour-intensive, which not every team can afford.
GameSentry lowers the threshold for deep security testing mainly by analysing the game protocol content, game function logic and the corresponding addresses, and by providing partial code hot-updating, automated hooking and other functions. It simplifies the complicated operations of memory and protocol testing, namely APK reversing, writing hooks, modifying scripts and dumping scripts, which greatly reduces the entry barrier and reversing workload for testers.
In terms of practical effect, GameSentry's design idea is to reverse-engineer and crack the game from the attacker's point of view, actively discover and mine weaknesses, technical defects and security loopholes in the system, and amplify defects and assess risk. It exposes the game's potential security risks so that the security team can prepare a fix before damage occurs, minimising the cost of damage and hacking after the fact.
Why open source
In more than 20 years of front-line experience, NetEase Yidun has faced the pain points of different game types, accumulated a great deal of experience and methodology, and built a mature set of tools on that basis. We have absorbed a lot from the community over the years, so we also want to give back to the community a new-generation product that integrates the team's years of experience.
As an open project, we believe that open-sourcing also helps drive product iteration. For example, there are many Unity versions and il2cpp changes frequently, which poses huge compatibility challenges. Open source not only lets everyone benefit from collective wisdom and makes game developers' testing work easier, but also allows community contributions to cover more engine versions, improving the efficiency of the whole industry and avoiding reinventing the wheel.
More importantly, as game lovers, we hope that by reducing the complexity of security testing, game companies can discover and perceive vulnerabilities and risks in advance, build a more mature security system, reduce game risks, extend the game's life cycle, improve user experience and repay players' love for their games. We look forward to working hand in hand with more game lovers and developers to build a shared ecosystem.
A brief description of the current version
Welcome to contribute
Are you planning security testing for a new project before it goes live?
Are you struggling with reversing the project's APK?
You are very welcome to use the game security testing tool and give feedback, and we look forward to your joining us.