GMS 2 I have found a way to HACK HMAC hash Encryption

FoxyOfJungle

Kazan Games
I was recently looking at a safe way to be able to save the file without a regular user being able to modify the gamedata. So I made a system that works as follows to save the game safely:

1 - Save variables in a "ds_map"
2 - Save ds_map as JSON
3 - Save the JSON string to a buffer with byte length equals to the JSON string.
4 - Turn all the buffer content into base64 string to send it via HTTP, but for now I saved it into a text file.
5 - Before saving the buffer content, I added the HMAC hash in the end of file to check integrity later.


At the end of the process I get the file like this:




Okay, now I will try to hack It:



1 - I entered in this website to convert base64 string into readable JSON format:

2 - Now I got readable JSON format with it's contents:




3 - To adjust the JSON format, I used this website to better viewing:


I changed the money variable to a desirable number ;)
Note that right at the end there is the HMAC hash!


4 - Now I will encode that modified JSON string to the base64 again, but now in this website. (I removed the JSON white space):




5 - I will put that base64 string into the original game data:




6 - Running the game and loading I got it:



Okay, I couldn't hack the game, but what to do now? I forgot something?
.
.
.
Yes...

In cryptography, an HMAC (sometimes expanded as either keyed-hash message authentication code or hash-based message authentication code) is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message.

As you know, to recreate a hash that is compatible with the file I need the secret key, but how do I get the secret key?

I found a very strange way but considered famous by programmers or hackers, I opened the .apk game file containing the final binary code of the game with the "WinRAR" software, I searched for "hmac", then I get the string value of the variable:

1 - The game file containing all the whole code:





2 - I used Notepad++ for this (Windows Notepad should work too). As you can see, all I had to do was locate the word HMAC to obtain the secret key!



In my GMS2 Project:



It is now super easy to create a new file using the HMAC key, all I need to do is copy the entire game previously saved by removing the hash, after that, I create another hash using the same key obtained from inside the file previously.

To create a script that can create a HMAC hash, this tutorial is necessary. More about.


~~ After creating the hash using the original key, now just add it to the end of the JSON string and convert to Base64, after that put it inside "gamedat.dat" file and open the game:



What to do to reduce the risks above:
- Compile in YYC;
- Use less obvious variable name, example: global.Q1WE8R5T6YUIOP;
- Use the least obvious variable value, example: global.Q1WE8R5T6YUIOP = "AZ0ER5TYA8BC9DE".



I hope you guys or girls liked it :)
 
Last edited:

FrostyCat

Member
This isn't really news to anyone who knows what they're doing. The common downfall to all hard-coded secret keys that ship with the client-side product is a hex editor. You could use a less obvious name or store the HMAC key in non-string-readable form (e.g. 64-bit integers), but these are minor distractions in the grand scheme of things.
 

EvanSki

Raccoon Jam Host
Congrats on file sniffing and using the Internets wide verity of 64base decoders, hide your hmac key and you'll be less likely to do so,
really all im seeing is you converting data then converting it back and thinking thats an exploit, the hmac stuff was kinda cool and i didnt know that part, so props for that

TLDR: Neat trick but its really nothing ground breaking
 

Tthecreator

Your Creator!
I think this goes a great way to show that you can't expect your game to be uncrackable on a compter your customer has 100% control over. Offline anti-cheat is like playing with god, with god being the user. You gave a good example of this :duck:
 

FoxyOfJungle

Kazan Games
This isn't really news to anyone who knows what they're doing. The common downfall to all hard-coded secret keys that ship with the client-side product is a hex editor. You could use a less obvious name or store the HMAC key in non-string-readable form (e.g. 64-bit integers), but these are minor distractions in the grand scheme of things.
This was exactly what I had thought when I did these tests, maybe I should include this explanation in the topic :) But in any case, it is interesting to know the vulnerability.
 
Last edited:
Top