FoxyOfJungle
Kazan Games
I was recently looking at a safe way to be able to save the file without a regular user being able to modify the gamedata. So I made a system that works as follows to save the game safely:
1 - Save variables in a "ds_map"
2 - Save ds_map as JSON
3 - Save the JSON string to a buffer with a byte length equal to that of the JSON string.
4 - Turn all the buffer content into a base64 string to send it via HTTP, but for now I saved it into a text file.
5 - Before saving the buffer content, I added the HMAC hash at the end of the file to check integrity later.
At the end of the process I get the file like this:
Okay, now I will try to hack it:
1 - I went to this website to convert the base64 string into readable JSON format:
2 - Now I got readable JSON format with its contents:
3 - To adjust the JSON format, I used this website for better viewing:
I changed the money variable to a desirable number
Note that right at the end there is the HMAC hash!
4 - Now I will encode that modified JSON string to base64 again, this time on this website. (I removed the JSON white space):
5 - I will put that base64 string into the original game data:
6 - Running the game and loading I got it:
Okay, I couldn't hack the game, but what to do now? Did I forget something?
.
.
.
Yes...
In cryptography, an HMAC (sometimes expanded as either keyed-hash message authentication code or hash-based message authentication code) is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. As with any MAC, it may be used to simultaneously verify both the data integrity and the authenticity of a message.
As you know, to recreate a hash that is compatible with the file I need the secret key, but how do I get the secret key?
I found a way that is very strange but considered famous by programmers or hackers: I opened the .apk game file, which contains the final binary code of the game, with the "WinRAR" software and searched for "hmac". Then I got the string value of the variable:
1 - The game file containing the whole code:
2 - I used Notepad++ for this (Windows Notepad should work too). As you can see, all I had to do was locate the word HMAC to obtain the secret key!
In my GMS2 Project:
It is now super easy to create a new file using the HMAC key. All I need to do is copy the entire previously saved game, removing the hash; after that, I create another hash using the same key obtained from inside the file previously.
To create a script that can create an HMAC hash, this tutorial is necessary. More about.
After creating the hash using the original key, now just add it to the end of the JSON string and convert to Base64. After that, put it inside the "gamedat.dat" file and open the game:
What to do to reduce the risks above:
- Compile in YYC;
- Use a less obvious variable name, example: global.Q1WE8R5T6YUIOP;
- Use a less obvious variable value, example: global.Q1WE8R5T6YUIOP = "AZ0ER5TYA8BC9DE".
I hope you guys or girls liked it
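The save format and integrity check described in this post, as an added Python example that is not the author's GML code. It assumes HMAC-SHA256 with a hex tag appended to the JSON before base64 encoding (the post does not name the hash or the exact layout), and the key, sample state and function names are constructed for illustration. It shows that an edit which keeps the old tag is rejected, while any file signed with the same key is accepted, so the check is only as strong as the secrecy of a key that ships inside the game binary.

```python
import base64
import hashlib
import hmac
import json

TAG_LEN = 64  # hex length of an HMAC-SHA256 tag (assumed hash, not named in the post)
DEMO_KEY = b"constructed-demo-key"        # constructed sample, not from the post
DEMO_STATE = {"money": 100, "level": 3}   # constructed sample save data


def _body(state: dict) -> bytes:
    """Serialize the state as compact JSON (step 2 of the post)."""
    return json.dumps(state, separators=(",", ":"), sort_keys=True).encode()


def save_game(state: dict, key: bytes) -> str:
    """Steps 1-5 of the post: JSON, HMAC tag appended at the end, base64."""
    body = _body(state)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return base64.b64encode(body + tag).decode()


def load_game(blob: str, key: bytes) -> dict:
    """Return the saved state, or raise ValueError if the tag does not verify."""
    raw = base64.b64decode(blob, validate=True)  # bad base64 raises a ValueError subclass
    if len(raw) <= TAG_LEN:
        raise ValueError("file too short to hold a tag")
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed")
    return json.loads(body)


def edit_without_key(blob: str, field: str, value) -> str:
    """Change one field but keep the old tag (the first attempt in the post)."""
    raw = base64.b64decode(blob)
    state = json.loads(raw[:-TAG_LEN])
    state[field] = value
    return base64.b64encode(_body(state) + raw[-TAG_LEN:]).decode()


if __name__ == "__main__":
    blob = save_game(DEMO_STATE, DEMO_KEY)
    print("original loads:", load_game(blob, DEMO_KEY))
    try:
        load_game(edit_without_key(blob, "money", 999999), DEMO_KEY)
    except ValueError as err:
        print("edited file with old tag:", err)
```

The loader cannot tell who produced a tag, only that it was produced with the key, which is why obfuscating the key's name or value raises the effort to find it but does not change the guarantee.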