Tuesday, November 20, 2012

Save File Hacking MLP For iDevices

After my initial success writing a save-file hacker for the Android version of the MLP game, I eventually got my friend to lend me her iPad so that I could get to work on an iOS version of the hack.

Unfortunately, the iPad is running iOS 6, which means I couldn't jailbreak it to get a decrypted dump of the MLP app. This means I couldn't disassemble it and reverse engineer the derivation of the GLUID, but fortunately the iOS version saves the complete GLUID in a plist file and the rest of the save-file format is the same.

Unfortunately, non-jailbroken iDevices don't let you sideload non-market apps, which means I can't just write an easy-to-use app as I did with Android. Further, even if I did write an app just for jailbroken devices, it's not clear to me that it could modify the save-game file which exists outside of its own sandbox. Consequently, we must resort to extracting the save-file from the device, modifying it on our computer, and then pushing it back.

So without further ado, here's how you can hack your save-file on any iOS device (no jailbreaking required).

Security? In My Phone?

After a few days of having my Android MLP Hacker App in the wild, I received quite a few reports of it working successfully, while I received several more of it not working at all. After looking through the comments, the common problem was that the app was unable to open the game's save file, and all of the affected users had devices running Android 4.1 or 4.2 (at the time of writing, 4.2 is the most current version of Android).

With that information in hand, a quick Google search unveiled what was happening. As security researcher Zach Lanier points out, it is a common security pitfall in Android apps to save files with world-writable permissions, since the default umask in Android is 000. This is precisely the pitfall the MLP game fell into, and it is the vulnerability my app was exploiting, since world-writable permissions enabled it to rewrite the game's save file.

However, in the above post, Lanier cites a message from Nick Kralevich on the Android security team informing him that Android 4.1 changes the default umask to 077. Thus on such devices the game's save file is no longer world-writable (or even world-readable); hence there were people unable to use my app.
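To make the umask point concrete, here is an added example (my own, not the game's code) that creates a file under umask 000 and under umask 077 and reports the permission bits that actually land on disk, then shows the fix the game could have applied: requesting mode 0600 explicitly so the result no longer depends on the platform default. It assumes a POSIX system and writes only into a temporary directory.

```python
import os
import stat
import tempfile


def create_with_umask(path: str, umask: int, mode: int = 0o666) -> int:
    """Create `path` requesting `mode` while `umask` is in effect.

    Returns the permission bits actually stored, which the kernel
    computes as mode & ~umask at creation time.
    """
    old = os.umask(umask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        try:
            return stat.S_IMODE(os.fstat(fd).st_mode)
        finally:
            os.close(fd)
    finally:
        os.umask(old)


def is_world_writable(path: str) -> bool:
    """The check an auditor would run over an app's data directory."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def demo() -> dict:
    """Reproduce the pre-4.1 and post-4.1 defaults, plus the explicit fix."""
    tmp = tempfile.mkdtemp()  # constructed scratch area, not a real app dir
    results = {}
    # Android < 4.1 default: umask 000 leaves the file 0666 (world-writable).
    p = os.path.join(tmp, "save_umask000.dat")
    results["umask_000"] = create_with_umask(p, 0o000)
    results["umask_000_world_writable"] = is_world_writable(p)
    # Android >= 4.1 default: umask 077 strips group/other bits -> 0600.
    p = os.path.join(tmp, "save_umask077.dat")
    results["umask_077"] = create_with_umask(p, 0o077)
    results["umask_077_world_writable"] = is_world_writable(p)
    # The developer-side fix: ask for 0600 explicitly, so even the
    # permissive umask 000 cannot widen the file beyond the owner.
    p = os.path.join(tmp, "save_explicit.dat")
    results["explicit_0600_under_umask_000"] = create_with_umask(p, 0o000, 0o600)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {oct(value) if isinstance(value, int) and not isinstance(value, bool) else value}")
```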

At the end of the day, this is a good thing for security (for example, you don't really want every application you run to exploit this and discover all the contacts you've added to your MLP game, do you?), even if it does make it more difficult to run my app.

To manage this problem, I've updated the app (the link in the original blog post has been updated) to use root permissions to reset the save game file to world-writable permissions (only in the event that the save file is not already writable, so those running Android 4.0 and earlier should be unaffected). This does, of course, require a rooted device.

Those with an un-rooted device running Android 4.1 or newer will unfortunately not be able to use the native app. However, it is still possible to hack your save file by manually pulling it off the device with ADB, modifying it, and pushing it back again with ADB. Detailed instructions to come.

Thursday, November 15, 2012

Reverse Engineering With Ponies

While it is quite apparent that I don't use this blog with any frequency or regularity, every so often I take on a technical project which I feel is worth documenting, and this is one such case.

TL;DR? Watch the video demo: