After my initial success writing a save-file hacker for the Android version of the MLP game, I eventually got my friend to lend me her iPad so that I could get to work on an iOS version of the hack.
Unfortunately, the iPad is running iOS 6, which means I couldn't jailbreak it to get a decrypted dump of the MLP app. This means I couldn't disassemble it and reverse engineer the derivation of the GLUID, but fortunately the iOS version saves the complete GLUID in a plist file and the rest of the save-file format is the same.
Unfortunately, non-jailbroken iDevices don't let you sideload non-market apps, which means I can't just write an easy-to-use app as I did with Android. Further, even if I did write an app just for jailbroken devices, it's not clear to me that it could modify the save-game file, which exists outside of its own sandbox. Consequently, we must resort to extracting the save-file from the device, modifying it on our computer, and then pushing it back.
So without further ado, here's how you can hack your save-file on any iOS device (no jailbreaking required).
Core Dump
Tuesday, November 20, 2012
Security? In My Phone?
After a few days of having my Android MLP Hacker App in the wild, I received quite a few reports of it working successfully, while I received several more of it not working at all. After looking through the comments, the common problem was that the app was unable to open the game's save file, and all of the affected users had devices running Android 4.1 or 4.2 (at the time of writing, 4.2 is the most current version of Android).
With that information in hand, a quick Google search unveiled what was happening. As security researcher Zach Lanier points out, it is a common security pitfall in Android apps to save files with world-writable permissions, since the default umask in Android is 000. This is precisely the pitfall the MLP game fell into, and is the vulnerability my app was exploiting, since world-writable permissions enabled it to rewrite the game's save file.
However, in the above post, Lanier cites a message from Nick Kralevich on the Android security team informing him that Android 4.1 changes the default umask to 077. Thus on such devices the game's save file is no longer world-writable (or even world-readable), which is why there were people unable to use my app.
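To make the umask point concrete, here is an added example (not code from the blog or from the game) that reproduces the two situations on any POSIX system, which is what Android's file permissions are built on: a file created with the usual requested mode 0666 ends up world-writable under umask 000 and private under umask 077. It also shows the fix an app author should apply regardless of the platform default, namely requesting 0600 explicitly, and a small audit that lists world-writable files in a directory. File names and the temporary directory are constructed for the demonstration.

```python
import os
import stat
import tempfile


def create_with_umask(path, umask):
    """Create `path` requesting mode 0666 under `umask` (the typical
    library default) and return the permission bits it actually got."""
    old = os.umask(umask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)
        os.close(fd)
    finally:
        os.umask(old)  # never leave the process umask changed
    return stat.S_IMODE(os.stat(path).st_mode)


def create_private(path):
    """The mitigation: request 0600 up front and chmod afterwards, so the
    result does not depend on whatever umask the platform happens to use."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.close(fd)
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_world_writable(directory):
    """Return the base names of regular files under `directory` that any
    user on the system could modify (the condition the post describes)."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            st = os.lstat(os.path.join(root, name))
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                findings.append(name)
    return sorted(findings)


def demo():
    """Build three constructed save files in a scratch directory and report
    their resulting modes plus the audit result."""
    with tempfile.TemporaryDirectory() as d:
        # Old Android default (umask 000): file comes out 0666.
        m000 = create_with_umask(os.path.join(d, "save_umask000.dat"), 0o000)
        # Android 4.1+ default (umask 077): same request yields 0600.
        m077 = create_with_umask(os.path.join(d, "save_umask077.dat"), 0o077)
        # Explicit 0600 stays private even when the umask is permissive.
        old = os.umask(0o000)
        try:
            mexp = create_private(os.path.join(d, "save_explicit.dat"))
        finally:
            os.umask(old)
        return {
            "umask000_mode": m000,
            "umask077_mode": m077,
            "explicit_mode": mexp,
            "world_writable": audit_world_writable(d),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) else value)
```

Run it as a script to see the modes printed in octal; only the umask 000 file shows up in the audit, which is the same condition that let the Android app rewrite the game's save.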
At the end of the day, this is a good thing for security (for example, you don't really want every application you run to exploit this and discover all the contacts you've added to your MLP game, do you?), even if it does make it more difficult to run my app.
To manage this problem, I've updated the app (the link in the original blog post has been updated) to use root permissions to reset the save game file to world-writable permissions (only in the event that the save file is not already writable, so those running Android 4.0 and earlier should be unaffected). This does, however, of course require a rooted device.
Those with an un-rooted device running Android 4.1 or newer will unfortunately not be able to use the native app. However, it is still possible to hack your save file by manually pulling it off the device with ADB, modifying it, and pushing it back again with ADB. Detailed instructions to come.
Thursday, November 15, 2012
Reverse Engineering With Ponies
TL;DR? Watch the video demo:
Friday, June 15, 2012
Once upon a time I had a blog that I used rather irregularly (the last post from then was over four years ago). At some point I may try to import those old posts, but in the meantime I think it's time for something new. Last Tuesday I received my Raspberry Pi in the mail, which I have been gleefully toying with since. Given the number of different configurations I've already toyed with, I decided I ought to document some of what I've done.
My first attempt was to reproduce my HTPC configuration, a Debian-based box running XBMC on Nvidia ION hardware. There are plenty of ways to get XBMC running on such a system (it's x86 after all) and there are plenty of distributions even built for such a thing. However, my setup has some unique requirements.