Cheaters Gonna Cheat Battling Fake High Scores Nataly Eliyahu CASUAL CONNECT TEL AVIV 19 – 21 OCTOBER 2015.

Slides:

Advertisements

Similar presentations

Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.

Advertisements

FUTURICE. FUTURICE: 3 TOPICS Mikko Viikari

Cheat-Proof Playout for Centralized and Distributed Online Games By Nathaniel Baughman and Brian Levine (danny perry)

Intro to Quantum Cryptography Algorithms Andrew Hamel EECS 598 Quantum Computing FALL 2001.

Anti-Cheating Mechanisms for Computer Games Michael Rudolph Jason Cook.

Computer Science 101 Data Encryption And Computer Networks.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Digital Signatures. Anononymity and the Internet.

Web Site Manual. The LDYSL Web Site Overview The LDYSL will rely extensively on their web site to operate We need all teams to play their part in keeping.

Department of Computer Science University of the West Indies.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Web 2.0 security Kushal Karanjkar Under guidance of Prof. Richard Sinn.

Secure Shell – SSH Tam Ngo Steve Licking cs265. Overview Introduction Brief History and Background of SSH Differences between SSH-1 and SSH- 2 Brief Overview.

Video Streaming in Flash CSCI 4220 – Network Programming Kacper Harabasz.

Servlets and a little bit of Web Services Russell Beale.

Secure Poker Post PC project Motivation Games have been pushing computer industry Many people carry gadgets, but hardly a pack of cards. (even during.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.

Reverse Engineering Ian Kayne For School of Computer Science, University of Birmingham 2 nd February 2009.

Introduction to HASP ® Software DRM Solutions, Products, Benefits All Rights Reserved © Aladdin Knowledge Systems.

OpenInfreno An Open Source RootWars Platform Dennis W. “LittleW0lf” Mattison

Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Harvesting Developer Credentials in Android Apps

Application Security Tom Chothia Computer Security, Lecture 14.

Is Your Mobile App Secure. DEF CON 23 Wall of Sheep Sat

 International  UCSB Sponsored  Application security  ! network security  ! os security  Custom services 2.

Introduction CSE 1310 – Introduction to Computers and Programming Vassilis Athitsos University of Texas at Arlington 1.

Introduction CSE 1310 – Introduction to Computers and Programming Vassilis Athitsos University of Texas at Arlington 1.

How tos, dos and please don’ts Landing the Interview.

Binary Auditing Geller Bedoya Michael Wozniak. Background  Binary auditing is a technique used to test the security and discover the inner workings of.

EEmployers check your Facebook or twitter page to look at way you talk about colleges or customer. they are looking at your privy and binness. And never.

CodeVita Season III (2014 – 2015 Season).

Created By: Kevin Jiang, Cullen Wong, Stephen Halter.

Android Security Auditing Slides and projects at samsclass.info.

Christopher Kruegel University of California Engin Kirda Institute Eurecom Clemens Kolbitsch Thorsten Holz Secure Systems Lab Vienna University of Technology.

Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.

Flipping coins over the telephone and other games.

SSL. Why Is Security Important ●Security is important on E-Commerce because it makes sure that your information gets from your computer to their server.

Slides and projects at samsclass.info. Adding Trojans to Apps Slides and projects at samsclass.info.

King Mongkut’s University of Technology Network Security 8. Password Authentication Methods Prof. Reuven Aviv, Jan Password Authentication1.

Introduction to Information Security מרצים : Dr. Eran Tromer: Prof. Avishai Wool: מתרגלים : Itamar Gilad

Introduction CSE 1310 – Introduction to Computers and Programming Vassilis Athitsos University of Texas at Arlington 1.

Picking Apples. Subtraction game. Turn over two cards from 0-10 Work out the difference. If you have an apple with this amount put a counter on it. First.

CSE 4939 Alex Riordan Brian Pruitt-Goddard. Design an interactive source control application that works between an android phone and a project located.

Online Banking. Learning Objectives To learn how society has been affected by online banking.

JokerStars: Online Card Playing William Sanville Milestone 5.

/16 Final Project Report By Facializer Team Final Project Report Eagle, Leo, Bessie, Five, Evan Dan, Kyle, Ben, Caleb.

Information Systems Design and Development Security Precautions Computing Science.

[FUNCTIONALITY AND SAFETY OF A MODERN TECHNOLOGY] [CLOUD COMPUTING FOR INDIVIDUAL CONSUMERS]

 Group 6 Project Presentation. Application Overview  The idea of the Android application is to use the Gale–Shapley algorithm that will match Medical.

Encryption with Keys and Passwords

Swords and shields: A study of mobile game hacks and existing defences

Swords and shields: A study of Mobile Game Hacks and existing defenses

Cash Me Presented By Group 8 Kartik Patel, Aaron Zhong, Wen-Kai Chen,

Introduction CSE 1310 – Introduction to Computers and Programming

Buy Skin Lightening Cream UK | Everything4you

Fight Game Brian Kessler.

IT Security awareness Training.

CS4622: Computer Networking

SPRING DRAGON APT - A CASE STUDY OF TARGETED ATTACKS IN APAC COUNTRIES

Uses Of Encryption Algorithms

MATH TALK Power of 0 and 1.

MATH TALK POWER EXTREMES.

MATH TALK POWER NUMBER 64 Set 1.

MATH TALK POWER NUMBER 27.

MATH TALK POWER NUMBER 36.

MATH TALK POWER NUMBER 25.

MATH TALK POWER NUMBER 64 Set 2.

MATH TALK POWER NUMBER 16.

Presentation transcript:

Cheaters Gonna Cheat Battling Fake High Scores Nataly Eliyahu CASUAL CONNECT TEL AVIV 19 – 21 OCTOBER 2015

Intro – About Me Freelance Game Developer (NatalyCreates) Indie Card Game and Video Game Designer Technological Unit Army Service Background in Security and Reverse Engineering CASUAL CONNECT TEL AVIV 19 – 21 OCTOBER 2015

What we’ll talk about Back and forth between developer and hacker Approaches and considerations for the developer Think like a hacker CASUAL CONNECT TEL AVIV 19 – 21 OCTOBER 2015

Step 1 – Naive Score Saving Developer POV Save the score locally Use Player Preferences Hacker POV Rooted phone Use tool – Player Preferences Editor CASUAL CONNECT TEL AVIV 19 – 21 OCTOBER 2015

Edit Preferences CASUAL CONNECT TEL AVIV 19 – 21 OCTOBER 2015

Step 2 – Manipulate the Score Developer POV Encode the score (base64 / hex / custom encoding) Math manipulations Hacker POV Blackboxing Guessing Find the Pattern CASUAL CONNECT TEL AVIV 19 – 21 OCTOBER 2015

Step 3 – Encrypt the Score Developer POV Encode the score (base64) Encrypt the score with a secret key (a string) Also: use an obfuscator on the compiled apk Hacker POV Decompile the apk, rename functions and organize code Find the encryption code to see which algorithms is used Find the string for the encryption key Decrypt and encrypt your own scores CASUAL CONNECT TEL AVIV 19 – 21 OCTOBER 2015

Decompile APK CASUAL CONNECT TEL AVIV 19 – 21 OCTOBER 2015

Decompile APK CASUAL CONNECT TEL AVIV 19 – 21 OCTOBER 2015

Decompile APK CASUAL CONNECT TEL AVIV 19 – 21 OCTOBER 2015

Step 4 – Non-standard encryption Developer POV Encode the score (base64) Encrypt the score with a secret key (a string) Change the code of the encryption function to non standard implementation Hacker POV Previous method fails! Score isn’t saved correctly with your script Read the encryption code Look for the differences from the standard implementation Alternative – use dynamic debugging CASUAL CONNECT TEL AVIV 19 – 21 OCTOBER 2015

Step 5 – Server side Developer POV Encode the score (base64) Call a function on the server to encrypt and decrypt the score Secret key is no longer in the apk Always Online issue! Hacker POV Attack the server, look for loopholes Alternative - Use dynamic debugging, change the score in memory before it’s sent to the server CASUAL CONNECT TEL AVIV 19 – 21 OCTOBER 2015

The Heuristics Approach Recognize suspicious scores Is the score possible in the amount of time the player played? Patterns in the score (apple = 5 points, banana = 3 points) Send constant updates on player status in the game CASUAL CONNECT TEL AVIV 19 – 21 OCTOBER 2015

To Sum Up With enough determination, the hacker will always win But - if cheating at your game is really hard, most people won’t bother Going always online helps make it much harder to cheat, but at a cost for the majority of players Choose the most cost-effective solution depending on your game CASUAL CONNECT TEL AVIV 19 – 21 OCTOBER 2015

Questions? Contact me: Facebook: Nataly Eliyahu CASUAL CONNECT TEL AVIV 19 – 21 OCTOBER 2015