Game: Asphalt 9
Engine: custom engine from Gameloft
Goal: trying to reverse network communication, so I can connect with the server and do actions without opening the game
What I found so far:
When the client connects to the server, the server sends a certain "nonce", which the client apparently uses to encrypt the access_token before sending it.
How I found this? Reproducing the same client request gets an "incorrect nonce in access_token" response from the server, because it sent me a different nonce.
From there on I set out to find the code in the game that encrypts the access_token so I can reproduce the encryption, and that's where I'm stuck.
What I tried:
- dumping libAsphalt9.so with objdump -d and looking through the code, but the library is huge (170 MB) and doesn't contain any readable symbols
- using the Frida API to hook some libc.so functions (sendmsg, strlen); this method actually yielded a function offset that gets called when the client is crafting the response with the access_token, but what's next? (Setting a breakpoint on that offset in gdb makes the TCP connection time out, with only the first server message being received.)
TL;DR
I have a function offset that gets called somewhere before the target encryption function offset but I don't know how to retrace it to the encryption function because all symbols are stripped!
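The behaviour described in the post (server hands out a nonce, the client binds its access_token to it, and a replayed request is rejected with "incorrect nonce in access_token") is a standard challenge-response design. The following is an added illustration of that mechanism in Python, not code from the post or from the game; it assumes an HMAC over nonce plus token as a stand-in for whatever "encryption" the real client performs, and a constructed shared key. It shows why a captured request cannot simply be replayed: each connection receives a fresh, single-use nonce.

```python
import hashlib
import hmac
import secrets


class NonceAuthServer:
    """Constructed model of a server that issues a per-connection nonce and
    only accepts an access_token proof bound to that exact nonce.
    This is an assumption-based model, not Gameloft's protocol."""

    def __init__(self, shared_key: bytes):
        self.key = shared_key
        self.issued = {}  # connection id -> nonce currently outstanding

    def issue_nonce(self, conn_id: str) -> bytes:
        # First server message: a fresh random nonce for this connection.
        nonce = secrets.token_bytes(16)
        self.issued[conn_id] = nonce
        return nonce

    def verify(self, conn_id: str, token: str, proof: bytes) -> str:
        # The nonce is single-use: remove it as soon as a proof is checked,
        # so a second attempt on the same connection cannot reuse it.
        nonce = self.issued.pop(conn_id, None)
        if nonce is None:
            return "no nonce issued"
        expected = hmac.new(self.key, nonce + token.encode(), hashlib.sha256).digest()
        # Constant-time comparison avoids leaking where the proof diverges.
        if not hmac.compare_digest(expected, proof):
            return "incorrect nonce in access_token"
        return "ok"


def client_bind(shared_key: bytes, nonce: bytes, token: str) -> bytes:
    """Client side of the assumed binding: HMAC(key, nonce || access_token)."""
    return hmac.new(shared_key, nonce + token.encode(), hashlib.sha256).digest()


def simulate() -> tuple:
    """Runs a legitimate login, a replay of the captured proof on a new
    connection, and a reuse of the same nonce on the original connection."""
    key = b"constructed-shared-secret"  # assumption: key known to both sides
    server = NonceAuthServer(key)

    # Legitimate flow: nonce issued, proof computed over that nonce, accepted.
    nonce1 = server.issue_nonce("conn1")
    proof1 = client_bind(key, nonce1, "access_token_abc")
    legit = server.verify("conn1", "access_token_abc", proof1)

    # Replay: a new connection gets a different nonce, so the captured
    # proof no longer matches and the server rejects it.
    server.issue_nonce("conn2")
    replay = server.verify("conn2", "access_token_abc", proof1)

    # Reuse on the original connection: the nonce was consumed already.
    reuse = server.verify("conn1", "access_token_abc", proof1)

    return legit, replay, reuse


if __name__ == "__main__":
    print(simulate())
```

The server-side design choices here are the ones that produce the symptom in the post: a random nonce per connection, single-use consumption, and a proof that covers both the nonce and the token, so neither the token nor the proof can be lifted from one session into another.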