Knowing things by learning | How can game developers calmly deal with the risks of Unity mobile games?

This article is published by NetEase Cloud.

 

"Knowing things by learning" is a brand column created by NetEase Yunyidun. The phrase comes from the "Real Knowledge" chapter of "Lun Heng" by the Han dynasty scholar Wang Chong: people differ in ability, but only by learning can they know the truth of things and become wise, and without asking they will not know. The column hopes to bring you something useful through practical technical content, trend analysis, and personal reflections, and to broaden your view. If you have knowledge or experience to share, you are welcome to contribute by email ([email protected]).

 

The following is the text:

On March 25th, the first stop of the 2018 Unity Technology Roadshow, Mobile Game Technology Sharing Day, was held in Guangzhou. The event aims to give mobile game developers a better platform for exchange: to learn Unity's latest tools and techniques for mobile game development, to share the best game development and industry application cases, and to help developers perceive security risks in advance and avoid losses.

Chen Shiliu, NetEase Cloud Yidun Mobile Game Security Technology Expert

Chen Shiliu, an expert in mobile game security technology from NetEase Yunyidun, attended the exchange event and gave a technical talk titled "Risks and Security Issues of Unity Mobile Games - Escorted by NetEase Yunyidun". He introduced the many risks and popular cheat tools that Unity mobile games face today, and focused on the technical principles and practical cases behind Yidun's security solutions.

1. Risks faced by Unity mobile games

According to statistics, in 2017 there were about 9,000 active mobile game apps in China, most of which had security problems such as cracking, malicious code insertion, ad insertion, cheats, and repackaging. These problems create hidden costs for companies: development becomes harder and more expensive, players become less willing to pay, games lose fairness, players leave, and revenue is lost directly. Addressing the risks facing Unity mobile games is therefore very important for developers.

Common Unity mobile game risks fall mainly into two groups: cracking risks and cheat tools.

 

Cracking risks

The cracking risks mainly include Unity mono script decryption, Unity il2cpp script parsing, and Assetbundle resource tampering.

  • Unity mono script decryption

The following two figures show the binary form and source code conversion of the mono script file.

  • Unity il2cpp script parsing

With libil2cpp.so and global-metadata.dat as input, use Il2CppDumper to parse:

The parsed effect is as follows, the class name, function name and corresponding offset can be parsed out:

At present there is no tool that can recover source code on iOS, but if the Android scripts can be decrypted or parsed, cracking the iOS version becomes much easier. Effective script encryption on Android is therefore essential.

  • Assetbundle resource tampering

Wallhacks (see-through cheats) give players using a modified version an asymmetric advantage. In a shooting game such as the one shown below, changing a material property in the Assetbundle resource to transparent produces the see-through effect.

In addition to the risk of resources being tampered with, there is also the risk of resources being stolen and analyzed by competing products.

  • Save data modification

Some game save data exists in plaintext. If the data is not verified on the server, or if it is a stand-alone game, there will be huge security risks, and various attributes of the game can be directly modified.

Cheat tools

  • Game modifiers

 

Using a modifier, the damage multiplier can be changed from 18% to 999.9%, increasing attack damage dozens of times. The same principle can produce effects such as invincibility, instant kills, infinite mana, and skills with no cooldown, so modifiers are quite harmful to game balance.

Commonly used modifiers are Shaobing Modifier, Bamen Artifact and GameGuardian (GG Modifier and its various modified versions); GameGuardian is popular in real-time battle games (such as battle royale games).

The above picture shows the search value interface, and the following picture shows the calling lua script interface

GG lua script sold by a QQ group

  • Root-free modifiers

A root-free modifier obtains Root permissions through third-party software and can then access and modify almost all files in the mobile game, but this may affect the stability of the game and cause failures such as crashes, freezes, and restarts.

The root-free modifier that comes with Bamen Artifact

The ROOT-free modifier that comes with GG big players

  • Game accelerator

There are two types of accelerators: phone accelerators, such as the Shaobing accelerator and the GG accelerator, and emulator accelerators, such as the Tiantian accelerator. An accelerator can slow the game down as well as speed it up. As shown in the figure below, with the Shaobing accelerator the background speed increases as the acceleration multiple increases.

  • Game cracked version

 

Cracked versions offer many overpowered features to attract players. The picture below shows a site that specializes in selling cracked games for profit. Besides the sales website, its operators have also opened a Taobao store. The monthly fee of 150 yuan alone already exceeds the ARPU of many games. The existence of such cracked versions seriously affects the experience of ordinary players and causes great losses to game revenue and reputation.

Including GG big players, halo assistants, etc., there are various cracked versions for sale on the market.

GG big player game crack version, the picture above is the list of the modified version, and the picture below is the function of the modified version

Halo Assistant game crack version, the picture above is the list of the modified version, the picture below is the function of the modified version

  • Simulated-click bots

The picture above shows a simulated-click bot. Although it only simulates clicks, it can be used to play the game automatically and farm gold coins and points, which has a considerable impact on game balance. Common simulated-click tools include touch wizard, touch wizard, button wizard, fork assistant, game honeycomb and so on.

 

2. How does Yidun do it?

 

NetEase Yidun can provide encryption solutions such as Unity mono DLL script encryption, IL2CPP encryption, Assetbundle encryption, etc., as well as anti-modifier, anti-acceleration, anti-emulator, anti-debugging and other general protection functions for mobile games and mobile game risk perception.

 

Unity mono DLL script encryption

 

DLL scripts can be encrypted and decrypted by modifying or hooking mono_image_open_from_data_with_name, the function that loads C# scripts. If the C# DLL script is encrypted, it must be decrypted before this function executes. As a result, anyone who sets a breakpoint or hook on this function can obtain the original DLL without reverse engineering the encryption algorithm. Note also that the function performs a memcpy, so mono keeps a copy of the decrypted DLL in memory.

Unity mono DLL script encryption has undergone three generations of technological evolution.

 

The first generation encrypts the DLL file directly and decrypts it at the start of mono_image_open_from_data_with_name. This is very easy to crack: a PE file begins with the four magic bytes 4d 5a 90 00, which serve as a signature for the C# DLL script, so it is enough to search for the value 0x905a4d. Because the Shaobing Modifier takes decimal values, the value is converted to decimal: 9460301. The threshold for decryption is therefore very low; a modifier is all that is needed.

The second generation addresses that obvious weakness by strengthening protection against decryption. After decryption, the PE header shown in the figure below is erased, so that a modifier cannot locate the script. The threshold for decryption is therefore relatively high, and cracking requires very strong reverse engineering skills.

The third generation encrypts individual C# functions, that is, method-level encryption, which requires dynamic decryption.

dnSpy function parsing result for the raw, unencrypted script

dnSpy function parsing error after function encryption
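An added example, not NetEase Yidun's code: a C regression check that models the first- and second-generation behaviour described above on a constructed buffer. It confirms that the signature 4d 5a 90 00 (9460301) locates an unscrubbed image and that nothing is found once the header is erased; the function names, buffer layout and e_lfanew value are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DOS_MAGIC32 0x00905A4Du /* bytes 4d 5a 90 00 as a little-endian dword = 9460301 */
#define PE_SIG32    0x00004550u /* "PE\0\0" */
#define E_LFANEW    0x3C        /* DOS header field holding the PE header offset */

/* Read a little-endian 32-bit value at any alignment. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Offset of the first PE image still recognisable in buf, or -1.
 * A hit needs the DOS magic plus an e_lfanew that lands on "PE\0\0". */
static long find_pe_image(const uint8_t *buf, size_t len)
{
    for (size_t off = 0; off + E_LFANEW + 4 <= len; off++) {
        if (rd32(buf + off) != DOS_MAGIC32) continue;
        uint32_t lfanew = rd32(buf + off + E_LFANEW);
        if (lfanew <= len - off - 4 && rd32(buf + off + lfanew) == PE_SIG32)
            return (long)off;
    }
    return -1;
}

/* Model of the second-generation step: zero everything from the DOS magic
 * through the PE signature. Returns 1 if a header was found and wiped. */
static int scrub_pe_header(uint8_t *buf, size_t len)
{
    long off = find_pe_image(buf, len);
    if (off < 0) return 0;
    memset(buf + off, 0, (size_t)rd32(buf + off + E_LFANEW) + 4);
    return 1;
}

/* Constructed stand-in for a decrypted image inside a larger mapping. */
static void make_sample(uint8_t *buf, size_t len, size_t at)
{
    memset(buf, 0xCC, len);
    memcpy(buf + at, "\x4d\x5a\x90\x00", 4);
    memcpy(buf + at + E_LFANEW, "\x80\x00\x00\x00", 4); /* e_lfanew = 0x80 */
    memcpy(buf + at + 0x80, "PE\0\0", 4);
}

int main(void)
{
    uint8_t img[256];
    make_sample(img, sizeof img, 16);
    long before = find_pe_image(img, sizeof img);
    scrub_pe_header(img, sizeof img);
    return (before == 16 && find_pe_image(img, sizeof img) == -1) ? 0 : 1;
}
```

Erasing the header removes only the signature; the decrypted image body is still in memory afterwards.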

IL2CPP encryption

IL2CPP script code lives in libil2cpp.so and can be parsed with the help of the symbol information in global-metadata.dat. libil2cpp.so therefore needs to be protected with an SO packer. As shown in the figure below, opening the original libil2cpp.so in IDA shows 475 exported functions:

The hardened libil2cpp.so shows no exported functions:

Assetbundle encryption

 

When the Assetbundle is not encrypted, Unity Studio can parse out various resources:

After the Assetbundle is encrypted, Unity Studio cannot parse it:

Universal protection for mobile games

In addition to encryption solutions such as Unity mono DLL script encryption, IL2CPP encryption, and Assetbundle encryption, NetEase Yidun can also provide general mobile game protection functions, including anti-modifier, anti-acceleration, anti-emulator, anti-debugging, anti-simulated-click, file verification, anti-repackaging, save-data encryption, custom packing of the engine SO, and so on. In general these functions work with any game engine, and one or more can be selected according to the needs of the game. At present, the engines NetEase Yidun mainly supports are Unity3d, COCOS, NEOX and UE4.

  • anti-modifier

Modifiers can implement many functions, such as infinite mana, skills with no cooldown, invincibility, instant kills, double attack, and so on. They are a favorite of tool users and one of the tools commonly used by professional crackers. Besides the common Shaobing Modifier, Bamen Artifact, Gourd Man and GG (GameGuardian), there are many custom modified versions.

 

Of these, the GG modifier is the most professional, and it takes dedicated anti-detection measures (randomizing its package name, giving its child process a system process name, and so on), so conventional process detection does not work against GG. Yidun mobile game protection instead detects the modification behavior itself, which catches all modifiers, known and unknown. The following figure is an example of the detection effect:

  • anti-acceleration

 

An accelerator can speed the game up or slow it down. There are two main categories. The first runs inside the Android system, such as the Shaobing accelerator and the fork accelerator; general-purpose modifiers usually include an acceleration function as well. The second accelerates the emulator process, in the same way as acceleration of PC client games: in essence the whole emulator is sped up, and no accelerator runs inside the Android system. The typical example is the Tiantian accelerator that comes with the Tiantian emulator.

 

Accelerators give individual players an advantage and upset game balance. Yidun mobile game protection has detection schemes for both kinds of acceleration. They detect the behavior rather than specific accelerators, which makes them more general: for process accelerators such as the Tiantian accelerator, even a 0.1x acceleration can be detected.

The picture above shows a hardened parkour game. Once acceleration takes effect with the Tiantian accelerator, the game exits after about a second.
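The page does not say how Yidun detects acceleration. As an added illustration of behavior-based detection (not Yidun's code), this C example compares elapsed time on the device clock with a reference the client cannot scale, assumed here to be server timestamps in heartbeat replies; the struct, function names, 5-second window and tolerance are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One heartbeat: milliseconds on the device clock, and milliseconds on a
 * reference the client cannot scale (assumed: server timestamps). */
struct clock_sample { int64_t local_ms, ref_ms; };

enum speed_verdict { SPEED_OK, SPEED_FAST, SPEED_SLOW, SPEED_UNKNOWN };

/* Local/reference elapsed ratio over the window, in permille
 * (1000 = in step, 1100 = running 1.1x). -1 if the window is unusable. */
static int speed_permille(const struct clock_sample *s, size_t n, int64_t min_ref_ms)
{
    if (n < 2)
        return -1;
    int64_t local = s[n - 1].local_ms - s[0].local_ms;
    int64_t ref = s[n - 1].ref_ms - s[0].ref_ms;
    if (ref <= 0 || ref < min_ref_ms || local < 0)
        return -1; /* too short to outweigh jitter, or a clock went backwards */
    return (int)((local * 1000 + ref / 2) / ref);
}

/* Judge by behaviour (clock drift), not by which tool is installed. */
static enum speed_verdict classify_speed(const struct clock_sample *s, size_t n, int tol_permille)
{
    int r = speed_permille(s, n, 5000);
    if (r < 0) return SPEED_UNKNOWN;
    if (r > 1000 + tol_permille) return SPEED_FAST;
    if (r < 1000 - tol_permille) return SPEED_SLOW;
    return SPEED_OK;
}

/* Constructed heartbeat logs, one sample every 2 s of reference time. */
static const struct clock_sample honest[] = {
    {0, 0}, {2003, 2000}, {4010, 4000}, {6001, 6000}, {8012, 8000}, {10004, 10000} };
static const struct clock_sample fast_1_1x[] = {
    {0, 0}, {2200, 2000}, {4400, 4000}, {6600, 6000}, {8800, 8000}, {11000, 10000} };
static const struct clock_sample slow_0_5x[] = {
    {0, 0}, {1000, 2000}, {2000, 4000}, {3000, 6000}, {4000, 8000}, {5000, 10000} };

int main(void)
{
    printf("honest=%d fast=%d slow=%d\n",
           classify_speed(honest, 6, 50), classify_speed(fast_1_1x, 6, 50),
           classify_speed(slow_0_5x, 6, 50));
    return 0;
}
```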

 

  • Anti-simulated click

Strictly speaking, simulated clicking is not an illegal cheat; it sits in a gray area. Simulated clickers are therefore all run by companies and are widely used. Even so, the functions that simulated-click scripts provide have a large negative impact on game balance. At present, the better-known simulated clickers include fork assistant, touch wizard, touch wizard, button wizard, game honeycomb and so on.

As shown in the figure below, if the touch wizard is started and the game is launched afterwards, the protection detects the simulated clicker and the game exits:

Yidun mobile game protection uses a combination of process and behavior detection to detect simulated clickers.

The above-mentioned general protection functions for mobile games have their own characteristics, and developers can choose according to their actual needs:

Mobile game risk perception

 

NetEase Yidun can also provide mobile game risk perception functions, including detection of cracked packages, non-perceptual confrontation with crackers, risk assessment of malicious users, and support for privatized deployment.

3. Features of Easy Shield Protection Program

 

The NetEase EasyShield protection solution has the performance characteristics of pure native protection, packing the engine SO, high compatibility and stability, small performance impact, and support for Windows, Linux, and Mac platform reinforcement.

 

Pure Native protection

Inside a game's Dex are third-party SDKs and in-house SDKs that do not involve game logic. Packing the Dex has two drawbacks. First, because of Android fragmentation it easily reduces the app's compatibility. Second, Android has two virtual machines, Dalvik and ART, so a Dex packer must add processing to stay compatible with both, which significantly increases startup time. Both Ali and Tencent offer Dex packing services, yet Alipay and WeChat are not Dex-packed. Alipay and WeChat probably face the most serious security problems of any app, so the fact that they are not Dex-packed is telling. In addition, none of Tencent's games are Dex-packed. If mobile game protection has to rely on Dex packing, compatibility and security are hard to guarantee, so Dex packers are not recommended for games.

The following figure is an example of a third-party game, using jeb to analyze the modules contained in its Dex:

NetEase EasyShield can provide pure Native protection, so that game protection does not depend on Dex packers. The advantages and disadvantages of Dex packing and pure Native protection are compared as follows:

Pack the engine SO

Basically, all cracks rely on reverse analysis of the engine SO. If the SO is protected by a packer, the threshold for cracking the game rises greatly. In addition to packing the engine SO, NetEase Yidun also verifies the code of sensitive functions.

High compatibility and stability

 

The principle of strong compatibility is that all protections are in the SO layer, and DEX will not be modified, which effectively avoids compatibility problems caused by Android fragmentation. NetEase Yidun is highly compatible, and can be compatible with all versions of systems from Android 2.3 to Android 9.0, all emulators and instruction sets used by all game engines.

 

To ensure stability, mobile game protection follows this release process:

 

  1. QA test: Tested on 200 mobile phones and various simulators;
  2. Pre-online test: Integrate the security module into the APP with 1,000 daily active users and test it for 2 weeks;
  3. Version release: After the first two rounds of testing are stable, it will be officially released;
  4. Online regression: First test online with smaller internal games to ensure stability.

Low performance impact

The Yidun protection solution also has a small performance impact: its effect on CPU usage, memory usage, startup time, power consumption, and so on is almost negligible.

Support Windows, Linux, Mac three platform reinforcement

In addition, the Yidun protection solution also supports the reinforcement of Windows, Linux, and Mac platforms. The reinforcement tool is provided in the form of a jar package. It not only comes with the speed signature function, but also fully optimizes the reinforcement, making it faster.

The integration process for hardening is:

 

  1. Determine game reinforcement items;
  2. Easy shield technology supports cloud configuration of reinforcement items;
  3. Get appkey;
  4. Download the reinforcement jar package tool and configure the appkey according to the instructions.

 

4. What customer approvals have Yidun's solutions received?

NetEase's E-Shield protection solution is widely used in practical cases, including mobile games such as A Chinese Ghost Story and Terminator 2: Judgment Day within NetEase.

Externally, there are also many game companies that have adopted the Easy Shield mobile game protection scheme.

Finally, Yidun also held an on-site security diagnosis session, and attendees asked about the reinforcement process. Li Peiran, a full engineer of NetEase customers, said that reinforcement can be integrated with a single command line, without affecting the development process.

"It is very convenient to use," Li Peiran emphasized.

 
