Hacking iPhone game savegames: Game Dev Story

Years ago I wrote about editing in-memory values with tools like Cheat Engine, to hack your game while you were playing it.
But there is another way to hack games: to edit their savegames.

I will use the great Game Dev Story game, which you should buy immediately if you have an iPhone. It is a simulation of a video game development company; we will hack/modify the company's money.

I will do it on this smartphone because, with so many games from developers of varying skill, probably not many of them have online-only storage or synchronization of the game state. Also, jailbreaking is an option but not too widespread, so many developers might assume that access to the phone's files is impossible.

So... I started a new game, saved as soon as I could, took note of the 500.0K balance and exited.

Screenshot of initial state

With a jailbroken iPhone that has OpenSSH installed you just need to connect to it. I use WinSCP under Windows to connect.

On my iPhone, the path we want to navigate to is:
/private/var/mobile/Applications/1E64F579-3EEC-495C-9C31-B179BEB06E0F/Library/Preferences
But the GUID in the path will be different on each device, so just search for 'gm08E' inside the Applications folder.

Once in that folder, copy the file 'com.kairosoft.gm08E.plist' to your PC and open it with a hexadecimal editor (I use the great Hex Workshop).

Remember the initial money amount? The 500.0K?
Since it shows one decimal place, we can assume the game simply shifts the decimal point and stores an integer; there is no need for floats just for one digit...
Also there is no need for negative numbers, so we'll try an unsigned type.

That trailing K may well be a literal, there to reinforce the fake feeling of managing large sums of money (a simple trick: instead of x1, make everything cost x1000). For this example we will directly ignore it (because I already know the solution), but usually you would have to search for both values, with and without the K.

So, since the iPhone is little-endian, the value 5000 (0x1388) becomes the byte sequence 88 13 (unsigned 16-bit int) or 88 13 00 00 (unsigned 32-bit int), and that is what we search for.

I was right: in my savegame I found it at offset 0x0000ACDF (after two tests, it turned out to be an unsigned 32-bit int).

We just change those bytes to 00 94 35 77 (2000000000, which is 0x77359400, written little-endian; a bit below the 32-bit int maximum) and save.

We copy the file back to the device's folder and run the game:

Screenshot of the game after hacking

Check the money again in the upper-right corner: it doesn't even fit, so it renders as all 9s :)

Remember that money doesn't equal happiness, so try not to cheat until you have finished your games at least once, or you will spoil the fun!

With this small post we've gone back to the early 90s, when hex editing strategy game saves was as easy as editing an offline iPhone game is now!

The best solutions to prevent this kind of editing are usually:

  • Encryption of the full savegame
  • Checksums stored somewhere else, to detect tampering with the savegame and reset it
  • Full online storage of saves (getting more common with "the Cloud")
  • Online storage of sensitive data (like money), so the critical stuff is safer

Safer, but if the sync code is not done properly you could still sniff the traffic and inject your values anyway!
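To tie together the search described above (display value to little-endian byte patterns, then locate and patch the field) and the checksum mitigation from the list, here is an added example in Python; it is not code from the post or from Game Dev Story. The savegame bytes are constructed filler, only the 0xACDF offset and the 500.0K value come from the post, and the HMAC key is a made-up demo value.

```python
import hashlib
import hmac
import struct

MONEY_OFFSET = 0xACDF  # offset found in the post; everything around it is constructed filler

def build_sample_save(money: int, size: int = 0xB000) -> bytearray:
    """Constructed stand-in for com.kairosoft.gm08E.plist: deterministic filler
    bytes with a 32-bit little-endian money field placed at MONEY_OFFSET."""
    save = bytearray((i * 7 + 3) & 0xFF for i in range(size))
    struct.pack_into("<I", save, MONEY_OFFSET, money)
    return save

def candidate_patterns(displayed: str) -> dict:
    """Turn the on-screen '500.0K' into the byte patterns the post searches for:
    shift the decimal point away, ignore the literal K, encode little-endian."""
    value = int(displayed.rstrip("K").replace(".", ""))  # "500.0K" -> 5000 (0x1388)
    return {"u16": struct.pack("<H", value), "u32": struct.pack("<I", value)}

def find_offsets(data: bytes, pattern: bytes) -> list:
    """Every offset at which pattern occurs (overlapping matches included)."""
    hits, pos = [], data.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = data.find(pattern, pos + 1)
    return hits

def patch_u32(data: bytearray, offset: int, value: int) -> None:
    """Overwrite a 32-bit little-endian field in place, like the hex editor does."""
    struct.pack_into("<I", data, offset, value)

def read_u32(data: bytes, offset: int) -> int:
    return struct.unpack_from("<I", data, offset)[0]

def seal(save: bytes, key: bytes) -> bytes:
    """Mitigation from the list above: append a keyed checksum (HMAC-SHA256)
    so the game can detect a hex-edited save and reset it."""
    return bytes(save) + hmac.new(key, save, hashlib.sha256).digest()

def verify(sealed: bytes, key: bytes) -> bool:
    """True only if the save body still matches its tag (constant-time compare)."""
    body, tag = sealed[:-32], sealed[-32:]
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag)
```

As in the post, both the 16-bit and 32-bit patterns match at the same offset, so two tests are needed to tell the width apart; a plain checksum stored next to the data would be just as editable, which is why the key (or storing the checksum elsewhere) matters.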

Comments?

Posted by Kartones on 2011-12-02