
[QUESTION] Unity game

Open Nucito opened this issue 3 years ago • 4 comments

First I would like to thank you immensely for this tool, and second I would like to ask if you have any example of modifying games made with Unity. I have a problem because 90% of games use RSA or AES to protect requests; is there any way to hook these functions?

Nucito avatar Aug 30 '22 21:08 Nucito

Hi @Nucito

So far I've had pretty good luck using these tools for Unity games (and games using other engines as well). In general, even if these games employ some level of encryption on the network traffic, you can typically modify the important values before they're sent over the network.

So for example, even if you can't easily modify the packet that says you have 1337 points, if you modify this value in memory you don't need to worry about the encryption at all. This is the methodology that Cetus uses. In the tutorial I used a single player game, but the same techniques apply to most multiplayer games I've encountered.

As far as actually defeating the encryption, that's a bit more difficult. Cetus' watchpoints and memory inspection can be helpful with reverse engineering, but it's still not a full reverse engineering framework. Unfortunately at this point there's just no equivalent to tools like IDA, Ghidra, etc. for WASM.

However, if you're able to identify the functions responsible for encryption and decryption, you can hook them or call them arbitrarily using WAIL. A few days ago I put together an example of calling internal WASM functions using WAIL.

I hope some of this was helpful. Let me know if you have other questions.

Jack

Qwokka avatar Aug 30 '22 22:08 Qwokka

Thank you for responding so quickly 😁 I thought it would take a lot longer. I have a question regarding the injection:

1 - Unity games make use of a .js file that contains the game's memory, in addition to some functions that the game needs to work. How could I use this file along with its lib?


Nucito avatar Aug 31 '22 01:08 Nucito

Here's a brief summary of how we handle WASM binaries in Cetus:

We start by hooking all functions that can be used to create a WebAssembly module. This includes:

* WebAssembly.Module
* WebAssembly.compile
* WebAssembly.compileStreaming
* WebAssembly.instantiate
* WebAssembly.instantiateStreaming

When any of these functions are called, we save the memory instance from the import object and run the binary through WAIL to make any changes to it. Then we call the "real" function we hooked with the modified binary and return that to the caller. This way, we can intercept WASM binaries without having to know anything about how the launcher is implemented.

Once the game has started running, we can use our stored reference to the memory instance to modify the game's memory.

You can find an example of all this in https://github.com/Qwokka/Cetus/blob/master/content/init.js

Qwokka avatar Aug 31 '22 02:08 Qwokka
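As an added example (not Cetus's or WAIL's own code), here is the interception mechanism described in the comment above, written as plain Node.js. It hooks `WebAssembly.Module`, `WebAssembly.compile` and `WebAssembly.instantiate` from the list above, plus the synchronous `WebAssembly.Instance` constructor (my addition, so the walk-through runs without promises; the two streaming variants follow the same pattern). The WAIL rewrite step is replaced by a stand-in, `inspectBinary`, that only walks the section table of the binary and returns the bytes unchanged; the sample module is a constructed 56-byte binary that imports `env.memory` and exports `get()`, which reads the i32 at address 0 of linear memory. The names `state`, `installHooks`, `captureMemory` and `demo` are this example's own, not Cetus's.

```javascript
"use strict";

// Added example, not Cetus/WAIL code. Originals are captured once, at load time,
// so installHooks() can be called more than once without nesting wrappers.
const real = {
  Module: WebAssembly.Module,
  Instance: WebAssembly.Instance,
  compile: WebAssembly.compile,
  instantiate: WebAssembly.instantiate,
};

const state = {
  memory: null,        // WebAssembly.Memory taken from the import object
  binariesSeen: [],    // section ids of each binary that passed through the hook
};

// Constructed sample module: imports env.memory (min 1 page) and exports
// "get": () -> i32, whose body is `i32.const 0; i32.load align=2 offset=0`.
const SAMPLE_WASM = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,             // magic + version
  0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7f,                   // type: () -> i32
  0x02, 0x0f, 0x01, 0x03, 0x65, 0x6e, 0x76,                   // import "env"
  0x06, 0x6d, 0x65, 0x6d, 0x6f, 0x72, 0x79, 0x02, 0x00, 0x01, //   "memory", min 1
  0x03, 0x02, 0x01, 0x00,                                     // function: type 0
  0x07, 0x07, 0x01, 0x03, 0x67, 0x65, 0x74, 0x00, 0x00,       // export "get" func 0
  0x0a, 0x09, 0x01, 0x07, 0x00, 0x41, 0x00, 0x28, 0x02, 0x00, 0x0b, // code
]);

function toBytes(source) {
  if (source instanceof ArrayBuffer) return new Uint8Array(source);
  return new Uint8Array(source.buffer, source.byteOffset, source.byteLength);
}

// Unsigned LEB128 as used for every section size in the binary format.
function readU32(b, pos) {
  let result = 0, shift = 0;
  for (;;) {
    const byte = b[pos++];
    result |= (byte & 0x7f) << shift;
    if ((byte & 0x80) === 0) break;
    shift += 7;
  }
  return [result >>> 0, pos];
}

// Stand-in for the WAIL rewrite step: check the magic, record the section ids,
// return the bytes untouched. A real rewrite would emit a new binary here.
function inspectBinary(source) {
  const b = toBytes(source);
  if (b[0] !== 0x00 || b[1] !== 0x61 || b[2] !== 0x73 || b[3] !== 0x6d) {
    throw new Error("not a WebAssembly binary");
  }
  const ids = [];
  let pos = 8;
  while (pos < b.length) {
    const id = b[pos++];
    let size;
    [size, pos] = readU32(b, pos);
    ids.push(id);
    pos += size;
  }
  state.binariesSeen.push(ids);
  return b;
}

// Save the first WebAssembly.Memory found anywhere in the import object.
function captureMemory(importObject) {
  if (!importObject) return;
  for (const mod of Object.values(importObject)) {
    if (!mod || typeof mod !== "object") continue;
    for (const value of Object.values(mod)) {
      if (value instanceof WebAssembly.Memory) { state.memory = value; return; }
    }
  }
}

function installHooks() {
  WebAssembly.Module = function Module(bytes) {
    return new real.Module(inspectBinary(bytes)); // returning an object overrides `new`
  };
  WebAssembly.Module.prototype = real.Module.prototype;   // keep instanceof working
  Object.setPrototypeOf(WebAssembly.Module, real.Module); // keep Module.imports/exports
  WebAssembly.Instance = function Instance(module, importObject) {
    captureMemory(importObject);
    return new real.Instance(module, importObject);
  };
  WebAssembly.Instance.prototype = real.Instance.prototype;
  WebAssembly.compile = function compile(bytes) {
    return real.compile.call(WebAssembly, inspectBinary(bytes));
  };
  WebAssembly.instantiate = function instantiate(source, importObject) {
    captureMemory(importObject);
    // An already compiled Module has no bytes to rewrite; only raw bytes go through.
    const src = source instanceof real.Module ? source : inspectBinary(source);
    return real.instantiate.call(WebAssembly, src, importObject);
  };
}

// Walk-through: the "launcher" creates the module normally; the hooks see it anyway,
// and the captured memory lets us change the value the game reads without touching
// the game's own code paths.
function demo() {
  installHooks();
  const memory = new WebAssembly.Memory({ initial: 1 });
  const module = new WebAssembly.Module(SAMPLE_WASM);
  const instance = new WebAssembly.Instance(module, { env: { memory } });
  const before = instance.exports.get();
  new Uint32Array(state.memory.buffer)[0] = 1337; // write through the captured memory
  const after = instance.exports.get();
  return { captured: state.memory === memory, before, after, sections: state.binariesSeen[0] };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

The `prototype` and `setPrototypeOf` lines matter in practice: a launcher that checks `x instanceof WebAssembly.Module` or calls `WebAssembly.Module.imports(m)` still works after the hook is installed, which is what lets this sit in front of a launcher without knowing how it is implemented.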

Thx, I will see the code and again thanks for this beautiful library 😁

PS: I sent a pull request correcting the searchParam in Cetus

Nucito avatar Aug 31 '22 17:08 Nucito