# Mobile Game Security

## Overview

This skill covers mobile security resources from the awesome-game-security collection, focusing on Android and iOS game security research, reverse engineering, and protection bypass techniques.
## Android Security

### APK Analysis

#### Tools

- apktool: Decompile/recompile APKs
- jadx: DEX to Java decompiler
- APKiD: Identify packers/protectors
- Frida: Dynamic instrumentation
- APKLab: VS Code integration

#### Workflow

```bash
# Decompile APK
apktool d game.apk

# Analyze DEX files
jadx -d output game.apk

# Identify protection
apkid game.apk
```

### Native Library Analysis

#### IL2CPP Games (Unity)

1. Extract libil2cpp.so from APK
2. Use IL2CPP Dumper to generate headers
3. Analyze with IDA/Ghidra
4. Hook using Frida or native hooks

#### Native Games

1. Identify target libraries (.so files)
2. Analyze with reverse engineering tools
3. Pattern scan for functions
4. Apply hooks/patches

### Memory Manipulation

#### Tools

- GameGuardian: Memory editor
- Cheat Engine (ceserver): Remote debugging
- Custom memory tools: Direct /proc/pid/mem access

#### Access Methods

```c
#include <fcntl.h>
#include <unistd.h>

// Via /proc filesystem ("pid" stands for the target process id)
int fd = open("/proc/pid/mem", O_RDWR);
// Read/write the caller's buffer at the target's virtual address
pread64(fd, buffer, size, address);
pwrite64(fd, buffer, size, address);
```

### Hooking Frameworks

#### Frida

```javascript
// Basic function hook
Interceptor.attach(Module.findExportByName("libgame.so", "function_name"), {
  onEnter: function(args) {
    console.log("Called with: " + args[0]);
  },
  onLeave: function(retval) {
    retval.replace(0);
  }
});
```

#### Native Hooks

- Substrate: Inline hooking framework
- And64InlineHook: ARM64 inline hooks
- xHook: PLT hook library
- Dobby: Multi-platform hook framework

### Root Detection Bypass

#### Common Checks

- /system/bin/su existence
- /system/xbin/su existence
- Build.TAGS contains "test-keys"
- ro.build.selinux property
- Magisk files/folders
- Package manager checks
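
As an added example (not code from the awesome-game-security collection), the file-system and Build.TAGS checks from the list above implemented in native code. The `/sbin/.magisk` probe is assumed here as the "Magisk files" check, and `build_tags` is assumed to be handed in from Java or read from the `ro.build.tags` property.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

// Paths probed by the checks above: the two su locations plus a directory
// that older Magisk releases created (assumed here as the "Magisk files" probe).
static const char *const kRootPaths[] = {
    "/system/bin/su", "/system/xbin/su", "/sbin/.magisk"
};

// Runs the file-system and build-tag checks. `build_tags` is the value of
// Build.TAGS, assumed to be passed in from Java (JNI) or read from the
// ro.build.tags property. Each indicator found is stored in `hits`;
// the return value is the number of indicators.
int root_indicators(const char *const *paths, size_t n_paths,
                    const char *build_tags,
                    const char *hits[], size_t max_hits) {
    size_t found = 0;
    for (size_t i = 0; i < n_paths && found < max_hits; i++) {
        // access(2) with F_OK only asks whether the path exists
        if (access(paths[i], F_OK) == 0) hits[found++] = paths[i];
    }
    // Engineering and custom-ROM builds are signed with test-keys
    if (build_tags && strstr(build_tags, "test-keys") && found < max_hits)
        hits[found++] = "Build.TAGS contains test-keys";
    return (int)found;
}

int main(void) {
    const char *hits[8];
    size_t n = sizeof kRootPaths / sizeof kRootPaths[0];
    // "test-keys" is a constructed input; a retail device reports "release-keys"
    int count = root_indicators(kRootPaths, n, "test-keys", hits, 8);
    for (int i = 0; i < count; i++) printf("indicator: %s\n", hits[i]);
    return 0;
}
```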

#### Bypass Methods

- Magisk Hide: Built-in root hiding
- LSPosed/EdXposed: Xposed framework hooks
- Frida scripts: Hook detection functions
- APK patching: Remove detection code

#### Zygisk Modules

```cpp
#include "zygisk.hpp"

// Zygisk module structure
class Module : public zygisk::ModuleBase {
public:
    void onLoad(zygisk::Api *api, JNIEnv *env) override {
        this->api = api;
        this->env = env;
    }
    void preAppSpecialize(zygisk::AppSpecializeArgs *args) override {
        // Before app loads
    }
    void postAppSpecialize(const zygisk::AppSpecializeArgs *args) override {
        // After app loads - inject here
    }
private:
    zygisk::Api *api = nullptr; // saved in onLoad for later use
    JNIEnv *env = nullptr;
};

// Registers the module with Zygisk
REGISTER_ZYGISK_MODULE(Module)
```

### Android Protections

#### Common Protectors

Common Protectors
常见保护器
- Tencent ACE: Chinese market protection
- AppSealing: Commercial protection
- DexGuard/ProGuard: Obfuscation
- Arxan: Enterprise protection

## iOS Security

### Analysis Tools

- Hopper: Disassembler
- IDA Pro: Industry standard
- class-dump: Objective-C header extraction
- Frida: Dynamic instrumentation
- Clutch/dumpdecrypted: App decryption

### Jailbreak Tools

- H5GG: iOS cheat engine
- Flex: Runtime patching
- Cycript: Runtime manipulation
- ceserver-ios: Cheat Engine for iOS

### Hooking (Jailbroken)

```objc
// Using Logos (Theos)
%hook TargetClass
- (int)targetMethod:(int)arg {
    int result = %orig;
    return result * 2; // Modify return
}
%end
```

### Non-Jailbreak Techniques

- Sideloading: Modified IPAs
- Enterprise certificates: Custom signing
- AltStore: Self-signing tool

## Unity Mobile Games

### IL2CPP Analysis

1. Locate libil2cpp.so (Android) or UnityFramework (iOS)
2. Find global-metadata.dat
3. Run IL2CPPDumper
4. Generate SDK/headers
5. Hook target functions

### Mono Analysis

1. Extract managed DLLs
2. Decompile with dnSpy/ILSpy
3. Modify and repackage
4. Or hook at runtime

### Common Targets

- Currency/coins values
- Player stats (health, damage)
- Inventory manipulation
- Premium unlocks
- Ad removal

## Unreal Mobile Games

### Analysis Approach

1. Identify UE version
2. Dump SDK using appropriate tool
3. Locate GObjects, GNames
4. Find target functionality
5. Apply memory patches or hooks

## Overlay Rendering (Android)

### Surface-Based

```cpp
#include <android/native_window_jni.h>

// Native surface overlay: get the native window behind a Java Surface
ANativeWindow* window = ANativeWindow_fromSurface(env, surface);
// Render using OpenGL ES or Vulkan
```

### ImGui Integration

- Zygisk + ImGui modules
- Surface hijacking
- Direct framebuffer access

## Network Analysis

### Tools

- mitmproxy: MITM proxy
- Charles Proxy: Traffic analysis
- Frida SSL bypass: Certificate pinning bypass

### Certificate Pinning Bypass

```javascript
// Frida universal SSL bypass
Java.perform(function() {
  // Resolve the interface the replacement trust manager implements
  var X509TrustManager = Java.use("javax.net.ssl.X509TrustManager");
  var TrustManager = Java.registerClass({
    name: "com.example.PermissiveTrustManager", // placeholder class name
    implements: [X509TrustManager],
    methods: {
      checkClientTrusted: function() {},
      checkServerTrusted: function() {},
      getAcceptedIssuers: function() { return []; }
    }
  });
  // Install custom TrustManager
});
```

## Anti-Cheat on Mobile

### Common Systems

Common Systems
常见系统
- Tencent ACE: Chinese games
- NetEase Protection: NetEase games
- Custom solutions: Per-game implementations

### Detection Methods

- Root/jailbreak detection
- Frida detection
- Emulator detection
- Integrity checks
- Debugger detection
- Hook detection
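
As an added example (not code from the awesome-game-security collection), the Frida-detection and hook-detection checks from the list above implemented as a scan of the process's `/proc/<pid>/maps`. The library-name substrings and the sample maps dump are assumptions constructed here.

```c
#include <stdio.h>
#include <string.h>

// Substrings identifying the hooking frameworks named on this page
// (e.g. libfrida-gadget.so, libsubstrate.so, libxhook.so, libdobby.so).
static const char *const kHookLibs[] = { "frida", "substrate", "xhook", "dobby" };

// Classifies one /proc/<pid>/maps line: rwx regions (inline hooks commonly
// leave writable code) or files named like a hook library are suspicious.
const char *suspicious_mapping(const char *line) {
    char perms[8] = {0}, path[256] = {0};
    // Line format: start-end perms offset dev inode [path]
    if (sscanf(line, "%*s %7s %*s %*s %*s %255s", perms, path) < 1) return NULL;
    if (strncmp(perms, "rwx", 3) == 0) return "rwx mapping";
    for (size_t i = 0; i < sizeof kHookLibs / sizeof kHookLibs[0]; i++)
        if (strstr(path, kHookLibs[i])) return "hook library mapped";
    return NULL;
}

// Walks a complete maps dump (one mapping per line), prints each finding
// and returns the number of suspicious regions.
int scan_maps(const char *maps) {
    int hits = 0;
    char line[512];
    for (const char *p = maps; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        const char *why = suspicious_mapping(line);
        if (why) { hits++; printf("%s: %s\n", why, line); }
        if (!nl) break;
        p = nl + 1;
    }
    return hits;
}

// Constructed sample dump (not captured from a real device): libc, a plain
// anonymous rw region, an anonymous rwx region and a Frida gadget library.
static const char *const kSampleMaps =
    "7f000000-7f001000 r-xp 00000000 fd:00 1234 /system/lib64/libc.so\n"
    "7f002000-7f003000 rw-p 00000000 00:00 0\n"
    "7f004000-7f005000 rwxp 00000000 00:00 0\n"
    "7f006000-7f007000 r-xp 00000000 fd:00 5678 /data/app/libfrida-gadget.so\n";

int main(void) {
    printf("suspicious mappings: %d\n", scan_maps(kSampleMaps));  // prints 2
    return 0;
}
```

On a device the same functions would be fed the contents of `/proc/self/maps`; a hit is a signal to corroborate with the other checks, not proof on its own.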

### Bypass Strategies

1. Static analysis of detection code
2. Hook detection functions
3. Hide injection footprint
4. Timing attack consideration
5. Clean environment emulation

## Emulator Considerations

### Android Emulators

- LDPlayer: Gaming focused
- BlueStacks: Popular emulator
- NoxPlayer: Game optimization
- MEmu: Android gaming

### Emulator Detection

- Build.FINGERPRINT checks
- Hardware sensor verification
- File system characteristics
- Performance timing

## Resource Organization

The README contains:
- Android hooking frameworks
- iOS jailbreak tools
- Memory manipulation utilities
- Root/jailbreak bypass tools
- Mobile anti-cheat research
- Emulator resources

## Data Source

Important: This skill provides conceptual guidance and overview information. For detailed information including:
- Specific GitHub repository links
- Complete project lists with descriptions
- Up-to-date tools and resources
- Code examples and implementations
Please fetch the complete data from the main repository:
https://raw.githubusercontent.com/gmh5225/awesome-game-security/refs/heads/main/README.md

The main README contains thousands of curated links organized by category. When users ask for specific tools, projects, or implementations, retrieve and reference the appropriate sections from this source.