
Hey. I hope this post will not lead to bad consequences and everything will be fine and the world will be filled with light! Why is everything so bad in social games?
I had a free weekend and dedicated it to one interesting case: identifying weak points in application security. Since I work mostly with Unity, I took games created on this engine. I should note right away that I am not a professional and had no experience with this kind of analysis. I knew how the user is authenticated and how his id is validated (it is in the documentation), plus C# (no way around it). Four applications fell into my hands, and all four had holes; in the last one, such that one could get access to the "server methods". How did it happen?
1. Tools
Wandering through the expanses of the web, I came across the Unity 3D Obfuscator program, which has the following features:
- protection against decompilation;
- obfuscation (renaming to a meaningless set of characters) of object names (classes, functions, properties, etc.);
- tangling the flow graph;
- unpacking Unity3D projects;
- removal of event metadata and properties.
Just unpacking the .unity3d (web build) file will allow you to get the .dll files that will come in handy later. So first of all I downloaded and installed Unity 3D Obfuscator.
For disassembly I dug up ILSpy (free). The ability to view C# <-> IL code is very useful, but more on that later ...
Unity3D + VS2012 let me quickly write a small application for tests.
2. The process
First of all, I got the viewer_id and auth_key from the page's HTML source for a specific application. The latter, by the way, is unique for each user + application pair. There you can also find the url for the iframe, where you can find the path to the .unity3d file. Copy / Paste to Notepad++.

(html source)
Then I ran into the fact that in one application the extension had been replaced with .pdf. Why this was done is a mystery to me, but it was easy to download the file using DownloadMaster and rename it to its original format (if anyone knows what the benefit of pdf is, write in the comments plz, very interesting).
Then, using Unity 3D Obfuscator, I unpacked the build and got dll files at the output. Assembly-CSharp.dll is what we need! Having made 0.5l of coffee, I continued to study the handcuffs ...

(Unity 3D Obfuscator)
Now the task was to find the data transfer point in the code and, if there is a signature, the mechanism for signing the content.
ILSpy swallowed the assembly very quickly and produced a long list of classes. Using some ingenuity, I typed Network into the search, but the search led only to classes belonging to Photon Cloud. Not that, moving on. A few minutes later I found someone's id-auth_key pair (as it turned out, the application admin's). After some time, the address of the server to which requests are sent.
I used the "Used By" links to find where it is used: the methods that call the game server API.
If everything was simple with the first application (take it and substitute your data), then I had to tinker more with the others, because an attempt to send a request ended with a “Hello Mazafacka” response from the server.
Something is missing ... I look at a method called Md5Sum and I understand that the hash is missing! But how to build it? We look into the code:
private IEnumerator UpdateScor(string vid, ...)
{
    df.c__Iterator20 c__Iterator = new df.c__Iterator20();
    c__Iterator.viewer_id = vid;
    ...
    return c__Iterator;
}
. ...
- yield return , , , . df.c__Iterator20 ... . IL . , . , (string.concat) (MD5(string.concat)). !
, , , - ( , 0).
:
0. - ~6 .
1. 3 - , ..
2. App_Secret! , ...
? ( )
1. - . . .
2. . : ( ), .
3. , -.
. . , -(>1 000 000 ), , , .
, . - ? , . , ArtMoney ?( ) -?( 5)
, , ?
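The client-side MD5(string.concat) signing and the App_Secret found in the build point at the server-side fix, sketched here as an added example that is not code from the post or from any of the games. It assumes the platform derives auth_key as an MD5 over application id, viewer id and a secret held only by the server (the post only says the check is in the documentation); APP_ID, APP_SECRET, MAX_SCORE_PER_REQUEST and the function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed values for this example; the secret exists only on the server.
APP_ID = "1234567"
APP_SECRET = "constructed-secret-never-shipped-in-client"
MAX_SCORE_PER_REQUEST = 10_000   # hypothetical game rule
SESSIONS = {}                    # session token -> verified viewer_id
SCORES = {}                      # viewer_id -> total score


def expected_auth_key(viewer_id: str) -> str:
    # Assumed scheme: md5(app_id + "_" + viewer_id + "_" + app_secret).
    raw = f"{APP_ID}_{viewer_id}_{APP_SECRET}"
    return hashlib.md5(raw.encode("utf-8")).hexdigest()


def verify_auth_key(viewer_id: str, auth_key: str) -> bool:
    if not viewer_id.isdigit():
        return False
    # Constant-time comparison on bytes, so odd input cannot raise.
    return hmac.compare_digest(expected_auth_key(viewer_id).encode(),
                               auth_key.lower().encode("utf-8"))


def open_session(viewer_id, auth_key):
    """Issue a random per-session token only after auth_key checks out."""
    if not verify_auth_key(viewer_id, auth_key):
        return None
    token = secrets.token_hex(32)
    SESSIONS[token] = viewer_id
    return token


def update_score(token, claimed_viewer_id, delta) -> bool:
    """Accept a score update only for the viewer the session was opened for."""
    viewer_id = SESSIONS.get(token)
    if viewer_id is None or viewer_id != claimed_viewer_id:
        return False
    if not isinstance(delta, int) or not 0 <= delta <= MAX_SCORE_PER_REQUEST:
        return False
    SCORES[viewer_id] = SCORES.get(viewer_id, 0) + delta
    return True
```

Nothing the client ships is trusted here: the build contains no secret, and a token is only valid for the viewer_id whose auth_key the server itself recomputed.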