HomeArticlesCommunity ProductsPremium ProductsGitHubTalsec Website

Preventing Piracy and Cheating in Games: A Guide to Countering GameGuardian with Talsec

What is GameGuardian?

Game cheating has long been a thorn in the side of mobile game developers, undermining the very integrity of their creations. While the PC gaming landscape has evolved with sophisticated, kernel-level security like Riot's Vanguard and Valve's Anti-Cheat, the Android ecosystem faces its own persistent threats. On this front, notorious tools like GameGuardian continue to hand attackers a God mode allowing them to rewrite the rules of any vulnerable game. Instead of earning their victories through skill, users deploy this tool to scan a game's live memory and directly manipulate critical values such as coins, health, or experience points, completely shattering the intended game balance.

How GameGuardian Shatters Fair Play

GameGuardian's method of attack is deceptively simple yet profoundly damaging: it latches onto a live game process, acting as an unauthorized window into its memory. Once attached, it can read and rewrite data at will, leading to a cascade of devastating consequences that compromise a game on financial, social, and technical levels.

Economic Collapse

Financially, the tool triggers an economic collapse by rendering in-app purchases (IAPs) worthless. When attackers can grant themselves infinite premium currency or exclusive items, the entire revenue model that funds the game's development and maintenance is destroyed, as there is no longer any incentive for legitimate purchases.

Erosion of Fair Play

Socially, it erodes the foundation of fair play . The tool devalues the time and dedication of legitimate players, causing immense frustration. This is especially catastrophic in multiplayer games, where cheaters with manipulated stats can dominate competitions, making the experience unplayable for the honest community and leading to a mass exodus of players.

Compromised Integrity

Technically, it compromises the game's core integrity . The danger goes far beyond simple currency cheats. Attackers can alter any unprotected memory value to grant themselves impossible speed, create one-hit-kill weapons, or bypass entire questlines by changing a single variable. In essence, it turns the game's carefully designed rules into a broken and exploitable sandbox.

From Zero to Infinite: A Practical GameGuardian Demonstration

  • Upon launching the GameGuardian application, tapping the Start button initiates its core service. The application operates in one of two modes, depending on the device's privileges:

    • On a rooted device, GameGuardian leverages superuser permissions to directly attach to the target game's process. This allows it to read and modify memory, states, and variables with high-level privileges.

    • On a non-rooted device, it relies on a virtual environment. This involves using an app cloning or multi-instancing application (like Parallel Space) to run both GameGuardian and the target game inside a contained sandbox. Within this virtual space, GameGuardian can gain the necessary permissions to hook and modify the game process.

For this demonstration, I have developed a demo game called Cosmic Clicker The core mechanics is straightforward: players tap the planet on screen to generate clicks, which function as the in-game currency.

The game's core loop involves a simple, client-side resource accumulation. This type of repetitive mechanic, where the currency value is managed locally, is highly vulnerable to memory editing. Let's now illustrate this vulnerability by using GameGuardian to manipulate the clicks value directly:

Now that we've successfully isolated the memory address for the clicks variable, we have complete control over its value. For now, I will modify it and set it to 101:

And just like that, our click count is now 101, achieved instantly by bypassing the game's core mechanic of repetitive tapping.

Crucially, this modification is completely invisible to the game's logic. The application now trusts this illegitimate value as authentic, meaning my new high score of 111 will be treated as a valid achievement.

Let's take this a step further and modify the clicks value again to further increase the high score:

Now it would be quite difficult to get us out of the global leaderboard. :P

But what to do if we want to buy something from the store ? The store purchase fails even with our hacked score, revealing that the game's display value is separate from its functional currency:

Let's just modify the value of total available clicks in the store:

Now we have enough to buy the first planet and that too without any hardwork:

And we got what we wanted:

This demonstration highlights the critical vulnerability of client-side authoritative games. A memory editing tool like GameGuardian can easily manipulate local data to provide unfair advantages, and in doing so, it effectively breaks the logic governing in-app purchases, rendering the monetization system obsolete.

Under The Hood

GameGuardian works on the principle of Hooking by ptrace. It modifies the /proc/<pid>/mem virtual file to modify the process's memory as well as open its memory as a file descriptor to read the memory in real-time.

GameGuardian also supports Lua scripting which is used to inject advanced hacks in the target process.

  • This is the debug library for the lua engine embedded games. It is used to hook these type of games and modify the values as wanted:

This class section provides the feature of persistence of values of the addresses or freezing of values in different instances of the game, so that the attacker doesn't have to apply the same hacks again and again:

This section is responsible for opening the target game's process as the file descriptor so it can be operated on in real-time:

Here GameGuardian is trying to hook the native code library of the target process' application to be able to modify it or load it virtually and read it in real-time:

This is the main hooking section of the tool that modifies the states and the values at various addresses of the target process. It is able to overwrite or do operations on any datatype present in the memory of the game:

This is the class responsible for Speedhack and Time jump features of the GameGuardian tool that either increases the speed of the game or makes it see a modified time value inside the system as the user wants:

How Talsec's RASP Fights Back ?

Developers around the globe pour immense time and resources into crafting balanced and successful games. Unfortunately, tools like GameGuardian can dismantle that balance by providing unfair advantages and breaking the fundamental integrity of the gameplay. This is where in-app protection becomes crucial.

Let's see what happens when a game is fortified with Talsec's RASP SDK (threat callbacks implemented as Toast messages used for a demo):

Talsec's Runtime Application Self-Protection (RASP) actively monitors the device for security risks, using real-time callbacks to inform the application of any detected threats. Its detection capabilities go beyond standard checks for rooting and debuggers to include the identification of app cloning and multi-instancing frameworks. This ensures comprehensive protection across various attack vectors, blocking malicious tools from operating whether they are on a `rooted device` or within a cloned environment on a non-rooted device.

written by Akshit Singh

PreviousAppiCrypt Against Time Spoofing: From Free Trial Abuse to License Fraud and Audit Log CorruptionNextIntroducing Multi-Instancing Detection for freeRASP

Last updated

Was this helpful?