Android Software Reverse Engineering & Decompilation

Reverse Engineering Android Games: Finding Cheats in ARM64 NDK Code with IDA Pro

By Antigravity Research Published May 30, 2026 ⏱️ 7 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction to Android Game Reverse Engineering

Modern Android games often leverage the Native Development Kit (NDK) to compile performance-critical game logic into native libraries (.so files). This approach significantly enhances performance but also obfuscates the game’s core mechanics, making traditional Java/Kotlin decompilation insufficient for reverse engineering. For cheaters and security researchers alike, understanding how to analyze these native ARM64 binaries is crucial. This article delves into using IDA Pro to dissect ARM64 NDK code, specifically focusing on identifying potential cheat vectors in Android games.

Prerequisites for Native Code Analysis

Before diving into IDA Pro, ensure you have the following tools and a basic understanding of ARM64 assembly:

  • IDA Pro (Interactive Disassembler Professional): Essential for static analysis of native binaries.
  • Android SDK & Platform Tools: For ADB (Android Debug Bridge) to interact with devices.
  • Target Android Game APK: The application you intend to reverse engineer.
  • ARM64 Device or Emulator: To run and test findings, preferably rooted for dynamic analysis (though this article focuses on static analysis).
  • Basic Understanding of ARM64 Assembly: Familiarity with registers (X0-X30, W0-W30), common instructions (MOV, LDR, STR, ADD, SUB, CMP, B, BL), and calling conventions.

Acquiring and Analyzing the APK

The first step is to obtain the game’s APK and extract its native libraries. Most APKs are just ZIP archives.

  1. Download the APK: Use a tool like APKPure, APKMirror, or your device’s package manager (e.g., adb shell pm path your.package.name followed by adb pull <path>) to get the APK file.
  2. Extract Native Libraries: Rename the .apk file to .zip and extract its contents. Navigate to the lib/arm64-v8a/ directory. Here, you’ll find shared object files (e.g., libunity.so, libgame.so, libmain.so). These are the native ARM64 binaries we’ll analyze.
  3. Load into IDA Pro: Open IDA Pro and choose “New” or “File > Open”. Select the relevant .so file (e.g., libgame.so). IDA Pro will automatically detect the ARM64 architecture and begin analysis.

Navigating IDA Pro and ARM64 Basics

Upon loading, IDA Pro presents various views. The primary one is the “Disassembly View”, showing the raw ARM64 instructions. The “Functions Window” (Ctrl+F) lists all identified functions, and the “Strings Window” (Shift+F12) displays all detectable strings within the binary.

ARM64 Register Conventions

Understanding ARM64 registers is fundamental:

  • General-purpose registers: X0X30 (64-bit) or W0W30 (32-bit lower half of X registers).
  • Function arguments: Passed in X0X7 (or W0W7 for 32-bit values).
  • Return values: Returned in X0 (or W0).
  • Link Register (LR/X30): Stores the return address for function calls (BL instruction).
  • Stack Pointer (SP): Points to the top of the stack.

Common ARM64 Instructions

MOV X0, X1          ; Move value from X1 to X0 (64-bit)MOV W0, W1          ; Move value from W1 to W0 (32-bit)LDR X0, [X1]        ; Load 64-bit value from memory address in X1 into X0LDR W0, [X1, #0x4]  ; Load 32-bit value from X1+4 into W0STR X0, [X1]        ; Store 64-bit value from X0 into memory address in X1STR W0, [X1, #0x8]  ; Store 32-bit value from W0 into X1+8ADD X0, X0, X1      ; X0 = X0 + X1SUB X0, X0, #0x10   ; X0 = X0 - 16CMP X0, #0          ; Compare X0 with 0B.EQ loc_xxxx        ; Branch if equal to loc_xxxx (conditional branch)B loc_xxxx          ; Unconditional branch to loc_xxxxBL sub_xxxx         ; Branch with Link to function sub_xxxx (function call)RET                 ; Return from function

Identifying Game Logic and Interesting Functions

In a stripped binary (common for release builds), function names are often generic (e.g., sub_123456). We need to rely on other clues:

  1. Strings Window (Shift+F12): Look for game-related strings like “health”, “score”, “coin”, “damage”, “game over”, “level”, “currency”. Double-click on a string to jump to its reference. From there, identify the function that uses it.
  2. Cross-References (XREFs): Once you find a potentially interesting instruction or data reference, use IDA’s cross-reference feature (highlight and press X) to see where it’s used or modified. This helps trace data flow.
  3. API Calls: Many games interact with system APIs (e.g., for graphics, input, networking). Look for calls to standard library functions or Android NDK specific APIs. If symbols are present (rare for game logic), these can provide direct hints.
  4. Function Sizes and Complexity: Large, complex functions with many branches and loops often contain core game logic. Use the “Functions Window” to sort by size or complexity.

Deep Dive: Finding Cheats in ARM64 Assembly

The goal is to locate code that handles critical game values like health, currency, damage, or score. We’re looking for patterns of loading, modifying, and storing these values.

Example 1: Manipulating Health or Attributes

Consider a scenario where a player’s health is stored in memory. When damage occurs, the health value is decremented. Cheating might involve preventing this decrement or setting health to a fixed high value.

Search for code patterns involving LDR (load), arithmetic operations (SUB for damage, ADD for healing), and STR (store). Look for constant values used in conjunction with these operations. For instance, a fixed damage amount, or a health regeneration rate.

Here’s a simplified ARM64 snippet for health decrement:

; Assume X19 holds a pointer to the player object/struct.LDR W8, [X19, #0x40] ; Load current health (32-bit) from X19+0x40 into W8SUB W8, W8, W20       ; Decrement health by damage amount in W20CMP W8, #0            ; Compare health with 0B.LT loc_player_dead    ; If health < 0, branch to player_dead logicSTR W8, [X19, #0x40] ; Store updated health back to memory

Cheat Opportunity: You could target the SUB W8, W8, W20 instruction. If you were to patch this instruction to NOPs (No Operation) or MOV W8, W8 (effectively no change), the player would take no damage. Alternatively, changing SUB to ADD could turn damage into healing.

Example 2: Discovering Currency/Resource Cheats

Games often have in-game currency. Finding where this currency is awarded or spent is a prime target.

Look for functions that are called when a player collects an item or completes a task. These functions will likely involve LDR, ADD, and STR operations on a specific memory location.

Consider this pattern for adding currency:

; Assume X19 points to player's wallet structureLDR W0, [X19, #0x10] ; Load current currency amount (32-bit) from X19+0x10ADD W0, W0, W1       ; Add amount in W1 (e.g., coin value) to currencySTR W0, [X19, #0x10] ; Store new currency amount

Cheat Opportunity: If W1 is the amount added, finding where W1 is set allows you to potentially manipulate the awarded amount. For instance, if W1 is loaded from a constant #10 (for 10 coins), you could change that constant to a much larger value.

Alternatively, identify the location where W1 is loaded or computed. If W1 is derived from some calculation, you might find a hardcoded value being multiplied. Changing a multiplier from #1 to #100 (e.g., MUL W0, W0, #100) would give 100x currency.

Using IDA Pro’s Pseudo-code (F5)

For more complex functions, IDA Pro’s pseudo-code view (press F5) can be invaluable. While not always perfect, it provides a C-like representation of the assembly, making it easier to grasp the logic. Once you identify an interesting operation in pseudo-code, you can switch back to assembly to pinpoint the exact instructions for analysis or patching.

Ethical Considerations and Further Steps

Reverse engineering for personal use or security research is common. However, remember that modifying game binaries to gain an unfair advantage in online games typically violates terms of service and can lead to bans. Always practice responsible disclosure if you find vulnerabilities.

This article focused on static analysis. For more advanced cheat development, dynamic analysis using a debugger (like GDB or Frida) attached to the running game on a rooted device is the next logical step. This allows you to set breakpoints, inspect memory, and modify values in real-time, confirming your static analysis findings.

Conclusion

Reverse engineering ARM64 NDK code in Android games using IDA Pro is a powerful technique for understanding game mechanics and identifying potential cheat vectors. By familiarizing yourself with ARM64 assembly, effectively navigating IDA Pro’s features, and recognizing common code patterns for value manipulation, you can uncover the hidden logic within native game binaries. This foundational knowledge opens doors to deeper security research, vulnerability assessment, and, for some, the quest for unconventional gameplay experiences.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Reverse Engineering #ARM64 Assembly #Game Hacking #IDA Pro #NDK

Related Technical Guides

Cracking Protected MIPS/x86 Android Native Code: A Step-by-Step Unpacking Tutorial

May 30, 2026

Android RE Lab: Achieving RCE via Smali Code Patching in a Sample Application

May 29, 2026

Advanced Analysis: Pinpointing Compiler Optimizations in MIPS/x86 Android Executables

May 30, 2026