Capturing Whiteout Survival traffic

How to capture HTTP(S) traffic from Whiteout Survival

I am using a BlueStacks emulator with Android 9, but this can also be done on a physical rooted phone.
This guide may not work on an Android 11 emulator.

Needed software

Preparing BlueStacks

  1. Find bluestacks.conf on your PC
    It should be in the BlueStacks_nxt folder, in one of these places:

    • C:\Program Files\BlueStacks\BlueStacks_nxt\bluestacks.conf (I had it here) or
    • C:\ProgramData\BlueStacks_nxt\bluestacks.conf or
    • C:\ProgramData\BlueStacks_nxt\Engine\bluestacks.conf
  2. Change two options from "0" to "1" to enable root access
    (The key names can carry different prefixes, e.g. bst.feature.rooting and bst.instance.Pie64.enable_root_access; only the suffix matters.)

    • feature.rooting="1"
    • enable_root_access="1"
  3. Enable ADB. Go to the emulator settings and switch on Android Debug Bridge (ADB)
    (screenshot: ADB setting)
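The bluestacks.conf edit from step 2, done with a script that matches the two keys by suffix so the prefix does not matter. This is an added example, not code from the original guide; the bst. and bst.instance.Pie64. prefixes in SAMPLE_CONF are assumed, only the key suffixes come from the guide.

```python
"""Flip the two root-enabling keys in bluestacks.conf, whatever prefix they carry.

Added example, not from the original guide. Only the key suffixes
``feature.rooting`` and ``enable_root_access`` are taken from the guide; the
prefixes used in SAMPLE_CONF below are assumed.
"""
import re
import shutil
from pathlib import Path
from typing import Dict, List, Tuple

TARGET_SUFFIXES = ("feature.rooting", "enable_root_access")

# Matches a line such as  bst.instance.Pie64.enable_root_access="0"
# Any dotted prefix is accepted; only the suffix and the quoted value matter.
ROOT_KEY_RE = re.compile(
    r'^(?P<key>[\w.\-]*?(?:feature\.rooting|enable_root_access))="(?P<val>[^"]*)"\s*$'
)


def enable_root(conf_text: str) -> Tuple[str, Dict[str, str]]:
    """Return the rewritten config and {full key: old value} for every key changed.

    Lines that already carry "1" and all unrelated lines are left untouched, so
    running this twice is harmless.
    """
    out, changed = [], {}
    for line in conf_text.splitlines():
        m = ROOT_KEY_RE.match(line)
        if m and m.group("val") != "1":
            changed[m.group("key")] = m.group("val")
            line = f'{m.group("key")}="1"'
        out.append(line)
    text = "\n".join(out)
    if conf_text.endswith("\n"):
        text += "\n"
    return text, changed


def missing_keys(conf_text: str) -> List[str]:
    """Report which of the two expected key suffixes do not appear at all."""
    present = set()
    for line in conf_text.splitlines():
        m = ROOT_KEY_RE.match(line)
        if m:
            present.update(s for s in TARGET_SUFFIXES if m.group("key").endswith(s))
    return [s for s in TARGET_SUFFIXES if s not in present]


def patch_file(path: str) -> Dict[str, str]:
    """Edit bluestacks.conf in place, keeping a .bak copy of the original first."""
    p = Path(path)
    shutil.copy2(p, p.with_name(p.name + ".bak"))
    text, changed = enable_root(p.read_text(encoding="utf-8"))
    p.write_text(text, encoding="utf-8")
    return changed


# Constructed sample; the prefixes are assumed, not copied from a real install.
SAMPLE_CONF = """\
bst.feature.rooting="0"
bst.instance.Pie64.enable_root_access="0"
bst.instance.Pie64.adb_port="5555"
"""

if __name__ == "__main__":
    new_text, what_changed = enable_root(SAMPLE_CONF)
    print(new_text)
    print("changed:", what_changed, "missing:", missing_keys(new_text))
```

Run patch_file() against the bluestacks.conf path you found in step 1 while BlueStacks is closed; if missing_keys() reports a suffix, the file does not contain that setting and the edit will not enable root on its own.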

Preparing PCAPdroid

  1. Install and open the app
    (screenshot: PCAPdroid icon)

  2. Go to the settings
    (screenshot: PCAPdroid settings)

  3. Set up the PCAPdroid CA certificate for TLS decryption

  • Find the TLS decryption setting and switch it on.
    (screenshot: PCAPdroid TLS decryption setting)
    • It opens a MITM setup wizard and asks you to download the PCAPdroid-mitm companion app.
    • Install it from the APK file the wizard offers.
  • After installing, click Next at the bottom; it then asks you to install the PCAPdroid CA certificate.
    This installs it as a user certificate, which we will later have to move to the system (root) CA store.
    (screenshot: PCAPdroid certificate)
    • Install the certificate with the Install button at the bottom.

Moving the PCAPdroid CA certificate to the system (root) CA store

This part can brick your BlueStacks emulator. Do it carefully!

Now comes the worst part. The PCAPdroid certificate is normally installed as a user certificate, and if you start the capture as is, Whiteout Survival refuses the connections: since Android 7, apps by default trust only the system CA store and not user-installed certificates, so the game's TLS client rejects the MITM certificate that PCAPdroid presents. Moving the certificate into the system store makes it trusted like a built-in root, and the game then sends its traffic through the PCAPdroid VPN without complaint. (This only helps against the default trust check; an app that pins its own certificate would still refuse the connection.)

  1. Close BlueStacks

  2. I used this guide to move the user certificate to the root certs, but it came with read/write problems, so here's my guide on it:

    • Go to your BlueStacks_nxt folder, then to Engine, and there find your emulator's folder. If you have installed the Android 9 version it is most likely called Pie64.
      (screenshot: Pie64 folder)
    • Inside you'll find two .bstk files: one is the main file, the other is a backup.
      (screenshot: inside the Pie64 folder)
    • Delete the Pie64.bstk-prev file and open Pie64.bstk in a text editor. (There might also be a HyperVM.json file with a similar config. It should be safe to delete it; having it there messed with my setup, so I deleted it and it works.)
    • Inside Pie64.bstk you'll find a HardDisks tag with the hard disks listed, like this:
      <MediaRegistry>
          <HardDisks>
              <HardDisk uuid="{20131fc8-e33c-43ec-bb32-24b184a349f7}" location="fastboot.vdi" format="VDI" type="Readonly"/>
              <HardDisk uuid="{8e0166f0-8566-4448-a32b-b7142ff58539}" location="Root.vhd" format="VHD" type="Normal"/>
              <HardDisk uuid="{52439b89-88eb-4dfa-92c0-1f7bdc85fc0f}" location="Data.vhdx" format="VHDX" type="Normal"/>
          </HardDisks>
      </MediaRegistry>

      Find the HardDisk entry whose location is Root.vhd; on a fresh install its type is Readonly (the listing above already shows it after the change). Change the type to Normal, leave fastboot.vdi as Readonly, save the file and start BlueStacks.
      After BlueStacks opens, close it again and check that your edit survived and was not overwritten from a backup. If it was, change it again.
  3. After successfully changing the file, open the Terminal app or just a plain CMD/PowerShell window and connect to BlueStacks via ADB.
    Keep BlueStacks open for ADB to work.
    Use the following commands to move the certificate:

    > adb connect 127.0.0.1:5555                    # connect to bluestacks using adb
    connected to 127.0.0.1:5555
    > adb devices -l                                # check that the emulator is connected and note its transport_id
    127.0.0.1:5555         device product:p3sxxx model:SM_G998B device:p3s transport_id:1
    emulator-5554          device product:p3sxxx model:SM_G998B device:p3s transport_id:3
    > adb -t 1 root                                 # restart adbd as root on transport 1
    > adb devices -l                                # the transport_id changes after the restart, so check it again
    127.0.0.1:5555         device product:p3sxxx model:SM_G998B device:p3s transport_id:2
    emulator-5554          device product:p3sxxx model:SM_G998B device:p3s transport_id:4
    > adb -t 2 shell                                # open a shell on the new transport
    p3s:/ $ su                                      # become root (the shell may already be root after adb root)
    p3s:/ # mount -o rw,remount /system             # remount the system partition read/write
    p3s:/ # ls /data/misc/user/0/cacerts-added/     # user-installed CA certs live here
    81c450f1.0                                      # the file name is the OpenSSL subject_hash_old of the CA; yours may differ
    p3s:/ # mv /data/misc/user/0/cacerts-added/81c450f1.0 /etc/security/cacerts/81c450f1.0 # move the cert into the system store
    p3s:/ # chown root:root /etc/security/cacerts/81c450f1.0 # match the owner of the other system certs
    p3s:/ # chmod 644 /etc/security/cacerts/81c450f1.0       # and their permissions (-rw-r--r--)
    p3s:/ # mount -o ro,remount /system             # remount the system partition read-only. IMPORTANT!!!
    p3s:/ # ls -la /etc/security/cacerts/           # check that the cert is listed with the same owner and mode as the rest
    p3s:/ # exit                                    # leave the root shell
    p3s:/ $ exit                                    # close the adb shell


    After that you can restart BlueStacks.
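The .bstk edit from step 2 above, done with a script so that only the Root.vhd entry is touched and a missing entry is reported instead of silently ignored. This is an added example, not code from the original guide. SAMPLE_BSTK is the fragment the guide shows, with Root.vhd set back to Readonly (the state before the edit); a real .bstk wraps MediaRegistry in an outer root element, so the function walks the whole tree rather than assuming a fixed path.

```python
"""Switch Root.vhd from Readonly to Normal in a BlueStacks .bstk file (step 2 above).

Added example, not code from the original guide. SAMPLE_BSTK is the guide's
<MediaRegistry> fragment with Root.vhd put back to Readonly, i.e. the state
before the edit.
"""
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List, Optional

SAMPLE_BSTK = """<MediaRegistry>
    <HardDisks>
        <HardDisk uuid="{20131fc8-e33c-43ec-bb32-24b184a349f7}" location="fastboot.vdi" format="VDI" type="Readonly"/>
        <HardDisk uuid="{8e0166f0-8566-4448-a32b-b7142ff58539}" location="Root.vhd" format="VHD" type="Readonly"/>
        <HardDisk uuid="{52439b89-88eb-4dfa-92c0-1f7bdc85fc0f}" location="Data.vhdx" format="VHDX" type="Normal"/>
    </HardDisks>
</MediaRegistry>
"""


def parse_bstk_text(text: str) -> ET.Element:
    """Parse .bstk XML held in a string (used for the sample and for tests)."""
    return ET.fromstring(text)


def _hard_disks(root: ET.Element) -> List[ET.Element]:
    # Compare on the local name so a namespaced <vbox:HardDisk> is matched too.
    return [e for e in root.iter() if e.tag.split("}")[-1] == "HardDisk"]


def disk_types(root: ET.Element) -> Dict[str, str]:
    """{location: type} for every HardDisk, handy for a before/after check."""
    return {d.get("location"): d.get("type") for d in _hard_disks(root)}


def make_disk_writable(root: ET.Element, location: str = "Root.vhd") -> Optional[str]:
    """Set type="Normal" on the disk at `location` and leave every other disk alone.

    Returns the disk's uuid when the type was changed, None when it was already
    Normal. Raises ValueError when no such disk is listed, so a wrong file name
    cannot silently leave /system read-only.
    """
    for disk in _hard_disks(root):
        if disk.get("location") != location:
            continue
        if disk.get("type") == "Normal":
            return None
        disk.set("type", "Normal")
        return disk.get("uuid")
    raise ValueError(f"no HardDisk with location={location!r} in this file")


def patch_bstk(path: str, location: str = "Root.vhd") -> Optional[str]:
    """Edit a .bstk on disk in place, keeping a .bak copy of the original."""
    p = Path(path)
    shutil.copy2(p, p.with_name(p.name + ".bak"))
    tree = ET.parse(p)
    changed = make_disk_writable(tree.getroot(), location)
    if changed:
        tree.write(p, encoding="utf-8", xml_declaration=True)
    return changed


if __name__ == "__main__":
    sample_root = parse_bstk_text(SAMPLE_BSTK)
    print("before: ", disk_types(sample_root))
    print("changed:", make_disk_writable(sample_root))
    print("after:  ", disk_types(sample_root))
```

Call patch_bstk() on your Pie64.bstk (under BlueStacks_nxt\Engine\Pie64, as found in step 2) while BlueStacks is closed. ElementTree drops XML comments when it rewrites the file, so if your .bstk contains comments you want to keep, use the script's output only to check the result of a manual edit.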

Usage of PCAPdroid

After moving the certificate to the system store, open PCAPdroid in BlueStacks.
(screenshot: PCAPdroid ready)

  1. Click on Target apps, find Whiteout Survival (com.gof.global) and activate it
    (screenshot: Whiteout Survival in Target apps)

  2. Then go back and click on the burger menu in the top left corner
    (screenshot: PCAPdroid menu)

    • There click on Decryption rules.
    • After that, click on the plus icon (+) in the top right, choose "App" and add Whiteout Survival (com.gof.global) to the decryption rules.
  3. After adding the target and the decryption rule, click either the Ready button or the little triangle in the top right corner to start capturing.

    • PCAPdroid keeps capturing in the background.
    • Open Whiteout Survival, click around a bit, wait, and you'll see the captured traffic in the Connections tab at the top of PCAPdroid.
    • Stop the capture with the little square in the top right corner.

Reading the traffic

After you start the capture and open the game, all of its traffic goes through the PCAPdroid VPN.
This is mostly tracking data, but I also found some info about the player and the game state, login info, chat history and profile images.

GZipped connections

Some of the data is additionally compressed with gzip. You can decompress it with any gzip text decompressor, such as https://codebeautify.org/gzip-decompress-online, but keep in mind that captured bodies can contain login data and session tokens, so a local tool (gzip/zcat, Python's gzip module, or Wireshark's own HTTP body decoding) is the safer choice.
(screenshot: gzipped JSON)
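A local alternative to the online decompressor, as an added example that is not part of the original guide: it recognises gzip or zlib bodies by their header, tolerates a body that the capture cut short, accepts the hex form PCAPdroid shows, and parses the result as JSON where it can. SAMPLE_JSON is constructed for the demo and is not real game traffic.

```python
"""Decode a captured body locally: inflate gzip/zlib if compressed, then parse JSON.

Added example, not code from the original guide. SAMPLE_JSON is constructed
and is not real Whiteout Survival traffic.
"""
import gzip
import json
import zlib
from typing import Any, Tuple

GZIP_MAGIC = b"\x1f\x8b"  # RFC 1952 gzip header


def _looks_zlib(raw: bytes) -> bool:
    # zlib header: CMF byte 0x78 (deflate, 32K window) and (CMF*256+FLG) % 31 == 0
    return len(raw) >= 2 and raw[0] == 0x78 and ((raw[0] << 8) | raw[1]) % 31 == 0


def decompress_body(raw: bytes) -> Tuple[bytes, bool]:
    """Return (data, complete).

    Compressed bodies go through a decompressobj so that a body the capture
    truncated still yields whatever can be recovered; `complete` is False then.
    Bodies that are not compressed are passed through unchanged.
    """
    if not (raw.startswith(GZIP_MAGIC) or _looks_zlib(raw)):
        return raw, True
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 32)  # +32: auto-detect gzip or zlib header
    try:
        data = d.decompress(raw)
    except zlib.error:
        return raw, True  # header looked right by chance but the body is not compressed
    return data, d.eof


def decode_body(raw: bytes) -> Any:
    """Decompress, then parse as JSON; fall back to text, then to the raw bytes."""
    data, _complete = decompress_body(raw)
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return data
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return text


def decode_hex_dump(hex_text: str) -> Any:
    """PCAPdroid shows payloads as hex; accept that pasted text (whitespace ignored)."""
    return decode_body(bytes.fromhex("".join(hex_text.split())))


# Constructed sample of what a gzipped JSON response might look like; not real traffic.
SAMPLE_JSON = {"player": {"id": 123456, "name": "example"}, "state": "lobby"}
SAMPLE_GZIP = gzip.compress(json.dumps(SAMPLE_JSON).encode("utf-8"))

if __name__ == "__main__":
    print(decode_body(SAMPLE_GZIP))
    print(decode_body(SAMPLE_GZIP[:-8]))  # gzip trailer missing: data still recoverable
    print(decode_hex_dump(SAMPLE_GZIP.hex()))
```

Feed decode_hex_dump() the payload hex copied from a connection's details in PCAPdroid, or decode_body() with bytes exported from Wireshark; nothing leaves your machine.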

A few extra words

It is possible to open a TCP or UDP server from the PCAPdroid app and push the traffic through ADB to your own PC to watch it live in e.g. Wireshark. I couldn't manage to open the TCP server, so I'm using either No dump and checking the traffic in the Connections tab, or dumping a PCAP file to open later in Wireshark, using the exported sslkeylogfile.txt to decrypt the HTTPS and TCP traffic.

Quick fixes (or at least attempts)

  1. Can't set up a lock screen.

    • Find the Activity Launcher app on Google Play or in the browser, install and open it
    • Find ScreenLockSuggestionActivity and launch that activity to set up the screen lock
  2. Can't copy / paste after doing this.

    • Turn off the screen lock. Having any form of screen lock messes with copy / paste
  3. My emulator can't launch after the process

    • Most probably you left the /system partition in read/write mode instead of remounting it read-only. I don't think there's anything you can do except reinstall.