Pretty much how I started cracking game copy protections in the late 80's/early 90's. I already owned the games I was cracking, it just became more interesting to me how these protections were implemented and how I'd defeat them. Sometimes I think that was more fun than the game itself. I just didn't want to have to look up pages in manuals or read maroon colored paper with dark blue ink.
I didn't have the luxury of Ida Pro back then, but I did find a disassembler. Using that I'd read through the game code until I found the conditional jumps and then patched the original file with 0xE8 (JEZ?), 0xEB (JMP?), or 0xCD 0x90 (NOP?). At one time I used to be able to recognize just the Opcodes in hex, so I might have those wrong today.
When I started working at Egghead, I was granted time by my manger to crack games for our demo station, so we wouldn't have to jump through hoops on the sales floor. For various professional reasons I've had the pleasure of bypassing my company's own protections. Most recently I used Smali/Baksmali to demonstrate how our company's Android beta timebomb was pretty easy to circumvent.
Once a hacker, always a hacker. I have no doubt that this low level tinkering was why I got into computers in the first place and why they still hold my fascination.
Patching an APK like this would break parts of the app, specifically the parts that are arguably the most crucial to be followed by pinned API calls. For example, in-app purchases via Google Play that validate the app's signing would all fail. Similarly restoring any previous in app purchases would also fail. Finally, you wouldn't be able to install this APK without uninstalling the valid production APK first, again due to signature/signing mismatch.
Very cool workaround in the article, but it feels like it's just another hole that is going to be closed off. It's impossible to balance because on the one hand we want these fortresses to protect us from prying eyes (see apple vs fbi), but manufacturers are also using these fortresses to keep out owners who just want to hack on their own things.
I'm glad Apple is working to keep backdoors out of iOS, but I still prefer Android because I can get into it anyway I want, and do things like the OP without having to resort to backdooring my own device.
> It's impossible to balance because on the one hand we want these fortresses to protect us from prying eyes (see apple vs fbi), but manufacturers are also using these fortresses to keep out owners who just want to hack on their own things.
I think it's very easy to balance: it's my fortress, because I bought it; I should therefor be allowed and enabled to make it do anything I like. The recent changes which Google have announced — which mean that apps will no longer respect the keys I have installed on my devices — are a move in exactly the wrong direction.
> but manufacturers are also using these fortresses to keep out owners who just want to hack on their own things.
I'll play the devils advocate:
1. From manufacturers perspective, it is very difficult to differentiate if the modification are being intentionally done by the owner of the device, or if the owner is being attacked by a 3rd party (e.g. via malware or JTAG)
2. Ownership ends with the device and the app - you cannot 'own' a service that Google/Niantic/Apple/Steam are providing. They can dictate the terms for providing that service and for an online game like Pokemon, not having access to the service makes the ownership the app and the device pointless.
I think 98% of people are really better off in a closed system (excluding piracy). The real issue IMO is getting developer access to any Android or iOS device should be a straightforward and free process.
This seems like overly complicated. He could have made the public key extremely small by just placing 0x00s in it so that he could crack it. Easy patching.
Xposed module patching only works when SSLPinning is performed in the Java code of the application, as Xposed provides a mechanism for intercepting Java method calls only. Unlike in this case, the code is in C/C++ layer, hence can't be used.
What's the added value of using imgur's embed code rather than a good ol' <img>? Is this a trend? I would understand it for albums, but why would you do it for individual images? </rant>
"Also, don't use Imgur to host image libraries you link to from elsewhere, content for your website, advertising, avatars, or anything else that turns us into your content delivery network."
Hey guys, author here. I used the embed code because some of the images are large and WordPress wasn't resizing them correctly for some reason. I also was unaware of the policy in Imgur's ToS. I will look into these issues and update the article accordingly.
> What's the added value of using imgur's embed code rather than a good ol' <img>?
Well, you can shaft users who browse without JavaScript turned on and help destroy the Web, all in one fell swoop!
I particularly hate how imgur requires JavaScript to use. We have had images in HTML for over twenty years now, and for some reason imgur has decided that they are above all that.
As mentioned in the comments, this doesn't work when you try to sign in via Google because it checks the signature of the app. The PTC signon doesn't do this so it's currently allowed, but I'm sure Niantic will patch it soon.
[+] [-] chinpokomon|9 years ago|reply
I didn't have the luxury of Ida Pro back then, but I did find a disassembler. Using that I'd read through the game code until I found the conditional jumps and then patched the original file with 0xE8 (JEZ?), 0xEB (JMP?), or 0xCD 0x90 (NOP?). At one time I used to be able to recognize just the Opcodes in hex, so I might have those wrong today.
When I started working at Egghead, I was granted time by my manger to crack games for our demo station, so we wouldn't have to jump through hoops on the sales floor. For various professional reasons I've had the pleasure of bypassing my company's own protections. Most recently I used Smali/Baksmali to demonstrate how our company's Android beta timebomb was pretty easy to circumvent.
Once a hacker, always a hacker. I have no doubt that this low level tinkering was why I got into computers in the first place and why they still hold my fascination.
[+] [-] paste0x78|9 years ago|reply
[+] [-] ParadoxOryx|9 years ago|reply
[+] [-] EatonZ|9 years ago|reply
[+] [-] dozy|9 years ago|reply
[+] [-] maxerickson|9 years ago|reply
[+] [-] conradev|9 years ago|reply
[+] [-] ethanhunt_|9 years ago|reply
I'm glad Apple is working to keep backdoors out of iOS, but I still prefer Android because I can get into it anyway I want, and do things like the OP without having to resort to backdooring my own device.
[+] [-] zeveb|9 years ago|reply
I think it's very easy to balance: it's my fortress, because I bought it; I should therefor be allowed and enabled to make it do anything I like. The recent changes which Google have announced — which mean that apps will no longer respect the keys I have installed on my devices — are a move in exactly the wrong direction.
[+] [-] sangnoir|9 years ago|reply
I'll play the devils advocate:
1. From manufacturers perspective, it is very difficult to differentiate if the modification are being intentionally done by the owner of the device, or if the owner is being attacked by a 3rd party (e.g. via malware or JTAG)
2. Ownership ends with the device and the app - you cannot 'own' a service that Google/Niantic/Apple/Steam are providing. They can dictate the terms for providing that service and for an online game like Pokemon, not having access to the service makes the ownership the app and the device pointless.
[+] [-] Retric|9 years ago|reply
[+] [-] dpflan|9 years ago|reply
[+] [-] alfon|9 years ago|reply
[+] [-] baby|9 years ago|reply
[+] [-] ajnin|9 years ago|reply
You'll also notice that the code checks for the certificate length so I'm not sure replacing it with zeroes would have worked.
[+] [-] dagwaging|9 years ago|reply
i haven't personally tried this route yet though
[+] [-] jor-el|9 years ago|reply
[+] [-] mkagenius|9 years ago|reply
[+] [-] kamikizzle|9 years ago|reply
[+] [-] ajnin|9 years ago|reply
[+] [-] beckler|9 years ago|reply
Certificate pinning would prevent you from sniffing the requests, and if they made API changes, you would be unable to analyze them.
So I think the reason Pokevision stopped working is because they may have made API changes, but they've been unable to see what the changes were.
[+] [-] thewarpaint|9 years ago|reply
[+] [-] nomel|9 years ago|reply
"Also, don't use Imgur to host image libraries you link to from elsewhere, content for your website, advertising, avatars, or anything else that turns us into your content delivery network."
[+] [-] EatonZ|9 years ago|reply
[+] [-] zeveb|9 years ago|reply
Well, you can shaft users who browse without JavaScript turned on and help destroy the Web, all in one fell swoop!
I particularly hate how imgur requires JavaScript to use. We have had images in HTML for over twenty years now, and for some reason imgur has decided that they are above all that.
[+] [-] bitmapbrother|9 years ago|reply