Jump to content

Cartridge Security

GeoRaptor

By GeoRaptor
in Wherigo

Followers 2

Recommended Posts

matejcik

matejcik

Posted
Posted

sure: don't include them. calculate from some answer to question or something. that's the only reliable way ... unless your question's answer can be guessed...

for less reliable ways, it depends on what you call "hacking". you could for example set up the cartridge in a way that prevents playing in the emulator and colorado's demo mode. (there's a bunch of threads about that, just list through the forum for relevant topics)

 

...anyone know why would anyone want to have the coordinates without playing? :/

Link to comment
a_snail

a_snail

Posted
Posted (edited)

Not including them is about the only way, but if anyone enters the wrong answers, they will be given a false location which might be somewhere unsafe.

 

Preventing people playing the game in the emulator or demo modes prevents people having a quick look, or play test. Personally I like to have a look at new wherigos for places I am unlikely to ever get the chance to visit, and in one case having had a look at the Wherigo (as far as i could get) looks like a great place to visit in Germany, so I may well find a reason to visit now.

 

I admit some people will cheat, a bit like reading the last page of a book, but in both cases most people I think then go on to play the Wherigo or read the book.

Edited by a_snail
Link to comment
Ranger Fox

Ranger Fox

Posted
Posted

Preventing hacking almost means you need to be able to hack yourself.

 

Making the final zone the cache or including a picture of the cache coordinates is a good idea. However, you need to be able to prevent people from playing it in the emulator. Doing that, at the moment, can only be accomplished by writing some custom code. You can't just check for "desktop" because I can hack that. Instead, perhaps, another way could be to encode the player ID into a number and comparing the number (you can't usually see numerical values when looking at the source).

 

Unless you're trying to prevent something extremely important, it might not be worth the effort. Very few people know how to hack.

 

I'm qualified enough to speak for the FTF and number run crowds, but I don't think you want the full answer. I will say, though, that for local FTFs, I'll play the cartridge normally, though I will have the answers and final coordinates written down just in case something goes wrong in the field. As for anything farther away, the possibility for hacking is directly proportional to the amount of time it takes to play the cartridge. After all, if I'm pretty far away, my time is even more precious.

Link to comment
sTeamTraen

+sTeamTraen

Posted
Posted

Earwigo lets you obfuscate most of the strings in the cartridge. I use the term"obfuscate" rather then "encrypt" because it sounds cooler although it's better than ROT13, it's not uncrackable, but it would put most people off trying to read answer strings from the binary file. It also means that it's easier to build a no-emulator cartridge which can't be patched by simply changing (with a binary editor, say) the string which is used to detect the emulator.

Link to comment
GeoRaptor

+GeoRaptor

Posted
  • Author
Posted

Earwigo lets you obfuscate most of the strings in the cartridge. I use the term"obfuscate" rather then "encrypt" because it sounds cooler although it's better than ROT13, it's not uncrackable, but it would put most people off trying to read answer strings from the binary file. It also means that it's easier to build a no-emulator cartridge which can't be patched by simply changing (with a binary editor, say) the string which is used to detect the emulator.

 

What do I need to do to build a No-Emulator cartridge?

Link to comment
sTeamTraen

+sTeamTraen

Posted
Posted
What do I need to do to build a No-Emulator cartridge?

The easiest way to check for the emulator is to ask, say in the cartridge onStart function, if Env.DeviceID is equal to "Desktop", and stop if so. Or you could check for altitude equal to zero (careful if the might, in fact, be at sea level).

Link to comment
JJG10101

+JJG10101

Posted
Posted (edited)

sure: don't include them. calculate from some answer to question or something. that's the only reliable way ... unless your question's answer can be guessed...

 

Yep, that's approach I take. I'll include a zone where I instruct the player to "count the letters in the name. Call it A." I repeat this approach five more times. At the end of the cartridge, I say "the cache is at 33 41.ABC..." Even if someone hacks the cart and tries it in the emulator, they still won't have the final coords."

 

Long story short, I guess I've got a three-step approach: 1) make the coords a puzzle that can only be solved in the field, 2) include the "desktop" emulator check, and 3) don't allow people to download the source code. Yes, it means folks in other states/countries won't see my work, but it prevents the locals from taking shortcuts (and several have admitted they tried). :rolleyes:B):blink:

Edited by JJG10101
Link to comment
DeRock & The Psychic Cacher

+DeRock & The Psychic Cacher

Posted
Posted

3) don't allow people to download the source code. Yes, it means folks in other states/countries won't see my work, but it prevents the locals from taking shortcuts (and several have admitted they tried).

 

So how do you plan to have anyone play your cartridge?

Will this also be a Wherigo geocache?

 

Deane

AKA: DeRock & the Psychic Cacher - Grattan MI

Link to comment
Tequila

+Tequila

Posted
Posted

3) don't allow people to download the source code. Yes, it means folks in other states/countries won't see my work, but it prevents the locals from taking shortcuts (and several have admitted they tried).

 

So how do you plan to have anyone play your cartridge?

Will this also be a Wherigo geocache?

 

Deane

AKA: DeRock & the Psychic Cacher - Grattan MI

 

He said "source code" not executable.

Link to comment
JJG10101

+JJG10101

Posted
Posted

3) don't allow people to download the source code. Yes, it means folks in other states/countries won't see my work, but it prevents the locals from taking shortcuts (and several have admitted they tried).

 

So how do you plan to have anyone play your cartridge?

Will this also be a Wherigo geocache?

 

Deane

AKA: DeRock & the Psychic Cacher - Grattan MI

 

He said "source code" not executable.

 

Right you are. Once you upload a cart, there's a series of "Creative Commons Settings." For my first two cartridges, I allowed players to download my source code. I don't do that anymore, primarily to prevent non-Colorado/Oregon/PPC geocachers from taking shortcuts. Around here, folks would play the game in the emulator, then run out and get the cache. That's not the point of Wherigo. Had they asked me, I would've *gladly* loaned them my Colorado. The way I see it, early adopters should get some benefit for taking the plunge and buying Wherigo-compatible hardware. :mad::D:huh:

Link to comment
Tequila

+Tequila

Posted
Posted

I had the exact same problem. I had people mad at me because it wouldn't run in the emulator. Even when I offered the use of my OR. They are count hounds and just wanted the found smiley and the icon. Not the experience.

 

That is why I do all sorts of things including having fake zones, using nondescript names for zones and media.

Link to comment
DeRock & The Psychic Cacher

+DeRock & The Psychic Cacher

Posted
Posted

3) don't allow people to download the source code. Yes, it means folks in other states/countries won't see my work, but it prevents the locals from taking shortcuts (and several have admitted they tried).

 

So how do you plan to have anyone play your cartridge?

Will this also be a Wherigo geocache?

 

Deane

AKA: DeRock & the Psychic Cacher - Grattan MI

 

He said "source code" not executable.

 

Right you are. Once you upload a cart, there's a series of "Creative Commons Settings." For my first two cartridges, I allowed players to download my source code. I don't do that anymore, primarily to prevent non-Colorado/Oregon/PPC geocachers from taking shortcuts. Around here, folks would play the game in the emulator, then run out and get the cache. That's not the point of Wherigo. Had they asked me, I would've *gladly* loaned them my Colorado. The way I see it, early adopters should get some benefit for taking the plunge and buying Wherigo-compatible hardware. :mad::D:huh:

 

I'm obviously confused. This is new ground for me. Let me see if I've got this right now.

 

The source code be used in the emulator and played by anyone? And that is how they were getting the shortcuts JJG10101?

 

If this is the case, that is something I didn't know!

 

Deane

AKA: DeRock & the Psychic Cacher - Grattan MI

Link to comment
Tequila

+Tequila

Posted
Posted

If someone has the source code, they can compile it and run it in the Emulator. However, if they have the source code they can just read the code to figure out what to do.

 

The cartridge that you download from Wherigo.com is already compiled although a large portion of the text is still visible if you open it with a text editor.

 

To prevent someone from playing the cartridge in the Emulator, you can do a device ID test for the Emulator and disable the zones/cartridge if it is being played in the Emulator.

 

To prevent someone from reading too much in a text editor, you can put messages such as coordinates or puzzle questions/answers in a jpg picture and display the picture.

 

Hope this answers your question.

Link to comment
Captain Gore-tex

+Captain Gore-tex

Posted
Posted

If someone has the source code, they can compile it and run it in the Emulator. However, if they have the source code they can just read the code to figure out what to do.

 

The cartridge that you download from Wherigo.com is already compiled although a large portion of the text is still visible if you open it with a text editor.

 

To prevent someone from playing the cartridge in the Emulator, you can do a device ID test for the Emulator and disable the zones/cartridge if it is being played in the Emulator.

 

To prevent someone from reading too much in a text editor, you can put messages such as coordinates or puzzle questions/answers in a jpg picture and display the picture.

 

Hope this answers your question.

 

JPEG Extractor will strip out all JPEGS from a cartridge and display them on a desktop, including all hidden data put on in photoshop or similar, hence not a secure method of hiding data.

Link to comment
JJG10101

+JJG10101

Posted
Posted

I'm using what I'll call the "ABCDEF" approach. Essentially, it's a series of six questions that must be answered in the field. A brief explainer: while in the first zone, an item appears. I call the item "Puzzle A", and it features a character image and text. The text follows.

 

* * * * *

 

Your cell phone rings. "Newton here," the conversation starts. "Just to get things going, how many mini-spotlights are mounted in the ground INSIDE "Connector"? SUBTRACT three from this number, and call it A.

 

* * * * *

 

There are 10 spotlights in the ground, so subtracting three means that A = 7. "Connector," by the way, is the name of a HUGE artwork with lights mounted in the interior. As far as I can tell, there's no way to get this number without being in the field. At the end of the cartridge, I'll say something like, "The geocache, by the way, can be found at N33 41.ABC, W117 39.DEF." I'm thinking this prevents any sort of emulator play, extracting graphics, or hacking the files.

 

Naturally, there are ways to get around my approach. Since I've posted "Connector" on the Waymarking.com site, it's possible someone could post a photo of the lights. Hopefully not. Folks could also try to use the Internet to find some image or reference, although I doubt that would work. Finally, there's the remote possibility that someone who's found the cache could tip off other players, but again, I doubt that.

 

Just doing what I can to prevent cheating. :P:):)

Link to comment
kvhollis

kvhollis

Posted
Posted

Right you are. Once you upload a cart, there's a series of "Creative Commons Settings." For my first two cartridges, I allowed players to download my source code. I don't do that anymore, primarily to prevent non-Colorado/Oregon/PPC geocachers from taking shortcuts. Around here, folks would play the game in the emulator, then run out and get the cache. That's not the point of Wherigo. Had they asked me, I would've *gladly* loaned them my Colorado. The way I see it, early adopters should get some benefit for taking the plunge and buying Wherigo-compatible hardware. :P:):)

 

That is exactly how I feel about it too. I have had a few comments on why I block the emulator - my reasoning is simple. I took the time to design, develop, and test the cartridge - it should be played the way it was designed. However, I see their point too - I just don't agree with it!

 

With my first cartride - I have taken multiple groups on multiple occassions on a "guided tour" so they can experience the cartridge. Everyone in the area has had the opportunity - some have chosen to do it. Hopefully others will have the opportunity too.

Link to comment
Ranger Fox

Ranger Fox

Posted
Posted

Well, there's an emulator check thread from 2008 that talks about what to do.

 

Here's a full answer, perhaps a little more complete than you might want. You're primarily testing against the "Env.DeviceID" property. The emulator's DeviceID is usually "desktop", and that's what you should be testing for. You'll now also have to test for "webwigo", "emscripten", and "browser" if you'd like to cover everything. There's also the "Env.Platform" property. As for those values, "Vendor 1 ARM9" is usually a Garmin GPSr, starting with "PocketPC" is the antequated Pocket PC platform, starting with "WhereYouGo" is the player app of the same name, I forgot what "J2SE" is, "MIDP-2.0/CLDC-1.1" is OpenWIG, and starting with "iPhone" is the iPhone app. (The reverse cache cartridge has one of the most complete lists I've ever seen, and it's a fairly well thought out cartridge.)

 

But, really, there's a simple way to prevent people from using the emulator. For one of your questions, just ask something really obscure that's impossible to guess without being there. For example, some signs have a make a model number in very tiny print at the bottom (something like "11-562"). You could ask the person for that. Just make sure it's a number, but don't say it's a number when you ask for it--and store it as a number within your cartridge. That way, no one can see the number if they attempt to open the compiled cartridge in a text editor.

 

Or you could just use Urwigo or Earwigo as they have an option to prevent emulators from running your cartridge and they obfuscate all your text. That's also one of the easiest ways.

Link to comment
Vooruit!

+Vooruit!

Posted
Posted

That does work, however, people over here go to any lengths to go the easy way and try to hack the cartridge. It appears that some cachers are actually deobfuscating the Urwigo text obfuscating functions, which of course isn't really that hard.

 

We could it take one step further by using a hashing function, so that we only store the hash of the answer inside the cartridge. This basically turns it into a brute force search. I would say one needs some more programming skills for this scenario. I've used this approach with some success in my latest cartridge. It also features a honeypot in the form of a zone named 'Geocache', at which would encounter an empty petling holder. :P

Link to comment
Ranger Fox

Ranger Fox

Posted
Posted

Ultimately, the answer to all this would be to keep the cartridge file out of the person's hands. In other words, only the player apps could download the cartridge from an API. The player apps would also have to encrypt the cartridges if they store the files on disk. This, by the way, would be the end of support for Garmin, for as long as the Garmin player is around, the cartridge file has to be made available to the person who wants to play the cartridge.

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
Followers 2
Go to topic listing
×
×
  • Create New...