
Are Wherigos Hackable?


stinger503


I'm thinking of doing a series of geocaches that ends with a Wherigo where you have to enter a number from 3 different caches which would then direct you to the final. My question is how hackable are Wherigos? Could someone open up the cartridge file in another program and somehow get the final coordinates? Thanks.

 

Link to comment

Yes. So are mystery caches.

 

Let's take your example. You build a cartridge that allows you to enter three numbers. If a number is wrong, you ask the player until he or she gets it right. When all three numbers are right, the final zone appears. This can be hackable. A player could start at the number one and go up until the right number is guessed. Repeat this three times and you get the final coordinates. Also, if the person is good enough--we're talking extremely good--the person could build his or her own Wherigo player application with which to extract the final zone's coordinates (for the amount of work this needs, I'd say just let the person have it).

 

Now, let's take a mystery cache. I need to put three numbers into either blanks or a formula to find the final. I could try a few combinations and see if the final coordinates lead me anywhere interesting. I've done this before on several mystery caches. If the area is populated enough with other caches and the hint telling enough, it's just as possible for me to hack the mystery cache. Even when the cache owner put a four digit combination lock on the cache, I simply took a few hours and spun the numbers until I got the combination. There's also a way to reduce the possibilities on a spinning lock (or you could open the ammo can from its hinge if you bring the right tools). So nothing is secure.

 

Here's what you can do to make things more secure. It does involve a little author script, though. Use Urwigo to encrypt the text. Accept any text for the "numbers" and have some "numbers" in your caches be alphanumeric. Create an author script to convert this text into numbers using whatever way you please (add case sensitivity for added measure). Use these numbers to create a final zone from scratch so that you're not even storing the final zone within the cartridge. You could, at some point, perform some sort of mathematical operation to tell the player the answers are wrong. This is pretty much the most secure thing I can suggest.

 

Of course, when I play around with cheat prevention, I could go one step further and am downright malicious. I add several red herrings all through the cartridge. A dialog you can't get to during normal cartridge play will tell the person--in plain text in the compiled cartridge--the wrong coordinates. I include a picture with wrong coordinates. There's a little emulator protection that is somewhat easy to get around. But if you do that, there's something else that is not obvious that runs another check and provides wrong coordinates. There's a zone titled "Final Cache" with wrong coordinates (instead, the zone is adjusted as the player goes through the cartridge). I ask an obvious question if you're in the area; if you answer incorrectly, I don't tell you and I continue the cartridge and make it end at the wrong coordinates. So these are all possibilities, a few of which I've used in my cartridges as experiments. And what do my experiments yield? It's funny: no one in my area tries to hack cartridges, so I'm just wasting my time.

 

Bottom Line - The easiest way to hack anything is to call someone who knows where the final is. You cannot stop the phone a friend network. You might prevent two people from hacking your cartridge, but you're not doing anything to prevent two dozen people from emailing the final's coordinates. I think you're ignoring the real problem in favor of something smaller.

Link to comment

Ranger Fox covered a lot...

 

The problem is, if you have the final of anything stored anywhere in the cartridge - encrypted or not - it can be reverse engineered.

I have a programmer friend who knew this, and created his Wherigo with an inline LUA script that would execute; but the text was highly encrypted mathematically, knowing that a decompiler could easily extract the text. He also included a number of red herrings.

 

The problem was that the iOS Wherigo player can't run inline script; it doesn't have that capability. So my only option was to go for the hack. I got to the point of seeing the execution process, spotting the red herrings, and this big block of encrypted text. I ended up reverse-engineering the decryption algorithm in order to retrieve the original LUA script, and thus locate the final. He was on board with that, as it was interesting for both of us to see the machine language version of his mathematical encryption algorithm. My decryption wasn't perfect, but it was enough to calculate the final coordinates.

 

So yeah, anything can be hacked in the Wherigo cartridge, if it exists in the cartridge. Even if there's any kind of "checker" algorithm - one can decompile it and then test any numbers one wishes until success.

 

My thoughts for making something virtually unhackable (it's never unhackable, since it's really a matter of how determined a hacker is to be successful :P) are this...

 

Similar to Ranger's idea, encode a message using some encryption technique (for example, Vigenère), but do not include the key or any checker in the script. Merely ask for a word or phrase, which would be used as the decryption key. If the user is presented with gibberish, then it's incorrect. Once they've provided the correct answer, the solution will be clear. The only problem with this is that a hacker will be presented with another decryption step if they locate the cipher text in the cartridge. But at least the solution isn't attainable simply by decompiling the cartridge. Even so, any form of key-based encryption could be used, if the decryption key is based on input from a text field.

 

You could go one step further and do the inline LUA script, but perhaps base64 encode the script first, THEN apply the key-encryption to that text :) That would make it MUCH harder for a web-based Vigenère cracker tool to guess a solution if based on English language. A hacker could deduce that if the cipher decodes to base64, then only certain characters would be valid at the beginning, but you could include a set of commented gibberish at the beginning of the LUA script to throw even that off...

 

Ok so I'm really thinking out loud now, haha.

 

But you get the point - being a self-contained 'program', in a sense, if the answer is in any way verifiable in the self-contained cartridge, then it's much more easily hacked.

 

The question ultimately is - how much work is it worth to make it harder for 'cheaters' to 'cheat'? Especially if, as Ranger said, the easiest way to 'cheat' is to call someone for the final.

(personally, I find reverse engineering to be highly enlightening, so I'd likely go through great lengths to make something hard to hack, sort of a favour to those whom I know would enjoy the challenge ;) ) Most would not bother and just go for the experience you intended them to have by actually playing the Wherigo :)

Edited by thebruce0
Link to comment

Keep in mind, the vast majority of cachers wouldn't consider hacking the cartridge, let alone be capable of doing so. It's really only the fringe tech-savvy engineering-minded cheaters and/or curious who might entertain the idea. There are tools that make it easy, and of those who might consider hacking, only another fraction of those might attempt it manually beyond pre-designed tools. But I think generally people know that 'hacking' a Wherigo takes the fun out of doing it, of course!

 

Personally, I'd say don't worry about hacking if the Wherigo is easy, quick, or entertaining, or you don't really know of any cheaters or techie brainiac geocachers in the area. :laughing:

Link to comment

Personally, I'd say don't worry about hacking

 

I have a low tech approach for this. Don't write the coordinates in the cartridge at all. We do have the real world to work with B) . Do your WIG and guide the user to a location that has several items that are easy to identify. Use items that fit your cartridge. Ask for the second digit of a phone number, the number of letters in the first word on a sign, the number of trees, the ...

 

Use the results to create the coordinates. Use no calculations if possible. Do not re-use numbers, find the same number on a different item instead.

 

If you do this wisely you can geo-code locations with little trouble for yourself and the cache hunters. In order to make this enjoyable do not geo-encrypt too many numbers. You can typically give away the degrees and minutes of the final without trouble (this is more than a mile by typically half a mile). The last digit of the coordinates is also not useful for hacking a cache (but essential for finding). This leaves you with 4 digits (which equals 9801 possible cache locations for the hackers) that you have to geo-code.

 

This will not beat the mobile phone cheaters but why should we even talk about them. They are not even close to geocachers and that's it for me.

Edited by Geo-Magician
Link to comment
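
Added example (not part of any post in this thread, and not code from any Wherigo builder): a Python model of the two designs discussed above, a cartridge that ships a "checker" versus one that derives the four hidden digits from the player's answers and verifies nothing. It models the idea rather than cartridge Lua; the coordinate template, digits, answers and all function names are constructed for illustration.

```python
import hashlib
import itertools
import re

# Constructed sample values; nothing here comes from a real cartridge.
TEMPLATE = "N 47 36.{}{}5 W 122 19.{}{}8"  # degrees, minutes, last digit given away
SECRET_DIGITS = [3, 1, 7, 4]               # the 4 hidden digits, known to the owner
FIELD_ANSWERS = ("4", "7", "2")            # numbers the player reads off signs

def _blob(answers):
    return "\x1f".join(answers).encode("utf-8")

def checker_digest(answers):
    """Design to avoid: a stored digest of the right answers is an offline oracle."""
    return hashlib.sha256(_blob(answers)).hexdigest()

def guesses_needed(digest, candidates):
    """Author-side audit: guesses until the stored checker says 'correct'."""
    for count, cand in enumerate(candidates, 1):
        if checker_digest(cand) == digest:
            return count
    return None

def key_digits(answers, n):
    """Map the player's answers to n key digits (0-9)."""
    return [b % 10 for b in hashlib.sha256(_blob(answers)).digest()[:n]]

def seal(secret_digits, answers):
    """Run once by the owner; the result is the only value stored in the cartridge."""
    keys = key_digits(answers, len(secret_digits))
    return [(s + k) % 10 for s, k in zip(secret_digits, keys)]

def final_zone(stored, answers):
    """Cartridge side: no comparison, no error message, always a coordinate."""
    keys = key_digits(answers, len(stored))
    return TEMPLATE.format(*[(c - k) % 10 for c, k in zip(stored, keys)])

def audit():
    """Compare what each design tells someone who only has the cartridge file."""
    candidates = list(itertools.product("0123456789", repeat=3))
    stored = seal(SECRET_DIGITS, FIELD_ANSWERS)
    zones = {final_zone(stored, c) for c in candidates}
    shape = re.compile(r"N 47 36\.\d{3} W 122 19\.\d{3}")
    return {
        "checker_guesses": guesses_needed(checker_digest(FIELD_ANSWERS), candidates),
        "zone_for_right_answers": final_zone(stored, FIELD_ANSWERS),
        "distinct_zones": len(zones),
        "all_well_formed": all(shape.fullmatch(z) for z in zones),
    }

if __name__ == "__main__":
    print(audit())
```

`distinct_zones` shows how far the stored value still narrows the search: three single-digit answers can produce at most 1000 candidate zones, which is the reason the posts above suggest alphanumeric, case-sensitive answers. Because nothing is verified, a mistyped answer silently yields a different, well-formed location.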

Well I think the problem is, if the Wherigo doesn't provide a destination GPS to navigate to, then it's effectively become a puzzle cache (though you're using the cartridge to get needed information). In the context of a proper Wherigo that provides a destination waypoint for the cache and/or a zone, the coordinates would need to be provided somehow. I have done some where the final cache coordinates are simply provided in a plain text message, but again they're in the cartridge.

 

If simply providing a puzzle with empty number slots you need to fill, but not providing some method of verification, I'd worry that the player might get a wrong answer and get frustrated if they go on a wild goose chase. But I guess that more depends on the 'puzzle' itself and how obvious the correct answers are :P

 

Anyway, point being, there are obviously ways to make hacking and/or cheating more difficult :) but how much effort is protection worth? *shrug*

Link to comment

Well I think the problem is, if the Wherigo doesn't provide a destination GPS to navigate to, then it's effectively become a puzzle cache

 

By the book (the last time I read it) "any cache using a Wherigo should be listed as a Wherigo Cache". This is a quote from memory, help me if I have it wrong. :)

 

But I see that this is not your main point. My Wherigo geo-coding approach requires a real, full blown cartridge that puts the player through the whole Wherigo experience. I would not want to call it a Wherigo if I would use the Wherigo solely for encoding the coordinates.

 

This is what I do: at the end of the Wherigo I ask the player for the numbers and I will print the resulting coordinates for him. I will however not calculate or check them in the cartridge. I am using easy to find, preferably large objects/numbers. You can show a blotted out image to help with the identification. This is, as you say, definitely not the place to count leaves on a twig. I have seen caches that ask for things that are hard to count like you have. This is not what I have in mind. I go out and hunt for 4 obvious numbers. If you can not find them at the end of the cartridge, find them en route and weave them into the game.

 

There is always room for messing up a cartridge, but I have done this and can say it works well. (I have other trouble with the cartridges due to the incompatible hardware situation :lol: ).

Edited by Geo-Magician
Link to comment

I just learned at an event today that Wherigos could be hacked, because someone told me that the folks who found my 17 mile Wherigo hiking module (GC58JY1) simply found a way to see the final coords. I don't have any proof, but it seems like something that might have happened, so I decided to see how easy it is to do this. The answer was, really really easy. I am pretty disappointed, especially since I put a nice FTF prize in the cache. I have another 12 mile hiking Wherigo that I am planting tomorrow, and I suspect the same thing might happen. No prize going in that one.

 

Is anyone else chuffed that it is so easy to get final coords for the module from the lua file? (as an aside I used the Rangerfox Wherigo\\kit for my builds).

Link to comment

Looking at your cartridge, the anti-emulator code is located after the dialog with the final coordinates. This means people using an emulator could see the final coordinates before they were kicked out. That's one reason.

 

Another reason is Kit does not encrypt text like Urwigo. I've considered doing this, but there's a catch. One of Kit's strong points is you can lay the groundwork for a cartridge, then export your cartridge to another builder to add more complex things. If I were to add text encryption, Kit would lose that ability. I suppose I could add that as an option for exporting. (Did you have Kit send the cartridge to Wherigo.com for you or did you download the GWZ and upload it yourself to Wherigo.com?) Anyway, one common sense thing for people to do is load the cartridge in a text editor. Unencrypted text will be readable. It's better to add a final zone for the geocache than show the geocache's coordinates in text.

 

So there are two things to work on right off the bat. Addressing these two will prevent most people from hacking a cartridge.

 

In your next cartridge, I could help you to send people off on a four mile round trip hike to the wrong place if they attempt to hack the cartridge. That is, if you feel you'd like to be a little extra evil to your previous players.

 

By the way, the only truly unhackable cartridge is one where people answer questions with numbers from signs or the environment along the way, the answers aren't verified, and the final zone is built from the answers provided. If the answers were correct, the zone is placed where the cache is. If anything was incorrect, the cartridge will send them somewhere else--perhaps somewhere dangerous (which is why this tactic tends to be risky).

 

(As for hikes, I placed a 43 mile hiking multi just because I needed to get out and hike one summer. The first three teams/individuals that completed it got a $40 bounty prize.)

Link to comment

 

In your next cartridge, I could help you to send people off on a four mile round trip hike to the wrong place if they attempt to hack the cartridge. That is, if you feel you'd like to be a little extra evil to your previous players.

 

That's freaking awesome!

A little fun side story, if you'd like.

 

Usually, when I place a cartridge in my area, there's an experiment I'm running. One such experiment was in hacking prevention. The cartridge looked innocent enough, something that asked you to name animals in wood carvings spread throughout a very small park. I came up with false coordinates and provided them to the player every way I thought the cartridge would be hacked. I did a couple emulator checks in the background and encrypted the animal names. If you looked at the cartridge in notepad, you'd see a dialog message telling you the false coordinates; you'd never see that message during normal game play. If you extracted the cartridge's images, you'd see an image with the false coordinates; you'd normally never see that as well. If you tried to plug the cartridge into something that gave you a list of zones, the false coordinates would be used in zoneGeocache. If you played the cartridge in an emulator, it would refuse one of your answers due to an emulator check. You could see the words "desktop" and "win32" in plain text in notepad; if you had a hex editor, you could change those words and get past the check, making you think you're so smart. However, just before the final zone was shown, I'd do another emulator check, this time against the encrypted words. If this failed, you'd be sent to the false coordinates. The false coordinates looked right on a map because there was empty space there, too. Heck, if you looked at the cartridge's source code and got to the part about zoneGeocache, you wouldn't tend to look further, so I got you there as well. In short, I was an absolute arse about the whole thing.

 

So one day, I get a DNF log that looked legitimate, but something seemed off about it. The player then contacted me and asked if the cache was all right, said he was from out of town, and asked if he could claim a find. (If one of my caches is missing and the person is not local, I usually let that person log a find. I love rewarding effort.) I asked about the final coordinates he had, and my request seemed innocent enough. I was provided with the false coordinates. In my reply, I stated, "The best hint I can provide you is to play the cartridge in the field. You'd get the real coordinates at that point." The funny thing is almost all of my cartridges are open source. You can download the source code and look for the final coordinates. I'm surprised very few people in my area have done that.

 

Before I sound too much like a saint, I do need to remind people that I do hack cartridges myself. If you don't hack, how are you expected to be able to circumvent others' attempts? So I play a little game with some cartridges. I can only use what's available to everyone: notepad, hex editor, and emulator. Have I ever skipped playing a cartridge in the field if I was successful in my hacking game? Oh, yes. But if the cartridge requires an achievement, such as to hike to a few summits, I won't sign the log unless I've played in the field. You can't skip out on that.

Link to comment
