Muppet95

Can you bypass a Wherigo experience?


Hi all,

 

I had some questions for the Wherigo & Tech-Savvy Gurus out there.


I plan on building a simple Wherigo experience using Wherigo//Kit. To complete the Wherigo, users need to answer a difficult open-ended question. 

 

1. Can people work around the difficult question by looking at any cartridge files?
Like, if you open a gwc file in Notepad to see the data for the final answer/message/location?
Same with the lua file, can the final answer/message/location be viewed?

I'm guessing that lua files (and Author script) are only accessible if I opt for the cartridge to be 'open source'.

 

2. Do any of the answers to the above questions change by adding a 'Stop Emulator' function to the cartridge (either before or after the 'difficult open-ended question')?
I was told that it is possible to work around a 'Stop Emulator' function, but I'm sceptical...
 

Thanks for any help you can provide,

Hayden


Hi Hayden,

 

I'm afraid to confirm that, by opening the cartridge file with some software, you'll get access to this kind of information (answer to a question, location of the final waypoint, spoiler image if any...).

 

Stopping the emulator(s) won't stop someone from opening a cartridge the way I mentioned.

 

Some Wherigo builders offer to encrypt the strings of your cartridges (I don't remember if Wherigo\\kit does that) but, since Wherigo players are able to decrypt them, so are the hackers.

 

If you don't want anybody to find your final waypoint's coordinates in your cartridge, the only effective way is to not put them in. You'll have to give some kind of riddle to the (human) player, like "get the number written on this nearby sign, multiply with..."

 

Anyway, after a certain amount of time, there would be geocachers giving away the final coordinates to their (lazy) friends. These ones won't even have to download the cartridge to go and sign the logbook.

Edited by Tungstène
Typo
  • Upvote 1

6 hours ago, Muppet95 said:

Hi all,

 

I had some questions for the Wherigo & Tech-Savvy Gurus out there.


I plan on building a simple Wherigo experience using Wherigo//Kit. To complete the Wherigo, users need to answer a difficult open-ended question. 

 

1. Can people work around the difficult question by looking at any cartridge files?
Like, if you open a gwc file in Notepad to see the data for the final answer/message/location?
Same with the lua file, can the final answer/message/location be viewed?

I'm guessing that lua files (and Author script) are only accessible if I opt for the cartridge to be 'open source'.

 

2. Do any of the answers to the above questions change by adding a 'Stop Emulator' function to the cartridge (either before or after the 'difficult open-ended question')?
I was told that it is possible to work around a 'Stop Emulator' function, but I'm sceptical...
 

Thanks for any help you can provide,

Hayden

Yes, people could get into a cartridge. Aware of that, when I set a Wherigo with the excellent 'kit' I took users to zones, asked a question to trigger the next zone, but also gave them a digit to find (first number on the post, etc.) for the final co-ordinates, just as you might with any multi. With no interaction with the cartridge other than it telling you to find that information, then the last zone giving you how to use the information to build the co-ordinates, no-one can just crack the final location by looking inside. I'm using the same scheme on a 'lights out' style cartridge I'm building.

Strangely, locals round my area seldom seem to hand out Wherigo final locations as they do puzzle solutions: perhaps they see inability to log a puzzle as a loss of face (not clever enough...) while not doing a Wherigo is explainable by saying you are not interested in Wherigos...


Handing out finals doesn't seem to happen much in my part of the USA. Nor does hacking carts. Even the trivially simple technique of opening the cart and seeing text as text in just about any text editor (including final coords, if provided) is rarely done.

That said, the "build coords" technique described above will work in Wherigo Kit. The other cart builders Earwigo and Urwigo are much harder to hack, but also harder for a novice builder to use.

 

 


There are a couple of other options as well.

Still embedded in the Wherigo, it is possible to create inline encrypted code that can be executed - but the smartphone app doesn't support that command.  A friend created an app with red herring content for the hackers, but embedded a secure encryption algorithm that would decrypt his inline LUA code to execute. It's still hackable, but you'd have to reverse engineer the custom encryption code to determine the LUA source that contains the actual solution.  That's pretty advanced stuff though, for creating and hacking.

 

Another is to use other common puzzly encryption methods.  You could encrypt instructions or solutions in the Wherigo using a method like a one time pad, the key for which you could only get by playing through the Wherigo and gathering information on site. No 'solution' is stored in the Wherigo.  To 'hack' the answer, you'd have to solve the encrypted message.  In this way you are basically embedding a puzzle in the Wherigo, and the Wherigo doesn't have to include any direct reference to the final location.

That's basically what hal-an-tow did above, having the Wherigo tell you how to find the information to build the final coordinates yourself.

 

Another alternative is to have the Wherigo resolve to instructions to determine a keyphrase you can use with, say, Certitude to verify and provide the final cache location. That would allow people to brute force without doing the Wherigo of course, but that still takes the hack-the-answer method off the table.

 

None of this applies to the Wherigo 'completion' state though, and there's no way to get around that. The completion code will always be hackable, but that's really only for people who care about logging their completed wherigos on Wherigo.com :P
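
The one-time-pad idea from the post above, worked through as an added example (not code from the thread or from any Wherigo builder): the author enciphers the final's coordinate digits offline, only the ciphertext goes into the cartridge, and the pad digits exist only in the field. The sample coordinates, the pad and all function names are constructed for illustration.

```python
import secrets

def _digits(s):
    """Keep only the decimal digits of s, as a list of ints."""
    return [int(c) for c in s if c.isdigit()]

def make_pad(length):
    """Author side: draw a uniformly random digit pad; these digits are then
    placed in the field (signs, tags) and never stored in the cartridge."""
    return "".join(str(secrets.randbelow(10)) for _ in range(length))

def encrypt(coord_digits, pad):
    """Author side, run offline: only this output goes into the cartridge."""
    p, k = _digits(coord_digits), _digits(pad)
    if len(k) < len(p):
        raise ValueError("pad must be at least as long as the message")
    return "".join(str((a + b) % 10) for a, b in zip(p, k))

def decrypt(cipher_digits, pad):
    """Player side: subtract the collected digits mod 10 (doable on paper)."""
    c, k = _digits(cipher_digits), _digits(pad)
    if len(k) < len(c):
        raise ValueError("pad must be at least as long as the ciphertext")
    return "".join(str((a - b) % 10) for a, b in zip(c, k))

def as_coords(d):
    """Format 15 digits as 'N DD MM.mmm W DDD MM.mmm' (hemispheres assumed)."""
    if len(d) != 15 or not d.isdigit():
        raise ValueError("expected exactly 15 digits")
    return f"N {d[0:2]} {d[2:4]}.{d[4:7]} W {d[7:10]} {d[10:12]}.{d[12:15]}"

# Constructed sample values, not a real cache location.
FINAL = "471234512204567"   # N 47 12.345 W 122 04.567
PAD = "830517264190358"     # fixed here for reproducibility; use make_pad(15)
STORED = encrypt(FINAL, PAD)  # the only value the cartridge would contain

if __name__ == "__main__":
    print("in cartridge :", STORED)
    print("right pad    :", as_coords(decrypt(STORED, PAD)))
    # One wrong digit still yields well-formed coordinates: the cartridge
    # holds no check that could tell the two apart.
    print("wrong pad    :", as_coords(decrypt(STORED, "830517264190359")))
```

The secrecy property only holds if the pad digits are uniformly random, used for one message only, and appear nowhere in the cartridge; digits read off existing signs are not uniform, which is why the pad here is generated first and then placed on site.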


It’s harder to hack a cartridge if a question’s answer is a number and formatted like that. You could also design a cartridge that takes people around, pointing out things that could be converted to numbers (e.g. number of letters in the third word of a sign, third number in a date, etc.) and at the end shows a simple formula. Those are impossible to hack because the information isn’t in the cartridge to begin with. 

 

Moderate hacking prevention deters most attempts. Just make sure whatever you do doesn’t compromise the experience of those playing your cartridge normally. 

  • Upvote 1


Yep, as long as a solution needs to be determined externally rather than being effectively spelled out in the code/plaintext.

Whether it's formulas, encoded text (even a solid Vigenère where the key is not itself in the cartridge could be enough).

Don't "check" answers in the cartridge, that's hackable.


Oh, and if it's going to require the same amount of time to get to the final as to play the cartridge, such as walking down a trail, I'd say don't bother making it hack-proof.

 

And I don't think I've ever mentioned something about people making cartridges hack-proof: if you try to do so and mention it, there might be a sliver of your audience (one or two people) who might take that as a challenge.  I certainly would, so that would have the opposite of your intentions.  If you just quietly put in some cheat deterrence, that should be all you need.  If you try to go overboard and mention it, I would instead try to hack it just to see if I could.

  • Upvote 1

7 hours ago, Ranger Fox said:

And I don't think I've ever mentioned something about people making cartridges hack-proof: if you try to do so and mention it, there might be a sliver of your audience (one or two people) who might take that as a challenge.  I certainly would, so that would have the opposite of your intentions.  If you just quietly put in some cheat deterrence, that should be all you need.  If you try to go overboard and mention it, I would instead try to hack it just to see if I could.

 

*raises hand in agreement* :cool::laughing:

On 4/28/2019 at 6:34 AM, Ranger Fox said:

I would instead try to hack it just to see if I could.

 

Couldn't agree more. I fit into that category - I'm up for a challenge; pushing limits, and exploring possibilities.

Now that we have discussed the point in question, perhaps it would be ideal to delete this thread so as not to encourage people to go looking...

Thanks for your replies everyone.


All cartridges are hackable, even the ones that use obfuscation routines.

Edited by bflentje

On 5/7/2019 at 4:11 AM, bflentje said:

All cartridges are hackable, even the ones that use obfuscation routines.

Not if the information isn't there they are not.

 


I wrote one in 2008 which took the cacher to four different zones and asked a question at each. The answers were selected from drop-down lists and the selected answer would be stored as a digit. Once all zones had been visited, the final location was calculated from the stored digits and the final zone plotted dynamically

If any questions were incorrectly answered the final zone would be drawn in the wrong location and the cache would never be found.
Un-hackable  - apart from I included a spoiler picture hint but you'd have to know the area very well to locate the cache by picture alone. :)

Simply outputting calculated final co-ords for the cacher to then enter into a gps is a bit naff and so is including a geochecker on the cache page

Edited by Delta68
  • Upvote 1

3 hours ago, Delta68 said:

Not if the information isn't there they are not.

 

 

ALL cartridges are hackable. Getting the final coordinates to the cache is something altogether different.

 

Best way to make the final cache coords unhackable is to utilize an algorithm that includes information from the wild that cannot be attained by sources without visiting the actual zone. And even then, most people I know have a VAST phone-a-friend network. So, the cache coords are still hackable. 🙂

  • Upvote 1

9 hours ago, Delta68 said:

I wrote one in 2008 which took the cacher to four different zones and asked a question at each. The answers were selected from drop-down lists and the selected answer would be stored as a digit. Once all zones had been visited, the final location was calculated from the stored digits and the final zone plotted dynamically

If any questions were incorrectly answered the final zone would be drawn in the wrong location and the cache would never be found.
Un-hackable  - apart from I included a spoiler picture hint but you'd have to know the area very well to locate the cache by picture alone. :)

Simply outputting calculated final co-ords for the cacher to then enter into a gps is a bit naff and so is including a geochecker on the cache page

 

Exactly this. No confirmation in the Wherigo, no 'solution' in the Wherigo. A cacher can only infer a final location based on how they played the cartridge. If they're wrong, they're wrong. Now you could add a geochecker to remove the potential annoyance of a wasted trip with a wrong answer (though old puzzles never really had that option; we're kind of spoiled by the benefit of geocheckers these days).

 

6 hours ago, bflentje said:
9 hours ago, Delta68 said:

Not if the information isn't there they are not.

ALL cartridges are hackable. Getting the final coordinates to the cache is something altogether different.

 

I don't think delta68 ever meant that Wherigo cartridges themselves aren't hackable merely by the non-existence of coordinates. Especially given the post right above your comment. I'm sure the implication was more like the "Wherigo cache isn't hackable", as in a person can't cheat, to get the coordinates.  So yes, the manner in which the user obtains final coordinates is the issue at hand, not merely hacking a cartridge.
