
Fake Gps Wherigo Cartridges


javilo99


Hi everyone, I have been creating a huge and complete cartridge in my neighbourhood, but today I realized people can make traps by using apps to move their phone GPS location from their homes...

 

(And of course, I have done all the work for people to enjoy it, not just sitting on their sofas)

 

So, is there any way to detect or eliminate a use of a fake gps on the Wherigo app with programming?

 

(I'm doing it on Urwigo)

Link to comment

I've come across cartridges that throw a "this cartridge is meant to be played in the field" "error" when I try them on the webwigo emulator. I use the emulator to know where the cartridge would take us while preparing a caching day; solving it at home has no use as you don't get a completion code.

So it can be detected to halt the cartridge.

 

Link to comment
9 hours ago, javilo99 said:

So, is there any way to detect or eliminate a use of a fake gps on the Wherigo app with programming?

 

Yes, there is. But builders (Urwigo and Earwigo) only know how to detect and deal with emulators (Webwigo and others).

 

I've been told that a French Wherigo author wrote a cartridge able to detect fake GPS on top of that. He used LUA author code. He doesn't want to share his code (but there is at least one cartridge using this "in the wild").

Link to comment

The only way is...

1. Don't write the final coords in the cartridge. Nowhere. (No text, no image, no final zone).

2. Ask a question which can only be answered in the field AND make the cartridge (or the player) calculate the final coords by using the answer found in the field.

 

But, whatever you'll do, there always could be someone who finished the cartridge and gave the coords to their friends, who would share in turn...

Link to comment

There are all sorts of fun things you can do:

  • Have invisible zones someone will end up walking through.  If the person doesn't (and the associated flag isn't set), you'll know the person is spoofing a GPS signal.
  • Ask questions that can simply and only be solved in the field.
  • I like that other thing: calculate the final coordinates via answers given.  Or at least do A=, B=, C= with the answers.
  • Create a fun little function that grabs coordinates for five or ten seconds while the player is reading some text on the cartridge.  If the coordinates are the same, the GPS signal is spoofed.  However, it's likely the spoofing app will also imitate coordinate bounce, so this might not be as good as I thought.
  • You could time how long it takes someone to reach a zone.  If it takes 10 seconds where riding a bike would take 40, you know they're spoofing the coordinates.

Of course, there's an easier way for people to get the final coordinates: just ask someone who has completed the cartridge.  The only thing you could do about that would be to have on the cache an electronic lock that changes its combination every day and the cartridge provides the day's combination.  (Then again, someone might come up with a solver for it just for fun.)

 

Most people will play the cartridge the right way.  The best thing is to give them a rewarding experience those who just want to go to the final won't have.  If you craft an experience everyone wants to play, you won't have to worry about many people going right to the final.

  • Upvote 1
  • Love 1
Link to comment

I've tried solving this problem, many times, but am yet to succeed—this is evidenced by the fact that I own zero Wherigos. However, I have thought about it, and here are some of the ideas that I've devised/ripped off someone else.

 

  • Craft the questions and answers such that they cannot be researched. Even better, ask multiple questions—one to prove you are there, and one for the coordinates (ie. "In what year did..." ⇒ "Congratulations! Now count the flagpoles for <A>".)
  • You could grab the player's location on a looping timer (once every five seconds, say), and calculate their speed/velocity to try and catch those moving in super-human ways. Even better, keep track of the last (say) two minutes of activity, and perform analysis on the extended data. This would likely catch a good majority of the spoofers.

 

Of course, that won't stop those who take it "a step beyond spoofing" (I won't elaborate on how, but am happy to explain.)

 

I've seen some cartridges that also manage to solve that problem by hosting the entire "experience" on a remote server. Upon launch, they direct you to a website—from that point forward, everything else is done via the website. The server serves unique location(s)/question(s) to each player and keeps track of progress on the server-side. "A glorified Adventure Lab" is the only way I could describe it.

 

My "dream" solution, though, is to "design" a fictional microprocessor (think 6502) and write an emulator of it. Then, I could write cartridges, but as binaries for the (emulated) microprocessor. I find it extremely unlikely that there are many cachers out there who have experience configuring custom binary formats in ida/radare2... :lol::laughing:

 

————————

 

(and to answer @Ranger Fox's not-question...)

 

On 9/1/2020 at 9:01 AM, Ranger Fox said:

Create a fun little function that grabs coordinates for five or ten seconds while the player is reading some text on the cartridge.  If the coordinates are the same, the GPS signal is spoofed.  However, it's likely the spoofing app will also imitate coordinate bounce, so this might not be as good as I thought.

 

...yeah, I have found that most apps have an option to imitate coordinate bounce. :sad:

 

Edited by Hügh
Link to comment
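
The looping-timer speed check suggested in the two posts above (time taken to reach a zone; speed over the last two minutes of fixes), as an added example that is not code from any poster or from Urwigo. It is plain Lua with no Wherigo API calls; `record_fix`, the 12 m/s ceiling and the two-violation threshold are assumptions, and the sample track is constructed.

```lua
-- Added example: plain Lua 5.1, no Wherigo API calls. All names are hypothetical.
local EARTH_R  = 6371000   -- mean Earth radius in metres
local WINDOW_S = 120       -- keep two minutes of fixes
local MAX_MPS  = 12        -- assumed ceiling (~43 km/h, a fast cyclist)
local MIN_HITS = 2         -- require two violations so one GPS glitch is tolerated

-- Great-circle distance in metres between two fixes (haversine formula).
local function distance_m(a, b)
  local rad = math.pi / 180
  local dlat = (b.lat - a.lat) * rad
  local dlon = (b.lon - a.lon) * rad
  local h = math.sin(dlat / 2) ^ 2
          + math.cos(a.lat * rad) * math.cos(b.lat * rad) * math.sin(dlon / 2) ^ 2
  return 2 * EARTH_R * math.asin(math.min(1, math.sqrt(h)))
end

local track = {}  -- fixes of the form {t = seconds, lat = degrees, lon = degrees}

-- Call from the cartridge's five-second timer with the player's position.
-- Returns: suspicious (boolean), fastest segment speed in the window (m/s).
local function record_fix(t, lat, lon)
  track[#track + 1] = { t = t, lat = lat, lon = lon }
  -- Drop fixes older than the window; the newest fix always remains.
  while track[1].t < t - WINDOW_S do table.remove(track, 1) end
  local hits, fastest = 0, 0
  for i = 2, #track do
    local dt = track[i].t - track[i - 1].t
    if dt > 0 then
      local v = distance_m(track[i - 1], track[i]) / dt
      if v > fastest then fastest = v end
      if v > MAX_MPS then hits = hits + 1 end
    end
  end
  return hits >= MIN_HITS, fastest
end

-- Constructed sample: a walk at about 1.3 m/s, then two jumps of about 500 m.
local samples = {
  {0, 40.41680, -3.70380}, {5, 40.41686, -3.70380}, {10, 40.41692, -3.70380},
  {15, 40.42140, -3.70380}, {20, 40.42590, -3.70380},
}
for _, s in ipairs(samples) do
  local bad, v = record_fix(s[1], s[2], s[3])
  print(string.format("t=%3ds fastest=%6.1f m/s suspicious=%s", s[1], v, tostring(bad)))
end
```

In a cartridge, the timer's tick handler would pass the current time and the player's position to `record_fix`; how those values are read depends on the builder.
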
6 hours ago, Hügh said:

My "dream" solution, though, is to "design" a fictional microprocessor (think 6502) and write an emulator on it. Then, I could write cartridges, but as binaries for the (emulated) microprocessor. I find it extremely unlikely that there are many cachers out there who have experience configuring custom binary formats in ida/radare2... :lol::laughing:

Well, I'm afraid I have no idea about that :laughing::laughing::laughing:

 

Thanks to all, I will put questions that can only be answered in the place and trust everyone (or almost everyone) to do the cartridge correctly.

 

Even if they want to make traps, it's their fault....

  • Upvote 1
Link to comment

Fun, true story:

 

Many of my cartridges started out as experiments.  One such experiment was in hacking deterrence.  If the emulator was detected through normal means, the cartridge would omit some zones, going into a sort of trial version so people can see what the cartridge is about, but not enough to complete it.  In my code, I used unencrypted strings for answer validation and one encrypted string right next to an unencrypted one.  I also had coordinates unencrypted if people were to open the cartridge file in notepad.  I had an image with those same coordinates within the cartridge so people who extracted images would see it.  I had a zone labeled "geocache" in case people either decompiled the cartridge or plugged it up to something that read zone information.  The thing was, that was not the geocache's final coordinates.  Instead, I had some math going on later in the cartridge.  I believe I even left the cartridge open source.

 

So, one day, I received an email from someone who said he went through my area and tried to find the cartridge's final, but couldn't.  He asked permission to log a find since he put in the effort to play through the cartridge.  For my caches that involve effort to do, I don't have a problem with someone from far away logging a find if there's a maintenance problem.  I consider that courtesy or compensation.  Prior to allowing the log, I asked him for the final coordinates just to check to see if he played through the cartridge.  He supplied me with the bogus coordinates.  I replied, stating had he played the cartridge in the area, he would have received the real coordinates since the cartridge was an experiment in cheat protection and those were the bogus coordinates.  We both had a good laugh at his being caught.  We talked for a while after that.  I also stopped by where my cartridge's final was and made sure it was still in place, too.

  • Upvote 1
  • Funny 2
Link to comment
