Jump to content

Hide a Zone - unhackable


Wühlmaus86

Recommended Posts

Hello WIG-Fans and Programmers,

 

I started creating a Wherigo cartdrigde with a hidden Final Zone which will be activated and visible after completing some tasks. Standard so far.

 

Then I found out how easy it is to extract data like zones, characters, dialogs, messages and more with GC Wizard.

 

For that case I decided to place the zone somewhere else and move it to it's final location at runtime. Functions to this are discussed here many times. Everything works fine so far.

 

Then I found the Log-file which is created when starting the cartdrigde. The move of the zone is logged inside including the final coordinates (zone point).

 

I know unlikely a normal Cacher would go so far, but finally the zone which position should be unknown could be found out.

 

So my next thought was to disable logging. There is an option in Urwigo for that (standard is disabled), but logging to owl-file keeps active.

Changing the line myCartridge.UseLogging = true to false didn't change anything.

 

Hope anybody here has a solution for absolutely make it impossible to get zone coordinates or disable logging in Wherigo.

 

I'm using Urwigo for creating and Android WhereYouGo App for running cartridges.

Link to comment

I haven't had problems with people looking through log files.  Usually, they just load the cartridge onto their phones and don't know how to access the log files it produces.

 

I believe the easiest thing to do is just have a zone called "geocache" or "final" that you move upon the cartridge's completion.  Speaking from my own experience at hacking cartridges (I can see the source code), if I see a zone labeled that, I don't even look at the rest of the cartridge's code to see if it's doing anything.  If I get it wrong, I just play the cartridge in the field (I usually play them, but I like having the coordinates ahead of time so I can sign the log if wander close while playing the cartridge--or in case something happens).  So, in my opinion, just moving a zone called that is enough to deter.

 

If you would like an unhackable cartridge, have the player's answers determine the coordinates for the final.  For example, if a player enters "4" for how many benches are in an area, don't validate that, but instead use the number four in assembling the final zone's coordinates.  If the player got it wrong, they'd be taken to the wrong place.  You could also just use the cartridge to show the player what numbers to find and let the player assemble the final coordinates manually.

 

In the end, though, just mild deterrence is enough.  You want to encourage people to play your cartridge instead of do a lab cache.  Don't make it too difficult or complicated for them and don't take too much of their time.  And you can do nothing to deter the most effective means at hacking a cartridge: people talking and and sharing the final's coordinates.

Link to comment

Thank you ranger fox. And yes your're right. The myist people load the cartdrigde and play it in field.

For myself, I don't know any Geocacher who goes as far as I described above.

 

But the question was, if it is possible to make it safe against the usual tools (GC Wizard e.g.) and ways to find out more information than wanted from the creator.

The question is strictly technical 😉

 

To get to the point: Is it possible to disable the Log-file, or disable logging single actions? In Urwigo there is a checkbox for that, but it changes nothing in bahviour of logging actions in the .owl.

Is it an Urwigo bug? Does there exist another Wherigo function or command which disables it?

Link to comment
5 hours ago, Wühlmaus86 said:

But the question was, if it is possible to make it safe against the usual tools (GC Wizard e.g.) and ways to find out more information than wanted from the creator.

 

Generally, no, it is always possible to extract everything (images, music, data, logic) from the cartridge. Of course, few have the skills/tools for this, but you will never be able to stop them.

 

5 hours ago, Wühlmaus86 said:

Is it possible to disable the Log-file, or disable logging single actions?

 

In theory, yes, but if the Groundspeak compiler is enabling it again you likely do not have a choice. 

Link to comment
1 hour ago, Hügh said:

In theory, yes, but if the Groundspeak compiler is enabling it again you likely do not have a choice. 

 

That sounds interesting but how does it work in your opinion?

When the Groundspeak compiler enables it again, than it is so. I would give it a try.

Link to comment
5 minutes ago, Wühlmaus86 said:

That sounds interesting but how does it work in your opinion?

When the Groundspeak compiler enables it again, than it is so. I would give it a try.

 

The issue is that every cartridge is ultimately compiled on Groundspeak's servers. If something is wrong there and it is enabling logging when it shouldn't then there is nothing you can do. 

 

That reminds me, make sure that this option is set off on the website. 

 

Screenshot_20220602-111229.thumb.png.8ed267fabe7c03637a18298c7030f60a.png

Link to comment
23 hours ago, Hügh said:

 

The issue is that every cartridge is ultimately compiled on Groundspeak's servers. If something is wrong there and it is enabling logging when it shouldn't then there is nothing you can do. 

 

That reminds me, make sure that this option is set off on the website. 

 

Screenshot_20220602-111229.thumb.png.8ed267fabe7c03637a18298c7030f60a.png

Where can I find this option?

Link to comment

While I was creating my first big WIG-project I experienced something similar, how easy it is in some cases to cheat. And there will always be these, who will do it. Best example ist the "Reverse Cache Solver": you can get the answer to all of the -Waldmeister- based Wherigo reverse caches from different tool- pages/apps without even installing a WIG-Player on your device (that's why many cachers have trouble to play a Wherigo for real, 'cause the assume WIG is "three numbers to get the coords").

And you (as developer of a cartridge) can't fully control who's taking a shortcut.

 

I do check my cartridges with a crumbler before publish, if there are informations so obvious provided, that everyone can find it. e.g. the coords. For my play anywhere cartridge I do offer the location for the container, when the task of the cartridge is completed. But I try to avoid that the coords could be found in the plain text file just by searching for "N50" or "N 5 0"... this is no guarantee, but that keeps a few opportunists and their "Quick find T4TCA$H" (and then a mile long standard signature with tons of emojis, just to keep the "diamond author badge"-state in project GC up) logs away - it's always those. Sometimes I do add fake messages just for the lulz (and even once I hang a wooden "cheater" sign at one of these wrong spots).

 

The other thing is: create a cartridge on one hand and give players a task that only could be fulfilled outside of the cartridge where the answer is not in the cartridge at all.
For example: If you want a player to visit the last stage, give them an extra task there: "There's a sign with 2 words. Send an email to word1word2@example.com." Create an auto reply for this mailbox with the coords of the final location or give them just the latitude in the cartridge and the longitude via the mail (reviewer approved).
If someone uses a crumbler, at least they have to visit the lasts stage before the final. Of course you can add up different tasks this way - but be aware, that too many extra tasks will not be accepted. Maybe it fit's somehow in your story to have to send an email at the end ..?

 

In my opinion - if the cartridge sounds fun and doable in the cache listing - it will be played by those who appreciate a good WIG.

  • Upvote 1
Link to comment

There's no way to truly secure a static piece of information in the Wherigo cartridge, as it's completely self contained. And if an app can play it through to determine the final, ultimately so can a human hack it. You could encrypt the code, but the functionality to decrypt is also there.

 

One option you could use is to not actually have any verification of the 'correct' final (whether it's static code or a built in checker of some kind).

 

That is to say: You could use a word or number the user has to learn by performing a task or answering a question.  If you used that answer to encode the final coordinates or zone, then as long as there's no checker to verify the correct answer, whatever they choose can be used as the key and the app would navigate there. Obviously, wrong answer means wrong final location. Only the correct answer would lead to the correct location.

Downside is there's no clear way for the user to know it's correct. However depending on how the info is encoded, any wrong answer could, say, lead to the other side of the world. The user would need to judge if the decoded final seems feasible.

 

The hackability of that Wherigo is only as good as the ability for the question to be answered correctly without doing the needed task (much like questions for earthcaches and virtuals).

 

 

In short:

Find a code or number you can require the user to find, and encode the final location with it - don't include the final location in the cartridge, only the encoded text. Don't provide a validity check, just have the cartridge decode the cipher with the whatever the user enters. If there is only one right answer, the user will only know if they enter it AND find the geocache.  (you could offer a checksum of some kind, but that does make brute forcing a little simpler). The hardest part would probably be finding an encoding function that minimizes the chance of guessing the right answer. (eg, using a simple vigenere on a string can easily be brute forced with decryption tools)

 

Alternatively it could be as simple as doing what a puzzle cache might do, determining the 3 decimal digits of the lat and lon coordinates, just without a verification check in the Wherigo. That could be mean though. I wouldn't do that without a checksum on the key they use.

Edited by thebruce0
Link to comment
On 8/3/2022 at 8:33 AM, kiwiflip said:

In my opinion - if the cartridge sounds fun and doable in the cache listing - it will be played by those who appreciate a good WIG.

 And those who will cheat and hack rather than do the WIG for the smilie, are going to do that anyway.  :::shrug:::  A CO can make it more difficult to hack, but  a die-hard hacker will put the effort into hacking rather than actually doing the WIG and probably get more satisfaction from that than the geocaching aspect of it.  To each his/her own, and YMMV and all that.

Link to comment
On 8/11/2022 at 7:39 PM, CAVinoGal said:

 A die-hard hacker will put the effort into hacking rather than actually doing the WIG and probably get more satisfaction from that than the geocaching aspect of it.

Actually, if I come across a cartridge that is supposed to be difficult to hack, I'll derive more enjoyment from the hacking challenge than I would playing through it normally.  I'll still try to play through it normally, but by then I'll just consider it a formality.  I believe the best defense against hacking is crafting an experience that makes people want to play through it. 

 

Given a multi's final coordinates up front, what would decide whether I do the final or visit each stage is my expectation of the experience I'd have in doing it the normal way.  Just this year, in fact, I had the coordinates to each stage in a multi.  I didn't think much of the multi, so I went to the final stage first.  I liked what I saw and was curious, so I went to the next to last stage and liked that, so ended up doing the entire cache in reverse because I enjoyed the stages and they weren't a pain to get to.  This is what you want to happen with a cartridge you create: though someone hacked it, they saw the fun experience you laid out, so they play through it anyway and pick up the final cache whenever they're near to it.  Make it be worth someone's time to play your cartridge.  Time is a resource more precious than money.  Make me be willing to pay you with my time for the experience you're offering.  Give me a reason to find your cache, cartridge, virtual, or whatever compared to another one nearby.  If you create a worthwhile experience most people enjoy, who cares if one or two people deprive themselves of that and just go to the final?  At their point, it's their loss.

  • Upvote 5
Link to comment
On 8/12/2022 at 9:11 PM, Ranger Fox said:

Actually, if I come across a cartridge that is supposed to be difficult to hack, I'll derive more enjoyment from the hacking challenge than I would playing through it normally.  I'll still try to play through it normally, but by then I'll just consider it a formality.  I believe the best defense against hacking is crafting an experience that makes people want to play through it. 

I had a friend put out a Wherigo that used a function which the phone player didn't support. So, being unable to complete his Wherigo, I hacked it. And discovered he had made it intentionally difficult to hack, placing red herrings in code that one would see from a 'basic' decompile. But there was a very long string, encrypted, suspicious. I traced the code and determined the function that decrypts the string.  Rewriting it, I managed to reverse engineer the code and discover the inline source code that gets executed as the "real" Wherigo. The function the app didn't support was the JIT compiler command to run the decrypted source code.  But inside that code was the real final location.

I was quite proud of my reverse engineering of his code and decryption algorithm.  Like you said, I derived far more enjoyment from that exercise, and he enjoyed watching me dig at it :)

 

That said, I wouldn't simply give out the answer to other people. I worked for it. And the cartridge itself if you run it on a supported device is quite a reasonable 'game'.  But sometimes ya gotta do what ya gotta do!

  • Love 1
Link to comment
13 hours ago, thebruce0 said:

Rewriting it, I managed to reverse engineer the code and discover the inline source code that gets executed as the "real" Wherigo.

 

Heh; I love that I know exactly which Wherigo you're talking about -- I did the same thing.

Link to comment
On 8/24/2022 at 2:58 PM, Hügh said:

Heh; I love that I know exactly which Wherigo you're talking about -- I did the same thing.

Reeeeealllly??  Curious!  It was actually the first Wherigo I ever found back in 2009. If you know of it, I am super curious how you came to know it! heh

 

EDIT: No wait, I'm thinking of the wrong one... not my first Wherigo found, but it is by the same CO :P And question still stands! hehe

Edited by thebruce0
Link to comment
28 minutes ago, thebruce0 said:

Reeeeealllly??  Curious!  It was actually the first Wherigo I ever found back in 2009. If you know of it, I am super curious how you came to know it! heh

 

EDIT: No wait, I'm thinking of the wrong one... not my first Wherigo found, but it is by the same CO :P And question still stands! hehe

 

Getting Warmer?

 

I believe that I mentioned that I'm off to UW, when I met you at Geowoodstock? Last October, I visited the campus with some friends. While there, I took a look at the Geocaching map, noticed that one, and gave it a go (heh; I "gave it a go") :bad:.

 

Knowing that you're in the KW area, I knew that your previous post had to be about Getting Warmer.

 

(That reminds me, there was a question I wanted to ask you. I'll send you a private message later.)

Edited by Hügh
Link to comment
58 minutes ago, Ranger Fox said:

By the way, I was halfway tempted to create a cartridge where the entire point is to try to hack it.  I decided against it, though, because it'd be teaching people the wrong thing.

 

You know, I've considered something like that too. But I'm yet to actually follow through.

 

If you need ideas, you may enjoy GC7EX5X et seq.

Link to comment

You could do that, and list it as a mystery. If you can't 'complete' the Wherigo by playing as an actual Wherigo - because the intent is to hack the Wherigo instead - then it would be classified as a puzzle/mystery rather than a Wherigo. But there's no reason, I'd say, why you can't make a puzzle cache with hack-the-Wherigo as the puzzle.

Except, as said, "it'd be teaching people the wrong thing" ;P

But there are other file types you could make use of to teach people to reverse engineer the specs. We had one like that for a PNG file. Play with GC27N8Z :)

  • Love 1
Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
×
  • Create New...