This week’s Big Bugs podcast is near and dear to my heart, combining three of my favorite things: mobile hacking, gaming, and security in general. In this episode, I’ll start with a brief history of Niantic and Pokémon Go and review some of the technical issues the game has experienced. The bulk of the podcast is focused on how the hacking scene found ways to reverse engineer the game, and of course some tips and tricks so you can catch ’em all.
It’s a bit longer than the usual Big Bugs podcast, but I feel like it’s well worth it, as the Pokemon Go phenomenon has been amazing to experience and be part of. Below the recording, I’ve included some notes to accompany this episode, and resources referenced as well.
Subscribe to our Bugcrowd Podcast RSS feed here: bgcd.co/bcpodcastrss
Technical Issues:
- The New Screen Savers podcast with Leo Laporte on mapping Pokémon Go
- One outage was claimed by a hacking group called “PoodleCorp”, which said it used a DDoS attack to take the servers down. John Hanke issued an apology for the server issues at Comic-Con 2016, stating “we weren’t provisioned for what happened.” Read the full article.
- “Some early iOS installs of Pokémon Go required users to provide the app with full access to their Google accounts, thereby allowing the app to access players’ Gmail-based email.” Dan Guido found that this did enable Niantic to access people’s email addresses and phone numbers, although unintentionally. Read the full article.
Reverse Engineering:
1. Client:
- The game is written in C# on the Unity engine.
- “The game is shipped using at least unity code stripping level 2. That means all .NET bytecode is compiled into native assembler code and packed up with everything else using IL2CPP. You can read more about the process here. Of course, that makes it much more tedious to reverse than just having a .dll you can pipe into ILSpy or dotnetReflector. In short, this means you won’t find the Unity script files as .NET bytecode, unless some debug version containing it pops up.”
- Current state of reverse engineering
- Reverse-engineer of the Android app
- What we know so far
- Does anyone know where the compiled Unity script assemblies can be found?
- Decoded GAME_MASTER protobuf file v0.1 – all Pokemon, move, item stats
- Unbundling Pokémon Go
- Reversed/reflection pastebin
- Looks like Niantic forgot to clear a few scripts on evolution
- Pokemon GO App Assets and Images
- Using proxy libraries to intercept JNI and Unity<->Native code calls.
- F# scripts to unsplit & split Unity asset files.
Follow ups from research:
- Unity Blog: An Introduction to IL2CPP Internals
- Unity Documentation: Optimizing the Size of the Built iOS Player
- Alan Zucconi: A practical tutorial to hack (and protect) Unity games
- Pyromuffin: Reverse Engineering Unity Games
- “.NET Reflector is a magical program written by timeless space wizards that takes .NET assemblies and turns them into C# code.”
- Pen Test Partners: Tearing down and reverse engineering Android (toys)
2. Network:
- Most traffic is not SSL. PoGo uses Protobuf (Protocol Buffers), Google’s binary serialization format. The structures are hard to interpret: on the wire all you get are numbered fields and wire types, with no field names or message names, so you need the .proto definitions (a kind of map) to make sense of them. It is not known whether the proto definitions in circulation were reflected out of a .dll or came from someone who had access to the beta version of the app, which revealed them.
- Still, parts of the traffic are actually encrypted; it remains to be seen whether this is anti-cheat or analytics.
- Guide to Pokémon Go Server Responses
- How was the RPC binary protocol determined?
- Protocol Buffer reverse engineering
- PokemonGo Decoder For BurpSuite
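As an added example (not code from the podcast, from Niantic, or from any of the projects linked above), the decoder below shows what “all you get are numbered fields” means in practice. It walks the Protocol Buffers wire format with no .proto file at all, recovering field numbers, wire types and values, and tries to parse each length-delimited field as a nested message before falling back to text or raw bytes. This is the starting point for reconstructing a schema by hand. The sample message is constructed for this example and is not captured Pokémon Go traffic; the last field stands in for an encrypted blob, which shows up as opaque bytes because it does not parse as a message.

```python
"""Schema-less Protocol Buffers wire-format decoder (added example)."""

VARINT, FIXED64, LENGTH_DELIMITED, FIXED32 = 0, 1, 2, 5

# Constructed sample message, not real game traffic.
SAMPLE = bytes.fromhex(
    "08 2a"                      # field 1, varint 42
    "12 07 7472 61696e6572"      # field 2, length 7, the string "trainer"
    "1a 08 0d 01000000 10 ac02"  # field 3, length 8, a nested message
    "32 04 ff fe 00 01"          # field 6, length 4, bytes that are not a valid message
)


def read_varint(buf: bytes, pos: int):
    """Decode a base-128 varint starting at buf[pos]; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def decode_message(buf: bytes, depth: int = 0, max_depth: int = 8):
    """Decode buf into a list of (field_number, wire_type, value) tuples.

    Raises ValueError when buf is not a well-formed field sequence, which is
    how the caller learns that a blob is a string, raw bytes, or ciphertext
    rather than a nested message.
    """
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field_number, wire_type = tag >> 3, tag & 0x07
        if field_number == 0:
            raise ValueError("field number 0 is invalid")
        if wire_type == VARINT:
            value, pos = read_varint(buf, pos)
        elif wire_type == FIXED64:
            if pos + 8 > len(buf):
                raise ValueError("truncated fixed64")
            value = int.from_bytes(buf[pos:pos + 8], "little")
            pos += 8
        elif wire_type == FIXED32:
            if pos + 4 > len(buf):
                raise ValueError("truncated fixed32")
            value = int.from_bytes(buf[pos:pos + 4], "little")
            pos += 4
        elif wire_type == LENGTH_DELIMITED:
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("truncated length-delimited field")
            raw = buf[pos:pos + length]
            pos += length
            value = guess_length_delimited(raw, depth, max_depth)
        else:
            # Wire types 3/4 are deprecated groups; anything else is not protobuf,
            # which in practice usually means an encrypted or unrelated blob.
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.append((field_number, wire_type, value))
    return fields


def guess_length_delimited(raw: bytes, depth: int, max_depth: int):
    """Heuristic: nested message if it parses cleanly, else printable UTF-8 text, else bytes."""
    if raw and depth < max_depth:
        try:
            return decode_message(raw, depth + 1, max_depth)
        except ValueError:
            pass
    try:
        text = raw.decode("utf-8")
        if text.isprintable():
            return text
    except UnicodeDecodeError:
        pass
    return raw


def dump(fields, indent: int = 0) -> None:
    """Print decoded fields one per line, recursing into nested messages."""
    names = {VARINT: "varint", FIXED64: "fixed64", LENGTH_DELIMITED: "bytes", FIXED32: "fixed32"}
    pad = "  " * indent
    for number, wire_type, value in fields:
        if isinstance(value, list):
            print(f"{pad}field {number} (message):")
            dump(value, indent + 1)
        else:
            print(f"{pad}field {number} ({names[wire_type]}): {value!r}")


if __name__ == "__main__":
    dump(decode_message(SAMPLE))
```

The nested-message guess is only a heuristic: a short string can occasionally parse as a valid field sequence, and a varint tells you nothing about whether the schema declared it as int32, uint64, bool or an enum, so the numbered fields still have to be matched against observed behaviour (or a leaked .proto) before the map is trustworthy.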
3. Third Party Development:
- Mila42 made the first API parser. The current and most-forked Pokémon map is by AHAAAAAAA.
- Sites like Pokevision are built on the same core algorithms.
4. Botting and patched clients:
- Botting stats: level 1 to 17 in 6 hours
- As mentioned, several patched clients exist for teleporting, in-game maps, etc. Be wary of these; there be dragons!
- Sideloading apps via shady enterprise app profiles on iOS
- Sideloading via shady APKs on Android
- /r/pokemongobotting
- OwnedCore forum on Pokemon Go
The future and securing PokemonGo:
- The RPC/Protobuf definitions could change, which would break a lot of projects (please don’t, Niantic!).
- Trading is going to be hit hard by bots. Niantic could add a level requirement so it has enough behavioural data to ban bots before they are able to trade.
- Rate limiting dropped yesterday, and the Pokémon maps are now inaccurate!
- More obfuscation and SSL pinning would help, but ultimately those things will be bypassed.
- It’s a cat-and-mouse game.
Game Tips:
- Low-level leveling: find a place with 3 lured stops close together and catch Pidgeys, Weedles and Caterpies (all cost 12 candies to evolve into their next form, and they are also the most common encounters). When you have enough candy to fill 30 minutes of evolutions, go ham.
- Some more GREAT tips here:
- You can force an Eevee evolution by naming it before you evolve.
- Sparky = Jolteon
- Rainer = Vaporeon
- Pyro = Flareon.
- Incense spawns a Pokémon every 2 minutes or so while you are moving, as opposed to every 300 seconds (5 minutes) while standing still.
- Use this for evolution detail tables (candy amounts, etc.)
- Overall stats of Pokémon
- Data-mined but unconfirmed, so take these with some context:
- The Trainer Level Cap is 40.
- Eggs cap at level 20, so an egg you get at level 37 still hatches at the same quality as one you got at level 20.
- Wild Pokémon cap at level 30, meaning that after level 30 everyone finds the same max-CP Pokémon, and it becomes a matter of spending the candy and stardust to power them up to your level’s cap along their CP arc.
- Curveballs and Accurate Throws (Nice, Great, Etc) have been confirmed as helping with the capture chance of a Pokeball throw.
- There may be future incubators that reduce the number of kilometers needed before eggs hatch. (There is an incubator called “distance” in the code.)
- Moves have an accuracy and a critical hit rate.
- Each unique Pokémon has its own capture and flee rate.
- Move Damage may go up with Trainer Level.
- Pokemon do become harder to catch as you level up.
- Mewtwo, Moltres, Zapdos, Articuno are Legendary.
- Mew is Mythic.
- Farfetch’d is out there… somewhere. As is Ditto.
- The charge meter fills by 0.5 for each 1 HP of damage dealt. This means a super-effective move that does more damage charges the special attack faster, which is actually really important to know.
- To level from 39 to 40 takes FIVE MILLION EXPERIENCE, and going from 1 to 40 takes Twenty Million. On my best day I can get about one hundred thousand exp, maybe 125k. So that’s like 3-4 months to go from 39 to 40. Won’t be seeing that any time soon! lol
- Pokémon have a base Attack, Defense and Stamina (HP); they do not have separate Attack and Special Attack stats like in the 3DS games.
- Dragonite has the strongest base attack for non-legends, at 250.
- MewTwo has a base attack of 284.
- Moltres has the highest base attack of the three legendary birds.
- Articuno has the highest base defense of the three.
- Zapdos is almost as high as Moltres in base attack but is likely lower due to Type Advantage.
- Pokémon have an evolution modifier and an HP modifier: when they evolve, both CP and HP go up by a set multiplier.
- Defending Pokemon at a Gym attack every 1.5 seconds.
- The Master Ball is in the game, no clue where it is found.
- The Legendary Pokemon do have a spawn rate – BUT – they have no capture rate, could this mean they require a Master Ball?
- STAB is present in the game, giving a 25% Bonus to an attack move. STAB stands for “Same Type Attack Bonus” and means if a Grass Pokemon uses a Grass move it will hit harder than if a Ground Pokemon used the same Grass move. This is a big deal confirmation.
Thanks everyone for tuning in for this episode of Big Bugs. Subscribe to the podcast to get new episodes as they become available each month. You can also subscribe to the Bugcrowd podcast RSS feed.