>> Pokémon GO - REVISITING THE "HACKING" SCENE (PART 3)
Another fortnight, another forced update - and yet another round in the
cat-and-mouse game.
Earlier this week, Niantic updated the Pokémon GO client to 0.45 and, just a
few days after the release, forced players to update to continue playing. The
#re team plugged away at the new binaries to find the elusive hash function,
but ended up running into UC_ERR_INSN_INVALID error messages when utilizing
the Unicorn CPU emulator, while others started the painstaking effort of
tracing the code to find the magic numbers used in the hash.
So, what changed exactly? Was Niantic onto the fact that hackers were
utilizing a CPU emulator?
A closer look at the offending instructions:
__text:01B175D2 04 F9 ED 82    VST1.64    {D8-D11}, [R4@128]
__text:01B175D6 04 F9 EF C2    VST1.64    {D12-D15}, [R4@128]
...
__text:01B17CF4 24 F9 ED 82    VLD1EQ.64  {D8-D11}, [R4@128]
__text:01B17CF8 01 BF          ITTTT EQ                        ; If Then
__text:01B17CFA 24 F9 EF C2    VLD1EQ.64  {D12-D15}, [R4@128]
These instructions are part of the NEON and VFP instruction subset available
within the ARM CPU architecture. They are specific to storing and loading a
structure in memory, much like the typical push and pop opcodes that we saw in
previous disassembled versions of the hash function within the pokemongo
binary. It seems to have been a step by Niantic to block the use of CPU
emulators; I guess they never checked for a workaround, if this is the case.
Instructions were quickly posted online explaining the new function offsets,
along with a cryptic description of how to modify the existing pogohash
routines to work around the NEON/VFP instructions - it seems a lot of people
are having trouble with this (based on the private messages I get in Discord).
A nice little work-around (love the "old skool" pun), but this morning I
woke up early and thought there had to be a way to enable NEON/VFP
instructions within the Unicorn CPU emulator. I ended up coming across a
GitHub issue that states you can enable NEON/VFP programmatically. A set of
opcodes is provided in the discussion, but they still failed with
UC_MODE_THUMB - as it seems these were for UC_MODE_ARM. Further digging and
another GitHub issue brings home the bacon.
The secret sauce?
char neon[] = {
    0x4f, 0xf4, 0x70, 0x00, // mov.w r0, #0xf00000
    0x01, 0xee, 0x50, 0x0f, // mcr p15, #0, r0, c1, c0, #2
    0xbf, 0xf3, 0x6f, 0x8f, // isb sy
    0x4f, 0xf0, 0x80, 0x43, // mov.w r3, #0x40000000
    0xe8, 0xee, 0x10, 0x3a  // vmsr fpexc, r3
};
Heck, even ARM documents how to enable VFP support within their online
documentation.
With a few tweaks to the code, NEON/VFP mode is enabled and the hash function
executes without any dramas and gives us hash values again. The opcodes only
need to be executed once, so POGO_init() is a great place for them. Executing
the program with the test vector:
$ ./pogohash
PogoHash
--------
:: init()
pokemongo.45.0
387 patches
done
:: Hash(buffer, sizeof(buffer) [iOS code]
61 24 7f bf 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 len=28
0x5dc125ef6f8cb103
done
:: quit()
done
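The stub and the disassembly above, as an added check that is not code from the original post or the pogohash project: it decodes the five Thumb-2 instructions to confirm they are Thumb encodings that write CPACR (MCR p15, c1, c0, 2 with 0xF00000, full access to cp10/cp11) and set FPEXC.EN (bit 30), then runs the stub once in Unicorn's UC_MODE_THUMB ahead of one of the listing's VST1.64 instructions. The unicorn package, the scratch address and the helper names are assumptions.

```python
import struct
# The five Thumb-2 instructions from the post, in memory (little-endian) order.
NEON_STUB = bytes([
    0x4f, 0xf4, 0x70, 0x00,  # mov.w r0, #0xf00000
    0x01, 0xee, 0x50, 0x0f,  # mcr p15, #0, r0, c1, c0, #2   (CPACR)
    0xbf, 0xf3, 0x6f, 0x8f,  # isb sy
    0x4f, 0xf0, 0x80, 0x43,  # mov.w r3, #0x40000000
    0xe8, 0xee, 0x10, 0x3a,  # vmsr fpexc, r3
])
# One of the offending instructions from the listing: vst1.64 {d8-d11}, [r4@128]
VST1_D8_D11 = bytes([0x04, 0xf9, 0xed, 0x82])

def thumb_expand_imm(imm12):
    """ThumbExpandImm from the ARM ARM: 12-bit modified immediate -> 32 bits."""
    if imm12 >> 10 == 0:                       # replicated-byte forms
        b = imm12 & 0xff
        return [b, b << 16 | b, b << 24 | b << 8, b * 0x01010101][(imm12 >> 8) & 3]
    unrotated = 0x80 | (imm12 & 0x7f)          # '1' followed by imm12<6:0>
    rot = imm12 >> 7                           # rotate right by imm12<11:7>
    return ((unrotated >> rot) | (unrotated << (32 - rot))) & 0xffffffff

def decode_mov_w(insn):
    """MOV (immediate) encoding T2 -> (Rd, imm32), or None if not a mov.w."""
    hw1, hw2 = struct.unpack("<HH", insn)
    if (hw1 & 0xfbef) != 0xf04f or hw2 & 0x8000:  # 11110 i 0 0010 S 1111 | 0 imm3 Rd imm8
        return None
    imm12 = ((hw1 >> 10) & 1) << 11 | ((hw2 >> 12) & 7) << 8 | (hw2 & 0xff)
    return (hw2 >> 8) & 0xf, thumb_expand_imm(imm12)

def decode_mcr(insn):
    """MCR encoding T1 -> (coproc, opc1, Rt, CRn, CRm, opc2), or None."""
    hw1, hw2 = struct.unpack("<HH", insn)
    if (hw1 & 0xff10) != 0xee00 or not (hw2 & 0x10):
        return None
    return ((hw2 >> 8) & 0xf, (hw1 >> 5) & 7, hw2 >> 12, hw1 & 0xf, hw2 & 0xf, (hw2 >> 5) & 7)

def vst1_runs_after_stub(scratch=0x10000):
    """Run the stub once on a fresh UC_MODE_THUMB instance (the job POGO_init() does
    in the post), then the vst1.64; True if no UcError is raised. Assumes unicorn."""
    from unicorn import Uc, UcError, UC_ARCH_ARM, UC_MODE_THUMB
    from unicorn.arm_const import UC_ARM_REG_R4
    uc = Uc(UC_ARCH_ARM, UC_MODE_THUMB)
    uc.mem_map(scratch, 0x2000)                     # scratch: assumed free address
    uc.mem_write(scratch, NEON_STUB + VST1_D8_D11)
    uc.reg_write(UC_ARM_REG_R4, scratch + 0x1000)   # 16-byte aligned store target
    try:
        uc.emu_start(scratch | 1, scratch + len(NEON_STUB) + 4)  # |1 = Thumb entry
        return True
    except UcError:
        return False
```

Without the stub the same emu_start raises UcError with UC_ERR_INSN_INVALID on the vst1.64, which is the failure described above.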
While I previously posted the full working server online, this one I will
leave up to the reader to figure out how to make the changes. The last thing
we need is to see the return of those Pokémon GO bots that simply mess up the
game for those who actually want to play it. I will, however, put in a small
plug for pokefarmer.com - with whom I Skyped in detail to get it working again.
The ball is now in Niantic's court again - I wonder how long they will
continue this charade. It seems they are ignoring the fact that all these
forced updates bring frustration to their user base - people who actually
want to play the game. With every new update, the #re team is learning more
and the turnaround times will only get shorter. Niantic should simply give up
at this point.
UPDATE: 2016-11-12
I just keep getting flooded by newbies who have no clue, so here are the
source files for the above hacks. Do not ask for support or clarification on
how to get the Unicorn bindings to operate - this stuff has been posted for
informative purposes only. The magic numbers have also been found through the
hard efforts of @marcel - removing the dependency on Unicorn.