
Reverse engineering and removing Pokémon GO’s certificate pinning - mkane848
https://eaton-works.com/2016/07/31/reverse-engineering-and-removing-pokemon-gos-certificate-pinning/
======
chinpokomon
Pretty much how I started cracking game copy protections in the late
'80s/early '90s. I already owned the games I was cracking; it just became more
interesting to me how these protections were implemented and how I'd defeat
them. Sometimes I think that was more fun than the game itself. I just didn't
want to have to look up pages in manuals or read maroon-colored paper with
dark blue ink.

I didn't have the luxury of IDA Pro back then, but I did find a disassembler.
Using that I'd read through the game code until I found the conditional jumps
and then patched the original file with 0xE8 (JEZ?), 0xEB (JMP?), or 0xCD 0x90
(NOP?). At one time I used to be able to recognize just the opcodes in hex, so
I might have those wrong today.

When I started working at Egghead, I was granted time by my manager to crack
games for our demo station, so we wouldn't have to jump through hoops on the
sales floor. For various professional reasons I've had the pleasure of
bypassing my company's own protections. Most recently I used Smali/Baksmali to
demonstrate how our company's Android beta timebomb was pretty easy to
circumvent.

Once a hacker, always a hacker. I have no doubt that this low level tinkering
was why I got into computers in the first place and why they still hold my
fascination.

------
paste0x78
Seems to be down, Google webcache version:
[http://webcache.googleusercontent.com/search?q=cache:https:/...](http://webcache.googleusercontent.com/search?q=cache:https://eaton-works.com/2016/07/31/reverse-engineering-and-removing-pokemon-gos-certificate-pinning/)

~~~
ParadoxOryx
Thanks! Here's a copy on archive.is as well:
[http://archive.is/gjgYx](http://archive.is/gjgYx)

~~~
kuschku
And here is the archive.org version for the people in the countries where
archive.is is unavailable[1]:
[https://web.archive.org/web/20160801021520/https://eaton-wor...](https://web.archive.org/web/20160801021520/https://eaton-works.com/2016/07/31/reverse-engineering-and-removing-pokemon-gos-certificate-pinning/)

[1] The author of archive.is blocked entire countries in a fit of rage

~~~
dimino
Can you elaborate on [1]?

~~~
lstamour
It might not be blocked any longer...
[https://m.reddit.com/r/KotakuInAction/comments/46sefz/archiv...](https://m.reddit.com/r/KotakuInAction/comments/46sefz/archiveis_no_longer_blocked_in_finland/d07l9h6)

------
dozy
Patching an APK like this would break parts of the app, specifically the parts
that are arguably the most crucial to be followed by pinned API calls. For
example, in-app purchases via Google Play that validate the app's signing
would all fail. Similarly, restoring any previous in-app purchases would also
fail. Finally, you wouldn't be able to install this APK without uninstalling
the valid production APK first, again due to signature/signing mismatch.

~~~
maxerickson
A normal user wouldn't do this; someone who cared more about examining the
network traffic than in-app purchases would do this.

~~~
dozy
Agreed. I was commenting on this workaround's viability to be used by a bad
actor attempting to compromise the game and other players of it.

------
ethanhunt_
Very cool workaround in the article, but it feels like it's just another hole
that is going to be closed off. It's impossible to balance because on the one
hand we want these fortresses to protect us from prying eyes (see apple vs
fbi), but manufacturers are also using these fortresses to keep out owners who
just want to hack on their own things.

I'm glad Apple is working to keep backdoors out of iOS, but I still prefer
Android because I can get into it any way I want, and do things like the OP
without having to resort to backdooring my own device.

~~~
zeveb
> It's impossible to balance because on the one hand we want these fortresses
> to protect us from prying eyes (see apple vs fbi), but manufacturers are
> also using these fortresses to keep out owners who just want to hack on
> their own things.

I think it's very easy to balance: it's _my_ fortress, because I bought it; I
should therefore be allowed and enabled to make it do anything I like. The
recent changes which Google have announced — which mean that apps will no
longer respect the keys I have installed on my devices — are a move in
_exactly_ the wrong direction.

~~~
jluxenberg
How do you prove to the device that _you_ are the one who bought it? You don't
want e.g. an FBI agent to be able to root your device.

~~~
zeveb
> How do you prove to the device that you are the one who bought it?

An arbitrarily-complex passphrase of my choosing plus a fingerprint seem
reasonable.

~~~
mavhc
Plus a set of long and complex commands to type to stop normal people being
tricked into enabling it

~~~
zeveb
Y'know, I honestly don't care all that much if normal people can screw up:
learning not to screw up should be part of the public school education all our
taxes pay for. We trust normal people not to stab themselves in the eye, not
to shoot themselves through the head, not to crash their cars into others: we
should trust them not to do stupid stuff on their computing devices.

And when they do, we should hold them liable for any damage their actions have
caused to others, just as we do with all those other tools. Yes, I think
liability for allowing one's computer to become part of a botnet is a Good
Idea™. Car crashes aren't accidents, and allowing one's computer to become
infected isn't accidental either.

~~~
mavhc
We ban guns, have extensive driving courses, and let anyone do anything with
computers.

Of course if your car crashed because you were driving down a street that a
criminal was standing on you'd probably take it back for being terrible.

~~~
zeveb
> We ban guns

Not in civilised countries.

> have extensive driving courses

That's what I'm arguing for. In this country the public pays for 12-13 years
of education and subsidises another four; I'm arguing that among the subjects
we should cover with that massive investment is 'don't be an idiot with
computers,' much as we have drivers' ed.

------
dpflan
Related:
[https://news.ycombinator.com/item?id=12204742](https://news.ycombinator.com/item?id=12204742)

------
alfon
In iOS though, SSLKillSwitch v2 does the job well.

------
baby
This seems overly complicated. He could have made the public key
extremely small by just placing 0x00s in it so that he could crack it. Easy
patching.

~~~
ajnin
He patches two instructions, or 4 bytes, removing the check entirely. No need
to "crack" anything. Seems like a pretty simple solution to me.

You'll also notice that the code checks for the certificate length so I'm not
sure replacing it with zeroes would have worked.

~~~
baby
The key is still the same length, it just has a lot of zeroes.
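For readers following the exchange above about what the pinning check actually compares, here is an added illustration of the two common forms of a certificate pin check. This is example code written for this thread, not code from the article, from the game, or from any commenter; the "SPKI" byte strings are constructed stand-ins rather than real keys. The raw byte-compare form shows the length check followed by a content compare that ajnin describes, so a same-length blob of zeros still fails; the hashed form ("sha256/<base64>" of the SubjectPublicKeyInfo) is what HPKP and OkHttp's CertificatePinner use, where the app embeds only a digest rather than the key itself.

```python
import base64
import hashlib
import hmac

# Constructed sample data (not real certificates): stand-ins for the
# DER-encoded SubjectPublicKeyInfo of the server's key and of an unrelated key.
SERVER_SPKI = bytes([0x30, 0x59, 0x30, 0x13]) + bytes(range(85))
OTHER_SPKI = bytes([0x30, 0x59, 0x30, 0x13]) + bytes(range(85, 170))


def raw_pin_matches(pinned: bytes, presented: bytes) -> bool:
    """Byte-for-byte pin: check the length first, then compare contents in
    constant time.  A presented blob with the right length but different
    bytes (for example all zeros) fails the second step, so the embedded
    reference itself would have to change for it to pass."""
    if len(pinned) != len(presented):
        return False
    return hmac.compare_digest(pinned, presented)


def spki_pin(spki_der: bytes) -> str:
    """Encode an SPKI as a 'sha256/<base64>' pin string, the format used by
    HPKP and by OkHttp's CertificatePinner."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def chain_is_pinned(pins: set, chain_spkis: list) -> bool:
    """Accept the connection only if some certificate in the presented chain
    carries a public key whose pin is in the configured set.  Pinning is an
    extra check on top of normal chain validation, not a replacement for it."""
    return any(spki_pin(spki) in pins for spki in chain_spkis)


if __name__ == "__main__":
    pins = {spki_pin(SERVER_SPKI)}
    print("server key pinned:", chain_is_pinned(pins, [OTHER_SPKI, SERVER_SPKI]))
    print("zero-filled key of same length accepted:",
          raw_pin_matches(SERVER_SPKI, bytes(len(SERVER_SPKI))))
```

In practice the pinned set holds a backup pin for a key that is not yet deployed, so a key rotation does not lock every client out of the service.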

------
dagwaging
It could also be done pretty trivially using an Xposed module, such as:
[http://repo.xposed.info/module/mobi.acpm.sslunpinning](http://repo.xposed.info/module/mobi.acpm.sslunpinning)

I haven't personally tried this route yet though.

~~~
jor-el
Xposed module patching only works when SSL pinning is performed in the Java
code of the application, as Xposed provides a mechanism for intercepting Java
method calls only. In this case, however, the code is in the C/C++ layer, so it
can't be used.

------
kamikizzle
Is this cert in the update the reason apps like Pokevision stopped working?

~~~
beckler
I don't know for sure, but I'm going to say 'not entirely'.

Certificate pinning would prevent you from sniffing the requests, and if they
made API changes, you would be unable to analyze them.

So I think the reason Pokevision stopped working is because they may have made
API changes, but they've been unable to see what the changes were.

~~~
9999
Pokevision stopped working because they banned the whole ec2 IP range.

~~~
spdustin
I believe you, so please don't take this as a challenge. It's pure curiosity
that prompts me to ask: do you have a source for more info on this IP range
ban?

~~~
seanalltogether
The pokemongo dev forums on Reddit have been compiling a list of known hosts
that will result in a 403 response code when an API call is requested.

[https://www.reddit.com/r/pokemongodev/comments/4vhygk/vps_pr...](https://www.reddit.com/r/pokemongodev/comments/4vhygk/vps_providers_banned_from_accessing_apis/)

------
thewarpaint
What's the added value of using imgur's embed code rather than a good ol'
<img>? Is this a trend? I would understand it for albums, but why would you do
it for individual images? </rant>

~~~
nomel
Direct links are against imgur's TOS
([http://imgur.com/tos](http://imgur.com/tos)):

"Also, don't use Imgur to host image libraries you link to from elsewhere,
content for your website, advertising, avatars, or anything else that turns us
into your content delivery network."

~~~
slig
Funny how not long ago that was one of their selling points.

~~~
bpodgursky
Yeah, but then massive gifs became a thing.

~~~
mavhc
But then serving animated gifs as mp4 became a thing. Of course, then using it
as a video host became a thing.

------
bitmapbrother
As mentioned in the comments, this doesn't work when you try to sign in via
Google because it checks the signature of the app. The PTC signon doesn't do
this so it's currently allowed, but I'm sure Niantic will patch it soon.

