It was the summer of 2016, and like everyone else, I was out playing Pokémon Go. Except my rural location barely spawned anything interesting. Naturally, I dove into the game’s code, reverse engineered its protocol, and built a custom Pokémon scanner. But the story doesn’t end there. One day, a switch was flipped, enabling a fancy new anti-cheating feature that locked out any custom implementations. In this talk, I’ll begin by exploring how mobile games like Pokémon Go handle communication through specialized protocols—and how I replicated that behavior to build a scanner. Then, I’ll walk you through a 4-day hacking marathon where I teamed up with a group of like-minded enthusiasts to overcome the anti-cheating mechanism that nearly broke our scanners. We’ll examine how mobile games attempt to thwart such applications, unravelling the anti-cheating mechanism that was deployed by Pokémon Go. We’ll explore how we managed, through obfuscated cryptographic functions, unexpected use of smartphone peripherals and hidden protobuf definitions, to break the anti-cheating system and release a publicly available API for the game’s protocol. Almost a decade later, the full story is ready to be told. Join me for an inside look at the anti-cheating mechanisms of online mobile games—and how to hack them.
Room: Main hall
Tue, Oct 28th, 13:20 - 13:50