What's new
By:
  • Visit Rebornbuddy
  • Visit Panda Profiles
  • Visit LLamamMagic
  • Visit Resources
  • Visit Downloads
  • Visit Portal
RebornBuddy Forums

Register a free account today to become a member! Once signed in, you'll be able to participate on this site by adding your own topics and posts, as well as connect with other members through your own private inbox!

Development community update

S

Square

Member
Joined
Sep 14, 2016
Messages
174
So, I see a lot of people thanking the developers for their hard work. I would say, rightfully so, and well deserved. But if you think that PF developers are doing it on their own, that will be crazy. My assumption is that; it is a collaborative effort of all bot makers, map makers, and other enthusiast, and this community of developers work together to ***** the API. Single handedly *****ing this is just insane. It is after they broke the API, when they go separate ways and apply it on their own bots.

So, to ease up some anxiety, so you can gauge where they are in the development, and maybe predict the date on your own here’s some insight on their progress (information obtained from another web site)

7 October 2016, GMT +0, 19:00 – Niantic now requires version 0.39 for any API requests (actually only getmapobjects). This means all scanners are broken. The devs were still working on the captcha-fix, and they will start the RE-effort tomorrow, after a good night sleep.
With the decline of popularity of pokemongo, so has the dev-community declined. There no longer are 100’s of people stumbling over each other to help. Also the difficulty of reverse engineering has gone up significantly between because of the different security updates by Niantic, especially the obfuscation. The entry barrier to start contributing to the RE-effort has gone up significantly

8 October 2016, GMT +0, 14:00 - Devs are working on getting debugging working. If they are able to insert breakpoints (stop-frames) they could start the actual reverse engineering.

9 October 2016, GMT +0, 23:00 - There is a lack of developers actively working on the RE. There is one dev making progress though.
The one guy who is still getting stuff done is the FPM-dev. (Fast Poke Map) He has found a way to reverse engineer despite the obfuscation. The obfuscation has made it that much more tedious, but he's got it working. He has stated on his Twitter that he won't share the API-break if his share of reverse engineering continues to be as big as it is, which makes sense.

10 October 2016, GMT +0, 20:00 - A couple of people have applied, things are looking a bit better again.
There is some action on the RE-front again, the FPM-dev is no longer the only one working on it, still has the biggest input, but steps are being taken to turn his solo-effort into a community-effort again. There are some more people who have applied but are still working to get their debuggingphones working. The devs are working to undo the obfuscation and they are hoping to find the start of the encryption (actually hashing) process.

11 October 2016, GMT +0, 11:00 - Niantic launched version 0.41.2. Devs have confirmed that this update did not bring about new security measures.

11 October 2016, GMT +0, 23:00 - Devs are making good progress, nothing spectacular though, because it is a slow process.
Right now it is just tedious debugging. The FPM dev is still taking the lead but more help is continuously flowing in. Experienced Reverse Engineers are still welcome. There are a few others looking to poke the IOS pokemongo client.
The devs are trying to understand the security/obfuscation. This requires that they make a map (codeflow) of the obfuscation/encryption. The securitymeasures taken by Niantic (or who their contractors) are designed to be difficult to map, they made it as tedious as possible to RE. The devs are confident that they will eventually beat the security though.

13 October 2016, GMT +0, 01:30 - The devs have (probably) found the beginnning of the encryption/hashing. They knew they were getting close, but actually finding it is nice (and a relief). This is a breaktrough. By now the devs are pretty used to the limitations the obfuscation forces upon them and they think they can do the remaining part of the RE quicker.

FastPokeMaps believes their site can be running again by friday/saturday he tweeted, there is a small catch with the ETA I believe though: The devs are taking for granted that the IOS encryption is the same as the android encryption. They have reverse engineered android with the intention to use that to make IOS API requests, to dodge Safetynet. There are no indications, nor a precedent that Niantic has made android encryption different from IOS, but they could have.
There is another catch, captcha is still a problem. this is just the FPM-dev his guess as to when he can complete the API. He can still be wrong.
There is a small but dedicated and extremely skilled devteam working on RE, and it is working. It is a lot smaller than the 30-man team that did the first API-break. There are up- and downsides but the amount of chaos during the first API-break is something noone misses.

13 October 2016, GMT +0, 01:30 Safetynet got updated again, sigh. There is probably a workaround but for now the devs need to find it. This can take a couple of hours.

FPM twitter said the following: "One of the reason i want to avoid making the api public is to avoid tools like bots to come back." The FPM-dev doesn't like everyone having the access to a bot.

14 October, GMT +0, 02:00 - The devs are making progress. They are mostly done with the obfuscation

15 October, GMT +0, 01:00 - It seems like little progress has been made today. In general it feels like everyone had a collective off-day. The devs are looking for the last piece of the puzzle. They are looking for the encryption (xxhash seed) that Niantic is using. It's buried somewhere...
Maybe friday is just the day everyone is busy, because last friday, when the API broke, there were little people working on it. Hopefully the devs can finish the job over the next couple of days, like the FPM-dev predicted.


Please don’t post any useless and senseless personal comments after this. Allow others to read this instead of burying it under multiple “intelligent” comments and useless bickering and insults.
 
Last edited:
If I had to guess a day anywhere from today till monday. I think they should be able to give a reasonable ETA now. FE maps predicts today and people are claiming some bots are working unstably. Which makes me believe it's *****ed and it's just a matter of implementing now.
 
"people are claiming some bots are working unstably". It was just a rumor. I went to the website of the bot that was rumored to be working. It is still down. Anyway. moving on...




16 October, GMT +0, 00:00 - Devs found the hash seed. They were looking for an xxhash, but it turned out Niantic was using a different hashing algorithm now (murmurhash). This was the last missing piece of the puzzle, but the puzzle isn't complete yet.

I want to disclaimer that it is difficult to understand what is going on, but I will give my guess. If my understanding is correct the security measures by Niantic have been theoretically beaten. There is nothing unknown or secret about them anymore. The solution has been found. However it would still take an age to go through all of the functions manually and apply this solution. I think that is why they are trying to automate it.

(More certain about this part) The devs are trying to automate the recognition of the securitymeasures and the process of reversing. First of all, manual debugging/RE would take ages. Second, Niantic could mix things up and the devs would be back to square one. Automated reverse engineering is beating Niantic to punch. To illustrate this: the devs have turned their attention from 0.39 to 0.41. The API-fix will probably be for the latest update.

-credit to Dutchdefender
 
Last edited:
It looks like this will take more time than what most people are expecting or hoping.


17 October, GMT +0, 00:00 - Devs are still looking to understand and then reverse the hashfunction.

I was a bit wrong yesterday. Not everything is figured out, they figured out an important part though (Initializing Vector generation). The devs are looking at 0.39 again, because there was a bit of confusion when devs were looking at different versions. They are still working on understanding and then reversing the hashfunction.

There is still a good couple of devs working on understanding the hashfunction and then reversing it. Progress is still being made.

I need to adress why the ETA set by FastPokeMaps was not met, and it looks like the API-fix is close, but not in immediate sight. The devs expected Niantic to be using the same hashfunction they had been (xxhash) and the devs are by now experienced at reversing it. Niantic using another hashfunction threw them off. I think FPM was so focussed on reversing the Initializing Vector generation, that he forgot that it could well not be the end of the reversing process.

Niantic might be using a custom hashfunction. This takes time on Niantics end to make, but the reverse engineers will need to make a custom solution for the hashfunction, so it also takes them time.


-credit to Dutchdefender
 
I am not very good at reverse engineering but i wonder if the pokefarmer would work with 0.39 version... It happened when Niantic was asking to update to 0.39 (there was a nag every time i tried to use the oldest versions, asking to upgrade to 0.39), so i used a trick to have 0.35 installed : i edited in hex the version 0.35 to 0.39 and the update nag dissapeared... There were 2 files where i had to make this change, and everything went well, so i had 0.35 version baptised as 0.39 and the update nag was gone... i wonder if we could do the same thing here, change the 0.39 version on the server into 0.41.2 (or 3) in hex... Just don't mind me if i am talking nonsense here, it was just a thought...
 
Last edited:
dorg said:
I am not very good at reverse engineering but i wonder if the pokefarmer would work with 0.39 version... It happened when Niantic was asking to update to 0.39 (there was a nag every time i tried to use the oldest versions, asking to upgrade to 0.39), so i used a trick to have 0.35 installed : i edited in hex the version 0.35 to 0.39 and the update nag dissapeared... There were 2 files where i had to make this change, and everything went well, so i had 0.35 version baptised as 0.39 and the update nag was gone... i wonder if we could do the same thing here, change the 0.39 version on the server into 0.41.2 (or 3) in hex... Just don't mind me if i am talking nonsense here, it was just a thought...
Click to expand...
I wonder if The hand shake still be The one of 0.35 meaning they would insta flag you? ?
 
"i just checked, on my wife's iphone is still 0.35 edited as 0.39 and it works..." - Only facts here, so let me quash this rumor before it spread. 0.35 IS DEAD!!!!! IT'S HISTORY. NO ONE CAN USE 0.35 ANYMORE, IT'S HISTORY, SO DON'T EVEN MENTION IT!!! Any claim that 0.35 works is false!!!!



Let me try to translate this in English (as much as I can)

Day 1 - Niantic's lounge door is using 35 inches door lock, and all clients have 35 inches door key. So far, so good.

Day 2 - Niantic built new door that has 39 inches door lock, and forced-issued everyone with new 39 inches door keys. However, they kept the old door that has 35 inches lock accessible, so the lounge is still accessible to those 35 inches key holders (bots). But there is a catch: because Niantic already forced issued 39 inches door keys, those who continued to use old door with 35 inches are spray painted with red paint and perfume that smells like rotten fish (FLAGGED).

Day 3 - Niantic finally shutdown the old door that has 35 inches door lock. The only door open now is the one with 39 inches door lock, and only those who got 39 inches door keys can get in.. So throw away those 35 inches door keys of yours, its history!!! FORGET ABOUT 0.35!!! AND LETS NOT SPREAD FALSE RUMORS!!!

API is the key. The app maybe installed on your cellphone, tablets, or pc, but those pokestops and pokemons are provided by NIANTIC's server. They are not in your devices. To get those information, your phone will request for those information from NIANTIC's server using your key (API). NIANTIC server will determine if you are using 39 inches or 35 inches key. If your key is 2 inches shorter, it will not open the door and you will not get those information, and that character on your screen will just stare at nothing for hours. Yes, you can bang on the door, but all you're going to accomplish is to piss off that grumpy security guard and you will get sprayed with compressed fart on your face(flagged or banned).

Bots are like illegal aliens, trying to get in without passport, and they are trying to manufacture their own fake passport, but need to make sure that they are not detected.

So, forget about 0.35, that door has been closed, padlocked, barricaded, welded, and buried under millions of tons of concrete and sunk at the bottom of the ocean.
 
Last edited:
The long wait continues...


18 October, GMT +0, 00:30 - Niantic force-updated 0.41. This is a minor setback, atleast all the devs will be working on the same version.

Niantic force-updated 0.41, which means the devs can't run tests on 0.39 anymore. They need to move to 0.41. This is like Safetynet, a minor setback. It is annoying but it won't stop the devs. The functions they found on 0.39 have different names in 0.41. So they need to find which function is which. They automated a good part of this process though.


-credit to Dutchdefender


So, how many of you are still playing this game?
 
Square said:
The long wait continues...


18 October, GMT +0, 00:30 - Niantic force-updated 0.41. This is a minor setback, atleast all the devs will be working on the same version.

Niantic force-updated 0.41, which means the devs can't run tests on 0.39 anymore. They need to move to 0.41. This is like Safetynet, a minor setback. It is annoying but it won't stop the devs. The functions they found on 0.39 have different names in 0.41. So they need to find which function is which. They automated a good part of this process though.


-credit to Dutchdefender


So, how many of you are still playing this game?
Click to expand...

yeah, that's what i said. how could the devs catch up niantic's upgrade pace?
 
I was not really expecting that this thread will reach 2 pages, I was hoping that one page is all it needs before new bot is released. But since I started it, might as well continue, to quell the noise of irate customers who are probably looking for some updates. I myself am running out of patience and starting to lose interest, but what can I do? It is worse when the developers are the ones who lose interest. I would suspect that if ever successful, this would be the last time that the developers will try to RE this game. It will depend on how many people will remain interested after this update. Whoever this Dutchdefender is, much credit to him.


19 October, GMT +0, 00:00 - The FPM-dev says they "understand" the hashfunction. I think this means they know where it calls to and roughly what it does.

They are also looking into taking Niantics code to do the hashing for them. That would save the work of reversing the hashing function, but it wouldn't be the ideal solution. I can think of copyright reasons.

Progress is still being made.

P.S. I am sort of running out of stuff to say. It is really hard at this stage to understand what exactly they are doing. Lastly: not a whole lot is happening. Patience is a virtue.

-credit to Dutchdefender
 
I don't know why I still continue posting someone's update here. 25% of you know where I get this from. Another 25% will not even read this. The other 40% will read it, but they will not understand any of it, will still try to bug the developers to stop whatever they are doing, break their thought pattern so they can tell what is going on. I guess I am hoping that the last 10% will be satisfied by it.

So, here it is:

20 October, GMT +0, 00:00 - The devs have moved to IOS, they are making good progress on IOS.

Okay, I am done calling the FPM-dev "the FPM-dev". I will call him Waryas from now on.

I am not sure as to exactly why they left android. I can only guess they want to dodge safetynet eventually. One of the reasons that the devs were working on andoid was because Waryas started there. He had no (compatible) Iphone.

This afternoon Waryas asked his followers for a phone, and by the evening he was debugging on IOS. Shoutout to whoever gave Waryas the Iphone (and the others that volunteered). For obvious privacy reasons it will remain unknown who gave the Iphone.

I feel a sense of respect from the devs towards Niantic. The inventions Niantic made to protect their API are frustrating but in some way but also incredible in another way. The devs have to give Niantic credit that they did a good job protecting their code. Now whether Niantic should have put all that energy in protecting their code is another question, at this rate Niantic is becoming a security firm rather than a game developer. But you have to give Niantic respect as a security firm.

IOS-debugging with Niantics security measures is mostly new terrain at this point. However with the experience/intel from android they are blazing through Niantics defenses. I guess they will soon be stuck on the hashing function on IOS too.

Now that the effort has moved to IOS it allows some other devs to get into the action (they only had Iphones). It is good to see some more devs work on it. If you want to help and you have experience with IDA/Frida RE on IOS then now is the time to jump in.


-credit to Dutchdefender


I guess someone else share my view that Niantic is more focused on protecting their own interest than improving the entertainment value of the game.

And three more things:

1. Yes, PF will extend our keys to compensate for the lost time
2. Yes, they are still working on it.
3. No, there is no ETA
 
Last edited:
Square said:
9 October 2016, GMT +0, 23:00 - There is a lack of developers actively working on the RE. There is one dev making progress though.
The one guy who is still getting stuff done is the FPM-dev. (Fast Poke Map) He has found a way to reverse engineer despite the obfuscation. The obfuscation has made it that much more tedious, but he's got it working. He has stated on his Twitter that he won't share the API-break if his share of reverse engineering continues to be as big as it is, which makes sense.
Click to expand...

So if I'm reading this correctly, as of the 9th, nobody from the Buddy Bots team was actually working on getting the Bot working again? So while we were being repeatedly told that they're "working on it", they actually weren't; they were sitting with their thumbs up their asses waiting for another dev to do their work for them - for free?

Meanwhile, their bot is a paid service piggy-backing off the the work of other, more talented coders, which they continue to sell even though it currently doesn't work.

That settles it, once my current key runs out I am definitely not re-purchasing. I don't expect cheating app developers to have much honor, but these slimeball practices are indefensible and I won't be supporting them any further.
 
Square said:
You are reading it correctly, but your interpretation is wrong. I copied that post from a different website and those are quotes from a different person. I copied and pasted that because some people are so freaking lazy to do their own search. I thought I was doing some people a damn favor. Like everyone else, I'm also f@#!ng pissed off and tired of waiting, and my patience is almost gone, but unlike other morons and ignorant clients, I don't blame the developers here because I understand how the process works. If I know how to do it, I would have jumped in right away and help, but right now, the only thing that I can do to help is to partially answer some of the questions, PLAGIARIZED from other website, so that you don't have to search on your own, and so that the developers can continue hacking the code without interruption from annoying kids here. I don't know shit about reverse engineering, but at least I am trying to help. Some of you on the other hand are just bunch of annoying SOB who are more worried about their $5.00 that they paid, That will not even pay for my sandwich. I'm a paying customer too. But what can I do? Reengineer the API myself? I don't know any shit or about any of it. Should I lose sleep over $5.00? That will not even buy a bottle of corona in my club.

I am done with this crap! Update this thread yourself. Go ahead and continue bugging those guys, maybe it will make things faster. Ask them what time they wake up, if they brushed they teeth, wipe their butts, ate breakfast, turned on the PC, picked up the cellphone, charged the cellphone, open files, and everything else. If that's what will make you happy. Freaking Whiners...
Click to expand...

When did they last have sex?
 
Square said:
I am done with this crap! Update this thread yourself. Go ahead and continue bugging those guys, maybe it will make things faster. Ask them what time they wake up, if they brushed they teeth, wipe their butts, ate breakfast, turned on the PC, picked up the cellphone, charged the cellphone, open files, and everything else. If that's what will make you happy. Freaking Whiners...
Click to expand...
Please, keep update.
 
You must log in or register to reply here.
Back
Top