Comment by hobs

Comment by hobs 8 days ago

2 replies

View on Hacker News

The strings command is pretty old can do it if you're naive enough to embed a username and password into the game client.

The main thing is that its privileged - having a token shouldn't let you do anything besides say, report your game stats to a central server or enumerate the server lists, things like that.

NikkiA 8 days ago

TBF strings might not trivially show up the password if you took the most basic of provisions (a non-ascii password, not stored right next to the username separated by a \0), but most programmers likely wouldn't even bother with that.

Reply View 1 reply
  • nijave 8 days ago

    Even then you can MITM if you have elevated access to the platform and can tinker with the certificate store.

    Games like Pokemon Go use a highly obfuscated algorithm to sign requests which makes it much harder to actually use the key if you can retrieve it

    Reply View 0 replies