implement multisession plexing
Hello! I'm trying to analyze how FIFA enforces the single-session lockout feature, where logging in on console prevents additional sessions from being created on other devices or vice versa. Specifically, I'd like to see if there's a way to capture or replicate the network requests that trigger this lockout.
However, in my testing, all console traffic appears to be encrypted (likely HTTPS/TLS with possible certificate pinning). Common approaches—like Wireshark or local proxy tools (e.g., Charles, mitmproxy)—haven’t worked because I can’t install or trust a custom CA on the console. Thus, I'm stuck at capturing gibberish or seeing failed handshakes.
What I’ve tried
Setting my console’s network DNS and gateway to my PC’s proxy.
Using Wireshark on the local network to see packets (encrypted).
Searching forums, but mostly finding info on intercepting the PC or Web/mobile companion app traffic.
Why I think this repo might help
I see this project references reverse engineering or analyzing traffic for EA or console titles. I’m hoping there's a known workaround or partial solution for capturing these console requests.
Questions
Is there any known method to intercept or decrypt console traffic?
Does console traffic remain locked behind certificate pinning or system-level encryption that’s effectively unbreakable without deeper console hacking?
If you’ve successfully analyzed the console’s single-session enforcement logic, can you share any guidance or references?
Thanks.
Hey @hossainirad,
I am interested in the use case that you've mentioned. Did you manage to get any insights about it?
@jeraldlyh I have an application for moving coins between accounts. I have not succeeded in finding any clue.
@hossainirad That's cool, I'm hoping to get some insights on how you can enable such a lock to prevent another concurrent session on the webapp
Did you have any luck thus far? @hossainirad
> Did you have any luck thus far? @hossainirad

Unfortunately, no. People say you should send an empty string for the "ds" parameter when you get the session. I do this, but it does not work for me.
@hossainirad Where did you get that source from?
I think the easiest way to analyze it would be to buy it for PC and then check how the PC UT differs from the web app.
@derSoerrn95 I made some attempts this way, but it has a lot of anti-cheat obstacles. I didn't succeed. I also used network traffic applications.