C2 projects hacking prevention

Hi,

I am planning to work on some online multi-player mini games that are made in C2, but before I start, I needed to check whether it was possible for players to temper with the variables of the games and such, since a lot of data are client side and the server can't be controlling them.

So I've made some tests on a random game from the Arcade section, and figured out that everything was exposed to me as a player:

------------------

This is an unminified test subject : https://www.scirra.com/arcade/adventure ... free-10760

-----------------

Here is another test subject which is minified: https://www.scirra.com/arcade/action-ga ... -run-14758

----------------

You can see from the scores tables my score.

Is it possible to make the c2runtime object unaccessible from the console ?

Are there any side effects of Object.freeze ?

Thanks

About all you can do is try to protect the variables. The minifyer is great for obfuscation, but you can also encode strings, and use hash's

http://www.scirra.com/forum/plugincb-ha ... 43824.html

viewtopic.php?t=73288&start=0

viewtopic.php?t=75040&start=0

As far as I'm aware the only place you can't get at the console is Nwjs.

newt As long as it can be accessed from the console, it can be modified. You can access the console of an Nwjs app with Ctrl+Shift+C or F12, unless you add this script which forces the browser to close the devtools :

var gui = require('nw.gui'); 
var win = gui.Window.get();
win.on("devtools-opened",function(){
    win.closeDevTools();
});
[/code:1en4y49y]

It can be modified, but if its encoded thats pointless unless they know the method/ key.

Theres other things you can do, like concatenating strings, and even just using a bunch of variables.

Granted they can tell which variables are being used, but figuring out how they go together would make it harder for them.

newt Minifying and encoding are pointless since the only things interesting are values, not variable names.

And the c2runtime object has a structure which makes it easy to access the eventssheets child object.

So as long as the object is accessible and unfrozen, nothing can be done to prevent hacking.

The values are what would be encoded.

It's basically just about what a casual hacker would be interested in messing with.

Everything can be hacked, not everything is worth hacking.

got me good

Any chance you could unhack your score from my leaderboards?

BeastCoasting There is no option to remove it, I guess a moderator may have the privilege to remove a score from leaderboards.

Sorry about that but I had to prove a point, by the way your game is really polished, congrats.

X3M

Wow, that is rather alarming that it is that easy to change variables like that. I had never used the console like that before, so I played that first game you linked to, gave myself all the lives I wanted, all the coins I needed to buy all the upgrades, whatever score I wanted... if my health got too low, I could just pause the game, set my health back to full and then continue on.

encrypting every important variable in a game seems like a lot of extra work and overhead, but what else can you do? I guess keep track of key presses, mouse clicks, and time in game so you can estimate if the score is possible (and encrypt those values too). Maybe keep multiple copies of some variables (in different forms) and test for hacking, or leave some honey-pot variables unencrypted to see if someone is trying to cheat.

Like newt said - anything can be hacked, but it should not be possible for a complete novice (like me) to completely defeat a game in a few seconds! I guess if you want to keep Global leader boards, you could keep code for testing whether the score is valid or not on the server. But they would still be able to see how the data is assembled to be sent to the server and eventually reverse engineer it.

Hmmmm.... sounds pretty bad, especially if you're planning to do any type of competitive multiplayer if values can be altered like that.

I would like to know:

Can this be done to mobile games also?,

Does all html5 games have this issue, or is construct games more vulnerable ?

Can you do this to basically any game on other arcades like kongregate or newgrounds?

I guess cheaters will always find a way to cheat, but at least you shouldn't make it easy for them to do so.

I worked on a multiplayer game before but sadly hacking and cheating isn't isolated to a few users anymore. A very large portion of any online mutliplayer games users are willing to cheat which ruins the game for everyone else.

I saw a talk about the cheating problem on steam and that counterfighting it took so much time that they didn't have time to work on the game and just had to focus on the anti cheat system.

After this I realized that online multiplayer in C2 is just too complicated to protect so I lost the motivation to continue and kept focusing on local multiplayer instead. Because I don't care if people cheat in those kind of games. If people want to cheat they can as long as others doesn't suffer.

Same goes for mobile games, just open it with your text editor of choice and change the variables and boom you have all content unlocked, no ads and can crush all your opponents online in seconds

And btw, where did my avatar go??

I wonder if policing variables in events would help?

Clamping certain values i.e health and ammo; running checks on others like score such as monitoring the difference/jump in score from one second to the next, and resetting it if it's too big a jump to have happened naturally.

I wonder if policing variables in events would help?

Clamping certain values i.e health and ammo; running checks on others like score such as monitoring the difference/jump in score from one second to the next, and resetting it if it's too big a jump to have happened naturally.

I've tried some counter measures like that. For example:

The game only allows maximum 5 arrows per player in the game. If the total game arrows are is more than what's actually allowed. (Number of players x 5) you're your actual arrow count is reset, to how much you should be allowed to have.

Player 1 has 7 arrows.

Player 2 has 1 arrow.

YOU have 0 arrows.

On the ground is 7 arrows.

= 15.

You won't be able to have more arrows than is allowed in the game (3x5=15), so you need to destroy one ground arrow before you can increase your arrow count.

Works pretty well, but I probably have to spend more time on things like this to make it even more secure later. I'm probably going to move a lot of variables to be stored in the game room / photon cloud instead of locally as I'm doing now, to prevent it even further.

tunepunk Remember that anything that is client-side can be modified, so even if you do that ( comparing amount of arrows to a max value ) , the max value can still be hacked. So there is no point in that if the hackers will set their own max allowed arrows value.