Games and Hacking

  • After using C2 for a while and better understanding the ways game engines and programming syntax vary, I was curious what the basic hacking approach is.

    Giving it some thought, I would guess that they alter the variable values, since every game needs them to store important information, and various game engines use different programming languages, which have different syntaxes, but they all still need variables.

    I understand that while it is almost impossible to stop a game from being hacked, how about knowing if a game has been hacked? I noticed that most games once you hack, it is recommended to never go online, because they will be able to tell if it has been hacked. Almost all PC games now have this, but I am not sure about mobile games. What do you think are some of the simple methods to tell if your game has been hacked, and/or the score and results altered?

  • To my knowledge changing the programming language doesn't make the game more difficult to hack once it is compiled.

    At the hobby/indie level of game development it might be too much to worry about if it is a single player game. If it needs to go online then you could consider using thresholds like if a score can realistically be 100 like in flappy birds, but ends up being over 1,000,000 then you can detect this easily and block some game features or their account.

    Hackers will target the variables, but they won't need to know how they are named and their type, one of the most basic forms of hacking would be scanning values and looking for changes to alter scores, health (godmode), and time. You could also wait for them to do it and then ban them and their score as they appear.

    Mobiles can implement the detection just as easily with the same methods as on PC. Most mobile users wouldn't have the option to hack unless they are running Android through an emulator or if they have rooted their phones.

  • Thanks for that insight IndieKiwi! It gives me a much better idea of how it basically works. Haha yup, unrealistic scores are definitely one way of knowing it has been hacked or not, but I am afraid it might not really work for what I am trying to set up.

    This is what I am trying to do, I want to create a puzzle game, and the first 10 people to solve it will win a small gift. Haha that is why I wanted to find a way where I could detect if the results have been altered and the game has been hacked. Of course, if they claim to complete it in just a few days then of course I highly believe it is unlikely due to the nature of the game.

    Just a thought though, since they are targeting variables that alter scores and the main aspect of the game, do you think it is effective for me to set up a sort of simple replay of the game they did? For example, each time they solve a small part of the puzzle, it stores it, then adds a different value when it reaches a certain milestone, save the amount of powerup they actually have at the beginning and how many were used in each level, and time milestones spent playing the game. This file would never be used to affect any of the gameplay, just store it in the game and then when they complete it, they have to send an email directly from inside the game and then the game will send me the data, then I can check to see if all the variables add up.

    Do you think this is effective and the hackers will ignore the seemingly useless variables, or will the hackers see through this easily as well?

  • Good idea, logging meta data would also work for a competition. My suggestion is to not let the player know you are collecting this data. Maybe have a submit score button that submits along with the meta data, with each score.

    Don't send by email, it is inconvenient and open to tampering.

    And remember ANYTHING can be faked, especially images and data. Good luck

  • Thanks IndieKiwi, I will definitely look more into it to see how I can implement it.

    Haha ya, I won't send it by email. Maybe at the game completion, have a small entry form where they just enter their email and name, and when they press the send button, it will also send the other variables so I can check and confirm they were not hacked. This should be better and hopefully less obvious to any hackers.

    Hehe what do you think about forcing them to link to their Facebook account to participate in the competition? Might be good promotion as well as background check, then maybe use Facebook to show their status. For example, when they complete every area of the puzzle, a show status button will appear and they have to share it on Facebook. Haha but maybe that will make the hackers be more suspicious and look at the other variables more carefully as well.

  • The only way to really secure your game is through storing your logic and variables server side (PHP). Anything done via JavaScript can be spoofed by armchair scripters. Even that can be troublesome to secure accurately, as noticed by all the data breaches. Good news though is unless you are storing financial or personal identity information, security doesn't need to be coded super thoroughly. Just move your logic to a PHP script and save your variables in a MySQL database. If you're not overly familiar with PHP then a simple Google search for example code can yield working code that just needs minor changes for your purposes.

  • Thanks for that info I will go google it and try to study it.

    Do you mean that hackers can unscramble the scripts and read the entire code for the game and see the logic? If so, then I guess doing many decoy variables with a few important ones might not be so effective.

  • Yes, before I decided to start making games I used to do just that. But it's a lot easier than that, all I needed to do was watch the network traffic coming and going from a game in order to make calls on behalf of an application to a server or even make Facebook calls without user input. As far as variables, you can put as many as you want in the app and it might slow progress slightly but not much. If you save information to web storage then it's very easy to manipulate the data. Back in the MySpace days there was a popular app called Pirates of the Caribbean. They finally closed down the app because there were more scripters using the app than people playing the game. Check out userscripts.org and see how easy it is to find cheats and automated players for your favorite games.

  • Thanks, that's really insightful! Since the basis of it was to watch the communication between app and network, do you think what I mentioned earlier is effective at all?

    I store information on how the score was played, and the total score for each game. But that piece of information is never communicated until the end. Where the game asks the player to enter the name and email and send it to me, and when he sends it, only then it sends the information. Then I can calculate to see if the scores all add up correctly.

    Or should I store all those variables and information immediately as they play in the PHP server you mentioned?

    Do you think this could work?

  • Construct2 minimized scripts will keep almost all of the scripters at bay, it would be too much of a challenge to be worth the time. But it is possible to script minimized JavaScript, so if there is a dollar value attached to the prizes I would put the logic and variables on a server and just reference them with Ajax calls. But if there is no dollar value attached to prizes then I wouldn't really worry about it.
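
The check discussed in this thread (a per-level log submitted with the score, verified on the server so that the totals "add up", plus a plausibility threshold), sketched as an added example that is not from any poster or from Construct. The rule values, field names and sample runs are constructed assumptions; it runs under Node.js.

```javascript
// Added example (Node.js): RULES, field names and sample runs are hypothetical.
const RULES = {
  piecesPerLevel: [4, 6, 8],  // pieces that must be solved in each level
  pointsPerPiece: 10,
  startingPowerups: 3,
  minSecondsPerLevel: 30,     // anything faster is treated as implausible
};

function verifyRun(run, rules = RULES) {
  const reasons = [];
  if (!run || !Array.isArray(run.levels) ||
      run.levels.length !== rules.piecesPerLevel.length) {
    return { ok: false, score: 0, reasons: ["wrong number of level records"] };
  }
  let score = 0, powerupsUsed = 0, lastEnd = run.startedAt;
  run.levels.forEach((lvl, i) => {
    const n = i + 1;
    const wellFormed = [lvl.piecesSolved, lvl.powerupsUsed, lvl.finishedAt]
      .every((v) => Number.isInteger(v) && v >= 0);
    if (!wellFormed) { reasons.push(`level ${n}: malformed record`); return; }
    if (lvl.piecesSolved !== rules.piecesPerLevel[i]) {
      reasons.push(`level ${n}: piece count mismatch`);
    }
    // The score is recomputed from the log; the client's total is never trusted.
    score += lvl.piecesSolved * rules.pointsPerPiece;
    powerupsUsed += lvl.powerupsUsed;
    if (!(lvl.finishedAt > lastEnd)) {
      reasons.push(`level ${n}: timestamps not increasing`);
    } else if (lvl.finishedAt - lastEnd < rules.minSecondsPerLevel) {
      reasons.push(`level ${n}: finished too fast`);
    }
    lastEnd = lvl.finishedAt;
  });
  if (powerupsUsed > rules.startingPowerups) reasons.push("more powerups used than granted");
  if (run.claimedScore !== score) reasons.push("claimed score does not match log");
  return { ok: reasons.length === 0, score, reasons };
}

// Constructed sample submissions (timestamps in seconds since the run started).
const honestRun = { startedAt: 0, claimedScore: 180, levels: [
  { piecesSolved: 4, powerupsUsed: 1, finishedAt: 120 },
  { piecesSolved: 6, powerupsUsed: 0, finishedAt: 400 },
  { piecesSolved: 8, powerupsUsed: 2, finishedAt: 900 } ] };
const editedRun = { startedAt: 0, claimedScore: 1000000, levels: [
  { piecesSolved: 4, powerupsUsed: 2, finishedAt: 120 },
  { piecesSolved: 6, powerupsUsed: 2, finishedAt: 125 },
  { piecesSolved: 8, powerupsUsed: 2, finishedAt: 900 } ] };
console.log(verifyRun(honestRun));
console.log(verifyRun(editedRun));
```

A log that passes these checks can still have been fabricated by someone who read the client code, which is why the thread's advice for prizes with a dollar value is to keep the logic itself on the server.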

  • Thanks! You've really helped me out with this! Really appreciate it!

  • You might find this interesting, and maybe learn how easy it is for them..

    but if there's no monetary value in your game, then I don't think there's much to worry about from guys like this.

  • Thanks procrastinator! I can't watch it right now cause I am still away and have very limited internet quota, but I will definitely watch it as soon as I get back in a few days time.

    There is a high chance I might put in a small monetary value, so all information and advice is definitely welcome! Thanks again!

  • I don't see why putting logic and variables on the server would help. You will still need javascript to send data to the server to manipulate the server variables, it just means you can't manipulate them directly? But for generating a high score, you would have to keep a local one and then send it?

  • Interesting topic, I'm pretty sure there was another one a month ago here on the board, with lots of interesting info.

    Everyone interested in this should check it out
