Possibility of Hacking in C2 Games

This is something I just wanted to bring up, as it has been lingering in my mind for some time - is it possible for a user to mess with the JavaScript in a C2 game and alter the game (cheat)?

I understand C2 encrypts things, but anyone who understands how trainer programs work should be able to figure out something given time and change.

Take for example a game where I have a weapon with 10 bullets. I do a JavaScript search for the number 10 and keep track of all instances where 10 shows up. I then fire a bullet and have 9. I then search each of those instances in the JavaScript code and figure out which ones changed to 9. If there are multiples, I fire again and figure out which one changed to 8. Eventually I have the number that is keeping track of my ammo and will be able to edit the JS to give me, say, 1000.

This problem is easily mitigated by releasing as an app, but what if I don't want to do that? If I am legitimately releasing a browser game, what is the possibility of cheating and what measures does C2 take to prevent that?

browser game - yes, you can cheat/hack.

Unfortunately you can cheat/hack on any game/any platform if you have the know how.

I actually played yesterday with a (bad word) in CoD:Ghost that had implemented various hacks - pretty clever actually, but not cool.

This is a game that takes great strides to prevent hacking/cheating (huge budget etc).

If people are going to cheat/hack, then nothing you can do to stop them.

But html 5 games in C2 is pretty easy to alter / steal would be great if a few extra security features were put into place (nothing is full proof) but a little salting never hurt anyone :)

The short answer is No.

You should trick the hackers that couldn't hack your game.

For example, you add an extra condition for number 10, 10 is supposed to be maximum, if is more than number 10, the game restarts.

Another method, make multiple variables, variable 1 is for 10, and another variable 2 is for 10, they should compare as equal, the game works. Otherwise, variable 1 is different than variable, the game restarts. if you add extra variables such as 3, 4, A, B, it makes hard security. It's not perfect method, but if hacker gives up due to overtime.

Other thing, you might use PHP to get variables that they can't hack because it's server side.

Perhaps salting or some form of security could be something for future consideration into C2.

Don't bother, use https://jscrambler.com/

Joannesalfa

Lol $55 per month - is extremely steep for something that is actually pretty simple and can easily be included into C2.

If you minify a game on export the source becomes pretty unreadable so that's a good first measure.

It is impossible to entirely prevent hacking in a client based game (server based games can enforce this, but if you don't have a server, it's entirely hackable). Releasing a game as an app does not necessarily add any protection - for example a node-webkit game on Windows is still hackable by the same method you describe, just using native technologies instead of browser technologies.

We could add some simple kind of number encryption, but it would probably cause a performance impact if we used it everywhere. Perhaps some kind of 'secure variable' plugin could address this, but then it won't even solve the problem, you'll just make a determined hacker use a different approach (such as directly modifying the code).

So it's always going to be possible to hack. Be well aware of this if you ever want to offer prizes for high scores in a client-based game!

I like the idea of a "secure variable". This should solve a lot of problems as we generally just require a handful of secure variables.

And not a complete encryption.

I'll +1 a secure variable feature

Cant you add a md5 tag/hash at compile time related to the game files size ?

at run time, have it check once with the files.

should give a trigger for file tampering.

I don't think that solves any issue, especially if you hack using the method I describe in my first post.

The best solution would be Ashley's where you can have a "Secure Variable" to place a few sensitive things in.

You could even use it for salting :)

Bullets = 10 plus secured variable(.4534534543)

Fire shot = 10 - 1 + secured variable(.4534534543)

Cheat check. If bullets /= (variable bullets + secured variable) then goto cheating page.

Will need to play around as probably example I gave won't work, but you get the gist of it.

hmm, I have to admit, I used greasemonkey in the past to manipulate webpages, its quite easy to adapt it to have web elements perform any action you want. (it adds custom javascript at run time)

Opera even has built in options to start custom JS script with beforescript and before external script.

I dont think there is any easy way of getting out from under it.

This is one of the reasons Im considering setting up highscore systems for mobile devices and web versions.

The awnser in this post has some very distinctive approaches to make it harder for people to maipulate your web pages:

stackoverflow

As I said, a secure variable plugin doesn't actually solve the problem, it just changes the way an attacker would hack your game.

For my perspective, in a client based game with no real gain except than self-esteem for finishing the game (aka: no real issue other than the game being finished through cheating), I let the players do what they want.

You bought the game, I let you cheat in it if you want, I disapprouve, but if you have fun without spoiling fun to others, then I won't complain, It is what the game is (sometimes) made for, having fun.

I think the most important is to give the player a good gameplay experience, also, if they cheat, try to understand why, most just cheat because they don't really want to play your game like you wanted, but sometimes, that can mean good things to think about for your next game:

-"I use cheats to adjust the base items so the gameplay experience is different" --> Maybe think about a system to have more possibilities for base items, like a difficulty mode.

-"I use cheats because I can play the character I want everywhere in the game" --> Maybe a challenge mode with all level playable, with the choice of the character since we aren't in history mode

-"I cheat to see ara croft Naked" --> Don't put lara croft naked, just don't!

Sure, if they buy the game, that's a different story. But that's not necessarily what we're talking about here.

Most browser-based games are not 'bought' but instead are free. This creates a real issue in cheating because of high scores tables, in-app purchases, etc.