• Advertisement
Sign in to follow this  

How hackable is my highscore?

This topic is 4680 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

Recommended Posts

Hello! After being a conscript for 10 month I have slowly got into programming again. I'm currently experimenting with how to implement an online highscore using C#/.NET and I need your help. I'd like to find out how hard it is to hack my current solution. How easy can it be hacked, and what can one do to prevent it alternativly make it harder? I plan on making an article on this subject later, but first I need som testing. You will find the 60kb download here: Spatra HS (Highscore) (EDIT: Download removed. Check out my website for the sequel planned to come in a few weeks). [Edited by - Enselic on January 28, 2006 5:49:23 PM]

Share this post


Link to post
Share on other sites
Advertisement
The game fails to start (some undefined error), but I'm using a public computer now, so it could be my problem.

Share this post


Link to post
Share on other sites
Yeah, the public computer probably don't have the .NET framwork installed.

Share this post


Link to post
Share on other sites
tried sending and viewing my score just freezes :( ( for ages )

and u might wanna work on your collision detection

EDIT: after waiting i get the error "error underlying connection close, could not connect to high score..."

Share this post


Link to post
Share on other sites
Hmm, ok. Well, the server is in sweden, so it might take a while. I've let some other swedes try, and they didn't have any problem with submiting/viewing.

Share this post


Link to post
Share on other sites
Quote:
Original post by Enselic
Yeah, the public computer probably don't have the .NET framwork installed.

True, I forgot. Too bad, I was looking forward to the challenge.
Quote:
Original post by Michalson
Took about 2 minutes.

Oh dear.

Share this post


Link to post
Share on other sites
Oh dear...

I knew it wouln't take long, but 2 minutes?

How could you do it that fast? You think it would help if I encrypted the data?

Share this post


Link to post
Share on other sites
well, you have ZERO encryption, at least you check if the score is an actual number, negative etc :p as you see, Mr 'Easy' has never started the exe, but appeared as a topplayer.

You dont need a decompiler to get the unicode address and then its a simple write a url action.


What you should do:
-Make your Programm unreadable with some sort of Obfuscator (that will make decompiled code unreadable)
-Add encryption or verification data to the 'Post' process (sending the url)
-Add decryption on your server, you can also try to make some system that requests a key from the server...


T2k

Share this post


Link to post
Share on other sites
Guest Anonymous Poster
open up the exe in a hex editor and you will see the php calls in the code

Share this post


Link to post
Share on other sites
Uh, oh.

Feels like if I want this highscore to be secure, I need to work pretty hard :).
And the Obfuscator thingy seems to cost me a bit too "Our obfuscator is available at $799 for 1-5 developers."

Share this post


Link to post
Share on other sites
Quote:
Original post by Enselic
Uh, oh.

Feels like if I want this highscore to be secure, I need to work pretty hard :).
And the Obfuscator thingy seems to cost me a bit too "Our obfuscator is available at $799 for 1-5 developers."


well, not sure about that but shouldnt you already have one? my copy of Visual Studio 2003 came with Dotfuscator...


T2k

Share this post


Link to post
Share on other sites
I'm using SharpDevelop which doesn't (yet) have an obfuscator. But if VS.NET have one, I guess I could find one for free somewhere.

Share this post


Link to post
Share on other sites
Quote:
Feels like if I want this highscore to be secure, I need to work pretty hard :)


The only way that actually works is to support record/replay of the game, and upload the replay file to the server. The server replays the game, and enters the score that it arrives at.

Any scheme that depends on trickery on the client can be hacked -- and will, if it's important enough to somebody.

Share this post


Link to post
Share on other sites
I actually though of that replay solution, but I was afraid it would use too much bandwidth. I'm using a low-price webhost with limited bandwitdth.

When I decided to do an online highscore game, I tried to come up with a game concept that you easaliy could create small replays-files to. But I ended up remaking an old DirectX game I made in C++ a long time ago and using a very simple form of highscore.

Share this post


Link to post
Share on other sites
Quote:
Original post by hplus0603
The only way that actually works is to support record/replay of the game, and upload the replay file to the server. The server replays the game, and enters the score that it arrives at.


Then create a "perfect" replay file and send it to the server.


Quote:

Any scheme that depends on trickery on the client can be hacked -- and will, if it's important enough to somebody.


So make the scheme hard enough that noone really wants it to hack.


For the highscore system you can come around with signing the highscore.

More info here:
http://williamstallings.com/Extras/Security-Notes/lectures/authent.html

http://libtomcrypt.org/features.html

Share this post


Link to post
Share on other sites
Quote:
Original post by hplus0603
Then create a "perfect" replay file and send it to the server.

If your game is somewhat complex, I guess the easiest way to make a perfect replay-file is to play the game. I imagine a replayfile where you have a LOT of coordinates for instance. Editing these maybe tens of thousands of coordinates isn't really worth it. If you want more security, you can also let the game send the replay-file to a human, which then would analyze it so it looks "natural". If you want to submit a highscore to the old classic Elasto Mania, the replay is first analayzed by humans.

Share this post


Link to post
Share on other sites
What if you hack and slow down the game speed by factor ten ?

Share this post


Link to post
Share on other sites
The replay method would probably be the safest. You at least get the guarantee that what they did to get the score is at least possible. Plus having replays of all the best players would be a cool feature. Still doesn't stop them from hacking it to always use the same seed to make it easier, or slowing it down to give them more time to react to things.

For storing the replay, you store the game's seed used by the RNG, and then record key presses/actions/events as a frame offset since the last event, and a special 'null' event that does nothing to prevent the offset counter from overflowing, which would screw things up.

Assuming 1 byte per offset (game logic could run at, say, 30 fps) there will be at least 2 bytes (offset + null event) every 8.5 seconds. Assuming the null event is 0xff, and the offset is 0xff, having a long run of 0xffff will be easilly compressed. Next, assuming an average of 8 key presses per second, a recording of a 20 minute game should total about 19KB. Again, it should be less with compression.

I'm not sure how authentication would help. It just ensures it coming from who we think it is and that it got there okay. It's not going to stop them from sending fudged data.

Share this post


Link to post
Share on other sites
Guest Anonymous Poster
Side note:

Given the talk in this thread about obsfutication I would just like to point out that this is not the same thing as encryption (which you definately seem to want). Obsfutication just hides the names of variables and methods in the binary that aren't ment to be avalible publicly - but it won't actually encrypt the data (internal names like this are usually visible in .net). It's useful for you - but not everything you want.

Share this post


Link to post
Share on other sites
Well, a better score would be 31415927 becuase the next digit is 5 ;)

My plans is to port the game to a sprite based DirectX-engine and encrypt the sumbition process more. When that is done I'll let the hungry hackers of GD get their hands on it. It'll be interesting to see how hackable the new version will be.

Share this post


Link to post
Share on other sites
Sign in to follow this  

  • Advertisement