Patbert

Unity Hack my online high score (updated)


Just a few suggestions. I'm at work at the moment so I can't actually try the app.


1). When you submit your score, are you making sure the data is coming from your game and not elsewhere? (It's obvious, so you might have done this already).

2). Make sure the data positions in memory change with each run. It slows down casual hacks. Might want to go as far as to change them every level.

3). Few apps write directly to memory. Most use ReadProcessMemory/WriteProcessMemory. Do a systemwide hook if you can. In your hook, kick out any calls to those functions.

4). If you can afford it, lock down your memory until you absolutely need to write to it. Cheat programs can't write to your memory if you lock it down and keep it that way even if the memory attributes are changed remotely (through VirtualProtect/VirtualProtectEx). (See previous suggestion. You might want to hook those also).

That's all I can think of at the moment

well first off i must apologise to JESUS for my stupendous hackings. as you may notice your FIARY WALLS OF DOOM have perhaps been penetrated leading to the hacking of your table. this was quite easy my good buddy and i suggest you attentionalize these monstrous flaws immediately. again i apologise sincerely for this but it is the only way to full enlightenment. thank you friend for accepting.

~ longtime lurker

Patbert,

You could use the afore-mentioned methods of detecting hacked scores and then allow the hacked high scores to remain - and attach a label to them that says "hack score." The hackers will know that they hacked you, that you know that they hacked you, and that everyone will know it's a hack score. Real players can disregard the dumb scores.


XY,

You're not contributing anything here.

"Fiary" is spelled "Fiery."

Attentionalize is not a word.

Typing in ALL-UPPER-CASE LETTERS is really annoying.

It's not a sin to hack when someone asks you to.



--Torus

Some good suggestions there, I'll have a look into them.

Quote:

-Have a data verification variable like what bjle said, maybe even make it the ~ operator of the score, and make it have every operation the score has, and if they don't match up after an ~ it's most likely because of a hack.

Good idea, is this best checked server side or client side?

Quote:

1). When you submit your score, are you making sure the data is coming from your game and not elsewhere? (It's obvious, so you might have done this already).

Unfortunately I'm submitting the scores the lazy way, i.e. system("start http://...") so I'm not sure how to do that.

Quote:

well first off i must apologise to JESUS....

Consider those firey walls of doom attentionalized [lol]

Quote:

You could use the afore-mentioned methods of detecting hacked scores and then allow the hacked high scores to remain - and attach a label to them that says "hack score." The hackers will know that they hacked you, that you know that they hacked you, and that everyone will know it's a hack score. Real players can disregard the dumb scores.

Good point, but I fear it may just encourage hackers to try adding a fake score that doesn't have "hack score" next to it. One way I could do it is to display a hacked score but not save it to the database, just hope they don't press refresh or link the hacked score to an IP address so it only displays that score to that particular IP.

Encrypt and Decrypt before sending.
Include multiple forms of the encryption/decryption.
Send a packet which contains values which points to other values which will lead to which encryption method used.
Remove the pointer chars out of the packet, decrypt the full packet.

With that said, there is NO way to fully it except by monitoring everything on every player within a time-frame cycle. Like PunkBuster does in BF1942.

Update!

I've added a bit more security to the game, it should prevent the lazier cheaters anyway. You'll need to download the updated version (same link as above). Please try it out and see if you can hack it, hopefully it should take a little longer this time. (Hint: one of the ways I've used to put off hackers is to pretend the highscore has been saved to the database, so check it really has been saved)

Thanks everyone!

Quote:
Original post by Patbert
Update!

I've added a bit more security to the game, it should prevent the lazier cheaters anyway.


Bingo! I tried for a bit, but couldn't figure out how to crack it. (The crashing when a debugger tried to auto alt-tab it made me give up.) It looked like you had a second variable that it would check against created with some kind of algorithm involving xor...but I might be totally wrong.

Great! You're right, each number that needs protecting (score, level, lives) also has another number that is XORed with a key. That way it can look like the score has been hacked when it actually hasn't. I'm surprised you managed to work out it was xored with something though. Whoever made tsearch is an evil genius. I'm not sure why it crashed when you used auto alt-tab though. I may try Maega's suggestions about VirtualProtect though.

Hmm, I notice someone has managed to hack the highscore again. All they've left for clues is this:
3	7747	1	SETNEWSCOREFUNCTION
4 5842 1 DEBUGGER
I'm pretty sure I compiled it without debug info so I don't know how they managed to call the function that sets a new score. Anyone have any ideas how to prevent this? I'm guessing doing a systemwide hook like Maege said would help, anyone have any more info on that?

Guest Anonymous Poster
I just used a debugger (ollydbg) to search for the function. After that, I patched the exe to increase the score with 0x7F instead of 1. A systemwide hook won't help when the exe itself is modified.

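The scheme described in the thread (a plain value kept beside a copy XORed with a key, and a pretended save when the two disagree), sketched in C as an added example that is not code from the game or from any poster; the struct, function names, key and sample values are constructed. The second case shows the limit raised in the last post: an increment patched inside the executable goes through the game's own write path, so both copies still agree and the client-side check passes.

```c
#include <stdint.h>
#include <stdio.h>

/* One protected counter (score, level, lives). All names here are made up. */
typedef struct {
    uint32_t shown;   /* plain copy: displayed, found by scanners, never trusted */
    uint32_t masked;  /* real value XOR key */
    uint32_t key;     /* assumption: picked at random on each run */
} guarded_u32;

/* The real value is always recovered from the masked copy. */
uint32_t guarded_real(const guarded_u32 *g) { return g->masked ^ g->key; }

/* Every legitimate change goes through here and updates both copies. */
void guarded_set(guarded_u32 *g, uint32_t v)
{
    g->masked = v ^ g->key;
    g->shown = v;
}

/* Score to upload, or -1 when the plain copy was edited from outside and the
   client should only pretend to have saved it. */
int64_t score_to_submit(const guarded_u32 *g)
{
    return g->shown != guarded_real(g) ? -1 : (int64_t)guarded_real(g);
}

/* Constructed run: score once for `per_point`, optionally followed by an
   outside write to the plain copy, then return what would be uploaded. */
int64_t demo(uint32_t per_point, int outside_write)
{
    guarded_u32 s = { 0, 0, 0x5A17C3E9u };      /* constructed key */
    guarded_set(&s, 0);
    guarded_set(&s, guarded_real(&s) + per_point);
    if (outside_write)
        s.shown = 999999;                       /* what a memory editor does */
    return score_to_submit(&s);
}

int main(void)
{
    printf("memory edit:       %lld\n", (long long)demo(1, 1));    /* -1  */
    printf("patched increment: %lld\n", (long long)demo(0x7F, 0)); /* 127 */
    return 0;
}
```
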