Obfuscation and general "Memory Protection"

16 comments, last by Extrarius 18 years, 7 months ago
Hey, I have a few questions about the above listed topics.

1.) What are -your- methods of obfuscation?

2.) Do you find obfuscation necessary in large games?

3.) Is there any way to stop other processes ( like a debugger ) from attaching to your game's processes?

4.) Is there any way to generally stop other processes from reading or writing to your game's memory?

I'd like to see your answers to the above questions, and perhaps any additional opinions you have about these subjects. Thank you for your time,

-- Lenox
If I am worried about a program changing the memory in a process I own, I simply duplicate the memory into multiple areas of the heap, store vague pointers, etc. Then you can go in and check for differences. This is somewhat slow but it would get the job done.

You can set process security rights, but I'm pretty sure that can be averted.

As far as obfuscation goes, what good does it do to natively compiled applications?
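
The redundant-copy check described in the post above, sketched in C++ as an added example that is not part of the original thread. `GuardedValue` and its test hook are hypothetical names; the check only notices a write that changes some copies and not others.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <memory>
#include <random>

// Hypothetical helper: keeps several masked copies of one value in separate
// heap allocations and reports when they no longer agree.
class GuardedValue {
public:
    explicit GuardedValue(std::uint32_t v) {
        std::random_device rd;
        for (auto& s : slots_) {
            s = std::make_unique<Slot>();
            s->key = rd();  // per-copy mask, so the stored words differ
        }
        set(v);
    }

    void set(std::uint32_t v) {
        for (auto& s : slots_) s->masked = v ^ s->key;
    }

    // True when every copy decodes to the same value.
    bool intact() const {
        const std::uint32_t first = decode(0);
        for (std::size_t i = 1; i < slots_.size(); ++i)
            if (decode(i) != first) return false;
        return true;
    }

    // Returns false and leaves `out` untouched if the copies disagree.
    bool get(std::uint32_t& out) const {
        if (!intact()) return false;
        out = decode(0);
        return true;
    }

    // Test hook only: simulates an external write that hits one copy.
    void flip_bits_for_test(std::size_t i, std::uint32_t bits) {
        slots_[i]->masked ^= bits;
    }

private:
    struct Slot { std::uint32_t key; std::uint32_t masked; };
    std::uint32_t decode(std::size_t i) const {
        return slots_[i]->masked ^ slots_[i]->key;
    }
    std::array<std::unique_ptr<Slot>, 3> slots_;
};
```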

You could place a system hook on the debugger capabilities and monitor for attached debugger processes. It can be done, but it's easy to circumvent this hook as well.

Eventually, a hacker will find a way around each security you build in. The harder it is to beat, the more popular it will become in the hacker scene.

It'll end up as contest material there :).

Toolmaker

Quote:Original post by Toolmaker
You could place a system hook on the debugger capabilities and monitor for attached debugger processes. It can be done, but it's easy to circumvent this hook as well.

Eventually, a hacker will find a way around each security you build in. The harder it is to beat, the more popular it will become in the hacker scene.

It'll end up as contest material there :).

Toolmaker


But the better your security gets, the amount of hackers that attempt to hack your game will slowly get lower and lower. Good security weeds out the script kiddies from the real hackers, and eventually, some real hackers will get annoyed and STOP trying, and when you weed out everyone possible, you can then start banning people.
Quote:Original post by Lenox
you can then start banning people.


Well... if you're an MMO (only game type that banning makes sense for) then you don't need any obfuscation. Everything should be checked server side so if the user has a hacked client it doesn't do anything.

Anything that's not an MMO type game (where there is a trusted server) will get hacked. It doesn't matter if 99.9% of hackers "give up". All you need is one to succeed and then your app is cracked with a friendly little exe out on the web. It certainly makes sense to have some verification checking in there just to weed out the casual cheater, but you can't otherwise prevent it.

If it's a single player game who really cares if people cheat? Piracy is another issue but cheating isn't really that big a deal.

-me

Quote:Original post by Palidine

Well... if you're an MMO (only game type that banning makes sense for) then you don't need any obfuscation. Everything should be checked server side so if the user has a hacked client it doesn't do anything.

Anything that's not an MMO type game (where there is a trusted server) will get hacked. It doesn't matter if 99.9% of hackers "give up". All you need is one to succeed and then your app is cracked with a friendly little exe out on the web. It certainly makes sense to have some verification checking in there just to weed out the casual cheater, but you can't otherwise prevent it.

If it's a single player game who really cares if people cheat? Piracy is another issue but cheating isn't really that big a deal.

-me



I really wouldn't call what I'm attempting to make an MMORPG, but an ORPG. ( It doesn't earn the title of MMORPG until it gets at least 1,000 players online at any point in time, so I just name a starting project like this an ORPG until I see if it succeeds or not ) I like how Sony deals with piracy for Star Wars Galaxies. They make you enter a key, then they flag it as being used, so unless the user can modify the database or the place in code where it checks to see if the key is used, they're out of luck.

[Edit]

The reason I included Obfuscation in the title is because I think I remember hearing about a different type of obfuscation, "memory obfuscation," where the effect is that addresses in memory are rarely ever the same, so it makes client-side hacking an even longer process. ( things like map hack if there's a map.. )
Doesn't all this remind you of that movie with the phone call tracer, the trace busta and trace busta busta, lol...

Sorry it's my last day of my summer job and I have 30 mins left and nothing better to do =p
Quote:Original post by Lenox
Hey, I have a few questions about the above listed topics.

1.) What are -your- methods of obfuscation?

Frankly, IMHO, it's a waste of time.

Quote:2.) Do you find obfuscation necessary in large games?

No.

Quote:3.) Is there any way to stop other processes ( like a debugger ) from attaching to your game's processes?

No.

Quote:4.) Is there any way to generally stop other processes from reading or writing to your game's memory?

No.

Quote:I'd like to see your answers to the above questions, and perhaps any additional opinions you have about these subjects. Thank you for your time,

Basically, if your app runs on someone's computer, they can do ANYTHING they want to it, and with a little time and experience, they can crack any possible memory protection you could devise. There are companies that spend tens of thousands of dollars (Microsoft) on copy protection just to have it cracked a few hours after it's released.

That being said, as others have said, if you have a multiplayer game, then server-side checks are your best bet.
In Windows you can set security attributes to your process to make it unwritable (and unreadable), that's what those programs that hide your app from the process list do.
Quote:Original post by Lenox
1.) What are -your- methods of obfuscation?

Obfuscation is a losing battle.
Quote:2.) Do you find obfuscation necessary in large games?

No.
Quote:3.) Is there any way to stop other processes ( like a debugger ) from attaching to your game's processes?

You can make it harder, but again that's a losing battle.
Quote:4.) Is there any way to generally stop other processes from reading or writing to your game's memory?

Yes - running it remotely. A client can't poke around the memory of a server hosted on another computer for example. Otherwise, no.
Quote:I'd like to see your answers to the above questions, and perhaps any additional opinions you have about these subjects.


Obfuscation is one of the worst methods of security. It's not even damage control, it's damage delayment. And it's much easier to bypass than it is to do - meaning for every N hours you waste, someone else only has to spend some factor of N hours in order to bypass said protection. Not only that, but the bad guys usually outnumber you.

There are two general security measures that come to mind as acceptable:

1) Damage prevention. If you have no security holes and don't trust the client to not lie about its health, it's going to be rather hard for them to have god mode.

2) Damage control. This has two stages: detection and containment.
Detection comes in the stage of noticing damage - a player is going through walls, turning 180 degrees for an immediate headshot every 5 seconds, player has a lag pattern very consistent with a speed hack, etc.

Containment comes in when trying to deal with the problem. A common solution is a serverwide ban - this minimizes damage to the single server. Another solution might be a clusterwide ban - a bunch of people agree to ban the same people. Banning occurring either by CD key or IP address, either temporary or permanent (permanent tends to hurt legitimate players however (who had their CD key "borrowed" or who get the same IP from their ISP at a later date), another form of "damage").
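
The prevention and detection steps from the post above, sketched in C++ as an added example that is not part of the original thread. It covers only server-owned health and a speed check that counts strikes toward a flag; the `Server` class, the limits and the strike count are constructed for illustration.

```cpp
#include <cmath>
#include <string>
#include <unordered_map>

// Constructed limits for the example; a real game would tune these.
constexpr double kMaxSpeed = 7.0;    // world units per second
constexpr double kTolerance = 1.25;  // slack for jitter and rounding
constexpr int kStrikesToFlag = 3;

struct PlayerState {
    double x = 0, y = 0;
    double lastTime = 0;  // server clock, seconds
    int health = 100;     // changed only by server-side game logic
    int strikes = 0;
    bool flagged = false; // input to containment (ban review)
};

enum class MoveResult { Accepted, Rejected, Flagged };

class Server {
public:
    // The client sends only a requested position; `now` is the server's clock.
    MoveResult onMove(const std::string& id, double x, double y, double now) {
        PlayerState& p = players_[id];
        const double dt = now - p.lastTime;
        const double dist = std::hypot(x - p.x, y - p.y);
        p.lastTime = now;
        if (dt <= 0 || dist > kMaxSpeed * kTolerance * dt) {
            // Keep the last valid position; the client gets snapped back.
            if (++p.strikes >= kStrikesToFlag) p.flagged = true;
            return p.flagged ? MoveResult::Flagged : MoveResult::Rejected;
        }
        p.x = x;
        p.y = y;
        return MoveResult::Accepted;
    }

    // Damage is computed here; no message lets a client set its own health.
    int applyDamage(const std::string& id, int amount) {
        PlayerState& p = players_[id];
        if (amount < 0) amount = 0;  // damage never heals
        p.health = (amount >= p.health) ? 0 : p.health - amount;
        return p.health;
    }

    const PlayerState& state(const std::string& id) { return players_[id]; }

private:
    std::unordered_map<std::string, PlayerState> players_;
};
```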
