# How would... double encryption fare?

This topic is 4176 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

## Recommended Posts

Currently working on a little diddy of an MORPG with my friend. And well, we want to keep it macro-proof. Seems one of the more popular styles of macros these days is proxy style where it'd obviously intercept packets, and change them as needed. So I'd like to encrypt the packets before they're sent out. But since this is with *all* packets (it's TCP, btw) I figured using something like RSA would be too slow. Doing it X-OR style would prove faster... but then the key would be saved in the memory. I figured... what if we encrypted it once with X-OR... and then again with a different key? It doesn't seem that slow and it'd sure as heck confuse people trying to decrypt the packets. Either way, some advice with what would be recommended for encryption would be nice here. :) Thanks! -Aternus
Edit by Fruny: fixed title. [Edited by - Aternus on August 13, 2006 3:30:12 AM]

##### Share on other sites
Quote:
 Original post by AternusSo I'd like to encrypt the packets before they're sent out.

If there is an un-inlined encryption function in your program, they can call it too and encrypt their own packets.

Quote:
 I figured using something like RSA would be too slow.

RSA is typically only used to encrypt and transmit a key that is then used with a faster, symmetric encryption algorithm.

Quote:
 Doing it X-OR style would prove faster... but then the key would be saved in the memory. I figured... what if we encrypted it once with X-OR... and then again with a different key?

That would only amount to a single XOR with a key that is the XOR of the two other keys repeated to a length that is their common least product.

e.g. key 1 "ABC" and key 2 "DEFG" would result in an effective key of "ABCABCABCABC" XOR "DEFGDEFGDEFG".

That ain't any more secure.

Quote:
 Either way, some advice with what would be recommended for encryption would be nice here.

Look for a library with encryption routines, carefully read up on how they should be used, then just use them. XOR encryption is crap.

##### Share on other sites
While I'm not an expert on encryption, I don't recommend it. For starters, XOR encryption is very weak and it's easily crackable (unless you're using it in a One-Time Pad fashion, but that's not very practical). Anyone with some reverse engineering know-how and a good grasp of cryptography & statistics will break your system relatively quickly.

Also, just because you encrypt "plain text" twice in succession, it does not mean it will be more secure. This is especially true if you do a 2-pass XOR operation like you described, because there is a way to decypher the message with just a single XOR operation.

The problem you're trying to solve is quite complex, and the issue goes probably beyond cryptography as well. Security in over-the-wire communication doesn't depend entirely on concealing the message (i.e.. cryptography), they also depend on various "hand-shaking" algorithms which ensures that communication is only estabilished with a trusted sources or clients.

Before you dig in, I'd suggest you to do some background research on Information Theory in general, on topic related to crypto-analysis (i.e.. study the strenghts and weaknesses of popular crypto-systems), and topics on secure protocols.

Could start here:
http://www.cacr.math.uwaterloo.ca/hac/

##### Share on other sites
IMHO, no FAQ for beginner programmers is complete without:

Quote:
 Q. Blah blah blah encryption blah blah blah?A. Forget about it. If you do it yourself, it won't be secure. If you use an off the shelf solution, you'll probably end up using it in a way that defeats the purpose. Properly secure encryption is (a) really hard to get right, even for people who should know better; and (b) highly unlikely to be that useful, because encryption isn't the whole story of security, and because there often isn't anything worth securing anyway.Q. Blah blah blah MMORPG blah blah blah?A. Are you insane? A real MMORPG is a project for hundreds of very talented people working for years with millions of dollars of funding. If your project actually is of a scope you can handle, stop using those letters. Seriously, what's with the addiction to the term 'MMORPG'? Do you hear beginning composers saying they want to write an opera?

##### Share on other sites
Alright. Thank you Fruny and Tachi for actually helping. I'll look into the subject, and do what I can. And yes, I was already aware security isn't all in the packets.

Zahlman... geez. Way to be polite. Never once did I say it was a serious project. It's more of a learning experience for me and my friend, and so far it's going very well. As the GUI is working 100%, winsock wrapper class is faring (doesn't seem right, Fruny >_>) well, and it even works on Mac OSX and Linux. So far I have learned a LOT on OpenGL, networking, AND porting to other OS'. I decided I should try and learn a bit on encryption, too. How can this not be good for me? Also, if I'd called it an "RPG" you would assume it's offline. What am I supposed to call it? Oh, and I lowered your user rating due to your unpolite behaviour. And one last mention... about your signature. Shouldn't that be char*? Regular characters are very useful for holding numbers that you know will never go over 256. Also can hold 8 booleans in 1 byte, which is the same size as a regular boolean (for flags and such). Useful it be. Bug it be not.

Edit: Oh, and as for your MMORPG budget... what about Tibia? Was originally made by a team of 4 people and only one of which I believe knew how to program. They're not very good at it... their solution to macros was to give everyone else one (yes, they actually implemented it into the client last update). 'Least I'm trying to find ways around. Although it's not that great of a game, it has 4 million characters created to date.

-Aternus

##### Share on other sites
Quote:
 Original post by Aternuswinsock wrapper class is faring (doesn't seem right, Fruny >_>) well

And yet that's the right verb. In fact, if you just take the aside out of your sentence, you almost get "fare well". Looks familiar? [smile] It isn't a coincidence, you know.

Quote:
 Also, if I'd called it an "RPG" you would assume it's offline. What am I supposed to call it?

Online RPG? Graphical MUD?

##### Share on other sites
Hrm, you're right... I've always said "farewell". I guess I'm just tired and mixing up the fair adjective with the fare verb. Ah, well. Also, I took out the "M" representing "Massive" in the original post to satisfy Zahlman. :d

-Aternus

##### Share on other sites
Please don't be too offended by Zahlman's comments Aternus. If you have a search around the forums you'll find that MMORPG has become almost a running joke around here.

I note you at least had the decency to call yours a MORPG instead of a MMORPG.

[EDIT] Oh - you just took the M out just now.

##### Share on other sites
#1 encrypted packets are the same no matter what.

If the hacker is using a sniffer and has a methodology of determining what actions create what packets then you're encryption is cracked.

You must be able to base your encryption on timing so that a "Move Forward" packet changes according to time. Even then, hackers can 'figure it out.'

Ultimately, to get a good(but NOT un-crackable) game is to have both client and server validation routines.

Your best bet is to figure out the hackers and ban them when you can.

Happy coding!

##### Share on other sites
The truth is, the big comapanies cannot make hack proof games, and yes they try but the second one person discovers a hole, it spreads. So I think the only thing you can do is try your hardest but ultimately be prepared for macros to eventually get used.

##### Share on other sites
You can have very secure encryption of packets. For instance we can look at the way World of Warcraft does it which is extremely secure. They first negotiate a shared key via SRP. They then use this key in a RC4 crypto. This means that you can not passivly sniff and decrypt the packets. You have to take an active role on some level. Unless your game has a very large audience this should be enough and it's very fast.

Stopping injecting hacks is much much harder but Blizzard has implemented a very potent system for that as well. Probably one of the most sophisticated I have seen. The people you're fighting probably knows a whole lot more than you do about the issue though so chances are you'll lose.

##### Share on other sites
im *definitely* not an experienced programmer, but wouldnt it help at least a little bit having a server-side script looking for patterns in the players behavior? like if the player always does things the exact same way with the exact same delays and such he could be banned or whatever?

iunno.. just an idea

##### Share on other sites
Quote:
 Original post by Ogganim *definitely* not an experienced programmer, but wouldnt it help at least a little bit having a server-side script looking for patterns in the players behavior? like if the player always does things the exact same way with the exact same delays and such he could be banned or whatever?iunno.. just an idea

This would be near impossible to implement unless your game is outrageously simple, and once implemented it would be trivial to circumvent.

CM

##### Share on other sites
I would say the real problem with such a solution would be the high likelihood of a false positive. Some players tend to be very repetitive when playing these types of games and I'm sure you'd end up hurting real players.

##### Share on other sites
I used a macro in an online game once, because I got very, very bored of sitting around repeatedly clicking on some vegetable patch or something trying to harvest carrots because that's what I needed to do to get my farming skill up. Or whatever it was.

The best solution would be to design your game such that it doesn't contain that kind of mindless, repetitive action. That way nobody will want to macro.

##### Share on other sites
Quote:
 Original post by asp_I would say the real problem with such a solution would be the high likelihood of a false positive. Some players tend to be very repetitive when playing these types of games and I'm sure you'd end up hurting real players.

yeah of course, but i mean if the player keeps repeating something and it takes *exactly* the same time between moves all the time.. but yeah, of course it cant be *exact* like i just said because it varies with the lag.. heh, so i guess that sorta kills the whole idea. oh well =þ

and i definitely agree with superpig there..

heh, in Runescape its practically impossible to use simple recorded mouse-moves/clicks and keystrokes to macro..
they have implented loads of features for that..
for instance, when fishing, all of a sudden some kinda river-monster pops up from somewhere who would kill a simple-macro'er. and also the 3D camera moves a tiny little bit sometimes, but its enuf so that a recorded mouse-macro would not work.

##### Share on other sites
Ah... I have a bit of experience with hacking games. There are a few ways to make macros.

1. You can simply send keyboard and mouse input to the window without any information of the game world.

2. Usually there'll be an array of entity information in memory somewhere, if you find that and find a pointer to it, you can look through it and get information about the world around your player, for example, the players location and an items location, and then you can use that information to send keystrokes to the window intelligently.

3. Intercept packets and get your information from them, and send keystrokes based on that, or even change the packets as you said.

The only way to truly combat macroing in an MMORPG is to make design decisions where people will not want to macro, or it will not be possible to macro.

For example, most MMORPGs have very boring repetitive crafting systems which involves absolutely no player skill, and barely any player input. See creative crafting, something like that would be fun to do, it'd reduce players macroing crafting, and it'd be difficult to create a macro for it.

Even if you were to encrypt packets twice, some reverse engineer who was determined enough would tear apart your program and figure out how to decrypt the packets.

##### Share on other sites
Quote:
 Original post by ScottCAh... I have a bit of experience with hacking games.

Oh, really ?

Quote:
 The only way to truly combat macroing in an MMORPG is to make design decisions where [...] it will not be possible to macro.

Well, duh.

##### Share on other sites
Quote:
 The best solution would be to design your game such that it doesn't contain that kind of mindless, repetitive action. That way nobody will want to macro.

Seems the best solution to me, no grind, no macro.

##### Share on other sites
Ultima Online used double encryption for a long time; in fact, it might still, but I doubt it. Before I implemented double encryption in UO, many of the programs that were used to hack the game knew the encryption scheme and did in-line encryption and decryption of the stream. After implementing double encryption, none of the main-stream UO hackers were able to figure out what I'd done. So, it took a while for them to eventually just bypass the encryption altogether. So the point of this is, double encryption will only slow them down.

World of Warcraft doesn't even encrypt their entire datastream; just the header bytes of each packet. This makes it impossible to syncronize with the packet stream unless you actually know the algorithm. At first I thought that was a real freak show because all of us in the MMO business had been trained to encrypt everything as much as possible. But, after having given this some thought I realized that the idea was pretty good. None of the actual unencrypted data you can see is really useful anyway so there's no point in encrypting it all, and it saves a ton on CPU utilization.

##### Share on other sites
Yeah the Blizzard team really showed with World of Warcraft that they had learnt from their experiences with Diablo and Diablo 2 and that obscurity doesn't help when you have millions of young people with a ton of time on their hands trying to break your game.

Although there has been some exploits in World of Warcraft I would say modelling your own architecture after theirs isn't a bad idea. They probably spent a lot more money on researching a good solution than you will be able to with your project.

The issues I have heard of have been logic errors and synchronization issues. These are issues which are generally always exposed eventually and very hard to avoid completely.

If you have the time I would also look into their protection mechanism against injection bots and similar tools. Look for articles on Warden. There should be plenty available as it has managed to get quite a reputation in the game reverse engineering community.

##### Share on other sites
Quote:
 Original post by superpigThe best solution would be to design your game such that it doesn't contain that kind of mindless, repetitive action. That way nobody will want to macro.

Here, here! No one makes macros for Guild Wars, why? Becuase there's nothing in that game that's mindlessly repetitive. Ditto for the Diablos.

Follow their footsteps, not those of Tibia or Runescape.

##### Share on other sites
Why don't you just design the game so macros are useless? Either that, or design it in such a way that, even if possible, macros don't sidestep the whole point of your game. If you choose the latter solution, you can even code the macros into the game; after all, if it doesn't affect gameplay, why not?

edit:
Whoops, only read half the thread. Looks like superpig beat me to the punch :/

[Edited by - bytecoder on August 13, 2006 5:59:29 PM]

##### Share on other sites
Just to chime in here: the book Policing Online Games (http://www.wayner.org/books/pog/) is an awesome little treatise. Well worth the purchase.

##### Share on other sites
Quote:
 Why don't you just design the game so macros are useless?

That's like saying why doesn't the FPS game designers design their games so that aim bots are useless? Why doesn't RTS game designers design their games so that map revealers are useless? A pretty arrogant statement in my opinion.

The reality is when aided by a computer you get a lot of benefits. Some people feel that these benefits aren't fair, I tend to agree. Now the MMORPG genre might be on the extreme side of repetitiveness but players aided by computers will always have an edge. Except maybe at GO.