Protection from Data Tampering Client Side

Hello everyone,

I am in the process of completing a Java (jbox2d) based physics puzzle game.
Whenever a puzzle is successfully solved, depending upon the time required, the data is sent from the client side to the server side.
How can I make sure this data is not being tampered with … or what should I do so that the game score cannot be hacked?

Thank you :)

Nothing, so don’t bother. At the very most, encrypt or munge the data you send and MD5 it so it’s at least not totally trivial for someone to send crap which your server accepts.

Cas :)

You can’t guarantee anything from the client is legit but you can raise the bar.

For a physics based puzzle you could send what moves the player did to get that score as “proof” they know how to solve it.

Can I do something like take the co-ordinates of the point where he has supposedly ‘shot’ the cannon and then run the simulation again on the server side for exactly the same situation, without using the graphics and all, and updating the game world at super high speed … This way I can check what happens on the server side rather than on the client side.

Will this help? And can it even be implemented?

Yeah sorry I left that part off. You verify the score by running the moves on the server using the same physics code as the client did, then compare the scores.

This is much easier on deterministic games like physics puzzles.

Thanks a lot guys… Any more ideas or things I can implement to make my game a bit more hack-free?

Only thing to remember is: Never, ever trust the client :)

Are physics engines deterministic? I noticed that in my game Shapetronic it is totally random where the game object bounces after the initial drop. The initial drop is always at the same position, and so is the player. My game uses phys2d so it may be different from box2d. But I wouldn’t trust that two simulations are identical even if the starting variables were.

Umm … I’m not sure about that, I haven’t used it so I don’t know …
What do you do then to protect your game from client-side hacks?

Off-topic, but are you using fixed time steps for the physics engine updates? If not, then that’s the cause of your ‘random’ behaviour.
Simon

Yeah. I have read http://gafferongames.com/game-physics/fix-your-timestep/

Many floating point math operations are not guaranteed to return the same results unless you use StrictMath. So, no, your simulation will not be deterministic.

Well, that leaves me back where I was :(

How can I protect my game from being hacked and sent wrong scores etc.?

For JBox2D, there’s some discussion about repeatability/determinism on their forums.
(Short answer: seems you may have to tweak the source code a little.)
Simon

As others stated, you can’t. If you want to prevent script kiddies from just sending some scores, send them encrypted (even a simple xor encryption should be sufficient - maybe make this a handshake process with sending a one-time key by the server). Also obfuscate your client code.

That’s about it - you can’t do anything more (at least without your legitimate customers getting pissed - what the bigger game studios don’t seem to get…). As soon as there is a capable hacker interested in your game, it will get hacked. But by then your game is probably quite successful anyway.

For the physics simulation, as long as you are using your own algorithms, you can afaik force strict math.

Ok, I’ll do those things … and I think the JBox2D physics engine does use StrictMath for its calculations, so I will be able to simulate the solution on the server side as well.

The next question that comes to mind is: how do we pull this off?

I mean, if there are like 100 players playing the game together at 1 time, do I have like 100 instances of the application running on the server to verify the results?

And how do we actually do this? I mean ‘RECEIVING the data from the user, STARTING an application on my server, checking for results and then CLOSING the application on the server’?

No. Abstract the simulation to take a set of parameters reflecting the player’s actions. Let the client send this to write a high score. Copy these values over into a kind of queue and close the connection to the client - you don’t need to wait for the simulation to be finished (if you want to show the score table to the player, just use the locally calculated result on the client). Then have a single thread with the physics calculation working on this queue in a loop.

But what in cases when the user cannot go to the next level until he has successfully finished the current level ?

You can always prioritize what results to verify.
A new top 5 highscore should be verified, but a score in place 54 is probably not a cheating attempt :)

hmm that’s nice :)
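
The approach the replies converge on (the client submits its moves, the server replays them with the same fixed-timestep StrictMath physics, and one thread verifies from a queue with the highest claims first), as an added example that is not code from any poster or from JBox2D. The `replay` function is a stand-in projectile model for the real headless physics step, and the `Submission` fields, `TARGET_X` and the player names are constructed; records need Java 16 or later.

```java
import java.util.Comparator;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.PriorityBlockingQueue;

public class ScoreVerifier {
    // The client submits its inputs, not just the score (constructed message shape).
    record Submission(String player, double angleDeg, double power, int claimedScore) {}

    static final double DT = 1.0 / 60.0;   // fixed timestep, identical on client and server
    static final double TARGET_X = 40.0;   // constructed level data

    // Stand-in for stepping the real physics world without graphics (assumption).
    static int replay(double angleDeg, double power) {
        double a = StrictMath.toRadians(angleDeg);
        double x = 0, y = 0, vx = power * StrictMath.cos(a), vy = power * StrictMath.sin(a);
        int steps = 0;
        do {
            vy -= 9.81 * DT;
            x += vx * DT;
            y += vy * DT;
            steps++;
        } while (y > 0 && steps < 100_000);   // step cap bounds server work per submission
        double miss = StrictMath.abs(x - TARGET_X);
        return (int) StrictMath.max(0, 1000 - 100 * miss - steps);  // faster and closer is better
    }

    public static void main(String[] args) throws InterruptedException {
        // Highest claimed score first, so leaderboard-topping claims are checked soonest.
        var queue = new PriorityBlockingQueue<Submission>(16,
                Comparator.comparingInt(Submission::claimedScore).reversed());
        queue.add(new Submission("alice", 45, 20, replay(45, 20)));   // unmodified client
        queue.add(new Submission("mallory", 45, 20, 999_999));        // forged score, same inputs
        queue.add(new Submission("bob", 50, 20, replay(50, 20)));
        var done = new CountDownLatch(queue.size());
        Thread worker = new Thread(() -> {    // one verifier thread serves every player
            try {
                while (true) {
                    Submission s = queue.take();
                    int actual = replay(s.angleDeg(), s.power());
                    System.out.printf("%-8s claimed=%d replayed=%d -> %s%n", s.player(),
                            s.claimedScore(), actual, actual == s.claimedScore() ? "ACCEPT" : "REJECT");
                    done.countDown();
                }
            } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
        });
        worker.setDaemon(true);
        worker.start();
        done.await();
    }
}
```

The exact-equality check only holds if the client and server step the simulation identically, which is why the fixed timestep and StrictMath matter here.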