Secure highscore submission over HTTP

Besides that, just listing processes alone wouldn’t be good enough; somebody could make a copy of “java.exe” (or whatever program) and rename it to something else, like “mspaint.exe”, so your app couldn’t detect a “bad” process by name alone. It would have to resort to even more devious shenanigans to analyze what all the other processes are up to…

At the risk of beating a dead horse: the client cannot be trusted. Ever.

A few years back when I wrote BeetleMania, I was convinced my homebrew security was uncrackable (or at least not worth trying).

But encryption tricks or spying on processes or whatever is meaningless because you’re fighting the wrong battle.

For example, I asked the #lwjgl channel to bypass the highscore “security” in BeetleMania. Matzon promptly wrote a java app that simply called the routine/function that fired off the highscore. He didn’t have to break my ‘encryption’, he simply provided an input to my own program which it happily encrypted and sent to the server.

Now, granted, that was poor design on my part. But the point is you can’t defend against state. Even if it came down to someone editing the program’s memory to adjust the score … you just can’t defend against that.

Summary: if, under correct circumstances, your program can submit a valid high score … those circumstances can always be emulated to fool your program. That is virtualization and/or emulation at the most basic level.

I am 200% on Riven’s side here. It’s spyware, plain and simple. It’s looking at and seeing things it has no business seeing. Your highscore list is just not that important. We are not securing launch codes here.

There is a reason (other than I hate grind) I won’t touch WoW. It takes a screenshot of every open window (even if minimized), “hashes” it and phones home. Well, it has a hard time doing that on Wine, or in a VM, doesn’t it?

So not only will this method not work, but all the honest players will hate you for it.

So server-side content and logic, and/or constant “updates” to the client that break map hacks etc., is about as good as you will get.

You can also “randomize” the binary so that a patch will only work on some of them. However then the crack will just include the whole binary.

The sequel was much better.

Well, if you are in a money tournament you will be willing to let the process listing work and the random screenshot (for map hacks) be taken.

Highscores were just the subject of this post.

Another solution for highscores is the recorded game. The game is recorded as an instruction set. So this instruction set can be replayed and the highscore can be verified by the community. A hacker able to create an instruction set to reach the highscore deserves it.

Not really - all the hacker has to do is make the client run at half or quarter speed. From the recorded keystrokes it’ll look like they’re playing really well. Similarly a hacker could put in a memory image save/restore and so ‘incrementally’ play a perfect game.

Running a for-money tournament on an open machine and trusting the client is flat out stupid IMHO.

[quote]There is a reason (other than i hate grind) I won’t touch WoW. It takes a screen shot of every open window (even if minimized) and “hashes” it and phones home
[/quote]
lol

What about:

[quote]You should give a little more detail on the kind of game you are talking about. You won’t be able to make an unbreakable one as long as the game is fully running client side, but depending on the game you can slightly increase its security.

An example for a car game:
you send the time when the player passes the start line
you send the time for each checkpoint
you send the time when the player passes the finish line
=> server side you verify the coherence of the data (for example: minimum time before each checkpoint for a given race) and compute the high score
=> you only authorize highscore submission for the same account every “n” minutes
[/quote]
Any chance to have more detail on the target game? It is IMO important to design security.
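The quoted car-game scheme, as an added example that is not code from the thread: the server receives only the checkpoint timestamps, rejects any lap whose segments are out of order or faster than the assumed per-segment minimum for that track, applies the per-account “every n minutes” rule, and computes the score itself. Track name, minimum segment times and the 10-minute interval are constructed values.

```python
from dataclasses import dataclass, field

# Constructed example: one track with three segments (start->cp1, cp1->cp2,
# cp2->finish) and the fastest physically plausible time for each, in seconds.
MIN_SEGMENT_SECONDS = {"track-1": [12.0, 15.0, 9.0]}
SUBMIT_INTERVAL_SECONDS = 600  # the post's "n minutes": one submission per 10 min


@dataclass
class RaceServer:
    # Everything that matters lives here, on the server: when each account
    # last submitted, and the best verified total per (account, track).
    last_submission: dict = field(default_factory=dict)
    highscores: dict = field(default_factory=dict)

    def validate(self, account, track, times, now):
        """Return (accepted, reason). times = [start, cp1, ..., finish] in seconds."""
        # Rate limit first, and count every attempt, so a rejected lap
        # cannot be resubmitted in a tight loop with slightly different data.
        last = self.last_submission.get(account)
        if last is not None and now - last < SUBMIT_INTERVAL_SECONDS:
            return False, "rate limited"
        self.last_submission[account] = now

        mins = MIN_SEGMENT_SECONDS.get(track)
        if mins is None:
            return False, "unknown track"
        if len(times) != len(mins) + 1:
            return False, "wrong number of checkpoints"

        # Coherence check: strictly increasing and no segment faster than possible.
        for i, (a, b) in enumerate(zip(times, times[1:])):
            if b <= a:
                return False, f"checkpoint {i + 1} not after previous"
            if b - a < mins[i]:
                return False, f"segment {i + 1} faster than possible"

        # The score is computed here from the verified data, never taken from the client.
        total = times[-1] - times[0]
        best = self.highscores.get((account, track))
        if best is None or total < best:
            self.highscores[(account, track)] = total
        return True, "accepted"
```

The minimum segment times are the part that needs real tuning: set them from the best laps your own test drivers can produce, not from theory, or honest fast players get rejected.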

In theory it cannot be trusted, and you cannot trust the server either in theory. In practice you can find ways to trust both.

You got to think out of the box. Maybe by using real life ways…

Score laundering is like money laundering. How do you think emoney is secured?

[quote]In practice you can find ways to trust both
[/quote]
I don’t think so… can you point me to even one client software (game or other) that deals with money and which is trusted? (the client may check for basic errors but the server will double-check => the client is not trusted)

It’s not about thinking outside the box … I can respect that you have this blissful fantasy that securing the client is possible … we’ve all been there, you just haven’t yet crashed into the wall of realization.

That’s a different problem. It is technically feasible with the correct inputs to post funds to your account from someone else’s account. That information is usually obtained through social engineering.

But the point is the entire “state” of an account is handled on the server - the client can only request transactions to be made, which the server will always validate. But that doesn’t solve the problem of someone using valid (but stolen) information to post a valid transaction.

To make a game analogy … you could use a similar strategy with a game of Checkers. The server generates a game state and hands it off to the client. The client can then tell the server move-by-move what it wants to do. The server maintains the game state and validates each move.

But even this is not securing the client - it’s just computing game state on the trusted end. Anytime you have a game where the state is exclusively maintained on the client side, you’ve already lost. It will be possible to cheat.

(you could also cheat at the “Checkers” strategy with a bit of AI).

Try doing some hacking on your own. Learn the tools you need to secure against. You will quickly discover why cheating is prevalent in online games, and why it’s so hard to combat.

Solution to this “subproblem”: You could have a timestamp for the game you play so the result is only valid for a limited time. This limits the damage for recorded keystrokes.

Hacker counter: Save a whole play with recorded input and send to server.

Solution to this counter: Randomize the start state.

A bot that can run in real time is however more difficult and it doesn’t even have to run as a process in the target system.
In practice, when money is involved, suspicious users can be banned for no other reason than being just suspicious. No actual proof is needed.
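The recorded-game idea from earlier in the thread combined with the timestamp and randomized-start-state counters above, as an added example that is not code from the thread: the server hands out a seeded start state per session, accepts the recorded inputs within a limited validity window, refuses a session that has already been used, and replays the game itself so the client’s claimed score is never trusted. The toy game (press the digit the seed generates each round) and the 5-minute window are constructed.

```python
import hashlib
import random

SESSION_TTL_SECONDS = 300  # result only valid for a limited time after issue (assumed)


def game_targets(seed, rounds=10):
    # Toy game, constructed for the example: the start state is a seeded
    # sequence of digits; the player scores a point per round they match.
    rng = random.Random(seed)
    return [rng.randrange(10) for _ in range(rounds)]


def simulate(seed, inputs):
    # Deterministic replay of the recorded inputs against the seeded start state.
    targets = game_targets(seed)
    return sum(1 for t, i in zip(targets, inputs) if t == i)


class ReplayServer:
    def __init__(self):
        self.sessions = {}  # session_id -> [seed, issued_at, used]

    def new_session(self, now, rng=random):
        seed = rng.getrandbits(64)  # randomized start state: an old recording is useless
        session_id = hashlib.sha256(f"{seed}:{now}".encode()).hexdigest()[:16]
        self.sessions[session_id] = [seed, now, False]
        return session_id, seed  # the client needs the seed to play the same game

    def submit(self, session_id, inputs, claimed_score, now):
        entry = self.sessions.get(session_id)
        if entry is None:
            return False, "unknown session"
        seed, issued_at, used = entry
        if used:
            return False, "session already used"  # the saved-recording counter
        if now - issued_at > SESSION_TTL_SECONDS:
            return False, "session expired"  # the timestamp counter
        entry[2] = True
        score = simulate(seed, inputs)  # the server's own replay is the only score that counts
        if score != claimed_score:
            return False, f"claimed {claimed_score}, replay gives {score}"
        return True, score
```

As the reply about half-speed clients points out, this still cannot tell from the inputs alone whether the client ran slowly or restored memory images between rounds; the replay only proves the inputs produce the score, not that a human produced the inputs.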

Unless the state is there for all to see. Map hacks lose their purpose if the game is played with no fog of war.

About e-money, I meant cards where the money state is stored on the card. They used to call it Proton here, Solo in the UK, though I never used that one.

So while I agree that in theory state on the client side makes it possible to cheat, like I said, paper money is state on the client side. Money laundering does happen. But try to launder money using big fat notes of 500 euros? Doesn’t happen very much.
So for highscores, nobody cares if people cheat for scores lower than the Top 10. All you have to do is monitor the top ten scores using the above techniques and then some. For me, that’s practical client security. Make recorded games and let the community check on those top ten highscores.

Now your point is that one bright hacker would be able to masquerade even then. Well, even the best money forgers are caught. They are playing “Catch me if you can”.
What about your income history // highscore history? Maybe client security is also about how you design the community surrounding your game highscores.

That’s why I wrote “real life ways” to achieve client security.