C2 projects hacking prevention

Discussion and feedback on Construct 2

Post » Sun Apr 16, 2017 9:55 am

Hi,
I am planning to work on some online multi-player mini games that are made in C2, but before I start, I needed to check whether it was possible for players to tamper with the variables of the games and such, since a lot of data are client side and the server can't be controlling them.

So I've made some tests on a random game from the Arcade section, and figured out that everything was exposed to me as a player:
------------------
This is an unminified test subject: https://www.scirra.com/arcade/adventure ... free-10760
-----------------
Here is another test subject which is minified: https://www.scirra.com/arcade/action-ga ... -run-14758
----------------

You can see from the scores tables my score.

Is it possible to make the c2runtime object inaccessible from the console?
Are there any side effects of Object.freeze?

Thanks
Banned User

Post » Sun Apr 16, 2017 1:46 pm

About all you can do is try to protect the variables. The minifier is great for obfuscation, but you can also encode strings, and use hashes.
http://www.scirra.com/forum/plugincb-ha ... 43824.html
viewtopic.php?t=73288&start=0
viewtopic.php?t=75040&start=0

As far as I'm aware the only place you can't get at the console is Nwjs.

Post » Sun Apr 16, 2017 2:14 pm

@newt As long as it can be accessed from the console, it can be modified. You can access the console of an Nwjs app with Ctrl+Shift+C or F12, unless you add this script which forces the browser to close the devtools:
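// Get a handle on the current NW.js window
var gui = require('nw.gui');
var win = gui.Window.get();
// Close the devtools again as soon as they are opened
win.on("devtools-opened", function () {
    win.closeDevTools();
});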
Banned User

Post » Sun Apr 16, 2017 2:31 pm

It can be modified, but if it's encoded that's pointless unless they know the method/key.
There's other things you can do, like concatenating strings, and even just using a bunch of variables.
Granted they can tell which variables are being used, but figuring out how they go together would make it harder for them.

Post » Sun Apr 16, 2017 4:31 pm

@newt Minifying and encoding are pointless since the only things interesting are values, not variable names.
And the c2runtime object has a structure which makes it easy to access the eventssheets child object.
So as long as the object is accessible and unfrozen, nothing can be done to prevent hacking.
Banned User

Post » Sun Apr 16, 2017 4:54 pm

The values are what would be encoded.
It's basically just about what a casual hacker would be interested in messing with.
Everything can be hacked, not everything is worth hacking.

Post » Tue Apr 18, 2017 1:16 am

got me good

Post » Tue Apr 18, 2017 1:37 am

Any chance you could unhack your score from my leaderboards?

Post » Tue Apr 18, 2017 8:58 am

@BeastCoasting There is no option to remove it; I guess a moderator may have the privilege to remove a score from leaderboards.
Sorry about that, but I had to prove a point. By the way, your game is really polished, congrats.
Banned User

Post » Thu Apr 20, 2017 2:52 am

@X3M

Wow, that is rather alarming that it is that easy to change variables like that. I had never used the console like that before, so I played that first game you linked to, gave myself all the lives I wanted, all the coins I needed to buy all the upgrades, whatever score I wanted... if my health got too low, I could just pause the game, set my health back to full and then continue on.

Encrypting every important variable in a game seems like a lot of extra work and overhead, but what else can you do? I guess keep track of key presses, mouse clicks, and time in game so you can estimate if the score is possible (and encrypt those values too). Maybe keep multiple copies of some variables (in different forms) and test for hacking, or leave some honey-pot variables unencrypted to see if someone is trying to cheat.

Like @newt said - anything can be hacked, but it should not be possible for a complete novice (like me) to completely defeat a game in a few seconds! I guess if you want to keep Global leader boards, you could keep code for testing whether the score is valid or not on the server. But they would still be able to see how the data is assembled to be sent to the server and eventually reverse engineer it.
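The server-side validity test suggested in the last post, sketched as an added example that is not part of any post in this thread: the server records when a run starts and rejects a submitted score that could not have been earned in the time it measured itself. The rule values and all names (RULES, startRun, validateScore, the run ids) are assumptions made up for illustration, and the check relies on server-held state rather than on anything hidden in the client.

```javascript
// Assumed game rules, constructed for this example (not from any real game).
const RULES = { maxPointsPerSecond: 50, minRunMs: 5000, maxRunMs: 30 * 60 * 1000 };

// Server-side registry: run id -> { startedAt, used }. The client never writes to it.
function createRunRegistry() {
  return new Map();
}

// Called when the server hands a run id to a client that starts playing.
// In production the id should come from a CSPRNG; here the caller supplies it.
function startRun(registry, runId, nowMs) {
  registry.set(runId, { startedAt: nowMs, used: false });
}

// Decide whether a submitted score is plausible. Returns { ok, reason }.
function validateScore(registry, submission, nowMs, rules = RULES) {
  const run = registry.get(submission.runId);
  if (!run) return { ok: false, reason: 'unknown-run' };
  if (run.used) return { ok: false, reason: 'replayed-run' };
  run.used = true; // one submission per run, even if it is rejected below
  const score = submission.score;
  if (!Number.isSafeInteger(score) || score < 0) {
    return { ok: false, reason: 'malformed-score' };
  }
  const elapsedMs = nowMs - run.startedAt; // server clock only, never client time
  if (elapsedMs < rules.minRunMs) return { ok: false, reason: 'too-fast' };
  if (elapsedMs > rules.maxRunMs) return { ok: false, reason: 'expired-run' };
  const ceiling = Math.floor((elapsedMs / 1000) * rules.maxPointsPerSecond);
  if (score > ceiling) return { ok: false, reason: 'score-exceeds-rate' };
  return { ok: true, reason: 'plausible' };
}

// Constructed sample: four submissions arriving 60 s after two runs started.
function runConstructedSamples() {
  const reg = createRunRegistry();
  startRun(reg, 'run-a', 0);
  startRun(reg, 'run-b', 0);
  const at60s = 60000; // score ceiling at this point is 60 * 50 = 3000
  return [
    validateScore(reg, { runId: 'run-a', score: 2400 }, at60s).reason,
    validateScore(reg, { runId: 'run-a', score: 2400 }, at60s).reason,
    validateScore(reg, { runId: 'run-b', score: 999999 }, at60s).reason,
    validateScore(reg, { runId: 'run-z', score: 10 }, at60s).reason,
  ];
}
```

A check like this only bounds what a tampered client can claim; a score that stays under the ceiling still passes, so the rules have to be tuned to what the game actually allows.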
