Possibility of Hacking in C2 Games

Post » Wed Nov 13, 2013 7:22 am

This is something I just wanted to bring up, as it has been lingering in my mind for some time - is it possible for a user to mess with the JavaScript in a C2 game and alter the game (cheat)?

I understand C2 encrypts things, but anyone who understands how trainer programs work should be able to figure out something given time and change.

Take for example a game where I have a weapon with 10 bullets. I do a JavaScript search for the number 10 and keep track of all instances where 10 shows up. I then fire a bullet and have 9. I then search each of those instances in the JavaScript code and figure out which ones changed to 9. If there are multiples, I fire again and figure out which one changed to 8. Eventually I have the number that is keeping track of my ammo and will be able to edit the JS to give me, say, 1000.

This problem is easily mitigated by releasing as an app, but what if I don't want to do that? If I am legitimately releasing a browser game, what is the possibility of cheating and what measures does C2 take to prevent that?
Project Lead of Zems Online Card Game

Producer at Impulse Limited

Post » Wed Nov 13, 2013 8:43 am

Browser game - yes, you can cheat/hack.

Unfortunately you can cheat/hack on any game/any platform if you have the know-how.

I actually played yesterday with a (bad word) in CoD:Ghost that had implemented various hacks - pretty clever actually, but not cool.
This is a game that takes great strides to prevent hacking/cheating (huge budget etc).

If people are going to cheat/hack, then there is nothing you can do to stop them.

But HTML5 games in C2 are pretty easy to alter/steal. It would be great if a few extra security features were put into place (nothing is foolproof), but a little salting never hurt anyone :)
You think you can do these things, but you can't, Nemo!
Just keep reading.
Just keep learning.

Post » Wed Nov 13, 2013 8:46 am

The short answer is No.

You should trick the hackers so that they can't hack your game.

For example, you add an extra condition for the number 10: 10 is supposed to be the maximum, so if it is more than 10, the game restarts.

Another method: make multiple variables. Variable 1 is 10 and variable 2 is also 10; if they compare as equal, the game works. Otherwise, if variable 1 is different from variable 2, the game restarts. If you add extra variables such as 3, 4, A, B, it makes the security harder. It's not a perfect method, but the hacker may give up because of the time it takes.

Another thing: you might use PHP to get variables that they can't hack because it's server-side.


Post » Wed Nov 13, 2013 11:41 am

Perhaps salting or some form of security could be something for future consideration into C2.
Project Lead of Zems Online Card Game

Producer at Impulse Limited

Post » Wed Nov 13, 2013 11:53 am

Don't bother, use https://jscrambler.com/

Post » Wed Nov 13, 2013 12:02 pm

@Joannesalfa
Lol, $55 per month is extremely steep for something that is actually pretty simple and can easily be included in C2.
You think you can do these things, but you can't, Nemo!
Just keep reading.
Just keep learning.

Post » Wed Nov 13, 2013 12:31 pm

If you minify a game on export the source becomes pretty unreadable so that's a good first measure.

It is impossible to entirely prevent hacking in a client based game (server based games can enforce this, but if you don't have a server, it's entirely hackable). Releasing a game as an app does not necessarily add any protection - for example a node-webkit game on Windows is still hackable by the same method you describe, just using native technologies instead of browser technologies.

We could add some simple kind of number encryption, but it would probably cause a performance impact if we used it everywhere. Perhaps some kind of 'secure variable' plugin could address this, but then it won't even solve the problem, you'll just make a determined hacker use a different approach (such as directly modifying the code).

So it's always going to be possible to hack. Be well aware of this if you ever want to offer prizes for high scores in a client-based game!
Scirra Founder
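
An added example, not part of the thread and not Construct 2 code: a server-side (Node.js) sketch of the "server based games can enforce this" point above. The client sends only actions, the server keeps the real ammo count and score, and a memory-edited ammo value in the browser changes nothing. All names, limits and the sample action log are hypothetical.

```javascript
// Added example: authoritative game state kept on the server.
const MAX_AMMO = 10;
const POINTS_PER_HIT = 100;
const MIN_FIRE_INTERVAL_MS = 200; // assumed fastest legitimate fire rate

class GameSession {
  constructor() {
    this.ammo = MAX_AMMO;
    this.score = 0;
    this.lastFireAt = -Infinity;
    this.rejected = [];
  }

  // The client reports what the player did, never the resulting state.
  apply(action, nowMs) {
    switch (action.type) {
      case "fire":
        if (this.ammo <= 0) return this.reject(action, "no ammo");
        if (nowMs - this.lastFireAt < MIN_FIRE_INTERVAL_MS)
          return this.reject(action, "fire rate too high");
        this.ammo -= 1;
        this.lastFireAt = nowMs;
        // "hit" is still client-reported here; it is bounded by the shots
        // the server allowed. A full server would run hit detection itself.
        if (action.hit === true) this.score += POINTS_PER_HIT;
        return true;
      case "reload":
        this.ammo = MAX_AMMO;
        return true;
      default:
        return this.reject(action, "unknown action");
    }
  }

  reject(action, reason) {
    this.rejected.push({ action, reason });
    return false;
  }

  // A submitted high score counts only if it equals the server's own total.
  acceptScore(claimed) {
    return Number.isInteger(claimed) && claimed === this.score;
  }
}

// Replays an action log; each entry carries dt = ms since the previous one.
function replay(actions) {
  const session = new GameSession();
  let t = 0;
  for (const a of actions) { t += a.dt; session.apply(a, t); }
  return session;
}
```

Rejected actions are kept in `rejected`, which gives the server a record to flag or ban on rather than silently dropping them.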

Post » Wed Nov 13, 2013 12:55 pm

I like the idea of a "secure variable". This should solve a lot of problems, as we generally just require a handful of secure variables, and not a complete encryption.

I'll +1 a secure variable feature.
You think you can do these things, but you can't, Nemo!
Just keep reading.
Just keep learning.

Post » Fri Nov 15, 2013 8:15 am

Can't you add an MD5 tag/hash at compile time related to the game files' size?

At run time, have it check once with the files.

Should give a trigger for file tampering.
Who dares wins

Post » Fri Nov 15, 2013 8:58 am

I don't think that solves any issue, especially if you hack using the method I describe in my first post.
Project Lead of Zems Online Card Game

Producer at Impulse Limited
