Anti-hacking using maths


49 replies to this topic

#21 creators124

creators124

    awesomeliciousmember

  • GMC Member
  • 866 posts
  • Version:GM8

Posted 29 April 2012 - 03:56 PM

Cheating is critical only for games where online highscores or achievements are available.

For those you may want to have 'verification' variables along with all important ones.
So you would create a script(s) like:

// score_set(value, skip) - changes score
// value - new score value
// skip - skip verification
if (!argument1) if ((score ^ 77) != score_) global.is_cheating = true;
score = argument0;
score_ = score ^ 77;
Replace '^ 77' by calculation of choice - be that division, lengthdir, or checksum.

This method leaves variable(s) well exposed, however you will know if player changed something, and take care - be that shutting the game down, resetting their score, or kicking them out just before the end of game (warning: may cause hate).

As I go through this thread I see that YAL's way seems promising!
But after trying out his example I used Cheat Engine to use code injection on it and deleted the little pieces of code that made the checking and I changed it at will. :P
After that I think making an anti-hackable game is impossible! (except server-sided games)!
  • 0

#22 Fledermann

Fledermann

    GMC Member

  • New Member
  • 9 posts
  • Version:GM8

Posted 21 May 2012 - 03:44 PM

After that I think making an anti-hackable game is impossible! (except server-sided games)!


Yes, that is a true fact. When the client, i.e. the game, is under the player's control, he or she is free to manipulate anything. They don't even need the game, since they only have to send some data which will be accepted by the server.

There is a reason that the billion dollar video game industry couldn't come up with any reliable client-based cheat protection. It's not possible.

Fledermann
  • 0
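
The point made in the post above (the server accepts whatever data it is sent) shown as an added example that is not part of the original thread: a naive highscore handler next to one that recomputes the score from a submitted event log. The event names, point table and rate limit are assumptions.

```python
# Added example: event names, point values and limits are assumptions.
POINTS = {"coin": 10, "enemy": 50, "boss": 500}  # scoring table kept on the server
MAX_EVENTS_PER_SECOND = 5                         # assumed plausibility limit


def naive_accept(submission):
    """The naive server: stores whatever score the client claims."""
    return submission["score"]


def validate_submission(submission):
    """Recompute the score from the event log. Returns (ok, score_or_reason)."""
    total, last_t, window = 0, 0.0, []
    for ev in submission.get("events", []):
        kind, t = ev.get("kind"), ev.get("t")
        if not isinstance(kind, str) or kind not in POINTS:
            return False, "unknown event kind"
        if not isinstance(t, (int, float)) or t < last_t:
            return False, "timestamps not monotonic"
        # Keep only events from the last second, then add this one.
        window = [w for w in window if t - w < 1.0] + [t]
        if len(window) > MAX_EVENTS_PER_SECOND:
            return False, "event rate implausible"
        total += POINTS[kind]
        last_t = t
    if submission.get("score") != total:
        return False, "claimed score does not match event log"
    return True, total


# Constructed sample submissions.
PLAY = [{"kind": "coin", "t": 1.0}, {"kind": "enemy", "t": 2.5},
        {"kind": "coin", "t": 3.0}]
HONEST = {"score": 70, "events": PLAY}
FORGED = {"score": 999999, "events": PLAY}
BURST = {"score": 5000, "events": [{"kind": "boss", "t": 1.0}] * 10}

if __name__ == "__main__":
    for name, sub in (("honest", HONEST), ("forged", FORGED), ("burst", BURST)):
        print(name, "naive:", naive_accept(sub), "validated:", validate_submission(sub))
```

A fabricated log that stays within the limits still passes, so this bounds what a client can claim rather than proving the game was played.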

#23 cotycrg

cotycrg

    GMC Member

  • GMC Member
  • 851 posts
  • Version:GM:Studio

Posted 27 May 2012 - 02:05 PM

What about making two separate variables..

x1=40;
x2=30;

And when you need to call them..

x3=x1+x2;

Imagine a player trying to figure out that one.

Or even go further, with like x1, x2, x3, x4, etc. But either way.. if the game is online (which is really the only place where you need to be worried about cheating), then just make all sensitive variables and sensitive calculations server-side. ;)
  • 0

#24 creators124

creators124

    awesomeliciousmember

  • GMC Member
  • 866 posts
  • Version:GM8

Posted 27 May 2012 - 05:30 PM


After that I think making an anti-hackable game is impossible! (except server-sided games)!


Yes, that is a true fact. When the client, i.e. the game, is under the player's control, he or she is free to manipulate anything. They don't even need the game, since they only have to send some data which will be accepted by the server.

There is a reason that the billion dollar video game industry couldn't come up with any reliable client-based cheat protection. It's not possible.

Fledermann

Ok, thanks for the info. Yeah, no wonder there is an extensive amount of people wanting to hack those billion dollar video games! :o

What about making two separate variables..

x1=40;
x2=30;

And when you need to call them..

x3=x1+x2;

Imagine a player trying to figure out that one.

Or even go further, with like x1, x2, x3, x4, etc. But either way.. if the game is online (which is really the only place where you need to be worried about cheating), then just make all sensitive variables and sensitive calculations server-side. ;)

now about that:
  • If I had CE (Cheat Engine) right now I could get both those values!
  • I could easily debug the value from the last value.
  • after debugging I could debug even more and then find all the values.
  • then after confirmation, I'll hack the speed and literally code inject all of them to give me around 999999 value!
but sorry to say your way seems destroy-able, unless you could provide a .gmk or .exe where I could see if your way isn't destroy-able!
sorry I used CE before but now CE is off my computer!
  • 0

#25 TheouAegis

TheouAegis

    GMC Member

  • GMC Member
  • 4684 posts
  • Version:GM8

Posted 27 May 2012 - 06:39 PM

There are also some programs out there that would let you just read the assembly code anyway, telling you what steps were taken to encrypt and then decrypt. If you really wanna make it difficult to crack, do it Castlevania 3's method. The decryption process is literally 3x longer than the encryption process. Arithmetic hashing to the extreme.

But yeah, if your decryption code is just the encryption code in reverse, that's easy-peasy to crack.
  • 0

#26 halfmaster1

halfmaster1

    GMC Member

  • GMC Member
  • 80 posts
  • Version:Unknown

Posted 21 June 2012 - 08:56 PM

I don't know much about hacking, but, where a needs to be protected,

End step:

b = a; c = b; d = c; e = d;

Begin step:

if (!(a == b && b == c && c == d && d == e))
{ /* HACKER! */ }

Then they need to change 5 variables at the same time.
  • 0

#27 loverock125

loverock125

    GMC Member

  • GMC Member
  • 1596 posts
  • Version:GM8

Posted 21 June 2012 - 10:34 PM

Then they need to change 5 variables at the same time.


Which is what they usually do.
  • 0

#28 creators124

creators124

    awesomeliciousmember

  • GMC Member
  • 866 posts
  • Version:GM8

Posted 21 June 2012 - 11:16 PM

I don't know much about hacking, but, where a needs to be protected,

End step:

b = a; c = b; d = c; e = d;

Begin step:

if (!(a == b && b == c && c == d && d == e))
{ /* HACKER! */ }

Then they need to change 5 variables at the same time.

I could find all those variables numbers and change all of them at the same time! (hold CTRL+mouse click to select more than one)
sorry but that is way too easy.
plus if I happen to change "b" it'll never make the statement false.
  • 0

#29 ramses12

ramses12

    6

  • GMC Member
  • 5769 posts
  • Version:GM8.1

Posted 22 June 2012 - 04:26 PM

There is a reason that the billion dollar video game industry couldn't come up with any reliable client-based cheat protection. It's not possible.

I wonder why would it be useless to prevent hacking using an over-complicated big fat bunch of data. I'm talking about 500 checksums changing in memory every second, each with a different algorithm and each processing a combination of actual data with pseudo-random generation, and not some cheap algorithm which can be human-read by a little reverse engineering, but some 1k Assembly instruction block.
Obviously, the processing power I described might be too much for a game's purpose, but when you have a big budget, you can make such thing, at a decent resource consumption and still big and bad enough to prevent a human from being able to crack it.
  • 0

#30 famous

famous

    GMC Member

  • GMC Member
  • 169 posts
  • Version:Unknown

Posted 22 June 2012 - 06:28 PM

No Debels is posting here?
  • 0

#31 loverock125

loverock125

    GMC Member

  • GMC Member
  • 1596 posts
  • Version:GM8

Posted 23 June 2012 - 12:11 AM

There is a reason that the billion dollar video game industry couldn't come up with any reliable client-based cheat protection. It's not possible.

I wonder why would it be useless to prevent hacking using an over-complicated big fat bunch of data. I'm talking about 500 checksums changing in memory every second, each with a different algorithm and each processing a combination of actual data with pseudo-random generation, and not some cheap algorithm which can be human-read by a little reverse engineering, but some 1k Assembly instruction block.
Obviously, the processing power I described might be too much for a game's purpose, but when you have a big budget, you can make such thing, at a decent resource consumption and still big and bad enough to prevent a human from being able to crack it.


I wonder why would a billion dollar video game industry need to do this to prevent humans from cracking their client.
  • 0

#32 creators124

creators124

    awesomeliciousmember

  • GMC Member
  • 866 posts
  • Version:GM8

Posted 23 June 2012 - 01:44 AM


There is a reason that the billion dollar video game industry couldn't come up with any reliable client-based cheat protection. It's not possible.

I wonder why would it be useless to prevent hacking using an over-complicated big fat bunch of data. I'm talking about 500 checksums changing in memory every second, each with a different algorithm and each processing a combination of actual data with pseudo-random generation, and not some cheap algorithm which can be human-read by a little reverse engineering, but some 1k Assembly instruction block.
Obviously, the processing power I described might be too much for a game's purpose, but when you have a big budget, you can make such thing, at a decent resource consumption and still big and bad enough to prevent a human from being able to crack it.


I wonder why would a billion dollar video game industry need to do this to prevent humans from cracking their client.

I agree with him!
ALL THEY NEED TO DO IS HAVE AN EXTREMELY SECURE CONNECTION!
not secure the client, the hackers can screw the client till it is not usable, and what do they care. xD
they only need to protect the files from being transferable but it is too hard! :P

Anyways I'll just use Debels anti-hack extension. (gm: studio extension for windows too)
instead of using a long piece of math that has to be used constantly and possibly slow the game down excessively!

ok proven wrong by Y.A.L. and his brilliance!
should stop posting late at night.

Edited by creators124, 23 June 2012 - 04:49 AM.

  • 0

#33 YellowAfterlife

YellowAfterlife

    GMC Member

  • Global Moderators
  • 3490 posts
  • Version:GM:Studio

Posted 23 June 2012 - 02:59 AM

I generally try to keep away from this topic, since it's initially and ultimately silly (discussion should have worn off ages ago), but this is starting to be unbearable.

Anyways I'll just use Debels anti-hack extension. (gm: studio extension for windows too)
instead of using a long piece of math that has to be used constantly and possibly slow the game down excessively!

instead of using a long piece of math that has to be used constantly and possibly slow the game down excessively!

What are you saying?
Did you even bother to check your facts before posting that?
Do you think that your liked extension works on magic and fairies?
Nope, still a piece of GML. Maybe 3 pieces of GML. It's even stated in topic.
For curiosity reasons, below is source of current version of extension, edited to this state in as much as 14 minutes.

Using functions as actual scripts, user events, or inline code reduces execution overhead.
Editing values makes system harder to find in memory.


Understanding the principle allows to make your own functions, to provide more or less levels of protection, depending on how precious a variable is.
For HTML5 games, it is also possible to utilize nature of JavaScript to create extension functions in realtime, making job of tracking down anti-hack check equivalent to finding a needle (~10..20B) in haystack (300+KB).

So, where this is going - please proof-read your posts and facts that you are presenting as truth, to avoid telling nonsense.

Edited by Nocturne, 14 July 2012 - 06:14 AM.

  • 0

#34 Schyler

Schyler

    Noskcirderf Derf

  • GMC Member
  • 2445 posts
  • Version:GM8.1

Posted 24 June 2012 - 10:45 AM

- Hook Read/WriteProcessMemory
- Check for IsDebuggerPresent calls, hook it, and check its integrity beforehand (check for the header int3 instruction)
- Intercept LoadLibrary calls to external .dll modules so nothing can get inside your process to undo your work (google; dll injection)

That should be enough to stop anyone from hacking anything. I guess for added security you could CRC your whole module or use a HWBP on the header of GM's interpreter to check the CRC of the page which stores all the variables before each step.

Edited by Schyler, 24 June 2012 - 10:47 AM.

  • 0

#35 smash ball

smash ball

    Volcanic Light

  • GMC Member
  • 1092 posts
  • Version:GM7

Posted 26 June 2012 - 02:17 AM

For saving and loading, I always figured you could store a few variables for a few lines. After a few lines you could then store a fake variable, like if you multiply a previous variable or a 'to be stored' variable by a number or something. By having quite a few of these fake variables in a save file, it makes the hacker work a lot harder to figure out what everything is. (upon loading, you would check the variables to see if it was hacked. Doesn't fool-proof it of course, but it makes it a great deal harder)

Of course, that's just what I would do to prevent save file hacking. Seems logical to me.
  • 0
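
The load-time check described in the post above, as an added example that is not part of the original thread: derived "fake" fields written next to the real ones, plus a keyed HMAC-SHA256 tag over the whole file, which is a swapped-in technique the post does not propose. The field names, derivations and key are assumptions.

```python
import hashlib
import hmac
import json

# Assumption: a secret shipped inside the game. Anyone who extracts it can
# forge tags, so this catches save-file edits, not a patched client.
SAVE_KEY = b"constructed-demo-key"
REAL_FIELDS = ("gold", "level")  # hypothetical save contents


def decoy_fields(data):
    """The post's idea: extra values derived from the real ones."""
    return {"a1": data["gold"] * 3, "a2": data["level"] + 7}


def decoys_consistent(body):
    """Load-time check using the derived fields alone."""
    return all(body.get(k) == v for k, v in decoy_fields(body).items())


def _tag(text):
    return hmac.new(SAVE_KEY, text.encode("utf-8"), hashlib.sha256).hexdigest()


def save(data):
    """Serialize real + decoy fields and append a keyed tag on the last line."""
    text = json.dumps(dict(data, **decoy_fields(data)), sort_keys=True)
    return text + "\n" + _tag(text)


def load(blob):
    """Return the real fields, or None if the file fails either check."""
    text, _, tag = blob.rpartition("\n")
    if not hmac.compare_digest(tag.encode("utf-8"), _tag(text).encode("utf-8")):
        return None
    body = json.loads(text)
    if not decoys_consistent(body):
        return None
    return {k: body[k] for k in REAL_FIELDS}


# Constructed save and a constructed edit that keeps the decoys in step.
GOOD = save({"gold": 120, "level": 4})
EDITED = GOOD.replace('"gold": 120', '"gold": 999999').replace('"a1": 360', '"a1": 2999997')
```

The edited file still satisfies the derived-field check on its own; only the keyed tag rejects it.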

#36 DZiW

DZiW

    GMC Member

  • GMC Member
  • 727 posts

Posted 26 June 2012 - 08:58 PM

As far as cheat engines rely on standard and inverted value types in memory I see two way to combine: locked file logging AND nonstandard types. However, as far as GM is but a univar IDE, I think it's more than trivial to uncork it, unfortunately.

I've just played a little with Artmoney Pro and found out that random pointers are rather difficult to track down and Flash is so heavily encoded against cracking, but it's not the case with GM, although its authorities naively stated they soon would improve GM anti-decompiling protection (nice try!) and if I remember correctly there were a few vague statements regarding better anti-hacking protection (just another lie!).

As for me, I think that it's always possible to hack a game, but I found a few games where hacking almost didn't change anything or even made gameplay worse, but it's usually about cardgames or where one's stats and money is correlated with monsters'. For example, what is the use to have infinite Fire cards when CPU keeps spamming you with Earth ones? Or what is the use to change one's level to, say, 99 if all monsters will re-adapt? Nay!
  • 0

#37 Stabbast

Stabbast

    GMC Member

  • New Member
  • 99 posts

Posted 02 July 2012 - 08:40 PM

It is always possible to crack, disassemble and decompile anything... common misconception is that it's not possible to crack literally anything, but there are always ways to make it a little more time consuming and difficult. Byte code, Machine code, Assembly language, |EAX|EBX|ECX|EDX|ESI|EDI|EBP|ESP|EIP|, Lowest common bit, Highest common bit, Statistical array algorithms etc... etc... You could look into Steganography and Cryptography hiding information in and out of other external files can make things rather annoying for people trying to use resources and such even get rid of some of the unnecessary file slack...
-Got to know your algorithms!-
1) Injection (suspicious because of the content-unrelated file size increment)...
2) Generation (suspicious because of the traceability of the generated carriers)...
3) Ancillary data and metadata substitution...
4) LSB or adaptive substitution...
5) Frequency space manipulation...
6) Randomly generated GIC(s)...
Really big thing is don't make general hash(s) or too short of keys...
If you want to know more take a computer forensics class...
I know that YellowAfterLife is actually right about using the functions as actual scripts. It is kind of a ridiculous comment though... The biggest game companies in the world play hell trying to keep people from reverse engineering and still fail horribly... The good news is that generally your average Neophyte or Script Kiddie does not understand how to do really any of that, and everyone else doesn't really care
// 99.999999% of the time...

Edited by Stabbast, 03 July 2012 - 03:11 AM.

  • 0

#38 Boreal

Boreal

    C++ Wackjob

  • GMC Member
  • 417 posts
  • Version:None

Posted 03 July 2012 - 09:23 PM

What I don't understand is why you guys care about client-side hacking, because it's only relevant in single player (unless you use a naive server - bad idea). A more interesting and practical topic is detecting and rejecting aimbots.

In fact, I'd like to give my players the freedom to mess with their personal game data. Games can be made more fun if you can have a minigun with infinite explosive ammunition.

Edited by Boreal, 03 July 2012 - 09:25 PM.

  • 2

#39 Stabbast

Stabbast

    GMC Member

  • New Member
  • 99 posts

Posted 05 July 2012 - 11:58 PM

yeah... I'd be more worried about people trying to hack online game play than anything, and in that case I'd make encryption a priority!
  • 0

#40 Debels

Debels

    GMC Member

  • GMC Member
  • 1997 posts
  • Version:GM:Studio

Posted 14 July 2012 - 03:53 AM

I generally try to keep away from this topic, since it's initially and ultimately silly (discussion should have worn off ages ago), but this is starting to be unbearable.


Anyways I'll just use Debels anti-hack extension. (gm: studio extension for windows too)
instead of using a long piece of math that has to be used constantly and possibly slow the game down excessively!

instead of using a long piece of math that has to be used constantly and possibly slow the game down excessively!

What are you saying?
Did you even bother to check your facts before posting that?
Do you think that your liked extension works on magic and fairies?
Nope, still a piece of GML. Maybe 3 pieces of GML. It's even stated in topic.
For curiosity reasons, below is source of current version of extension, edited to this state in as much as 14 minutes.

Using functions as actual scripts, user events, or inline code reduces execution overhead.
Editing values makes system harder to find in memory.
Understanding the principle allows to make your own functions, to provide more or less levels of protection, depending on how precious a variable is.
For HTML5 games, it is also possible to utilize nature of JavaScript to create extension functions in realtime, making job of tracking down anti-hack check equivalent to finding a needle (~10..20B) in haystack (300+KB).

So, where this is going - please proof-read your posts and facts that you are presenting as truth, to avoid telling nonsense.

Now that's really wrong, releasing the source code of my extension un-obfuscated is really .... (not going to say the word). Would you like it if I crack your games or applications and release the source code for everyone? I think not.

So please stop doing this kind of things >.>
  • 0



