One client that downloaded one game of ours ‘Frutakia 2’ for MacOSX admitted that he used an external tool called ihaxgamez to hack my game and add huge score or even convert the free/lite version to full version without paying.
How did he do that? With this tool he changes the variables of the game to whatever he wants.
Is there any way to be protected from these kinds of tools?
Yes, you can kinda protect yourself from that.
But in my opinion let offline game players cheat as much as they want, it’s only critical when it’s a game with online functionality.
There was a good presentation at Unite 2013:
Welcome to the big leagues. If people are taking the time to hack your game it must be worth something to be on the leader board!
I’m no expert on security, but here are a few places to start:
First job is to download the tool yourself and get a feel for how it works. If it simply lets the player adjust in-game variables, then some simple obfuscation of variable names and a hash check of everything sent to the server might be enough.
You’ll also want to check that your server communications are secure. Again a hash check is probably the simplest way to do this, but there are more sophisticated ways as well.
Server side verification is another way to check. Figure out a maximum number of points that can be scored per second of play. Have the game check in to the server frequently. If there are too many points for play time then simply reject the score.
Just read the documentation for the tool here. This particular tool works by allowing the user to search the memory for values that match in-game values. These memory locations can then be modified to new values.
I see several ways to defeat the tool. I can’t speak for if these will work for other hacking tools, but they will for this one. Note that these ideas will come with a performance cost.
The tool relies on the user being able to guess the memory values from the in-game values. Multiplying all of your variables by a key will obfuscate their values in memory, making the tool difficult to use. You could set the key to a random value every time the game starts. Or you could use different keys for each value.
Use a hash check. Store a hash along with the value each time you save it. Each time the value is read, check the hash matches up. If it doesn’t you know the player is cheating. Deal with cheating appropriately. I would suggest something funny rather than something destructive.
The tool only examines memory for certain primitive data types. These are the various sizes of floats, ints and strings. Rolling your own primitives from byte arrays will break the tool.
The tool also has specific weaknesses around strings: it cannot increase a string’s length. Storing low ints, like number of lives, as “xxxx” would lead to an interesting situation where a hacker could only ever reduce the number of lives they have.
I suggest only doing this sort of technique for key values in the game. Attempting to keep every memory location secure will totally destroy your performance. But you should be able to keep things like number of lives, score, and cash secure.
And of course any hacker worth their salt will be able to break these protections by decompiling your application. But it should keep you safe from amateurs with tools downloaded from the internet.
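The keyed-value and hash-check ideas from the post above, combined into one guarded integer; this is an added example, not code from the thread or from the game. The thread names no language, so C++ is assumed; `GuardedInt`, `rawForDemo` and `tamperIsDetected` are hypothetical names, an XOR mask stands in for the multiplication the post mentions (it inverts without overflow), and the checksum is a simple non-cryptographic mix.

```cpp
#include <cstdint>
#include <cstdio>
#include <random>

// Added example (not from the thread): a guarded 32-bit value for score, lives, cash.
class GuardedInt {
public:
    explicit GuardedInt(int32_t v = 0) { set(v); }

    void set(int32_t v) {
        key_    = freshKey();                        // new key on every write
        masked_ = static_cast<uint32_t>(v) ^ key_;   // plain value is never stored
        check_  = checksum(masked_, key_);
    }

    // Returns false when the stored words no longer agree, i.e. memory was edited.
    bool get(int32_t &out) const {
        if (checksum(masked_, key_) != check_) return false;
        out = static_cast<int32_t>(masked_ ^ key_);
        return true;
    }

    // Demo hook only: exposes the stored word so the demo can play the memory editor.
    uint32_t *rawForDemo() { return &masked_; }

private:
    static uint32_t freshKey() {
        static std::mt19937 rng{std::random_device{}()};
        uint32_t k;
        do { k = static_cast<uint32_t>(rng()); } while (k == 0);  // 0 would store v in clear
        return k;
    }
    // Non-cryptographic mix. For a fixed key it is a bijection in `m`,
    // so any change to the masked word alone is always detected.
    static uint32_t checksum(uint32_t m, uint32_t k) {
        return (m * 2654435761u) ^ ((k << 16) | (k >> 16));
    }
    uint32_t key_, masked_, check_;
};

// Simulates an overwrite of the stored word; returns true if get() notices it.
bool tamperIsDetected() {
    GuardedInt lives(3);
    *lives.rawForDemo() += 96;   // constructed edit standing in for a memory editor's write
    int32_t v;
    return !lives.get(v);
}

int main() {
    std::printf("tamper detected: %s\n", tamperIsDetected() ? "yes" : "no");
}
```

Re-keying on every write also changes the stored word each time the value is written, so it does not track the number shown on screen.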
Don’t look for a good way to prevent the client from uploading a false score. Maybe implement a super basic protection to prevent script kiddies but leave it at that, anything more is a waste of time.
Instead you have to figure out a way to validate the score on the server or say “forget it, I’ll just delete scores that I think are too high”.
If that’s true, there’s a similar tool for Windows called CheatEngine. Used it a long time ago, but not for cheating but for reverse engineering. Not sure if there’s something like that on Linux (I’ve seen something that looks like it might be it, forgot the name, but I couldn’t confirm that it actually worked).
I’d lay odds that there is. There probably is for every possible operating system.
Based on the descriptions of how the program works, there were things like this for the Commodore 64, though back then you were editing save files instead of live memory.
Even the cartridge games had cheat “software”. It was just on another cartridge that you plugged your game into before plugging into the console itself.
As long as there are electronic games, there will be stuff like this. Build a better protection, someone will build a better hacking tool, if for no other reason than to prove they can. As has been stated above, all you can really do is focus on the places where the damage is important, like account data on the server, and not let the rest keep you up at night.
So true. Surely people have heard of the Game Genie, GameShark, and Action Replay. On my old C64 I just used a machine code monitor if I ever wanted to examine the contents of a game while it was running. And of course the disk editors allowed you to easily view all of the data, search for specific strings and so forth. I never had much interest in it except for an hour or two of dabbling just to see if it was possible. Was more interested in designing and programming.
These days I think it is more important though because of multiplayer games and people focusing so much on the social aspect. If you are showing a list of high scores/whatever to give people credit for their accomplishments and a couple players are using hacks to completely blow away everyone else that would suck.
I thought about this a bit a few months ago in case I ever do something like a multiplayer / high score system. I think I would just make checksums for the data (which of course could be reverse-engineered and spoofed) and have the server serve as the watchdog. I’d need to put some more thought into it but basically, just like @Kiwasi mentioned, the server would be aware of how many points are possible within a certain time or within the current level. When certain items become available and so forth. This would be enough to stop people from submitting a score packet containing 48 seconds of play time with 5,000,000 points. Or submitting a packet with 1 hour of play time and 5 million points and the server says “um… you have been playing for 7 minutes”. And it would prevent someone from playing level 1 and suddenly gaining access to an item that is not even introduced until level 8.
But that is as far as I would go. Only in the interest of helping out the legitimate players. Because you could waste all of your time just trying to thwart things like this. You will secure one area and they will crack another. You have better things to do such as adding more cool gameplay to the game. Adding more gear. Adding new areas. And so forth.
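The server-side plausibility checks described in this post and in the earlier points-per-second suggestion, as an added example that is not part of the thread. The struct, the enum and both limits are constructed for illustration, and `serverElapsedSeconds` is assumed to come from the server's own clock for the session, never from the client.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>

// Constructed limits for illustration; a real game derives them from its own design.
constexpr double kMaxPointsPerSecond = 50.0;
constexpr double kClockSlackSeconds  = 5.0;   // tolerance for network delay

struct Submission {             // everything here is claimed by the client
    int64_t score;
    double  claimedPlaySeconds;
    int     levelReached;
    int     bestItemLevel;      // level at which the best item held is introduced
};

enum class Verdict { Accept, Malformed, PlayTimeMismatch, ScoreTooFast, ItemNotYetAvailable };

// serverElapsedSeconds: time since the server itself opened this play session.
Verdict validate(const Submission &s, double serverElapsedSeconds) {
    // Reject negatives and NaN/inf first; NaN would slip through every '>' test below.
    if (s.score < 0 || s.levelReached < 1 || s.bestItemLevel < 0 ||
        !std::isfinite(s.claimedPlaySeconds) || s.claimedPlaySeconds < 0)
        return Verdict::Malformed;
    // The client cannot have played longer than the server has known about the session.
    if (s.claimedPlaySeconds > serverElapsedSeconds + kClockSlackSeconds)
        return Verdict::PlayTimeMismatch;
    // Score must be reachable at the maximum scoring rate within the claimed time.
    if (static_cast<double>(s.score) > kMaxPointsPerSecond * s.claimedPlaySeconds)
        return Verdict::ScoreTooFast;
    // Items introduced on a later level cannot be held yet.
    if (s.bestItemLevel > s.levelReached)
        return Verdict::ItemNotYetAvailable;
    return Verdict::Accept;
}

int main() {
    // Constructed packets mirroring the cases in the post.
    Submission fast{5000000, 48.0, 1, 1};       // 48 s of play, 5,000,000 points
    Submission lied{5000000, 3600.0, 3, 3};     // claims 1 h, server saw 7 min
    Submission item{100, 60.0, 1, 8};           // level 1, item from level 8
    std::printf("%d %d %d\n",
                static_cast<int>(validate(fast, 50.0)),
                static_cast<int>(validate(lied, 420.0)),
                static_cast<int>(validate(item, 61.0)));
}
```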
I’ve thought about trying a system that records the game (serializing the level and player input) and then submits it to the server with the high score. If the server tagged someone as cheating, I could simply watch the replay to verify.
It would have the added benefit that players could watch replays themselves.
That would be cool. Alternately, take maybe 3 screenshots per second cycling over and over the same files numbered 0 to 5 and whenever the player’s score increases package up the 6 screenshots tying them to this score increase and then saving screenshots numbered 6 to 11 cycling over and over until the next “score event”. Then send all of the images to the server when they submit their score. Same for receiving an item. Wouldn’t be perfect but with some tweaking we could capture footage of the two seconds leading up to the score increase or new item received, etc.
It would be an interesting easy system to make. A finer resolution (more frames captured per second) would be cool but would need to be balanced against performance.
You’ll find most games with recording capacity originally start as debugging tools. Game sessions are recorded to find weird bugs. Then suddenly the art department is using it to align styles and fix particle effects and marketing are promising it as a feature.
That’s what I did when running a competition with Master Thief. That’s a pretty simple case, though - I only had to record a time series of one variable (position) to get enough data to completely recreate a game, and individual games are typically less than two minutes.