I would like to make a web service where you can purchase things from a website and use them in the game. So far I’m trying to make a webservice where you send your username and password (Encrypted) and basically receive a list of unlocked stuff. When this data is received it updates a local list bools that describes what the player has.
My question is how hard is this list of bools to hack. Could a savvy player make something that edits the memory to switch all the bools to true so that they have everything without paying for. Is there a better way do this?
I don’t know personally, but from what I’ve heard, as far as Mac/PC standalones are concerned, apparently it is pretty easy to hack the source of Unity games. So if its just a matter of them changing the values of a few booleans in a script, I would say it would probably be pretty easy to hack.
So encrypting the message would not be a problem but just storing the data on the standalone is.
I know on Steam to make unlockable content they actually just encrypt the content and when you buy it steam downloads the key and decrypts it. It is even pretty sophisticated because each steam users data is encrypted with a different key.
I’m assuming you would always have the correct values in your database as to what specific unlocks a user should have, you could probably do a check periodically in-game to see if the player has any true booleans that he shouldn’t based on his database entry and lock him out or something.
if the webservice is done right, nothing like this is possible.
Cause any reasonable webservice won’t give out any access features to the client that perform INSERT or UPDATE operations, those things you normally do from a website with a server programming language (insert - update commonly mean buy app, buy addon, buy consumable items, … - you would never handle such things directly on the application be it just due to the potential consequences on enforced refunds when the double click and the visual indication does not respond correspondingly fast or when your application has a hickup)
Agreed. Normally I’d believe the client has no write access to critical information like this, and would pass through a serverside payment system which, itself, accesses the database.
I agree, I was never operating under the assumption that the client’s game was actually doing inserts or updates to his DB, but it has to at least connect to it and see what he has unlocked with a select.
Churro’s point is, if an unlockable purchase just changes a boolean var to true in one of the scripts in the game, what’s going to keep the client from hacking the script and changing the boolean var, ignoring the database altogether?
I’m not concerned with Unity inserting in the database. Right now the only access to insert in the database would be given to the webserver hosting the website.
The SQL user that Unity will connect to will only have right to read.
The problem is when you get knuckle head like me who tries tries to edit the memory just after the database reads what stuff I bought. Maybe this isn’t an issue and modern Windows and OSX prevent this… but I don’t really feel secure about that especially since it is C#… and they are scripts… I’m just not sure how that all fits into OS security.
You could probably get fancy, and use something like a hash with an timestamp/checksum sent from the server to store the bought items locally instead of just in a naked bitvector.
In the end Unity relies upon dot-net so it’s quite simple to extract the source code of a game sitting on your hd and see what security measures you’ve put in place then bypass them.
The question is really whether is entertaining/popular enough that they’ll go through the bother of launching reflector and clicking one button.
If the project had the money I guess I could also put all my security into c++ made DLLs and import them… but I would need Unity Pro… and mix the managed / un-managed worlds.