I tried to find a better way to stop cheaters by searching on Google using the following keyword: “how to hack unity games with cheat engine”. Some YouTube video links appeared and one of them is disturbing:
It shows that Unity games are very easily hacked. Go to 08:00. The Iron Tanks game, the game used as an example, already used the Code Stage’s Anti-Cheat Toolkit, one of the most popular anti-cheat tools on the Asset Store. The hacker easily bypassed the online game security and even manipulated the game logic (!).
Another online game example by the same hacker:
I read from some post that the game developers should not be bothered with cheaters, unless the game has:
Real world value attached to scores (gambling).
E-Sports appeal (Starcraft, League of Legends, etc).
Mechanics that depend on scores (Earth 2025).
And the same post says trying to stop cheaters is a time wasting, because nobody really cares about global leaderboards all that much and there will always be someone who cheats the system.
But currently most mobile games are freemiums which involve in-app purchases and player-versus-player feature. The cheaters can make their character stats powerful, to get rare items and golds easily. Or simply beat other players without breaking a sweat. It is okay if he keeps the cheat method to himself. But some of the cheaters bragged about their cheat methods on social media like YouTube.
I agree that there will always be someone who cheats our games, but I think there should be some good practices or workflows that we can follow to minimize the cheats. Is there any comprehensive tutorial about Unity game security? I found the Server Side Highscores tutorial from the Unity Wiki, but I think this method will easily be hacked.
EDIT:
Thanks everyone for your inputs. I don’t blame Unity for the security, I just wish there is a comprehensive tutorial or guidance on how to minimize the cheats and hacks by using server side checks or other methods. As we can see from the videos, the game developers have already tried to protect the variables by using an anti-cheat plugin. Is protecting or obscuring the variables still effective? Or no need to bother obscuring the variables, because the server side check method is more effective?
Except these games will be handling most everything like player stats, inventories, and currency management with server side checks, which can’t be so easily hacked.
Just use IL2CPP on mobile and watch “crackers” cry. Real crackers will find a way either way if they care enough, but script kiddies will not be able to do it so easily anymore.
Will Unity provide a comprehensive tutorial about Unity game security? As what @Murgilod said, if the games handle most everything like player stats, inventories, and currency management with server side checks, the games can’t be so easily hacked.
It would be better if Unity has a complete tutorial on this server side check or other good method, because I think the game developers should focus more on the other aspects of the game development, not more on the security issue.
No, we’re not in business for that. It would also be kind of useless to do so, as most of those methods depend on them being obscure. If everyone followed it, it would be much easier to circumvent.
I think a good hacker can steal Unity games and redistributing them, like what happened to several Android games. On the YouTube video, it shows that the hacker can copy the game logic with SWF Memory Dumper and Telerik JustDecompile. I read there are methods to steal the assets from Unity games.
A lot of games are relatively easy to hack (to gain money/etc), if the programmer didn’t implement any safety measures. Money hack is the easiest and can be usually achieved in seconds. More complex non-unity games aren’t safe either.
Here are examples of someone hacking dark souls 3 messages:
In the end implementing anti-cheating features (assuming the game needs those - meaning it is competitive multiplayer) is YOUR job, not engine’s.
This. In about 15 years IL2CPP will make hacking more difficult across all platforms. Until then feel free to browse the source code of any Unity game directly.
But ultimately server side checks and logic make more sense then trying to implement client side security.
il2cpp will help for pretty small time stuff, since you can simply open it in ilspy and see all the sources while its still a mono app. But its not a means to the end since even engines where all engine code and logic is C++ you still find hackers. To prevent cheaters, it takes doing as much work server side as possible and getting creative with how you handle client data.
That is not really a Unity specific flaw. That video simply shows how easy it is to cheat in an online game when the online game lets the game client choose how often a player can fire. When you are concerned about cheating, the server needs to be responsible for deciding if a player can fire, how quickly a player can move, etc. In the tank game video, it is obvious the server is simply trusting the clients about things like that. The hacker simply exploited that poor networking design. That vulnerability exists in any online game where the developers made the same choices about letting the server trust the client.
Just to be clear, no amount of IL2CPP or anti-cheat tools will get around a poor networking design issue. I realize that the hack feels extra invasive because the hacker is using tools to tear apart the Unity game, but the core issue in this example is the networking design. This is an example of an online game where the server trusts the client too much.
Also keep in mind it is the Internet. If you search enough you’ll likely find content on any given thing. Doesn’t mean it is a common thing. In this case the video has a total of 841 views at the time I checked (just now). Many of these may have even come from this thread Unity devs themselves.
Basically figure out who your target audience is. If it is these hackers you’d probably be better off building a game about hacking from the ground up specifically for them. If they are not your target market then don’t waste energy and time thinking about it.
It’s like this… I just watched part of the video and have no interest in digging into the source of people’s games around here. I imagine most other people are the same.
Exactly. With a trusting server a person could create their own network proxy to intercept the packets and alter them at will without the need to even look at the game code.
Knowing what player is cheating can be simple. But what to do with him when we discover that particular bad head unfair player?
I wish an asset example in the asset store about “Cripto Games”. That let you make a game in the same way a cripto currency chain is made. This can help preventing cheating.
