koobas.hobune.stream
Protection from Reverse Engineering/Hacking
Hello dear community :)
It is not a secret that that Java/C# and few other languages could be reverted back from compiled machine code to the original coding language
I was personally doing it many times and it is easy to do as 1-2-3.
Recently I start playing "Rust" which is new survival horror MMO hit in steam and which is created in Unity and C#
After I was very much annoyed by cheaters I start reverse engineering this game to see what the story there and modifying original logic of the game which allow me to do crazy stuff like:
See all objects/players/NPCs names in zone u are in (Rust using uLink for network communication where in uLink zone is predefined area or square of set size - see more uLink documentation for clear understanding)
Remove hunger
Remove fall damage
the most craziest one is to kill any Player in your current zone remotely by spoofing player ID, just make it to suicide, or shoot from the bow in emptiness but redirect damage to player which u dont even see
many other nasty stuff
I could accept that for some people it could be fun to annoying other players and play with cheats, however when it comes to developers or innocent people it is not fun at all
I mention "Rust" as example just because I personally manage to modify it, however I assume that it is possible for any game made in C# as it could be easily reverse engineered.
So the question is how to protect? what are your ideas and suggestions?
Mine ideas so far (assume we have online game with server/clients): On launch and connection to server make online request for each client to submit their files size (to bytes) and make sure that DLL files are not modified (as any modification of DLL would change it size at least for few bytes) But then again, in case if we have full access to the DLL code and we can modify it, then that kind of request could be canceled, or even if server will not allow to continue without submitting this data, then not cancelled but statically overwritten to return value which server would accept.
All this cheating very much annoying players and if developers do not fight with it the population of players going down very quickly, for example "Warface" is great example.
How to protect your libraries from being modified by unfair players?
If you could remove hunger, fall damage, kill other players, etc, then that's barely an issue caused by reverse engineering - it's just a badly programmed server. If you're planning to write an $$anonymous$$$$anonymous$$O, don't let the client make any decisions like that.
"But then again, in case if we have full access to the DLL code and we can modify it, then that kind of request could be canceled"
Here again: If the client can just deny this checkup and still login, then the server is badly programmed. Also, use at least a checksum, not the file size.
Over a long enough time frame, players could even write their own clients for your game. Just don't give the client any power. The client only makes requests and displays the state of the game, the server handles all of the information processing.
Well it is easy to say, but hard to implement some times To avoid cheating you have to replicate the whole game world and make Server to notify client about changes. that could mean that if player fall from the rock, decision of did it fall from enough high to get damage and how much damage exactly should decide server and once it decided update client that it felt painfully and tell the client it new HP level. That way if player even disable acceptance of inco$$anonymous$$g update from server with it new reduced health value, server still would know the correct amount of health. there fore Server also will need update client state (e.g. "youAreDeath") but what if client also disable this? the client would thinks it still alive, but server would be sure it is death :)
anyway that i do understand but what about damage from shooting? client tells to server "I shoot in to player with ID=XXXX from XYZ weapon type" in case of "Rust" it applying damage to the player ID XXX and if I put into the loop: "I shoot in to player with ID=XXXX from XYZ weapon type" I can kill player which I dont even see, just by knowing it ID but how server should really act in that case to prevent me from from applying damage to playerId ?
ah forgot to mention that replication entire world with all events which generated by players is a very expensive task for the server from the hardware and performance point of view
You can use tools to scramble the code to an unreadable mess, this is no absolute protection but makes the effort really high for hackers.
Its normal that the player use tools to see how their progress is saved and cheat. Scramble the save file to make those tools useless. A simple way to do this is to move around the bits that the save data is made off, with some key value attached to it.
If you have a competitive online game you need to put a anti cheat check on the server, a common check is to make sure that the players dont move to fast, otherwise they will be moved back. This can be made in different levels depending on how important the protection is, up to just receiving input and sending a video stream to the players.
The easiest solution is to just let the players hack the game, your game will most likely stay small and its better to put your efforts into adding loads of content instead. Some games are popular just because they are easy to mod.
Last, many devs worry about that someone will steal their code. First off, nobody will if you arent super famous. And the open source has the advantage that you can very easily prove if another game has your code in it.
Stolen code is truly the last thing I worry about, what i do worry is about fair gameplay for everyone.
And obfuscation is still readable, but agree take more effort to understand. For example uLink obfuscated and it took me hell loads of time to make it readable. Over again there tools for everything :) for reverse engineering for obfuscation and deobfuscation
