High Score/Medal Hacking

Posted by PsychoGoldfish - May 11th, 2012


Ever since I built the original Flash API tools, users have been reporting players who have hacked their scores to ridiculous levels, or hacked some kind of stat variable to unlock a medal, etc.

We put a lot of effort into keeping communication between your games and the API gateway fairly secure using all sorts of encryption and seeding techniques, but at the end of the day, if a game has no internal security measures, our API can't do anything about these "hackers".

To be fair, none of these cheaters are actually hackers; they are typically just dumb kids who have learned about a program called CheatEngine (or something similar). This simple cheating app allows any user to manipulate memory-resident values, such as scores or in-game statistics.

Most users use CheatEngine to check for values that change. If they know the exact value of the change, it's even easier, but that's not necessary. Here's an example:

A user starts a game with a score of zero. They tell CheatEngine to search for all memory values that equal zero. This search yields a large list of possible memory addresses, so they can't easily cheat yet.

The user kills an enemy and now has a score of 100 points. Now they tell CheatEngine to search within the last list of memory addresses for a value of 100. CheatEngine narrows down all the possible addresses and comes up with a smaller list.

The user keeps repeating this search until they have narrowed the value down, then they can change it to whatever they want.

Using a similar search, they can look for values that have changed (up or down) to figure out where you store things like hit points, and get themselves unlimited health in any game.

So how do you combat these cheats? Well, there is no real 100% cheat-proof solution, but if you understand how these cheat engines work, you can do a few things to detect when something fishy is going on.

One of the first things you should do is use getter/setter functions for sensitive variables rather than setting them directly. If you use OOP classes, you can make your score/health/etc. variables private and use a getter/setter function to alias them. If you still code on timelines in AS2, you can just make a setScore(value) and getScore() function on _root or something to that effect.

In these functions you can apply some creativity to keep track of how much each value has changed since the last time those functions were called. Here's a small example using crude AS2 (I didn't test any of this, but you should get the idea):

// this is the variable we will store our current score in
score = 0;

// this is the variable we will use to store a value used to verify our score
verify_score = 0;

// This is a random number we will use to create our verify_score value.
// Using a random number will make it harder to figure out our scoring algorithm.
// It is kept at 1 or above so the formula below never divides by zero.
random_seed = 1 + Math.random() * 4;

// this is the function we use to add points to our score
function updateScore(points) {
    if (!cheatDetected()) {
        score += points;
        // this will generate a number that's almost impossible for a person to change correctly.
        verify_score = Math.sqrt(Math.round(score / random_seed));
    }
}

// this is used to detect whether the score was changed manually
function cheatDetected() {

    // these will both be zero if no score has been added
    if (score === 0 && verify_score === 0) return false;

    // using the same formula from the updateScore function we can check to see if our current score calculates
    // to the same value it did when it was set using the above function.
    return (verify_score != Math.sqrt(Math.round(score / random_seed)));
}

// This is used to either get the score, or return zero if the user cheated. Use this when posting high scores.
function getScore() {
    if (cheatDetected()) {
        return 0;
    }
    return score;
}

You can use a variety of methods, like MD5 hashes or something more custom, to create your verification values; just make sure it's not something you can easily calculate without having access to the source code. Using random seed values will make it even harder, since the formula will change every time they play.

Keep in mind these formulas do use extra CPU, so you wouldn't want them running on every frame or interval on a high-load game, but for stuff like scores and health, this is a nice technique.

I strongly recommend getting a copy of CheatEngine and trying to cheat your own games.
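The getter/setter and verification-value idea above, as an added JavaScript example (not code from the original post; all names are hypothetical and 32-bit unsigned integer scores are assumed). It goes slightly beyond the post's version: the score is stored XOR-masked with a per-session value so the displayed number never sits in memory as-is, and the check value is exact, so even a one-point edit is caught.

```javascript
// Added example (not from the original post): a guarded score counter.
// All names are hypothetical; scores are assumed to fit in 32 unsigned bits.
function createGuardedScore(rng = Math.random) {
  // Per-session secrets, regenerated on every play like the post's random seed.
  const mask = (Math.floor(rng() * 0x7fffffff) | 1) >>> 0; // odd, so never zero
  const salt = Math.floor(rng() * 0x7fffffff) >>> 0;

  const encode = (v) => (v ^ mask) >>> 0; // what actually sits in memory
  const decode = (s) => (s ^ mask) >>> 0;
  // Odd multiplier => one-to-one on 32-bit values: any change alters the check.
  const digest = (v) => Math.imul(v ^ salt, 0x9e3779b1) >>> 0;

  // `cell` stands in for the memory a value scanner can search and overwrite.
  const cell = { stored: encode(0), check: digest(0) };
  let tampered = false; // latched: once set, it stays set for the session

  function intact() {
    if (digest(decode(cell.stored)) !== cell.check) tampered = true;
    return !tampered;
  }

  return {
    // Setter: the only supported way to change the score.
    add(points) {
      if (!intact()) return false;
      const next = decode(cell.stored) + points;
      if (!Number.isInteger(points) || next < 0 || next > 0xffffffff) return false;
      cell.stored = encode(next);
      cell.check = digest(next);
      return true;
    },
    // Getter: like the post's getScore(), reports zero after tampering.
    get() {
      return intact() ? decode(cell.stored) : 0;
    },
    isTampered() {
      intact();
      return tampered;
    },
    _cell: cell, // exposed only so a direct memory edit can be simulated
  };
}
```

Because the tamper flag is latched, writing the original value back after an edit does not clear it; a game could check `isTampered()` before submitting a high score.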



Comments (21)

This isn't quite related to the "hacking" you're describing, but it's on the same page: By viewing the page source of a medal-enabled Portal submission, it's possible to see the names and descriptions of secret medals without unlocking them by using the Find feature to search for "medal_description".

Lol cheaters. I personally agree with mandog. I've played some games which had cheats, without the cheats and it felt good. It was a challenge. After beating a game I would use the cheats to have some 'extra' fun, but usually that fun's limited, because compared to the sensation of overcoming a tough enemy or challenge, it's not even a small bit of fun. Imagine Devil May Cry where you'd kill everything in one hit. It wouldn't be fun anymore.

We could make fake score variables.
Let's say the user has a score of 900
We make one that's 900, one that's 9000, one that's 450, but we use an obscure formula to solve it.
Like the submission variable's the score * 25 /12 or something.
and make check variables to see if a variable doesn't equal the others, and if they aren't equal, they've cheated.

Also who gives a crap about medals.
They don't mean anything, and at least scores let you flaunt your score boner.
If cheating the medals makes the kids feel better, let them. They just won't have the satisfaction of actually earning them themselves.

If you take a developer's standpoint, these things become more important.

Let's say you are making a game for facebook or something, and you are using achievements and/or high scores to create a sense of competition players can tap into. The idea is this competitive nature will result in more people promoting your game to their friends, which ultimately makes it more successful/profitable.

If this hypothetical game is just full of bogus scores and medals and it's common knowledge everyone is just cheating, there's really nothing motivating people to show off their scores and building that competitive community.

The formula I used could be replaced with anything really, but you really want it to be something that doesn't have an obvious pattern the human brain can see. I used a square root function because even though you might sniff a value and see it growing, you just can't realistically guess the formula by looking at the way multiple variables change all at once. You could use any number of variables to separate your verification more, you just don't want to over-complicate things too much because debugging stuff with extra points of failure is a pain in the ass.

"...when something FISHY is going on."

Whether or not you intended the joke, I'm pointing it out.

Cheating to win flash games seems like a pretty awful waste of time. I can barely even keep focus or find the time to beat more than the tutorial level on most games.

cheaters never win, winners don't do drugs, drugs have nothing to do with games, but games are thwarted by cheaters.

it's an endless cycle of technological repetition and confusion even when a formula is presented in simplistic manners.
Once W creates X to stop Y, Y will adapt and create Z to prevent W and so on and so forth until repeat ad nauseum.

regardless, it's bound to happen again and again. I guess you could say it's one of humanity's perversions of technology.

Good point.

My 2 cents (more like 1 and a half). This is just my personal take on things and I am not speaking for anyone else. I couldn't give a crap about medals unless I like the game. These I consider as extra objectives, I love collecting all the medals for a game I enjoy. And I don't consider a game completed until I have all the medals (missing just one medal to complete THE ROOM, and I will be back to get it). So if you hack medals you are truly only cheating yourself (out of enjoyment). In fact, now that I think of it, if I never went back to get the medals in THE ROOM I would have never seen all that crazy shit that happens when you go after the medals, like when....telekinesis ..smash,...kill cops... and that other part...chris...blood. I didn't want to ruin it for anyone who hasn't seen it yet so I left a lot of words out of that last sentence.

Thanks for the tip! I'll definitely implement some sort of formula protection in my next highscore-based game.

One thing I discovered when trying to prevent "hacking" in one of my previous games is that the value inside a text field can't be accessed using the traditional cheat engine memory search, so I used the score display text field to make sure the score hadn't changed between two kills. I don't know exactly how safe it is but it can add an extra layer of protection against the script kiddies.

Also, do you have any tips on how to protect your games from people hacking the .swf itself? (such as seen on www.arcadeprehacks.com)

Here's a fun fact : the guy who sponsored my last game, Discount Mayonnaise, actually wanted me to put in a button that said "unlock everything" and that would lead to a "hacked" version of the game - that I would provide - on his hacked games website.

WTF IS GOING ON?!

every time your score is added to, multiply it by -1. then just use an absolute value function to display it as a positive number in the text box or what have you.
most (if any) of your average cheat engine users wouldn't expect the score to fluctuate in such a way between increasingly positive and negative values.
of course, it's been a while since i've used flash or cheat engine, so this might be completely ineffective, i have no idea.

You could display a false score in-game and have the actual score be something else, say half of the in-game score. Then when it's time to submit the score, just double it and nobody would notice.
People using a CheatEngine would try to change the in-game score and then when they submit it, it still just submits the actual score and not the cheated one.
Not only would that get rid of a good amount of cheaters from your game, but there would be a bunch of "Fuk dis program it don't even wurk!!11!!111!" comments on the CheatEngine site.

Anyone who's really got their heart set on cheating won't just stop when the obvious value doesn't work. In the case of using a half value I could use cheat engine to just look for values that go up until I have a single value left. Then if that value is 450 and my score says 900, I'm smart enough to do that math.

That's an awesome technique you've come up with! But at the end of the day, these are only Flash games so I wouldn't really care less if someone cheated on any of my games.

Well I was just using half for a simple example. You could do square root or something, and then use the absolute value thing someone else mentioned.

I remember what I meant to say.
If the person wants to cheat at medals, it doesn't affect others that do all that much, people who cheat at high scores get put on a leader board and it gets filled with cheaters.
Medals can be looked at in a more personal achievement kinda way while leader boards require multiple people.

I hate so called "Hackers" that do this shit. Oh look at me I am really bad ass at using a program that SOMEONE ELSE wrote to change a value in my game and look awesome. If they really wanna hack go hack amazon, ebay, facebook, google, paypal and get real skills at breaking security so that you can buy a better computer or some bull crap like that. I absolutely hate kids these days. Our society is going to fall so hard.

For some reason, I'm glad I didn't add scoreboards.

Let's say that every time you kill an enemy you get a point, and every time you get a coin you get 2 points...

One thing you could do is have it so that a variable determines what the score was last when you attack an enemy or get a coin, except perhaps the variable's name is not called like "verify_score" or anything like that - and it's a NEGATIVE version of the score ( score -= (score * 2) ) so that users don't pick it up.
Next thing you do is have it so that every time you get an enemy or coin, it will check the negative version of the score (once making it positive again) and see if they're the same, and if they are you will gain points. If not, you can simply make it GotoAndStop("the_frame_where_we_say_go_fuck_yourself")

God damn, I was doing fine reading until you got to the bit about code.

speaking of medals, the games with medals page is not working :(
Please fix it as soon as possible so I can start gaming and winning some sweet medals

...It's a shame that people will cheat to get what they want. It's bad taste, and indicates how desperate someone is for attention.

Eugh, I know these are "only" Flash Games but damnit I've spent a lot of time and effort writing these things and it really gets me down when I see somebody has just cheated their way to the top.

Any word on how successfully these techniques work? It seems like it'll work pretty well at a glance but I've never tested this sort of thing in the wild.
