00:00
00:00
PsychoGoldfish
I like turtles

Age 47

NG Code Monkey

Hard Knocks

Ur Mom

Joined on 9/26/00

Level:
14
Exp Points:
2,010 / 2,180
Exp Rank:
31,563
Vote Power:
5.60 votes
Audio Scouts
2
Art Scouts
3
Rank:
Town Watch
Global Rank:
47,834
Blams:
48
Saves:
131
B/P Bonus:
2%
Whistle:
Normal
Trophies:
57
Medals:
788
Supporter:
11m 30d

High Score/Medal Hacking

Posted by PsychoGoldfish - May 11th, 2012


Ever since I built the original Flash API tools, people have been reporting people that have hacked their scores to ridiculous levels, or hacked some kind of stat variable to unlock a medal, etc etc.

We put a lot of effort into keeping communication between your games and the API gateway fairly secure using all sorts of encryption and seeding techniques, but at the end of the day, if a game has no internal security measures, our API can't do anything about these "hackers".

To be fair, none of these cheaters are actually hackers, they are typically just dumb kids who have learned about a program called CheatEngine (or something similar). This simple cheating app allows any user to manipulate memory resident values, such as scores or in-game statistics.

Most users use cheat engine to check for values that change. If they know the exact value of the change, its even easier, but not necessary. Here's some examples:

A user starts a game with a score of zero. They tell CheatEngine to search for all memory values that equal zero. This search yeilds a large list of possible memory addresses, so they can't easily cheat yet.

The user kills an enemy and now has a score of 100 points. Now they tell CheatEngine to search within the last list of memory addresses for a value of 100. Cheat Engine narrows down all the possible addresses and comes up with a smaller list.

The user keeps repeating this search until they have narrowed the value down, then they can change it to whatever they want.

Using a similar search they can look for values that have changed (up or down) to figure out where you store things like hit points and get themselves unlimited health in any game.

So how do you combat these cheats? Well, there is no real 100% cheat proof solution, but if you understand how these cheat engines work, you can do a few things to detect when something fishy is going on.

One of the first things you should do is use getter/setter functions for sensitive variables rather than setting them directly. If you use OOP classes, you can make your score/health.etc variables private and use a getter/setter function to alias them. If you still code on timelines in AS2, you can just make a setScore(value) and getScore(value) function on _root or something to that effect.

In these functions you can apply some creativity to keep track of how much each value has changed since the last time those functions were called. Here's a small example using crude AS2 (I didn't test any of this, but you should get the idea):

// this is the variable we will store our current score in
score = 0;

// this is the variable we will use to store a value used to verify our score
verify_score = 0;

// This is a random number we will use to create our verify_score value.
// Using a random number will make it harder to figure out our scoring algorithm.
random_seed = Math.random() * 5;

// this is the function we use to set add points to our score
function updateScore(points) {
if (!cheatDetected()) {
score += points;
// this will generate a number that's almost impossible for a person to change correctly.
verify_score = Math.sqrt(Math.round(score/random_seed));
}
}

// this is used to detect whether the score was changed manually
function cheatDetected() {

// these will both be zero if no score has been added
if (score === 0 && verify_score === 0) return false;

// using the same foruma from the updateScore function we can check to see if our current score calculates
// to the same value it did when it was set using the above function.
return (verify_score != Math.sqrt(Math.round(score/random_seed)));
}

// This is used to either get the score, or return zero if the user cheated. Use this when posting high scores.
function getScore() {
if (cheatDetected()) {
return 0;
}
return score;
}

You can use a variety of methods like MD5 hashes, or something more custom to create your verification values, just make sure it's not something you can easily calculate without having access to the source code. using random seed values will make it even harder since every time they play the formula will change.

Keep in mind these formulas do use extra CPU, so you wouldn't want them running on every frame or interval on a high-load game, but for stuff like scores and health, this is a nice technique.

I strongly recommend getting a copy of CheatEngine and trying to cheat your won games.


2

Comments

Lol cheaters. I personally agree with mandog. I've played some games which had cheats, without the cheats and it felt good. It was a challenge. After beating a game I would use the cheats to have some 'extra' fun, but usually that fun's limited, because compared to the sensation of overcoming a tough enemy or challenge, it's not even a small bit of fun. Imagine Devil May Cry where you'd kill everything in one hit. It wouldn't be fun anymore.

"...when something FISHY is going on."

Whether or not you intended the joke, I'm pointing it out.

Cheating to win flash games seems like a pretty awful waste of time. I can barely even keep focus or find the time to beat more than the tutorial level on most games.

cheaters never win, winners don't do drugs, drugs have nothing to do with games, but games are thwarted by cheaters.

it's an endless cycle of technological repetition and confusion even when a formula is presented in simplistic manners.
Once W creates X to stop Y, Y will adapt and create Z to prevent W and so on and so forth until repeat ad nauseum.

regardless, it's bound to happen again and again. I guess you could say its one of humanities' perversions of technology.

My 2 cents (more like 1 and a half). This is just my personal take on things and I am not speaking for anyone else. I couldn't give a crap about medals unless i like the game. These I consider as extra objectives, I love collecting all the medals for a game i enjoy. And I don't consider a game completed until I have all the medals (missing just one medal to complete THE ROOM , and I will be back to get it). So if you hack medals you are truly only cheating your self(out of enjoyment). In fact not that I think of it, if I never went back to get the medals in THE ROOM i would have never seen all that crazy shit that happen when you go after the medals , like when....telekinesis ..smash,...kill cops... and that other part...chris...blood. i didn't want to ruin it for anyone who hasn't seen it yet so i let a lot of words out of that last sentence.

Thanks for the tip! I'll definitely implement some sort of formula protection in my next highscore-based game.

One thing I discovered when trying to prevent "hacking" in one of my previous games is that the value inside a text field can't be accessed using the traditional cheat engine memory search, so I used the score display text field to make sure the score hadn't changed between two kills. I don't know exactly how safe it is but it can add an extra layer of protection against the script kiddies.

Also, do you have any tips on how to protect your games from people hacking the .swf itself? (such as seen on <a href="http://www.arcadeprehacks.com">www.arcadeprehacks.com</a>)

Here's a fun fact : the guy who sponsored my last game, Discount Mayonnaise, actually wanted me to put in a button that said "unlock everything" and that would lead to a "hacked" version of the game - that I would provide - on his hacked games website.

WTF IS GOING ON?!

every time your score is added to, multiply it by -1. then just use an absolute value function to display it as a positive number in the text box or what have you.
most (if any) of your average cheat engine users wouldn't expect the score to fluctuate in such a way between increasingly positive and negative values.
of course, it's been a while since i've used flash or cheat engine, so this might be completely ineffective, i have no idea.

You could display a false score in-game and have the actual score be something else, say half of the in-game score. Then when it's time to submit the score, just double it and nobody would notice.
People using a CheatEngine would try to change the in-game score and then when they submit it, it still just submits the actual score and not the cheated one.
Not only would that get rid of a good amount of cheaters from your game, but there would be a bunch of "Fuk dis program it don't even wurk!!11!!111!" comments on the CheatEngine site.

Anyone who's really got their heart set on cheating won't just stop when the ovbious value doesn't work. In the case of using a half value I could use cheat engine to just look for values that go up until I have a single value left. Then if that value is 450 and my score says 900, I'm smart enough to do that math.

That's an awesome technique you've come up with! But at the end of the day, these are only Flash games so I wouldn't really care less if someone cheated on any of my games.

Well I was just using half for a simple example. You could do square root or something, and then use the absolute value thing someone else mentioned.

I hate so called "Hackers" that do this shit. Oh look at me I am really bad ass at using a program that SOMEONE ELSE wrote to change a value in my game and look awesome. If they really wanna hack go hack amazon, ebay, facebook, google, paypal and get real skills at breaking security so that you can buy a better computer or some bull crap like that. I absolutely hate kids these days. Our society is going to fall so hard.

For some reason, I'm glad I didn't add scoreboards.

Lets say that every time you kill an enemy you get a point, and every time you get a coin you get 2 points...

One thing you could do is have it so that a variable determines what the score was last when you attack an enemy or get a coin, except perhaps the variable's name is not called like "verify_score" or anything like that - and it's a NEGATIVE version of the score ( score -= (score * 2) ) so that users don't pick it up.
Next thing you do is have it so that every time you get an enemy or coin, it will check the negative version of the score (once making it positive again) and see if they're the same, and if they are you will gain points. If not, you can simply make it GotoAndStop("the_frame_where_we_say_go_fuck_yo urself")

God damn, I was doing fine reading until you got to the bit about code.

speaking of medals, the games with medals page is not working :(
Please fix it as soon as possible so I can start gaming and winning some sweet medals

...Its a shame that people will cheat to get what they want. Its bad taste, and indicates how desperate someone is for attention.

Eugh, I know these are "only" Flash Games but damnit i've spent a lot of time and effort writing these things and it really gets me down when I see somebody has just cheated their way to the top.

Any word on how successfully these techniques work? It seems like it'll work pretty well at a glance but i've never tested this sort of thing in the wild.

I'll admit I've contemplated giving Cheat Engine a try quite a few times at particularly grueling gaming moments, but proud to have withstood that temptation when it was all over, the bigger the challenge the bigger the reward, after all. Anyway: interesting read on how it all works, and what can be done to prevent it.

Also assume 'won games' is meant to be 'own games' (final line).