Hack-prevention in Sandbox.

[RonnieNeeley]

Well, this is probably at the back of everyone's minds: Hacking.

When we put our time and effort into Sandbox, we don't want Joe CheatEngine to come on by and ruin hours and hours of work in like 10 seconds.

I was just playing Sauerbraten to see if CheatEngine worked. It did. You could edit bullet amounts, but when you edited health it seemed to revert back to the original once you got shot, which brought me some hope. Oh, and of course, speedhack worked.

Would there be a way to block these programs?

Perhaps you could add an object that checked what programs the user had up, and if any programs that are on the "Block List" are running, the game closes out immediately.

Hacking a single player game is one thing, but I do not want my MMORPG to be able to be easily hacked. Otherwise, players will dupe items/edit stats and so forth, and all our work will have been pointless. Yes, there will always be hacks, but for god sakes, can we atleast block CheatEngine?

I suppose this is more of a discussion than a question, but please, feel free to add/help.

[AndyLangel]

I doubt you'll find anything directly linked into the Sandbox...

Though, since we would know how the game was built, we can do many things in hopes of preventing hacking:

Encryption

Although most likely not supported by the Cube language, a simple Visual Basic program can encrypt files when they are not being used, and then decrypt them as needed- though, this requires Visual Basic to somehow detect when the game needs access to a file so that it can decrypt it and obtain the information from it. You could also, in theory, use the Visual Basic program as a terminal for information between the encrypted file and the game.

The game will need to send a request to the Visual Basic program, which would then access the required files and transfer the needed information to the game. In this way the file is never decrypted, only read in a decrypted way. But all this would require extensive testing and more experimentation between Cube and Visual Basic. Though, it may be possible t write a Cube script allowing Visual Basic integration.

Program Detection

The Visual Basic program can easily detect what programs a user is running at the time of them using another program. This information can be sent back to the sever and if any 'Black List' programs are running you can terminate the users connection to the server and database. You could also do many server side options such as delete or ban the users account, block their ip, or whatever.

File Tampering

Visual Basic can detect if a file have been tampered with in an unauthorized way, which may be a mod to the game or a hack. The Visual Basic program will have to cross reference all user files with an official server-side set. Any changed files could then deny the user access to the game and do a list of other things like report the offense, where the user can be banned or whatever.

--

Basically, as long as Visual Basic can someone be integrated into the Cube language, then you can make the game as secure as you want it to be. If Visual Basic cannot be so easily integrated, i am sure you can at least have the two programs transfer data back and forth to each other. There are actually many ways to control the flow of data between the server, game, VB program, and the user. Below is a basic set of flow charts to give a visual of how these relations can be set up:



Okay, so here are only 3 ways the system can be set up- each setup has its pros and cons.

Red System

This system runs all data through you Hack Prevention program before it is transferred to its destination. This method is the most secure, since all data going to the server, from the server, to the game, from the game, to the user, and from the user has to pass through the hack prevention program. Though, this setup is almost surely going to slow down your game. If you can make the scanning of data quick, then this system may work, otherwise there will be major lag throughout the entire system.

Green System

This system allows all data to flow naturally between the server and the game, and the game and the user. The hack prevention system merely monitors activity within the game, which may or may not be very effective. This system has much less security, since the user can access the game directly, which can access the server directly. Though, although more prone to being hacked, this system is the fastest, allowing unhindered transferal of data between the server, game, and user.

Blue System

This system is basically a hybrid of the Red and Green Systems- though, it too is prone to lagging up the users connection the the game server. This system allows the user to directly access the game, so it is more than likely that they will be able to cheat on the client side of the game. However, since all data between the game and server will be monitored, the player will not be able to hack the game server. Basically, the user may be able to change their 1 coin to 1 million, and it would say 1 million- but when they go to buy something, the value goes back to one, since the game checks the server data to see if they have enough money.

ERROR: The blue system actually would monitor user inputs, not game outputs- the game and server would have direct communication, while the game and user have a anti-hacking buffer. Sorry i messed it up, but this is what i meant.

This system is much better suited, and may only add a few milliseconds to cross referencing time. Though, with all information being stored server-side, users will have a much harder time hacking the game, even if no Hack Prevention software was implemented. As in the game you tested, and hacked, that would be a client side game, though- server-side games are much different.

Also, while looking through the Sandbox files, i found that the engine run C-lite scripts, which means that Sandbox has C roots. This will allow for C# or Visual Basic integration if it is done right and slightly modded (i would assume). Anyways, time to wrap up my long winded book.

--

Basically, whether we can integrate a anti-hack program into the game or if we must use an outside program, the game will be harder to hack with server-side data. Though, hacking on the server-side is still possible, so we will have to enact some sort of anti-hacking system- but we will not need that until the game is near finished. Until then i will look into it and let you know if i get anything going with it. If it comes down to it, we can always manually ban users who hack

Hope this helped answer your question and i hope you like reading books.

There may be some errors in this post, but i don't have the time to check it so be warned.

[RonnieNeeley]

I don't like the colors you chose for the chart.

You're off the team.






Lol, JK. Again, you are restoring my confidence, because this was one of the problems lurking in my subconscious. You couldn't have worded it any better because everything in there was stuff that I was already thinking but had no clue how to do. Luckily, you have an understanding of it, ha ha.

I just wanted to figure this out before we move on with the project, because what good is a game if anyone can hack it.

And yeah, I hope to acquire a strong team of moderators to keep things in check. Yeah, we could just ban obvious players who hack, but if lots of people join and make alts to hack, banning will be a problem. Plus, if one person dupes a super rare item and isn't going crazy with hacking, we would have no clue.

(On a personal note towards the game, figured I'd put it here since we are talking about it: I intend to be kind of ruthless with banning proven hackers. Most games just ban the account, but I want to deter hacking even more by full IP bans on proven hackers. However we will discuss this more when the time comes.)

[AndyLangel]

I like your sense of humor

And yea- there are always ways to deture hacking, if we want we can make a Hacker Guillotine at the center map, chop their heads off, and then ban them hardcore would be fun to animate

but yea, too many game are lax on hackers- and thats why people try to hack we could also make a nice promotional video on what happens to hackers, then chop their heads off and ip ban them then show it game-wide on idle 'TVs'

[RonnieNeeley]

DUDE! BEAST! Wow, thats a great idea. MUAHAHA }=D

It would be even cooler to do that, then give them like spyware and a bunch of trojans, then IP ban them, but thats breaking some sort of rule I suppose -.-

I remember in 12 Sky, the highest level Jin on our server got banned for Speedhacking (he always denied it but they finally got him), and everyone went crazy. Having like, showed him getting his head chopped off and "televise" it would have been E P I C !

[AndyLangel]

exactly! so we just you know... every now and then make a guy- stat pad him to uber skillz, then say he hacks and kill him :d staged, but at least people would get the point

[RonnieNeeley]

Good point.

Lol, it will turn into the Salem Witch Trials, "HE HAX!", "NO, HE HAX!". Like, we'll say "He was caught speedhacking while training" or something so people get paranoid xD

[Hirato]

(..) Visual Basic (..) Visual Basic (..) Visual Basic (..) Visual Basic (..) Visual Basic (..) Visual Basic (..) Visual Basic (..) Visual Basic (..) Visual Basic (..) VB program

are you trying to get yourself banned for indecency? We do not tolerate its use.

client side junk such as gameguard tick me off to no end. It is a rootkit (very bad for security) and it fails to work on linux which prevents me from enjoying the majority of MMOs on unix. so I really would not recommend it.

The server itself in my opinion should be doing the anti cheating. flagging, banning and making the use of said cheats incredibly annoying, or at least rendering them useless

if the player moves too fast without reason to, pop him to the position he would've been after a move of his correct speed.
if he ignores these pops, then just stream the data of the position he should be rather than where he is.

as for items, there is no reason for you not to be monitoring these heavily.
if they try to use an item they don't have, ignore it
if they manage to use it anyway, don't register its effect on the server,
if they try to change an item into another, once again ignore it, if they use it (and turned a usable into a usable), just register the original's effect, otherwise see above.

if they attack a mob and they boosted their damage significantly, ignore it and just apply the damage they'd inflict normally,
if they create drops and they modify them and then pick them up, then they pick up the original item. not the modified one.

and for maps you have CRC cums, unless these are being spoofed, you will know exactly when someone is using an older/modified map

do you see where I'm going with this?
most of the actions described above should result in immediate kicks, bans, and some of which should only be marked suspicious. Chances are your code will also be buggy, don't want to ban legitimate players now, do you?
that is all I have to say on the matter for now

[chocolatepie33]

Doesn't Wikipedia do something like that? If you're not registered and change a page, they record your IP address, I think. Is that where you're going?

[arcones]

Well Hirato's point is well founded and I think this discussion is actually a good idea...

But another program I thought about was Punk Buster... I'll look into it, as I don't know if it's EA only.