Preventing Code Jumping / Hacking

RifRaf(Posted 2009) [#1]
I've been thinking of this lately, as I look back on a lot of popular games ruined by hacked versions in circulation. Are there any good ways to make it harder for people to do this? Does Moleboxing your application help in any way in this regard?

Thanks in advance.

edit: The topic title is a little misleading, so to bypass all the possible "you can't prevent anything" replies, let me just say I'm most interested in making it more difficult for code jumping/cracking/hacking etc.


Who was John Galt?(Posted 2009) [#2]
Moleboxing (assuming it encrypts the executable, which I believe it does), will make it harder for people to modify the executable, so you're less likely to see a cracked version of your game, but of course, the executable is unpacked at some stage and a decent hacker will be able to figure out how to create an unpacked executable.

An amateur such as myself would still be able to hack themselves infinite lives or whatever with a game trainer such as the excellent (and free) 'memory hacking software (MHS) (TM)'. These work by searching the process memory of the application and identifying changes in value that correspond to a given variable. To make it a little harder to hack, you could encrypt sensitive variables in your app. Create a type to store your lives. Create a 'new' instance of that type every time your bod dies and copy the lives count over to that. This moves the lives counter around in memory and makes things trickier. Also, encode the lives in a simple way, e.g. XOR encryption.

Have a play with MHS (TM) and you will get a better idea of ways to fool the amateur. It's easy to use and a good laugh, too.
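A sketch of the counter described in the post above, added here as an illustration and not part of the original post: the value is stored XOR-masked, every write moves it to a new heap block, and a second masked field lets the game notice a direct memory edit. The `Guarded` type and function names are hypothetical, and `rand()` is a stand-in for whatever key source the game uses.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical guarded counter (all names are illustrative). */
typedef struct {
    uint32_t key;     /* per-instance XOR mask */
    uint32_t masked;  /* value ^ key: the plain value is never stored */
    uint32_t check;   /* ~value ^ key: must agree with masked */
} Guarded;

/* Allocate a fresh instance holding `value` under a new mask. */
Guarded *guarded_new(uint32_t value) {
    Guarded *g = malloc(sizeof *g);
    if (!g) return NULL;
    /* rand() is a stand-in; |1 keeps the mask non-zero. */
    g->key = (((uint32_t)rand() << 16) ^ (uint32_t)rand()) | 1u;
    g->masked = value ^ g->key;
    g->check = ~value ^ g->key;
    return g;
}

/* Decode; *ok becomes 0 when masked and check no longer agree. */
uint32_t guarded_get(const Guarded *g, int *ok) {
    uint32_t v = g->masked ^ g->key;
    *ok = ((g->check ^ g->key) == (uint32_t)~v);
    return *ok ? v : 0;
}

/* Every write builds the replacement before freeing the old block,
   so the live counter always lands at a different address. */
Guarded *guarded_set(Guarded *old, uint32_t value) {
    Guarded *fresh = guarded_new(value);
    if (!fresh) return old;
    free(old);
    return fresh;
}

int main(void) {
    int ok;
    Guarded *lives = guarded_new(3);
    if (!lives) return 1;
    lives = guarded_set(lives, guarded_get(lives, &ok) - 1); /* player died */
    uint32_t n = guarded_get(lives, &ok);
    free(lives);
    return (ok && n == 2) ? 0 : 1;
}
```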


RifRaf(Posted 2009) [#3]
Very informative, thank you John.

Do you know of any (simple to use) program memory watchdogs? I'm not sure what else to call what I'm thinking of, but something that will monitor the memory segment the exe is in for other programs accessing it.


xlsior(Posted 2009) [#4]
> Create a type to store your lives. Create a 'new' instance of that type every time your bod dies and copy the lives count over to that. This moves the lives counter around in memory and makes things trickier. Also, encode the lives in a simple way, e.g. XOR encryption


Of course, that will only make it slightly more difficult to create a trainer for a game, and doesn't do anything to prevent it from getting copied.

One common technique is to look at the process list of running programs upon startup, and terminate your program if it finds the presence of common debuggers / cracking tools, so it makes it harder for the hacker to actually analyze the program itself while it's running.

Another one is to have your program do a CRC32 check of its own files, to make sure they haven't been modified. Of course, most hackers have little problem locating these checks and jumping straight over them to bypass the checks.

Probably the most effective protection: Have several delayed checks, that don't kick in until after a certain calendar date, or a certain time after the install -- e.g. run another CRC32 check, but only after the game has been installed for -x- days, or only after xmas 2009.

That way a hacker may crack a game, appear fully functional, and gets released into the underground. All is fine, and others copy it as well. Then your trigger date rolls around, another CRC32 check runs, it finds that the binary was modified and it can take certain action such as refusing to run, displaying messages, etc.
Make sure to put the payload for this check in a different function than that of the 'initial' always-run check, or bypassing the first one may also kill the second in one swoop.

Most crackers will try to release their cracked copies early, to get the 'credit' for releasing the game. The delayed check means that while they appear successful at first, in the long run the effects are less. Even if they re-visit the program and find / dismantle the secondary protections as well, it still means that now there are multiple cracked copies floating around, only some of which are functional.

Other than that -- even multi-billion dollar companies like Microsoft and Adobe can't keep people from cracking their software. The best you can hope for is to slow things down a little, but you're walking a very fine line: if your checks are not 100% fool proof and burden legitimate customers, then you will be a lot worse off than losing a few copies to piracy in the first place.
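The two-stage CRC32 scheme from the post above, as an added example that is not part of the original post: one always-run startup check and a separate delayed check that only arms a set number of days after install. The function names and the `GOOD`/`PATCHED` byte strings are constructed for illustration; a real game would read its own executable and data files instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <time.h>

/* Standard CRC-32 (reflected polynomial 0xEDB88320), bitwise form. */
uint32_t crc32_buf(const unsigned char *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    while (n--) {
        crc ^= *p++;
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Always-run startup check: 1 when the image matches its recorded CRC. */
int startup_check(const unsigned char *img, size_t n, uint32_t expected) {
    return crc32_buf(img, n) == expected;
}

/* Delayed check in its own function. Returns 1 until delay_days
   have passed since install; after that, 1 only if the CRC matches. */
int delayed_check(const unsigned char *img, size_t n, uint32_t expected,
                  time_t installed, time_t now, int delay_days) {
    if (difftime(now, installed) < delay_days * 86400.0)
        return 1;                      /* not armed yet */
    return crc32_buf(img, n) == expected;
}

/* Constructed sample "binary": CRC-32 of "123456789" is 0xCBF43926. */
static const unsigned char GOOD[] = "123456789";
static const unsigned char PATCHED[] = "123456780";  /* one byte changed */
#define GOOD_CRC 0xCBF43926u
#define DAY ((time_t)86400)

int main(void) {
    time_t t0 = (time_t)1000000;
    int early = delayed_check(PATCHED, 9, GOOD_CRC, t0, t0 + 10 * DAY, 30);
    int late  = delayed_check(PATCHED, 9, GOOD_CRC, t0, t0 + 31 * DAY, 30);
    /* patched copy runs at day 10, is caught at day 31 */
    return (startup_check(GOOD, 9, GOOD_CRC) && early && !late) ? 0 : 1;
}
```

Both checks share `crc32_buf` here to stay short; the post's advice to keep the second check's payload apart from the first applies to that helper as well.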


Robert Cummings(Posted 2009) [#5]
I think you should put time into finishing your game and selling it, a simple method of preventing it being distributed by normal people is enough.


Nate the Great(Posted 2009) [#6]
well what if you make the games that are cracked have annoying bugs in it that make it unplayable. This way the hackers will think they have bypassed all anti hacking attempts but if you play the "cracked" game long enough, you will realize something is wrong.

edit: nevermind, I remember a game that did this and it got a bad reputation because so many people used the buggy hacked versions and then nobody would actually buy the game.


RifRaf(Posted 2009) [#7]
> I think you should put time into finishing your game and selling it, a simple method of preventing it being distributed by normal people is enough.


I have to take into consideration that my project is multiplayer and a cracked version could ruin it for players who don't care to cheat or use hacked copies.

I was googling around trying to find something like a punkbuster lite, that perhaps would be easy to adapt to my needs.. no luck yet. I'm afraid if I don't do more in way of exe security I probably will do myself more harm than good.. but in the end I may not have much more to add in terms of security beyond some of the tips given so far.

What I do right now is contact a master server and download crc for exe and data files every time you run the program, I just need to find a way to know if they skip that part I guess.

> then you will be a lot worse off than losing a few copies to piracy in the first place.

I understand that, but you misunderstand my motives. I'm not very concerned about losing revenues or copies, in fact I'm pretty sure that won't be an issue unless the game does relatively well, I just don't want the multiplayer experience broken for those who do purchase the game. If it were a singleplayer game, I wouldn't be concerned at all.


Hotcakes(Posted 2009) [#8]
> What I do right now is contact a master server and download crc for exe and data files every time you run the program, I just need to find a way to know if they skip that part I guess.
>
> I just don't want the multiplayer experience broken for those who do purchase the game.

Then a simple CD key/serial check would suffice - legit players can then be told by the server that their opponent hasn't authenticated (ie pirate).

It doesn't stop pirate vs pirate of course (and nothing would if it works on a P2P connection) but from your last sentence that doesn't seem to concern you.


GW(Posted 2009) [#9]
There is this.
http://www.whitegatesoftware.com/pages/products/blitzmax-protector.php


RifRaf(Posted 2009) [#10]
What do you know about that software, GW? I downloaded the blitz3d demo version onto an isolated machine because it reported a virus, running it just MAVed. Additional scans on the machine don't show any infection yet, but I'm unsure what the demo exe was supposed to show me :)

edit: nevermind, I found the author's topic about it. I'll post there. thanks.


GW(Posted 2009) [#11]
I don't know anything about it other than the author was here on the forums about a year ago pimping it.


Kev(Posted 2009) [#12]
RifRaf, you don't happen to be using Vista, which the example MAVs on? I fixed this some time back but never updated the demo example; I should, just no time to.

and please understand there's no virus, some of the protection code patched into the .exe will look like it to some anti-virus software.


xlsior(Posted 2009) [#13]
> and please understand there's no virus, some of the protection code patched into the .exe will look like it to some anti-virus software.

That would be a big issue, IMHO -- it also means that a good chunk of your userbase may run into the same error, which reflects really poorly on the creator. Even though the code is harmless, if you just sold them something and their virus scanner claims it's a virus, people tend to believe the virus scanner... So you'll look either incompetent or malicious...

and even if you can magically appease people there, just the scare effect of an antivirus message will lead to a much higher # of support incidents that you have to deal with, which isn't really desirable either. :-?


Kev(Posted 2009) [#14]
true, however RifRaf is the second person I recall to say it's triggered a virus alert.

I've not seen this myself

kev


RifRaf(Posted 2009) [#15]
Kev, yeah it was a Vista machine that MAVed.


ImaginaryHuman(Posted 2009) [#16]
I guess this is still largely the piracy debate which has been discussed quite a bit, but is always interesting.

In terms of protections, I think in general, and being really abstract here, if you come up with some small protection mechanism, and if there is any way that someone could `think outside the box` ie look at the protection mechanism from outside of itself, they can and will find a way to get around it. Maybe an analogy..

Let's say the way to protect something is to lock it in a prison. Well, it seems like this is a good protection but the problem is there is now an `outside of the prison` where individuals can gain perspectives about the prison in a larger context. As such they might discover ways that the prison itself is limited, which it inevitably is, and thus discover how to penetrate it.

I personally think it is absolutely 100% impossible to 100% protect something, because the more you try to `separate it from hackers`, those very separations simply become more opportunity for hacking to occur. It's a no-win situation. It's like the more you put up walls, the more the walls themselves become your weakness. I believe, again talking very abstractly, it's because protection is always inherently limited, since it seeks to limit and be of limiting quality.

The only `true protection` is where there is no protection at all, and there is also no need to protect. While we have people who want to attack and hack and modify and overcome, defenses will always be insufficient, because by the very act of `defending` you choose weakness. Defence=attack and attack is a weakness, intending to weaken, and you can't do something to others without doing it to yourself. As you attempt to defend yourself you automatically undermine your integrity.

So what to do.. Either go with total openness and be easily ripped off, or put up a fight which inevitably is a losing battle. Perhaps the only option you have is to try to deter, delay, confuse, distract and generally throw hackers off the scent with smoke and mirrors, but it never will totally prevent an attack.


Nate the Great(Posted 2009) [#17]
> Either go with total openness and be easily ripped off, or put up a fight which inevitably is a losing battle. Perhaps the only option you have is ...

haha while I was reading this, I automatically thought after that you would say "Perhaps the only option you have is not to play." I think it's a quote from some movie but if it's not then it sounds cool.


xlsior(Posted 2009) [#18]
> "Perhaps the only option you have is not to play." I think it's a quote from some movie but if it's not then it sounds cool.


"The only winning move is not to play", Wargames (1983)


Nate the Great(Posted 2009) [#19]
oh thanks xlsior, I now remember watching that movie some time ago.

*end of derailed thread...


*(Posted 2009) [#20]
To stop hacking of any of your games, simply don't release it; every game that people like the look of and is worth playing gets hacked and packed.


Ginger Tea(Posted 2009) [#21]
Counter-Strike had all sorts of hacks if I recall, never played the game save for a brief stab at the Xbox release, but as there was no respawn it kinda lost my interest, yet it carried on, you would find out which teams and or players were regularly cheating and just choose not to play against them

if in tiny tanks such hacks do appear, the gamers might simply choose not to play against them, so if players are all mates and know each other, they would be less likely to rip their friends off by wholesale cheating

ImaginaryHuman's post makes sense, "the more you tighten your grip the more systems slip through your fingers" or something like that, Princess Leia to Vader or Grand Moff Tarkin, I forget which

and seeing as you are looking to make the game moddable via player levels etc, any kind of lock down is counter productive


_PJ_(Posted 2009) [#22]
At the end of the day, anything you do to protect your game can ultimately be altered by a committed and patient enough hacker.
Therefore, you'll need to set yourself a limit: how much time, money and/or effort you wish to put in to securing your project against potential sales and revenue or simply the resources at your disposal.

If I ever released anything for sale, I'd slap a whole load of virus-infected non-working versions onto every torrent type site I could find XD


AJ00200(Posted 2009) [#23]
TinyTanks is updatable, you just need to change a code that the game sends to the server every update.
It would mean hackers have to rediscover the code, and release a new hacked version.


D4NM4N(Posted 2009) [#24]
not really, anything locally stored & run, unless severely encrypted, is hackable given time.

Even if you encrypt all the data, somewhere in the app you can usually find the key or condition that unlocks it.


ubergeek(Posted 2009) [#25]

> not really, anything locally stored & run, unless severely encrypted, is hackable given time.
>
> Even if you encrypt all the data, somewhere in the app you can usually find the key or condition that unlocks it.



You should read this thread: link

My favorite part:


>> There's only one way to be hacker proof - don't connect the computer to a network and don't let any humans near it.

Even then, I could use my remote controlled robot droid to drill through the mountainside into your secure underground base, physically remove the hard drive from your machine, return with it to my submarine command center, and proceed from there to decrypt your data...

The only 100% secure data is data that does not even exist at all (and even then a sufficiently smart hacker could well give you a run for your money).