  Protection from Data Tampering Client Side  (Read 3779 times)
Offline happybirthday

Senior Newbie





« Posted 2011-06-21 18:08:02 »

Hello everyone,

I am in the process of completing a Java (jbox2d) based physics puzzle game.
Whenever a puzzle is successfully solved, depending upon the time required, the data is sent from the client side to the server side.
How can I make sure this data is not being tampered with, or what should I do so that the game score cannot be hacked?

Thank you :)
Offline princec

JGO Kernel


Medals: 386
Projects: 3
Exp: 16 years


Eh? Who? What? ... Me?


« Reply #1 - Posted 2011-06-21 19:33:45 »

Nothing, so don't bother. At the very most, encrypt or munge the data you send and MD5 it so it's at least not totally trivial for someone to send crap which your server accepts.

Cas :)

Offline zoto

Senior Member


Medals: 4



« Reply #2 - Posted 2011-06-22 00:22:28 »

You can't guarantee anything from the client is legit but you can raise the bar.

For a physics based puzzle you could send what moves the player did to get that score as "proof" they know how to solve it.
Offline happybirthday

Senior Newbie





« Reply #3 - Posted 2011-06-22 01:14:31 »

Can I do something like take the co-ordinates of the point where he has, suppose, 'shot' the cannon and then run the simulation again on the server side for exactly the same situation, without using the graphics and all, and updating the game world at super high speed? This way I can check what happens on the server side rather than on the client side.

Will this help? And can it even be implemented?
Offline zoto

Senior Member


Medals: 4



« Reply #4 - Posted 2011-06-22 01:36:13 »

Yeah sorry I left that part off. You verify the score by running the moves on the server using the same physics code as the client did, then compare the scores.

This is much easier on deterministic games like physics puzzles.
 
Offline happybirthday

Senior Newbie





« Reply #5 - Posted 2011-06-22 02:16:22 »

Thanks a lot, guys. Any more ideas or things I can implement to make my game a bit more hack-free?
Offline Mike

JGO Wizard


Medals: 84
Projects: 1
Exp: 6 years


Java guru wanabee


« Reply #6 - Posted 2011-06-22 12:17:55 »

Only thing to remember is: Never, ever trust the client :)

My current game, Minecraft meets Farmville and goes online :)
State of Fortune | Discussion thread @ JGO
Offline pitbuller
« Reply #7 - Posted 2011-06-22 20:58:20 »

Are physics engines deterministic? I noticed that in my game Shapetronic it is totally random where the game object bounces after the initial drop. The initial drop is always at the same position, and so is the player. My game uses phys2d, so it may be different from box2d. But I wouldn't trust that two simulations are identical even if the starting variables were.
Offline happybirthday

Senior Newbie





« Reply #8 - Posted 2011-06-23 02:01:59 »

Quote from pitbuller: "Are physics engines deterministic? I noticed that in my game Shapetronic it is totally random where the game object bounces after the initial drop. The initial drop is always at the same position, and so is the player. My game uses phys2d, so it may be different from box2d. But I wouldn't trust that two simulations are identical even if the starting variables were."

Umm, I'm not sure about that; I haven't used it, so I don't know.
What do you do then to protect your game from client-side hacks?
Offline dishmoth
« Reply #9 - Posted 2011-06-23 06:21:53 »

Quote from pitbuller: "Are physics engines deterministic? I noticed that in my game Shapetronic it is totally random where the game object bounces after the initial drop. The initial drop is always at the same position, and so is the player. My game uses phys2d, so it may be different from box2d. But I wouldn't trust that two simulations are identical even if the starting variables were."

Off-topic, but are you using fixed time steps for the physics engine updates? If not, then that's the cause of your 'random' behaviour.
Simon

Offline pitbuller
« Reply #10 - Posted 2011-06-23 08:09:01 »

Quote from pitbuller: "Are physics engines deterministic? I noticed that in my game Shapetronic it is totally random where the game object bounces after the initial drop. The initial drop is always at the same position, and so is the player. My game uses phys2d, so it may be different from box2d. But I wouldn't trust that two simulations are identical even if the starting variables were."

Quote from dishmoth: "Off-topic, but are you using fixed time steps for the physics engine updates? If not, then that's the cause of your 'random' behaviour. Simon"

Yeah. I have read http://gafferongames.com/game-physics/fix-your-timestep/
Offline tom
« Reply #11 - Posted 2011-06-23 09:02:43 »

Many floating point math operations are not guaranteed to return the same results unless you use strictmath. So, no, your simulation will not be deterministic.

Offline happybirthday

Senior Newbie





« Reply #12 - Posted 2011-06-23 10:03:57 »

Well, that leaves me back where I was :(

How can I protect my game from being hacked and sent wrong scores etc.?
Offline dishmoth
« Reply #13 - Posted 2011-06-23 17:29:35 »

For JBox2D, there's some discussion about repeatability/determinism on their forums.
(Short answer: seems you may have to tweak the source code a little.)
Simon

Offline cylab

JGO Ninja


Medals: 50



« Reply #14 - Posted 2011-06-23 17:37:55 »

As others stated, you can't. If you want to prevent script kiddies from just sending some scores, send them encrypted (even a simple xor encryption should be sufficient - maybe make this a handshake process with sending a one-time key by the server). Also obfuscate your client code.

That's about it - you can't do anything more (at least without your legitimate customers getting pissed - what the bigger game studios don't seem to get...). As soon as there is a capable hacker interested in your game, it will get hacked. But by then your game is probably quite successful anyway.

For the physics simulation, as long as you are using your own algorithms, you can afaik force strict math.

Mathias - I Know What [you] Did Last Summer!
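
An added example (not code from the thread) of the one-time-key handshake described in the reply above, using HMAC-SHA256 in place of XOR or MD5. The class and method names, the session id and the payload format are hypothetical; because the key is handed to the client, this stops blind and replayed submissions but not a modified client.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class ScoreHandshake {
    private static final SecureRandom RNG = new SecureRandom();
    // Server side: keys that have been issued but not yet used, one per session.
    private static final Map<String, byte[]> PENDING = new ConcurrentHashMap<>();

    // Step 1 (server): issue a fresh random key for the session's next submission.
    static byte[] issueKey(String sessionId) {
        byte[] key = new byte[32];
        RNG.nextBytes(key);
        PENDING.put(sessionId, key);
        return key;
    }

    // Step 2 (client): authenticate the payload with the key it was handed.
    static byte[] sign(byte[] key, String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }

    // Step 3 (server): the key is removed before the check, so it verifies one message only.
    static boolean accept(String sessionId, String payload, byte[] receivedTag) throws Exception {
        byte[] key = PENDING.remove(sessionId);
        return key != null && MessageDigest.isEqual(sign(key, payload), receivedTag);
    }

    public static void main(String[] args) throws Exception {
        String payload = "level=3;angle=45;power=14;score=879";   // constructed sample payload
        byte[] tag1 = sign(issueKey("s1"), payload);
        System.out.println("genuine:  " + accept("s1", payload, tag1));
        System.out.println("replayed: " + accept("s1", payload, tag1));   // key already consumed
        byte[] tag2 = sign(issueKey("s1"), payload);
        // Payload altered in transit after it was tagged.
        System.out.println("tampered: " + accept("s1", payload.replace("879", "99999"), tag2));
    }
}
```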
Offline happybirthday

Senior Newbie





« Reply #15 - Posted 2011-06-24 02:23:58 »

OK, I'll do those things, and I think the JBox2D physics engine does use StrictMath for its calculations, so I will be able to simulate the solution on the server side as well.

The next question that comes to mind is: how do we pull this off?

I mean, if there are like 100 players playing the game together at 1 time, do I have like 100 instances of the application running on the server to verify the results?

And how do we actually do this? I mean 'RECEIVING the data from the user, STARTING an application on my server, checking for results and then CLOSING the application on the server'?
Offline cylab

JGO Ninja


Medals: 50



« Reply #16 - Posted 2011-06-24 03:40:08 »

No. Abstract the simulation to take a set of parameters reflecting the player's action. Let the client send this to write a high score. Copy these values over into a kind of queue and close the connection to the client - you don't need to wait for the simulation to be finished (if you want to show the score table to the player, just use the locally calculated result on the client). Then have a single thread with the physics calculation working on this queue in a loop.

Mathias - I Know What [you] Did Last Summer!
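
An added example, not code from the thread, of the replay-and-queue design described in replies #4 and #16: a headless fixed-time-step simulation using StrictMath, fed by a queue that a single worker thread drains. The projectile model, level constants and class names are stand-ins assumed for illustration and are not JBox2D's API.

```java
import java.util.concurrent.BlockingQueue;
import java.util.concurrent.LinkedBlockingQueue;

public class ReplayVerifier {
    // What the client uploads: the move it made plus the score it claims.
    record Submission(String player, double angleDeg, double power, int claimedScore) {}
    // Fixed time step and gravity, identical on client and server.
    static final double DT = 1.0 / 60.0, GRAVITY = -9.81;
    static final double TARGET_X = 20.0, TARGET_RADIUS = 1.0;    // constructed level data
    static final Submission STOP = new Submission("", 0, 0, 0);  // shutdown marker for the demo
    static final BlockingQueue<Submission> QUEUE = new LinkedBlockingQueue<>();

    // Headless replay: fixed steps and StrictMath only, no rendering, no wall-clock time.
    static int simulate(double angleDeg, double power) {
        double a = StrictMath.toRadians(angleDeg);
        double x = 0, y = 0, vx = power * StrictMath.cos(a), vy = power * StrictMath.sin(a);
        for (int step = 1; step <= 600; step++) {
            vy += GRAVITY * DT;
            x += vx * DT;
            y += vy * DT;
            if (y <= 0) {   // landed: faster hits score higher, misses score 0
                return StrictMath.abs(x - TARGET_X) <= TARGET_RADIUS ? 1000 - step : 0;
            }
        }
        return 0;
    }

    // Reject impossible inputs first, then trust only the score the server recomputes.
    static boolean verify(Submission s) {
        boolean sane = s.angleDeg() >= 0 && s.angleDeg() <= 90 && s.power() > 0 && s.power() <= 30;
        return sane && simulate(s.angleDeg(), s.power()) == s.claimedScore();
    }

    public static void main(String[] args) throws InterruptedException {
        Thread worker = new Thread(() -> {        // the single verification thread
            try {
                for (Submission s = QUEUE.take(); s != STOP; s = QUEUE.take()) {
                    System.out.println(s.player() + ": " + (verify(s) ? "accepted" : "rejected"));
                }
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
        });
        worker.start();   // request handlers would only enqueue; these submissions are constructed
        QUEUE.put(new Submission("honest", 45, 14, simulate(45, 14)));
        QUEUE.put(new Submission("inflated", 45, 14, 999_999));
        QUEUE.put(new Submission("nan-input", Double.NaN, 14, 1000));
        QUEUE.put(STOP);
        worker.join();
    }
}
```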
Offline happybirthday

Senior Newbie





« Reply #17 - Posted 2011-06-24 04:07:15 »

Quote from cylab: "No. Abstract the simulation to take a set of parameters reflecting the player's action. Let the client send this to write a high score. Copy these values over into a kind of queue and close the connection to the client - you don't need to wait for the simulation to be finished (if you want to show the score table to the player, just use the locally calculated result on the client). Then have a single thread with the physics calculation working on this queue in a loop."

But what about cases where the user cannot go to the next level until he has successfully finished the current level?
Offline krasse
« Reply #18 - Posted 2011-06-24 07:20:47 »

You can always prioritize what results to verify.
A new top 5 highscore should be verified but a score with a place 54 is probably not a cheating attempt :)

Offline happybirthday

Senior Newbie





« Reply #19 - Posted 2011-06-24 08:00:31 »

Quote from krasse: "You can always prioritize what results to verify. A new top 5 highscore should be verified but a score with a place 54 is probably not a cheating attempt :)"

Hmm, that's nice :)