Background
I've had problems for quite a while now with players cheating in my android game. For a strict single-player game this wouldn't be a big issue, but since my game contains multiplayer battles and global highscore lists, it's causing legit players to stop playing because of the cheaters.
How they cheat
Cheaters use an app for root users called Gamecih. Gamecih lets users pause an app, change variable values, and then resume the app. So in my case they just pause the game, change "health" to 74 trillions and then kick the crap out of everyone on multiplayer. Here's a video showing how Gamecih is used to cheat in Fruit Ninja(not my game).
Considered methods
- Code obfuscation. This won't work because obfuscation doesn't change variable values, just variable names. This means that cheaters can still find the variable that has the same value as their current health and then change that variable.
- Code obfuscation + getter & setter value changing. This way, health will not actually represent the real health value. In the getter method I would do something like return health*10; and in the setter I would do health=input/10; This could of course be more complicated.
What I want
It could be argued that considered method nr 2 is what I should use, but then again, it doesn't prevent hacking, it just makes it harder. Ideally, I would like to detect when people cheat using Gamecih, display a pop-up saying "Darn you, you nasty hacker", and then close the application. I do not want a server-dependent solution as I would like my players to be able to play while offline as well. If possible, I would also like to avoid code obfuscation.
You can store life in X number of variables and the real value will be the sum of them (always calculated dynamically). You randomly choose which one to update. On top of that You can add some consistency check and it becomes extremely hard for cheater to realise what and how to change it.
The consistency check could be a simple rule that 1st, 2nd and 3rd variables are in growing order for example and the 4th is the smallest. It will take someone good while to figure this out with this tool.
Yoy can also get more creative and mix in some encryption etc (the way you mentioned) on top of that. Then it becomes second to impossible unless someone has your code.
EDIT: Add 100 random variables that change all the time with random names (or positions in the array, to make it easier) and then good luck for cheaters looking for the right ones. And make it all dynamic so every time they have to crack it again.
You can check periodically if your value has changed when it was not supposed to.
For example, you can store in a separate hidden flag the fact that the health value has changed. If your check method does detect a change in the value, and the flag is not set, then you can tell that the change was illegal.
For example :
void incrementHealth(int amount) {
health = health + amout;
hiddenCheck.hasChanged = true;
}
and in a separate method which must be invoked periodically :
void checkHealth() {
if (hiddenCheck.hasChanged) {
// change is valid
hiddenCheck.hasChanged = false;
hiddenCheck.lastKnownValue = health;
} else {
if (hiddenCheck.lastKnownValue != health) {
// An illegal change has occured ! Punish the hacker !
}
}
}
}
try{
ApplicationInfo info = getPackageManager().
getApplicationInfo("com.cih.gamecih", 0 );
return true;
} catch( PackageManager.NameNotFoundException e ){
return false;
}
If this function returns true, don't even let the hacker enter Multiplayer mode, and prompt him to uninstall it.
Calculate your stats dynamically from a stored value.
private double getSaltedSqrt(int i){
return Math.sqrt(i)+1337;
}
private int getTrueValue(double i){
return (i-1337)*(i-1337);
}
This way, no regular-brained human will be able to find your values from RAM ever. Somebody with 100 health will have a health value of 1347.0
If somebody deals 10 damage to that player, you just have to call:
currentHealth = getSaltedSqrt(getTrueValue(currentHealth)-damage);
However, the most secure way to do this, is to implement all those changes via server.
I have a thought on this, since I sometimes use GameCIH myself. You could have a rolling 10-entry transaction log that self-checks on every new transaction.
What you would do (since GameCIH can only deal with one variable at a time) is have two variables that are checked against each other.
- Original (or 11-ago) value
- Array of values of changes 1 through 10
- Summation value, negated. (This totally changes the decimal value you can see, and it'll change differently than the original value when the oldest log entry is rolled into it.)
If the negative of the summation value doesn't match the original plus the 10 logged transactions, return an error.
You would just have to change how your stat mods are handled - if even one of them still tries to modify the original value directly, your game would return that it's been incorrectly changed.
The people who are good at cheating games read these forums too, and they know all your little secrets.
There is no solid way to prevent people from cheating a game that stores important variables locally. A game must keep these variables on the server. If these variables are not kept on the server, there will always be someone that can hack your game.
To prevent memory cheating you can do one of the following:
- Store the most important values in arrays of digits rather than in variables
- Store the value as string as well and whenever you modify it check to see if it matches the string.
- Take a look at MochiDigits classes from Mochi (Actionscript 3) and come up with a Java port. https://code.google.com/p/cunitescore/source/browse/trunk/as3/unitescore/mochi/MochiDigits.as?r=92
You should store a hash (eg crc32 or md5) of the health etc. everytime you update the value, do a hash check on the currently set value. In this case, the cheaters would have to write a seperate app that handles the hashes. Possible, but this will stop the script-kiddy cheaters soon enough.
In the Pokemon games, they used DMA. You could get a similar effect by having a timer go off and trigger an update of all values while the game is paused for very short time. The update would add some random amount to all variables (including the one that you subtract from to get individual values). You can also try having values stored in a large array and change the starting position. Instead of an absolute pointer like GameState[121], you'd have something like GameState[121+StartingPosition] and just combine the value-incrementor with a location randomizer. Modular arithmetic is your friend, in both cases. Be wary of overflowing the array and off-by-one bugs. A buffer overrun would not be good. ;)
If this was a Flash or Java app: Sadly, using memory management to quickly remap the position in RAM of values is not as convenient as in a native binary like the Gameboy Advance uses. Copying all variables to a second set, in a random order, then deleting and garbage-collecting the original values would probably make your game run slow as heck.
Could you just check for root access on game launch? Then deny opening app or deny multiplayer mode on rooted devices? Provide a small check at the opening load screen only when app is initialized, maybe have app request super user then if user grants it try to do a harmless function not allowed without superuser then a code to check if said function was successfully then undo change and pop a message box indicating user should leave root mode try again.
Alternately this check could be applied upon entering multiplayer mode.
Also you could just run multiplayer mode from a server and single player from device and let single players hex edit freely.
来源:https://stackoverflow.com/questions/12670282/how-to-prevent-cheating-with-gamecih