Top cheat prevention for high-rated online arcade games

I am going to develop an online arcade for HTML5 / JavaScript games written in an IDE that has already been released.

The game will use Ajax requests to the server to record points when people play these games.

I theoretically have full control over the design of this, including the code mechanics that register high scores, the game code, all of it.

I know that it is never difficult to hack client-side games such as this or to cheat high scores, but I want to make it complex enough that no competent person is bothered enough to do it (wishful thinking).

I read:

How can you prevent fake high scores from appearing on the global high scores list?

This is a slightly different question as it is specific to HTML / JS.

My initial idea is that the Ajax request checks that the request source is in the right place, which is a simple and efficient unit against most hacking attempts.

+6
javascript html5
5 answers

As mentioned in the previous answer, you cannot trust the client, therefore it is best to break the game down into levels of a certain size and manage progress on the server side. If the server tracks each client and its progress, it can limit the range of achievable results. This makes cheating more tedious, as the client needs to simulate the progress of each level and report achievements in the correct range of points.

+3

Each time you serve a page, include a randomly generated key, and on the server, associate the key with a user session.

Pass this key around and manipulate it in obscure ways at different points in your game script.

Generate a checksum derived from the score and the manipulated key.

Send the checksum to the server along with the account.

Check the checksum on the server.

Obfuscate the script.

However, this will not stop the dedicated hacker.

+3

Here is one way that is quite simple (although not trivial) to implement and very difficult to crack.

On the server side there is a list of, let's say, 1000 items stored in a text file or database.

Each element will be a unique GUID or other unique long string; let each such element be called a key.

Now, when you send an AJAX request, send one of these keys ... it may be random from the list or by increasing the index, it does not matter.

Now comes the nice part: after one "use" of each key (which means that the server received a request with this key and answered it), delete the key from the file / database. If the server receives a request with a key that does not exist in the list, of course, throw an error or return the string "no hacking".

When the list becomes empty, recreate it with new unique keys.

Thus, the first request with a real key should succeed, as usual, but if the user tries to call the same request again, it will fail. Guessing the keys is also very difficult, assuming that these are long random values.

Like any other method, it suffers from depending on client-side code, which can be faked by those who know how to do it. But since this is not a common approach, it will be more difficult for such people to find out how it works and hack it.

+2

This does not work for all games, but ...

If you record all the controller input on each frame, and also record the RNG seed at the beginning of the level, it may be possible to replay the level by playing back the controller input and get exactly the same sequence of events. This can be used to verify that the game was actually played and the score was not made up. It would be expensive to check every game, but there are other options, for example, only check the game if the score is in the top 100, or check random games and disable accounts if the check fails.

Then sit back and watch how the cheaters begin to use bots to play in their place, which is even more difficult to defend against.

+2

Add an md5 hash computed from the record in your code and compare it on the server. But do not compute the md5 exactly from the record, and not over all the characters of the record, only some of them, for example from the second to the last char. In this case it will be difficult to understand what the md5 consists of for someone who simply watches the ajax calls.

+1