So yea, I used to write design articles in the GMC for the Game Design section. It's been a while since I last wrote my Online Games article and lately I've been working with clients and servers and have many ideas to share with people concerning the oh so favorite topic with GM Online Games. Hacking. You see, many people are trying to find a way to make their games impossible to hack. But that kind of thinking isn't going to get you anywhere. In my opinion, a game that's making it most annoying to hack is the winner.
To explain what I meant by being annoying, rather than spending a lot of time on making it impossible to open up your game and change settings, I feel that the best way to deal with modified clients is to have the server do checks to player actions. If there's something flawed, disconnect them with a ban warning and roll their account back to reverse their gains in exp, money, or items.

I want to focus on common MMORPG style games out on the market these days. Let's throw a few out there: World of Warcraft, Perfect World, Maplestory, and Runescape all have common features. Your role is to take part as a single individual who trains by killing things, increase stats to make you stronger, acquire items that improve your performance, and you do it all while interacting with other players. The reason hackers do what they do is because it gives them an edge and makes things easier to outperform the other players on the server.

So… what kind of hacks do we have to watch out for? Well, there's a lot of variations and most have universal names. Common ones are the: Vac Hack, Speed Hack, No-Delay, Money Generators, God Mode, Stat Hack, Level Hack, Fly Hack, and Message Spammer. These types of hacks are usually available to all online games and if your online game gets anywhere, it won't be long before someone gets bored or determined to hack yours.

Vac hack works like a vacuum. It sucks all the monsters in the room to a certain position. That way the player doesn't have to walk to the monsters. They can just sit there and attack constantly and every time a monster respawns, it teleports to the player. My best solution to avoid anyone making decent gains with a vac hack is to place monsters that are to stay invisible at all times, (ones that don't attack, or die), and if they're sucked into a vac hack, that's a signal and you can have the server automatically disconnect them.
To further make this system work better against a vac hack, have the names of the invisible monsters identical to the ones that are visible. That way if the hack is designed to attract all monsters by name, the invisible hack detection ones are included in that group.

Speed hacks involve increasing the movement of characters to an insane amount, that way they can cover a larger distance in a short period of time. To detect this, I would implement a distance check that measures the players' x,y coordinates compared to their previous x,y coordinates and make sure that the distance is reasonable. If the returned values on the distance checks exceed the max speed you allow players to move then you'll have the server automatically disconnect the player.

No-delay hacks focus on the attacks and skills that players use. Usually there's a timer on attacks. You can only attack every few seconds, or something along those lines. That way if a player holds the attack button they don't start to attack endlessly. A No-delay hack makes a player attack at the rate of the room speed. So if your room is running at 60 and a person bypasses a timer that allows them to endlessly attack, they attack 60 times rather than 1. Best way to deal with this is a server side timer, to time check. You could record the time of their last attack in their player file. And compare it to how long it has been when the next attack request is sent to the server. This won't disconnect them, but the system would prevent the hack from working. No-delay hacks are client side. If you make the timer on server side, that alone will prevent them.

Money generators. They're value editors. They can work in many ways. One way is to try and edit the amount of money recorded in your player's file, but if it's server side, then this is annoying and difficult. Another way is to use memory editors that allow you to change values, but that's client side.
If important features like money are kept server side, then there's nothing a money generator can do. As long as the server has a recorded file of how much they really have and makes checks every time the player makes a transaction then you're all set. The server will be the only thing that has access to your money and the client only gets what the server returns. If a person is in fact finding a way to change the amount of money they have then one possible way to deal with it is make shadow clones of your player's files that act like a backup every time a real change has been made and the server agrees with it. That way if something is flawed and changed, a quick comparison between the file and the backup will furthermore check it out. Disconnect if all fails and a change that was not supposed to be made is done. The disconnects will eventually make them give up.

God Mode simply means you can't be hit by anything. You don't lose any health if a monster hits you. You should have some kind of formula that checks whether a person should be hit or not. And if they were supposed to be hit, but were not, well… there's something going wrong and the server needs to check it out. God Mode anti-hacks can be difficult because games often implement accuracy and avoid stats in their characters and monsters. A God Mode hack can alter those stats and make it so that the monsters always miss them or just skip the damage step involved in subtracting their health. Make sure the monsters are server sided so their stats can't be changed. Most games include the monster files with their clients and only keep the monsters' positions server side. I find it best to keep all the monsters' information on the server and only include the images and sounds for the monsters on the client. That will prevent players from being able to edit monster values.

Stat hacks are value edits. They work in several ways. One way is to edit the player's file but if it's kept server sided, it won't matter.
Another way they can be done is editing the amount of stats they have displayed on the client side and have those sent to everyone when your stats are called by other clients. As long as the server manages the stats that every client has and keeps the legit changes recorded, you won't have problems with faulty stats being given to other clients.

Level hacks can be done in numerous ways. One way is to edit the value. But like other stats, quite difficult. The other option for hackers is to autospawn or vac hack monsters and have them killed immediately at a fast pace to build up experience rather quickly. If you have shadow cloned monsters to prevent vac hacks and have a system check for monsters that were summoned by the client and not the server, then you can prevent the client from using the fast experience technique.

Fly hacks are teleporting hacks that have the player move to any position desired, usually controlled by the mouse. The fly hack doesn't take collisions in consideration either. To prevent fly hacks, you could keep track of x,y coordinates server sided and have the proper x,y values returned to the client rather than having the movement client side.

Message Spammer. You can have a client side timer, but there's a possibility that the person will just bypass the timer or modify the timer so that it's set to 0. A server sided timer could work, or having the time a person sent a message recorded to their player file and comparing the current time to their last would suffice as a timer. After determining if they can send another message, the server would return the result to the client upon their request to the server to send.

Those are some of the common hacks to online games these days. Anyone can search them up by googling "<insert game> hacks". Some of the techniques that I've discussed can be quite process consuming. For example, x,y coordinates being sent every step to prevent fly hacking and speed hacking can build up a lot of bandwidth, but it works.
Server sided timers opening and closing player files to compare message and attack times can be beneficial but if someone's spamming the requests, it could cause lag. So make sure if you use these types of systems that they detect the hack right away and disconnect the player as soon as possible to prevent server lag. Most games use a separate program to deal with hacking to prevent lag in the game. If you find making a separate anti-hack program works best for lag, then go for it. You would just have to make the anti-hack program communicate with your client at all times.

As I was saying though, a lot of people try to make it harder for hackers to read their games and honestly, no matter what, someone's going to find a way to open it up and change things. I feel that detecting the changes and kicking the player off is more efficient. Combined with encryption and obfuscation then yes, things get annoying to a whole other degree. I remember reading somewhere that someone used words to spell out the numbers they used and would have a system that converted the words to numerical values but encrypted the words when stored into files. What was great about this idea is that value editors had a harder time reading the values because they were strings rather than real numbers. I thought that was cool.

Anyway, if you're going to implement systems that check for unauthorized changes due to hacks, make sure you use what works best for you and realize that some systems are more costly than you think. Many online programmers will tell you that sending information from the client to the server all the time will cause a lot of lag. Especially with many players online. But, if you need the protection, I've given you all the ideas you need to cover the basic hacks out there. If you have any other ideas or ways to improve the ideas I've discussed on how to design a technique that detects a certain hack, then please share.
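The distance check and the server-side attack timer described in the article, sketched as an added example (not code from the original post). It assumes a Python server process, keeps state in memory rather than reopening player files, and uses constants, names and a three-strike kick rule that are all assumptions; it also caps the time credited per move so a player cannot idle and then cover the map in one step, which is the fly-hack case.

```python
import math
from dataclasses import dataclass

# All constants are assumptions chosen for the demo.
MAX_SPEED = 200.0        # fastest legitimate movement, units per second
TOLERANCE = 1.25         # slack for network jitter
MAX_DT = 1.0             # cap on credited time, so idling cannot bank distance
ATTACK_COOLDOWN = 1.5    # seconds between attacks
STRIKES_TO_KICK = 3      # rejected moves before disconnecting

@dataclass
class Player:
    x: float
    y: float
    last_move: float
    last_attack: float = float("-inf")
    strikes: int = 0

class Validator:
    """Keeps authoritative state in memory; 'now' is always the server's clock."""

    def __init__(self):
        self.players = {}

    def join(self, pid, x, y, now):
        self.players[pid] = Player(x, y, now)

    def on_move(self, pid, x, y, now):
        p = self.players[pid]
        dt = min(max(now - p.last_move, 0.001), MAX_DT)
        p.last_move = now
        if math.hypot(x - p.x, y - p.y) > MAX_SPEED * TOLERANCE * dt:
            p.strikes += 1   # position is NOT updated; client gets snapped back
            return "kick" if p.strikes >= STRIKES_TO_KICK else "reject"
        p.x, p.y = x, y
        return "ok"

    def on_attack(self, pid, now):
        p = self.players[pid]
        if now - p.last_attack < ATTACK_COOLDOWN:
            return "ignored"   # no-delay request dropped, timer unchanged
        p.last_attack = now
        return "ok"

def demo():
    # Constructed input: one normal step, one speed burst, one idle-then-teleport.
    v = Validator()
    v.join("p1", 0, 0, now=0.0)
    moves = [(20, 0, 0.1), (500, 0, 0.2), (5000, 0, 60.2), (5000, 0, 60.3)]
    return [v.on_move("p1", x, y, t) for x, y, t in moves]
```

Because rejected moves never update the stored position, the client's claimed coordinates have no effect on what other players or the combat code see.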
I actually haven't played RuneScape yet. I've always found myself playing Maplestory as I grew up. Recently I've been fond of Perfect World International though.
Just do everything server side. Like if I press up, client sends signal to the server and the server moves my guy up a space.
It is important to do some things client-side, some movement interpolation never hurts.
The only problem with extensive server-side actions is it tends to cause lag, and react to it badly. For example, TF2 will freeze your position when you're lagging, while WoW lets you continue to move around. One is unfair to the lagger, the other is unfair to everyone else.
TF2 to me is much less bearable under higher latency than WoW is, because its movement is (most likely) server-sided.

WHICH WILL YOU CHOOSE?

But unkillable non-attacking invisible monsters are creeeeepy…
This is not how you detect hacks. First, you should move basically everything server-side except movement, since in this case it's too expensive to have server side. Then, to detect all movement hacks, you do something very simple: 0.1% of the clients' movements are calculated by the server. This calculation is then compared to the client calculation. If they don't match up within a sanity tolerance, the player is hacking. If you do the same thing to monsters, this detects all the movement related hacks you were describing, and takes the player's stats into account, thus also detecting if a player is hacking their speed to be of a very high level that is still within sanity boundaries, but not causing problems if you make a powerup that lets you charge at super fast speeds.
THAT is how you detect hacks, not with invisible monsters.

JakeX had a sort of system for AzureRage that when the player file was edited, it would say it was corrupted until you changed the values back. I talked to Ludamad about that system and I already forgot how it worked, some sort of hash-check system.
This doesn't necessarily apply to online GM games, but it's worth noting that GM can have some low-level security.

I still think online GM games (mostly people's MMO ambitions) are too much trouble and can't work because GM isn't built for it. 4-16 players, however, seems to work fine.

@kilin That sounds interesting. That could be done another way. You could have a backup of the database that's placed somewhere else on the server's hard drive and verify all changes with that. It would make hackers have to change two files, both located in different areas. idk, just an idea to make it more tedious for hackers.
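One way a hash check over a player record can be built on a server, as an added example that is not from the thread and not AzureRage's actual system: a keyed MAC stored with the record does the job of the second backup file, and binding the player id into it stops one player's valid record from being copied over another's. The key value, field names and function names are assumptions.

```python
import hashlib
import hmac
import json

# Assumption: in a real server this key is loaded from outside the data directory.
SERVER_KEY = b"constructed-demo-key"

def _mac(player_id, stats):
    # Canonical JSON so the same stats always serialize to the same bytes.
    body = json.dumps({"id": player_id, "stats": stats},
                      sort_keys=True, separators=(",", ":"))
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def seal(player_id, stats):
    """Called by the server after every change it has approved."""
    return {"stats": dict(stats), "mac": _mac(player_id, stats)}

def verify(player_id, stored):
    """True only if the record is unchanged and belongs to this player."""
    expected = _mac(player_id, stored.get("stats", {}))
    return hmac.compare_digest(stored.get("mac", ""), expected)

def demo():
    record = seal("alice", {"gold": 120, "level": 7})          # constructed data
    edited = {"stats": {"gold": 999999, "level": 7}, "mac": record["mac"]}
    return verify("alice", record), verify("alice", edited), verify("bob", record)
```

In a single-player game the key has to ship with the client, so there the same check only raises the effort needed to edit a save.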
Thing is, AzureRage was a single player game. That's why I added:
Or you could just make it server sided and never have to worry about it. I can't think of anything short of incredibly bad programming that could possibly put a strain on the server for dealing with player stats. Even if you had a regular desktop computer as the server and something like 100000 players, you'd likely only have to deal with 2 or 3 level ups per second, which is cake. If anyone ends up using the anti-hacking methods you described, there is something fundamentally wrong with their client programming. Even a peer-to-peer torrent self verification system would fare better, and that requires almost no resources at all.