Anti-Hack Strategies [Design Article]

Posted by Glen on July 28, 2010, 11:19 a.m.

So yea, I used to write design articles in the GMC for the Game Design section. It's been awhile since I last wrote my Online Games article and lately I've been working with clients and servers and have many ideas to share with people concerning the oh so favorite topic with GM Online Games. Hacking. You see, many people are trying to find a way to make their games impossible to hack. But that kind of thinking isn't going to get you anywhere. In my opinion, a game that's making it most annoying to hack is the winner.

To explain what I meant by being annoying, rather than spending alot of time on making it impossible to open up your game and changes settings, I feel that the best way to deal with modified clients is to have the server do checks to player actions. If there's something flawed, disconnect them with a ban warning and roll their account back to reverse their gains in exp, money, or items.

I want to focus on common MMORPG style games out on the market these days. Let's throw a few out there: World of Warcraft, Perfect World, Maplestory, and Runescape all have common features. Your role is to take part as a single individual who trains by killing things, increase stats to make you stronger, aquire items that improve your performance, and you do it all while interacting with other players. The reason hackers do what they do is because it gives them an edge and makes things easier to outperform the other players on the server.

So… what kind of hacks do we have to watch out for? Well, there's alot of variations and most have universal names. Common ones are the: Vac Hack, Speed Hack, No-Delay, Money Generators, God Mode, Stat Hack, Level Hack, Fly Hack, and Message Spammer. These types of hacks are usually available to all online games and if your online game gets anywhere, it won't be long before someone gets bored or determined to hack yours.

Vac hack works like a vacuum. It sucks all the monsters in the room to a certain position. That way the player doesn't have to walk to the monsters. They can just sit there and attack constantly and everytime a monster respawns, it teleports to the player. My best solution to avoid anyone making decent gains with a vac hack is to place monsters that are to stay invisible at all times, (ones that don't attack, or die), and if they're sucked into a vac hack, that's a signal and you can have the server automatically disconnect them. To further make this system work better against a vac hack, have the names of the invisible monsters identical to the ones that are visible. That way if the hack is designed to attract all monsters by name, the invisible hack detection ones are included in that group.

Speed hacks involve increasing the movement of characters to an insane amount, that way they can cover a larger distance in a short period of time. To detect this, I would implement a distance check that measures the players' x,y coordinates compared to their previous x,y coordinates and make sure that the distance is reasonable. If the returned values on the distance checks exceed the max speed you allow players to move then you'll have the server automatically disconnect the player.

No-delay hacks focus on the attacks and skills that players use. Usually there's a timer on attacks. You can only attack every few seconds, or something along those lines. That way if a player holds the attack button they don't start to attack endlessly. A No-delay hack makes a player attack at the rate of the room speed. So if your room is running at 60 and a person bypasses a timer that allows them to endlessly attack, they attack 60 times rather than 1. Best way to deal with this is a server side timer, to time check. You could record the time of their last attack in their player file. And compare it to how long it has been when the next attack request is sent to the server. This won't disconnect them, but the system would prevent the hack from working. No-delay hacks are client side. If you make the timer on server side, that alone will prevent them.

Money generators. They're value editors. They can work in many ways. One way is to try and edit the amount of money recorded in your player's file, but if it's server side, then this is annoying and difficult. Another way is to use memory editors that allow you to change values, but that's client side. If important features like money are kept server side, then there's nothing a money generator can do. As long as the server has a recorded file of how much they really have and makes checks everytime the player makes a transaction then you're all set. The server will be the only thing that has access to your money and the client only gets what the server returns. If a person is in fact finding a way to change the amount of money they have then one possible way to deal with it is make shadow clones of your player's files that act like a backup everytime a real change has been made and the server agrees with it. That way if something is flawed and changed, a quick comparison between the file and the backup will furthermore check it out. Disconnect if all fails and a change that was not supposed to be made is done. The disconnects will eventually make them give up.

God Mode simply means you can't be hit by anything. You don't lose any health if a monster hits you. You should have some kind of formula that checks whether a person should be hit or not. And if they were supposed to be hit, but were not, well… there's something going wrong and the server needs to check it out. God Mode anti-hacks can be difficult because games often implement accuracy and avoid stats in their characters and monsters. A God Mode hack can alter those stats and make it so that the monsters always miss them or just skip the damage step involved in subtracting their health. Make sure the monsters are server sided so their stats can't be changed. Most games include the monster files with their clients and only keep the monsters' positions server side. I find it best to keep all the monsters' information on the server and only include the images and sounds for the monsters on the client. That will prevent players from being able to edit monster values.

Stat hacks are value edits. They work in several ways. One way is to edit the player's file but if it's kept server sided, it won't matter. Another way they can be done is editing the amount of stats they have displayed on the client side and have those sent to everyone when your stats are called by other clients. As long as the server manages the stats that every client has and keeps the legit changes recorded, you won't have problems with faulty stats being given to other clients.

Level hacks can be done in numerous ways. One way is to edit the value. But like other stats, quite difficult. The other option for hackers is to autospawn or vac hack monsters and have them killed immediately at a fast pace to build up experience rather quickly. If you have shadow cloned monsters to prevent vac hacks and have a system check for monsters that were summoned by the client and not the server, then you can prevent the client from using the fast experience technique.

Fly hacks are teleporting hacks that have the player move to any position desired, usually controlled by the mouse. The fly hack doesn't take collisions in consideration either. To prevent fly hacks, you could keep track of x,y coordinates server sided and have the proper x,y values returned to the client rather than having the movement client side.

Message Spammer. You can have a client side timer, but there's a possibility that the person will just bypass the timer or modify the timer so that it's set to 0. A server sided timer could work, or having the time a person sent a message recorded to their player file and comparing the current time to their last would suffice as a timer. After determining if they can send another message, the server would return the result to the client upon their request to the server to send.

Those are some of the common hacks to online games these days. Anyone can search them up by googling "<insert game> hacks". Some of the techniques that I've discussed can be quite process consuming. For example, x,y coordinates being sent every step to prevent fly hacking and speed hacking can build up alot of bandwidth, but it works. Server sided timers opening and closing player files to compare message and attack times can be beneficial but if someones spamming the requests, it could cause lag. So make sure if you use these types of systems that they detect the hack right away and disconnect the player as soon as possible to prevent server lag. Most games use a seperate program to deal with hacking to prevent lag in the game. If you find making a separate anti-hack program works best for lag, then go for it. You would just have to make the anti-hack program communicate with your client at all times.

As I was saying though, alot of people try to make it harder for hackers to read their games and honestly, no matter what, someone's going to find a way to open it up and change things. I feel that detecting the changes and kicking the player off is more efficient. Combined with encryption and obfuscation then yes, things put annoying to a whole other degree. I remember reading somewhere that someone used words to spell out the numbers the used and would have a system that converted the words to numerical values but encrypted the words when stored into files. What was great about this idea is that value editors had a harder time reading the values because they were strings rather than real numbers. I thought that was cool.

Anyway, if you're going to implement systems that check for unauthorized changes due to hacks, make sure you use what works best for you and realize that some systems are more costly than you think. Many online programmers will tell you that sending information from the client to the server all the time will cause alot of lag. Especially with many players online. But, if you need the protection, I've given you all the ideas you need to cover the basic hacks out there. If you have any other ideas or ways to improve the ideas I've discussed on how to design a technique that detects a certain hack, then please share

Comments

True Valhalla 14 years, 5 months ago

At it's core, to prevent "hacking", one simply server sides everything important. The only exception I give to this is movement, though certain genré deal with it better than others simply by nature, and of course there are checks you can code.

But in the end, every single system is 100% secure (except movement), guaranteed, simply due to the server sided nature of the game (ignoring extremes).

I don't understand why you would bring up 'vac hacks' or 'god mode', for example. How can a client achieve this? He can't unless your game is inherently flawed.

I also disagree with account rollbacks, especially since you seem to be promoting the automation of this. That's a sure-fire way to piss off your players.

I agree, however, with making life for a hacker hell. I encourage this thinking for permanent banning as well, but of course you need to remember your average player, and their experience.

Anyway, a nicely written article. Additional security flaws to consider:

- Password encryption/protection.

- Massive packets.

- DoS attacks.

At least 2 of those require special coding, and the other is literally impossible to prevent.

Glen 14 years, 5 months ago

Can you explain what you meant by the massive packets?

True Valhalla 14 years, 5 months ago

A malicious user can send a huge packet filled with junk data. Make sure you code a size check (simple with 39dll) before even opening a packet.

Glen 14 years, 5 months ago

I never thought of that..

blackhole 14 years, 5 months ago

For that matter you should probably be size checking packets anyway to make sure they are what they're supposed to be.