1

I started programming a few months ago. I'm making a complete client side game in Animate CC, so I'm trying a simple measure against memory scan software.

I'm trying to avoid people to change my money variable.

var canMoneyChange = false;
var money = 0;
var previousMoney = 0;

function everyFrame() { //Let's admit that this function is called every frame
    if (moneyChange == true) {
        lastMoney = money;
        canMoneyChange = false;
    } else {
        if (lastMoney != money) { //If money is "magically" changed it should drop here
            resetGame();
        }
    }

Now evertime I update the money visual display I also have to include the boolean variable:

//...
canMoneyChange = true;
money += 100; //For example
updateMoney(); //This is only for visual effects
//...

Wondering if this works at all, thanks.

EDIT: Oh damn, I was not realising that CE would find both lastMoney and money at the same time. I could do something like multiplying by a number to hide lastMoney:

function everyFrame() { //Let's admit that this function is called every frame
    if (moneyChange == true) {
        lastMoney = money * 8;
        canMoneyChange = false;
    } else {
        if (lastMoney != money * 8) {
            resetGame();
        }
    }
Dave
  • 53
  • 1
  • 5
  • 3
    You cant protect your app from memory scann – Abslen Char Mar 27 '18 at 22:07
  • 3
    If the game is completely client side, why do you want to stop them from cheating? If it doesn't hurt you or any other players, you should consider letting the player do what they want. But to answer your question, your method as presented would not prevent memory scan software from being easily used to cheat the game. – Thomas English Mar 27 '18 at 22:09
  • 1
    Say this works, and prevents users from modifying the `money` variable. Now you need to prevent them from modifying the `lastMoney` variable, or the `canMoneyChange` variable. And so on. – Daniel Beck Mar 27 '18 at 22:09
  • Memory scan? No need to be that sophisticated. You could just use the debugger of the js engine that this runs in. – Bergi Mar 27 '18 at 22:36
  • Or indeed it wont stop someone using the console and going in (or deobfuscating your code it you obfuscate it) and simply making your `resetGame` function do nothing at all. If you want anti-tampering you'll really need to go server side – Nick is tired Mar 27 '18 at 22:37
  • This question is what `overthinking` looks like. – Rafael Herscovici Apr 01 '18 at 01:08
  • Doesn't hiding everything inside the closure of a nameless function help though? I don't think that'll hide the vars from CE though, can anybody please test it? – Gui Imamura Apr 01 '19 at 01:11
  • Gui Imamura, I was a complete noob back then. Now I am getting into nodejs and I realizing about server verifications and everything. But thanks for checking out such an old post. – Dave Apr 02 '19 at 11:20

1 Answers1

1

This will stop 50% of Cheat Engine users because most users are inexperienced and are only capable of doing simple scans and memory modifications. They will just give up because you've raised the adversarial costs above their threshold.

As others have commented, it's a cat and mouse game.

Users can still scan for "unknown initial value" and scan for decreased and increased values. This will yield the obfuscated money value and the regular value, doesn't take too much to figure it out from there.

Also users can do "Find what Writes to this address" that will put a write breakpoint on the money address, it will then give them the instruction that changes the money back to the original value. At this point they will see the:

lastMoney = money * 8;

in assembly and be able to figure it out from there.

In all anti-cheat situations, each deterrent you put in place will raise adversarial costs and filter out another tier of cheaters. Your goal should never be to stop all cheaters 'cuz that's never happening. But in a few hours you can roll up a bit of obfuscation and a couple anti-debug measures to deter 75% of the cheaters. Problem is when the other 25% representing the experienced cheaters release the cheats. At that point the 75% inexperienced group's adversarial costs represent a search on a search engine.

I would say add some IsDebuggerPresent() type checks but I imagine on your platform that's not possible.

I'm not familiar with Animate CC or Flash, but combining 1 custom obfuscation technique like you're working on right now, with a public free obfuscator will annoy a substantial number of people enough to give up.

GuidedHacking
  • 3,628
  • 1
  • 9
  • 59
  • Some games also use anti-cheat based on arrays -> everytime you change that value, shift it in array -> it will bypass next scan – Segy Nov 15 '18 at 19:44