2

In my app(unity5, il2cpp build), There is a function like

"GetScore()"

Unfortunately, i found the hacked version of my app in the black market. that hacked version's "GetScore()" function always returns 100. The original return value has to be under 10.

I guess this hacked App is repackaged by using like 'il2cppDumper' and changing my return value to 100;

Is there any way to prevent this problem?

Cloud Lee
  • 23
  • 1
  • 4

2 Answers2

0

Security is always a matter of making it harder for hackers - you can never make it impossible for them to tamper.

So here are some thoughts:

  • Obfuscation: GetScore() gets BananaJungle() - hackers cannot find the correct function without stepping through the source code for hours (hopefully)
  • Validate the score on multiple spots: the function calling GetScore() should do a sanity check: "is it below 10?"
  • In Addition to this: You may want to ignore scores above 10 to fool the hacker he succeeded. You may lock the app after 2 hours or so.
  • Add a ScoreLogger somewhere that logs the history of the score, so getScore() may return values <10 but someone might just overwrite the score in code to 999999. ScoreLogger will check the score history for jumps etc.
  • Validate Score with total playtime (approximately)
KYL3R
  • 3,877
  • 1
  • 12
  • 26
  • 1
    Server-side validation helps too. – Draco18s no longer trusts SE Nov 12 '18 at 16:32
  • I hesitated to list online-validation. It might be a serverless offline app. But sure, that would help too! – KYL3R Nov 12 '18 at 17:04
  • Serverless offline apps: who cares if someone cheats? They're only ruining their own local high score table. The only time cheating matters is when the game isn't single-player, at which point: the client is *always* a lying, cheating, bastard. Never trust the client for *anything* because no matter what you do, it can be hacked (even if its just fake packets!) – Draco18s no longer trusts SE Nov 12 '18 at 17:12
  • You may have serverless apps that allow buying cosmetics or levels, that could be unlocked by playing or paying. If the score allows the player to unlock the paid levels you still want to make sure he doesn't cheat. – KYL3R Nov 12 '18 at 18:09
  • Paying where? If by "paying" we mean paying in-game currency achieved through in-game means for in-game rewards, there is no possibly way to 100% prevent cheating. Its called "drm" and the industry spends millions on developing new drm solutions every year, some of which are broken within *hours* of release. The only thing that works is "phone home": an inherently not-serverless operation. – Draco18s no longer trusts SE Nov 12 '18 at 18:17
  • Oh, and even that doesn't work if the client's phone-home function is modified! – Draco18s no longer trusts SE Nov 12 '18 at 18:28
  • If you use (for example) google play to handle purchases you don't need to have a server your own. So no server-side validation of "getScore" calls but in fact no "offline-app" – KYL3R Nov 12 '18 at 19:18
  • Using Google Play makes the app inherently not severless. You're just not running your own server *but* have a limit on what kinds of server validation you can do (as you indicated). *That said* the Google Play store api does not deal in virtual currency. It can let you *buy* virtual currency, but it does not authenticate the *usage* of said currency. My last contract actually had me look into this. – Draco18s no longer trusts SE Nov 12 '18 at 20:00
  • 1
    Correct, I was just trying to say "if your app doesn't communicate to your own server (so except google) you may not be able to do server-side validation" but "serverless" is of course the wrong word for that. – KYL3R Nov 12 '18 at 20:19
0

You won't ever keep hackers from hacking your games, even if it does indeed have a backing server. Just look at all the unofficial world of warcraft servers. You can keep things relatively safe if you have a server, you keep its source code secure, and your game is meaningless without its server (think Dota 2 with no multiplayer capabilities...). Even then, you can't actually validate the player's every move, unless it's a turn based game and you actually send every move the server to be processed (this works in Hearthstone, for example, but not in WoW, hence all the anti-cheating tools). EA couldn't do it, Rockstar couldn't do it, Activision couldn't do it, even the mighty Denuvo couldn't do it, you certainly can't do it.

However, you should stop and ask yourself why you want your game to be that secure. Out of every 1000 cheaters you stop, maybe one or two would actually pay. You should put in a moderate amount of effort on security (take KYL3R's advice), simply to keep honest people honest. Dishonest people will always find a way, so don't worry about them so much that you end up wasting time on (useless) security; time you could spend on making your game better.

Oh and by the way, that's also one way to keep hackers out: frequent updates to the game. They have no life, but they don't have enough time to keep making a hacked version of every game on the market every week.

Arshia001
  • 1,854
  • 14
  • 19