1

I'm developing a game with online mode, but it's open source (SourceForge) and anyone can download the code, hack any checks and play against the official server with a hacked client.

I've been thinking about EXE file md5 checking, but anyone can calculate the genuine md5sum and send it to the server, bypassing that runtime check.

Is there any method to ensure that the client is not modified? I know I must use server-side checks because everything can be hacked. Another option is not committing some little part of the code and releasing EXE files compiled only on my computer, which has all the files, but that goes against SourceForge rules, I think.

JasonMArcher
Beto
  • What kind of cheating are you afraid of? – SLaks Jan 06 '12 at 02:27
  • so your question is, how to detect if the client is modified? – ianace Jan 06 '12 at 02:33
  • It's a turn-based game (Hotel board game, Monopoly-like), so you have your money and possessions, and you can modify the amount of money you have and anything that gives an advantage against other players. The best is to make hacking very difficult (not having source code, checking client modification) but it seems to be impossible hehe. Thanks! – Beto Jan 07 '12 at 01:11

1 Answer

4

As you stated, you need to check everything on the server.
Regardless of whether you release source code (remember Reflector!), you must never trust the client for anything (including its own integrity).

Note, however, that (ideally) you don't need to make cheating impossible; you just need to make it harder to accomplish a task by cheating than it is to accomplish that task legitimately.
Rational people will not cheat to accomplish something if they can do it more easily without cheating.

However, some people will cheat for the challenge of the hack, even if it's harder than doing it normally.

SLaks
  • In a similar vein, don't send the client any more information than it needs to know. I'm assuming that there is some shared game state common to all players, and each player has a local view of some part of it. You can verify server side that the client is not sending illegal commands, but the only way you can be sure that they are not viewing secret information (like wallhacking) is by minimizing the amount of information about the game state available to the client. – Jeremy Salwen Jan 06 '12 at 02:33
  • Remember, no program is unhackable. If machines can read machine code, so can determined people. If compilers can write machine code, so can determined people. – Kendall Frey Jan 06 '12 at 02:35
  • And there are things like decompilers, which can easily take machine code and turn it back into something slightly more readable. – thedaian Jan 06 '12 at 03:35
  • Just a note: people will cheat in order to win in multiplayer games. This is a curse of online games which needs to be fixed by having most if not all game logic on the server. – Eugene Mayevski 'Callback Jan 06 '12 at 05:22
  • Thanks for your comments, they are very useful :) The conclusion is: check everything serverside :) – Beto Jan 07 '12 at 01:14
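Added example (not part of the original thread or the asker's project): a sketch of the server-authoritative design the answer and comments describe, for a turn-based property game. The client sends only an intent; the server checks turn order, price and balance against its own state and sends each player a filtered view. All class, field and property names, the prices and the private `hand` field are hypothetical, and Python is an assumption since the thread does not name the game's language.

```python
from dataclasses import dataclass, field

PRICES = {"hotel_a": 300, "hotel_b": 500}  # constructed sample board

@dataclass
class Player:
    money: int = 400
    owned: set = field(default_factory=set)
    hand: list = field(default_factory=list)  # hypothetical private data

class GameServer:
    def __init__(self, names):
        self.order = list(names)
        self.players = {n: Player() for n in self.order}
        self.turn = 0

    def handle(self, sender, msg):
        # `sender` comes from the authenticated session, never from the message body.
        if not isinstance(msg, dict):
            return {"ok": False, "error": "malformed"}
        if sender != self.order[self.turn % len(self.order)]:
            return {"ok": False, "error": "not your turn"}
        action = msg.get("action")
        if action == "buy":
            return self._buy(self.players[sender], msg.get("property"))
        if action == "end_turn":
            self.turn += 1
            return {"ok": True}
        return {"ok": False, "error": "unknown action"}

    def _buy(self, me, prop):
        # Price and balance are looked up server-side; client-supplied
        # "money" or "price" fields are never read.
        if not isinstance(prop, str) or prop not in PRICES:
            return {"ok": False, "error": "no such property"}
        if any(prop in p.owned for p in self.players.values()):
            return {"ok": False, "error": "already owned"}
        if me.money < PRICES[prop]:
            return {"ok": False, "error": "insufficient funds"}
        me.money -= PRICES[prop]
        me.owned.add(prop)
        return {"ok": True, "money": me.money}

    def view_for(self, viewer):
        # Public facts for everyone; private fields only for the viewer.
        view = {n: {"money": p.money, "owned": sorted(p.owned)}
                for n, p in self.players.items()}
        view[viewer]["hand"] = list(self.players[viewer].hand)
        return view
```

With this shape a modified client gains nothing from editing its local balance, because the server never accepts state from the client, only requested actions.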