Anti-Cheat in .NET Applications

 
Polynomial
Grandmaster Cheater
Reputation: 5

Joined: 17 Feb 2008
Posts: 524
Location: Inside the Intel CET shadow stack

Posted: Fri Apr 10, 2009 4:06 am    Post subject: Anti-Cheat in .NET Applications

I'm writing a small multiplayer game in VB.NET and C#, and would like some advice as to the best course of action against cheating. I don't mind it in single player games, but it sucks for multiplayer. I have a few measures in place to help prevent it, but nothing concrete.

Here's what I have so far:
1) Active detection of cheat applications split across multiple locations in code - some ran synchronously with normal game code, some ran in its own thread. Detection of cheat applications = crash. If the user is logged in, the game logs the detection and if 4 attempts are made within any one hour period, the user's account is banned. I'll not reveal my detection methods but it does easily detect all the versions of Cheat Engine and ArtMoney I downloaded, and even with CE's kernel mode stealth switched on.
2) SSL communication with additional handshaking - All communication with the server is through SSL with an additional underlying handshaking protocol. The game application is basically a front-end that talks to the server. All actual operations are done server-side, the client simply requests them.
3) Protocol violation logs - If the client sends unexpected messages to the server (usually impossible for normal use) they are logged along with the IP of the request and the user ID if logged in. Too many violations is a temporary ban, repeat offenders get a permaban and have their account(s) deleted.
4) Secure variables - More as a deterrent than a preventative measure. The game stores certain sensitive values inside an encrypted vault of sorts. This prevents the usual scan and rescan methods.
5) Hash dictionaries - All game files are hashed and those hashes are signed using an RSA private key. The public key is shipped with the game and the hashes must match to allow the game to play. Again, this is more of a deterrent than a security measure.

If you can think of any flaws in the above, or any other ways to stop people from cheating on the game, let me know.

The other issue I have is that the game has certain unlockable features that I don't want people just to get by cheating. In one case, the game has a form that displays the progress of an operation, but version 1 only displays the percentage, whereas version 2 displays the time left with some accuracy (+/- 20%) and version 3 displays it accurately to the second. Is there a way to stop people from hacking the form to display version 3 when they only have version 1?

Thanks :)
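Added example, not part of the thread and not the poster's code: one way the signed hash dictionary from item 5 could be built and checked in C# (.NET 5 or later). The manifest format, the class and method names, the in-memory sample files and the throwaway key pair are all assumptions made for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Illustration only: manifest layout and all names here are hypothetical.
public static class SignedManifest
{
    // Canonical manifest: one "name:SHA256HEX" line per file, sorted by name.
    public static byte[] Build(IDictionary<string, byte[]> files) =>
        Encoding.UTF8.GetBytes(string.Join("\n", files
            .OrderBy(f => f.Key, StringComparer.Ordinal)
            .Select(f => $"{f.Key}:{Convert.ToHexString(SHA256.HashData(f.Value))}")));

    // Build machine: sign the manifest with the private key, which never ships.
    public static byte[] Sign(byte[] manifest, RSA privateKey) =>
        privateKey.SignData(manifest, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

    // Client: the signature must verify with the shipped public key, and the
    // hashes recomputed from the installed files must equal the signed ones.
    public static bool Verify(byte[] manifest, byte[] signature, RSA publicKey,
                              IDictionary<string, byte[]> installedFiles) =>
        publicKey.VerifyData(manifest, signature, HashAlgorithmName.SHA256,
                             RSASignaturePadding.Pkcs1)
        && manifest.SequenceEqual(Build(installedFiles));

    public static void Main()
    {
        // Constructed sample files standing in for the game's real files.
        var files = new Dictionary<string, byte[]>
        {
            ["game.exe"] = Encoding.ASCII.GetBytes("constructed game binary"),
            ["data.pak"] = Encoding.ASCII.GetBytes("constructed asset pack"),
        };
        using var signer = RSA.Create(2048);            // throwaway demo key pair
        byte[] manifest = Build(files);
        byte[] signature = Sign(manifest, signer);

        using var shipped = RSA.Create();               // client holds the public half only
        shipped.ImportRSAPublicKey(signer.ExportRSAPublicKey(), out _);

        Console.WriteLine($"untouched files verify: {Verify(manifest, signature, shipped, files)}");
        files["data.pak"][0] ^= 0xFF;                   // simulate a modified asset
        Console.WriteLine($"modified asset verifies: {Verify(manifest, signature, shipped, files)}");
    }
}
```

The check itself still runs on the client, which is why the post describes it as a deterrent rather than a security measure.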
chrisbk88
Expert Cheater
Reputation: 0

Joined: 10 May 2008
Posts: 150

Posted: Fri Apr 10, 2009 7:43 pm    Post subject:

Well, when it's released all players need is to look at this post to see how everything is protected and then bypass it.
_________________
I am 90% addicted to Porn. What about you?
Csimbi
I post too much
Reputation: 98

Joined: 14 Jul 2007
Posts: 3353

Posted: Wed Apr 15, 2009 2:43 pm    Post subject:

Problem is, the code runs on my PC and the data is stored here as well - so, I am not sure that there's anything you can do about it - really. To use the data in your app, it has to be decrypted and accessed eventually - you can't avoid this - so it will end up in a register at some point. Once it's in the register, the reverse-engineer will do whatever he wants with it. What you can do is perform some checks whether the data conforms to certain parameters - but then again, a reverse-engineer will just NOP or JMP over this "validation" part of your code and it won't be executed.

The thing is that eventually everything gets reverse-engineered - all it takes is brain and patience. So, it's pointless to waste CPU cycles on encrypting and decrypting data. Instead, focus on creating a well-balanced game that is worth playing. Those are rare nowadays.

I've seen some games where they tried employing various anti-cheat techniques (that you seem to be looking for). Sure, it was working for 3-4 months or so - until the mechanism was reverse-engineered. But if you look back, there are only drawbacks:
- the developers spent a lot of time developing a mechanism (waste of time)
- the mechanism was cracked and the developers had to deal with the associated problems anyway (more waste of time)
- the mechanism came with additional CPU requirements, so a pretty large chunk of consumers were automatically excluded (less copies sold -> less income)
- as it turned out, the mechanism was not thoroughly tested, so bugs had to be fixed (waste of resources) and this created an incompatibility between different game versions (more copies returned to store).

BTW: I would not brag about detecting Cheat Engine and ArtMoney for three reasons:
1. It's easy, because these are tools for weekend warriors like myself. Pro hackers use their own tools - that are often built for specific applications - and there is nothing you can do to prepare for those. Again, the code runs on my PC, so it is the reverse-engineer who decides how it will work in the end.
2. Once your app is out, CE might be updated - and you cannot prepare for that. Unless if you want to keep patching your app.
3. You only attract attention and you are calling for trouble - even wannabe hackers will jump on your app just to prove you wrong. I am not sure that's what you want.
Polynomial
Grandmaster Cheater
Reputation: 5

Joined: 17 Feb 2008
Posts: 524
Location: Inside the Intel CET shadow stack

Posted: Fri Apr 17, 2009 4:14 am    Post subject:

I'm not bragging that my application can detect CE, but that's beside the point. Pretty much all of the anti-cheat I mentioned above is a deterrent. Those without any real skill (99% of the player base) won't get past the measures I put in place. The point I was making is that I've not been dumb about it and just shoved all of my anti-cheat in one method. The anti-cheat code is varied and hidden in random places within the normal game code. This means that a reverse engineer has to go through much more code to get round it. Again a deterrent, not a preventative measure.

I suppose it's not too much of a loss if people manage to launch higher versions of client side features than they're meant to, as it doesn't really give them a real advantage. Any features designed for use on/with other players go through the server in the form of a request, so the game will check if you own the version you are trying to use.

I was just interested to know if you have any ideas how I could make it pretty hard to mess with the game. What's a reverse engineer's worst nightmare?
Odecey
Master Cheater
Reputation: 1

Joined: 19 Apr 2007
Posts: 259
Location: Scandinavia

Posted: Fri Apr 17, 2009 8:59 am    Post subject:

Quote:
*snip*
I was just interested to know if you have any ideas how I could make it pretty hard to mess with the game. What's a reverse engineer's worst nightmare?

I'm going to suggest as many server sided checks as possible. Look at MapleStory for instance, 90% of memory editing has been prevented by checks done by the server. I think you can make any other security measure redundant if you do it right.
Off topic: Will we be seeing this game posted on CEF? It sounds interesting considering you have gone through this much trouble to keep hackers away.

_________________
Never confuse activity with productivity. You can be busy without a purpose, but what's the point?- Rick Warren
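Added example, not part of the thread and not any poster's code: a C# sketch of the server-side approach discussed above, where the server decides whether an account owns the feature version a client requests, logs requests a stock client would never send, and applies a temporary ban after repeated violations inside a sliding window. The class, the request shape, the threshold of 4 per hour and the sample account are assumptions.

```csharp
using System;
using System.Collections.Generic;

public enum Verdict { Ok, Rejected, TempBanned }

// Illustration only: names, limits and the request shape are hypothetical.
public sealed class ServerGuard
{
    private const int MaxViolations = 4;                        // assumed threshold
    private static readonly TimeSpan Window = TimeSpan.FromHours(1);
    // Server-side source of truth: highest feature version each account owns.
    private readonly Dictionary<string, int> _owned = new();
    private readonly Dictionary<string, Queue<DateTime>> _violations = new();

    public void Grant(string userId, int version) => _owned[userId] = version;

    // The client only requests a version; ownership is decided here.
    public Verdict UseFeature(string userId, string ip, int requested, DateTime now)
    {
        if (IsBanned(userId, now)) return Verdict.TempBanned;
        _owned.TryGetValue(userId, out int owned);              // 0 when nothing is owned
        if (requested >= 1 && requested <= owned) return Verdict.Ok;

        // A stock client never asks for a version it does not own: log and count it.
        Console.WriteLine($"{now:o} violation user={userId} ip={ip} requested={requested} owned={owned}");
        if (!_violations.TryGetValue(userId, out var q))
            _violations[userId] = q = new Queue<DateTime>();
        q.Enqueue(now);
        return IsBanned(userId, now) ? Verdict.TempBanned : Verdict.Rejected;
    }

    // Sliding window: only violations from the last hour count towards the ban.
    private bool IsBanned(string userId, DateTime now)
    {
        if (!_violations.TryGetValue(userId, out var q)) return false;
        while (q.Count > 0 && now - q.Peek() > Window) q.Dequeue();
        return q.Count >= MaxViolations;
    }
}

public static class Demo
{
    public static void Main()
    {
        var guard = new ServerGuard();
        guard.Grant("alice", 1);                                // constructed sample account
        var t = new DateTime(2009, 4, 17, 12, 0, 0, DateTimeKind.Utc);
        Console.WriteLine(guard.UseFeature("alice", "203.0.113.7", 1, t));
        for (int i = 1; i <= 4; i++)                            // four forged requests for version 3
            Console.WriteLine(guard.UseFeature("alice", "203.0.113.7", 3, t.AddMinutes(i)));
        Console.WriteLine(guard.UseFeature("alice", "203.0.113.7", 1, t.AddHours(2)));
    }
}
```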
Csimbi
I post too much
Reputation: 98

Joined: 14 Jul 2007
Posts: 3353

Posted: Fri Apr 17, 2009 2:34 pm    Post subject:

Burningmace wrote:
What's a reverse engineer's worst nightmare?

My guess: morphing code
At least I think it would give me a really hard time and head scratching. Though I consider myself a weekend warrior...

@Odecey
Server-side checks would help. But, in the long run, it will spawn a different kind of cheating.
For example, look at UT. The server checks ammo, HP, etc, so you cannot cheat with that on the client. So, a different kind of cheating began appearing: aimbots. There is not much that a server can do about that.
I am not sure what kind of game Burningmace is making, so it's hard to tell what kind of cheat attempts to expect. Just remember that people are very creative and they can come up with things you would not even dream of.
TehBestNewbZ
Expert Cheater
Reputation: 0

Joined: 28 Jul 2006
Posts: 109

Posted: Wed Apr 22, 2009 1:08 pm    Post subject:

Burningmace wrote:
Those without any real skill (99% of the player base) won't get past the measures I put in place. The point I was making is that I've not been dumb about it and just shoved all of my anti-cheat in one method. The anti-cheat code is varied and hidden in random places within the normal game code. This means that a reverse engineer has to go through much more code to get round it. Again a deterrent, not a preventative measure.


This link says otherwise.
http://forum.cheatengine.org/viewtopic.php?t=289549&start=0

Noz3001 is clever, no doubt about that. But remember that there are people who are obviously cleverer than him. Out of nowhere, he has managed to crack your crackme twice?

Hmm, I hope you have progressed better after that bizarre incident. Also, I can't help it but you were definitely bragging in that thread by claiming "Got an interview in 14 hours or so for a software engineer position. Starting salary is £27500 per year, not bad considering I'm 20." which clearly has nothing to do with the purpose of the thread.

Anyway, if you predict that your game won't become a great hit, then you have nothing to worry about. I wish you the best of luck with your adventure.