OT - Score submission in OSS games..?

Hi people

I’m just putting the finishing touches to another craaaaaaaaaaazy game I’m
making… and I was just thinking that it might be kind of nice to allow
people to submit their highscores…

Trouble is… I can’t think about how I could do this in an open source game
without people cheating!

Is it at all possible? I could the scores to be submitted over the internet,
but since the source is available, it is perfectly possible for someone to
submit a bogus score by changing the code.

Anyone got an clues on this?

Cheers,

Stevie

I think theres no way to be sure the high score isnt fake.

but, just like with anything (locks on doors, cryptography, "the club"
people use on cars etc), there is no fool proof solution to this kind of
thing (:

even if it wasnt open sourced, people could edit the memory your program was
using or decomipile/recompile.

luckily though, just like a lock on a door, maybe there is something that
makes it so 99.9% of the people out there arent able to fake high scores.

hopefully the other .1% are honest hehe (:

only way would be to make it more secure (this is a bad way i know) would be
to make the code around that section really complicated and do wierd stuff
to the score before it submits like xor/add/subtract/bit rotate/byte rotate
against wierd constants that are gotten through complex functions and
combined in wierd ways…

then, when the server gets it, it does the reverse and untangles the data
and gets the high score.

maybe someone has a better idea though (:> ----- Original Message -----

From: stephen.sweeney@parallelrealities.co.uk (Stephen Sweeney)
To:
Sent: Tuesday, December 30, 2003 11:04 AM
Subject: [SDL] OT - Score submission in OSS games…?

Hi people

I’m just putting the finishing touches to another craaaaaaaaaaazy game I’m
making… and I was just thinking that it might be kind of nice to allow
people to submit their highscores…

Trouble is… I can’t think about how I could do this in an open source game
without people cheating!

Is it at all possible? I could the scores to be submitted over the internet,
but since the source is available, it is perfectly possible for someone to
submit a bogus score by changing the code.

Anyone got an clues on this?

Cheers,

Stevie

---

SDL mailing list
SDL at libsdl.org
http://www.libsdl.org/mailman/listinfo/sdl

Trouble is… I can’t think about how I could do this in an open source
game without people cheating!

Very complex issue. I recently got into that trouble as well, as I work on
a client for an online game server. Initial releases have been open source
with the result some players modifying the sources to gain an advantage by
cheating, greatly pissing off the rest of the users. The server
maintainers, who pay me for the work, were anything but amused. As result,
my application is now closed source, with the number of cheaters
significantly dropped (except those who still use the old open-sourced
version). However, another result of this is I now get a lot of flames and
threats from some Free Software zealots who think anyone publishing
non-open sourced software is the incarnation of evil or something and must
be on the payroll of Microsoft.

I really like open source software, but I made the experience it just
isn’t suited for every task.

Sorry for the OT ranting, but the above story frustrated me somewhat, and
it’s comforting to see I’m maybe not the only one who has these problems.
(Btw, remember the discussions about cheaters when Doom went open-source?
Slashdot had some articles about that.)

PeterOn Tue, 30 Dec 2003 19:04:07 +0000, Stephen Sweeney wrote:

One way, albeit aggravating, to allow this would be to send the
players whole gaming session as recorded input (like recording a game
replay) which has to be submitted, it would then be played back on a
verified client and the score recorded from there.

Stephen Sweeney wrote:

Hi people

I’m just putting the finishing touches to another craaaaaaaaaaazy game I’m
making… and I was just thinking that it might be kind of nice to allow
people to submit their highscores…

Trouble is… I can’t think about how I could do this in an open source
game
without people cheating!

Is it at all possible? I could the scores to be submitted over the
internet,> but since the source is available, it is perfectly possible for someone to
submit a bogus score by changing the code.

Anyone got an clues on this?

Cheers,

Stevie

---

SDL mailing list
SDL at libsdl.org
http://www.libsdl.org/mailman/listinfo/sdl

Release binaries that connect to a different port of your server. You
will simply be able to see which scores come from a source code version
to a binary version.

Make some scores impossible to obtain, like 10000. Put in something
like:
sendScoreToServer(score * 3)
Only scores divisible by three are acknowledged by the server, so if
someone changes it to four most (11 in 12) scores will not be
acknowledged. I soggest that this number is a reasonably high prime
number.

David BeanOn Tue, 2003-12-30 at 19:04, Stephen Sweeney wrote:

Hi people

I’m just putting the finishing touches to another craaaaaaaaaaazy game I’m
making… and I was just thinking that it might be kind of nice to allow
people to submit their highscores…

Trouble is… I can’t think about how I could do this in an open source game
without people cheating!

Is it at all possible? I could the scores to be submitted over the internet,
but since the source is available, it is perfectly possible for someone to
submit a bogus score by changing the code.

For an offline game, the session itself could be faked.

However, this solution is the one used by full online games - each move
is sent to the game server, and one of the server’s role is to check at
real-time whether the information received is valid (eg the player
cannot have infinite ammor in a FPS, or make an illegal move when
playing chess).

Binary solutions are not a solution IMHO. Just look at all the trainers
& cracks. I reduces the risk but does not eliminate it, so you still
have a chance to see one cheater - and usually #1 in the hall of fame.

I do not see any solution for an offline game… Actually how can you
trust a set of data that must be generatable by a program from an
anonymous machine?–
Sylvain

One way, albeit aggravating, to allow this would be to send the
players whole gaming session as recorded input (like recording a game
replay) which has to be submitted, it would then be played back on a
verified client and the score recorded from there.

Really though, the amount of effort needed to subvert a input reading
system is pretty massive, you would basically have to hack the client
to play itself, and play itself well. No solution will be perfect so
it’s a matter of using a method not easily beaten.

Sylvain Beucler wrote:> For an offline game, the session itself could be faked.

However, this solution is the one used by full online games - each move
is sent to the game server, and one of the server’s role is to check at
real-time whether the information received is valid (eg the player
cannot have infinite ammor in a FPS, or make an illegal move when
playing chess).

Binary solutions are not a solution IMHO. Just look at all the trainers
& cracks. I reduces the risk but does not eliminate it, so you still
have a chance to see one cheater - and usually #1 in the hall of fame.

I do not see any solution for an offline game… Actually how can you
trust a set of data that must be generatable by a program from an
anonymous machine?

–
Sylvain

One way, albeit aggravating, to allow this would be to send the
players whole gaming session as recorded input (like recording a game
replay) which has to be submitted, it would then be played back on a
verified client and the score recorded from there.

---

SDL mailing list
SDL at libsdl.org
http://www.libsdl.org/mailman/listinfo/sdl

I’m just putting the finishing touches to another craaaaaaaaaaazy game I’m
making… and I was just thinking that it might be kind of nice to allow
people to submit their highscores…

Trouble is… I can’t think about how I could do this in an open
source game without people cheating!

Obfuscating the code that submits the score is one way to do it, but
then people can cheat by altering the code that plays the game itself.

Frankly, I think the only easy solution to this, short of going
closed-source, is to make it so simple to fake score submissions that
there isn’t any challenge to it. In fact, one of the best approaches
is to forgo the automatic submission, and just have a web form where
people can send their scores to you manually. In a situation like
that, most people won’t feel it is worth the effort to cheat, because
who’s going to be impressed?

b

Really though, the amount of effort needed to subvert a input
reading system is pretty massive, you would basically have to hack
the client to play itself, and play itself well.

Actually, you can just change the FOV, run the game in slowmotion,
make walls translucent or whatever you need, and then play the game
manually. A bit closer to your solution would be helper bots. In
games that have bots already, you could probably have a bot play in
your name without too much work.

No solution will
be perfect so it’s a matter of using a method not easily beaten.

Right. As always, all you can do is make cheating harder. Not even
on-line real time games are remotely safe, unless the client is
reduced to little more than a video console. For example, FPS games
with local map data and info about other players make perfect
platforms for helper bots that aim, dodge, find enemies and whatnot,
all without the server having a clue about it.

//David Olofson - Programmer, Composer, Open Source Advocate

.- Audiality -----------------------------------------------.
| Free/Open Source audio engine for games and multimedia. |
| MIDI, modular synthesis, real time effects, scripting,… |
`-----------------------------------> http://audiality.org -’
— http://olofson.net — http://www.reologica.se —On Tuesday 30 December 2003 22.55, Phoenix Kokido wrote: