Gamemaker, Construct2: Security concerns

Some of you might not know - I have an active MMORPG http://afar.ws

I want to add to this some minigames, which would replace point and click for getting materials to craft items etc.

The only real ways I can do this are HTML5 or Flash, and neither is particularly secure.

What I want to know really is:

- Can Construct 2 or Gamemaker be secured in such a way to make it at least difficult to hack? I used to play a game called Adventure Quest, which was massive, but easily hacked using packet editors.
- If not, which is the more secure?

I don't want to fall into the trap of gimping legitimate users just in the name of security. I don't want to hamper some people's gameplay just because a minority would choose to hack the system.

In terms of gameplay itself, would you play a game where you could, say, complete Sokoban-like levels to get resources, knowing full well that other people will just be editing packets to get the same thing? Would you mind? What if there was a limit, would that hurt you or hurt them more?

Would you rather play a basic game, or a flashy but hackable game?
 
If the purpose is to make a particular aspect of Afar more interesting, like you said for crafting and getting materials, I definitely prefer the flashy game.

As for security, I honestly have no idea =( If said mini game is going to be sending data back to Afar main game, it might not entirely be the HTML5/Flash mini games' responsibility to handle security. The main game itself could have a certain rule that determines what data is accepted and what data isn't. That thought is nowhere near a practical solution but just tossing the idea out there.
 
I think hacking is an inevitable part of games but you could build your game to be more resilient to it - eg disable trade - or have code to flag suspicious behaviour (eg levelling up 10 times in a minute). Also, couldn't you just encrypt everything you pass from the client to the server? Although if players were changing memory directly that would be a problem.... But shouldn't the OS stop this? Since each program eg the browser gets its own memory?
 
valkyriegames said:
I think hacking is an inevitable part of games but you could build your game to be more resilient to it - eg disable trade - or have code to flag suspicious behaviour (eg levelling up 10 times in a minute). Also, couldn't you just encrypt everything you pass from the client to the server? Although if players were changing memory directly that would be a problem.... But shouldn't the OS stop this? Since each program eg the browser gets its own memory?

With regard to the last bit, that is the entire purpose of a little download called Cheat Engine. It is used to locate and edit active memory for any given game or application.

Wyatt, in respect to your problem, what you need is decent encryption/decryption. I'm not saying it has to be state of the art or anything like that, just that it has to be decent enough to prevent on-the-fly editing. The most basic example I can think of would be to do something like converting numbers to strings, taking the current time to create a seed, using that seed to "salt" the string (in this case entering randomized characters between the ones you want), and then prefixing the string with the seed you used (which should be the timestamp of when it was created). This would make it so that you could check to see if someone is using a packet editor (hey! they just sent the server a packet from a month ago. I know because the timestamp says so!). Further, it would mean that people would have to do significantly more work to create a valid packet. In fact, if you used Construct 2, while they would technically have access to the source code, it wouldn't exactly be anywhere near legible, even for an advanced programmer. I took a look at the JavaScript for my Construct project, and before I would have any hope of understanding it, I would not only have to spend a massive amount of time reformatting it, I would have to essentially reconstruct what everything meant without help from the original variable names. (Because everything is obfuscated too.) The best part is, with such a simple algorithm, you could change it in a minor way and leave an autodetect for older formatting that would flag accounts as having sent an illegal packet.

If you're curious about what the final code for a construct project looks like, you can find an example from mine here.
 
Did someone say Flash? :D
I know some defenses can be put in place to defend against edits, though this was done with Flash's shared object files... And I have no idea how he did it. But the later versions, most of the 'bigger' hacks which were done using Sol Editor and such, pretty much locked out the character because it was detected! (Murloc RPG was the game)

I'm sure similar defenses could be put in place, such as a timer to check how fast a minigame is finished, and if it is finished in under X seconds, then the player obviously hacked and you can bring up a message box saying it was detected, and not send the data back to the main game.

No matter what defenses you put in place though, people will always get around it, and you don't want to mess around with your legitimate players *coughDRMcough*.
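Several ideas raised in this thread (a rule in the main game that decides what data is accepted, rejecting old packets, and a minimum-time check) can all live on the server, where a packet editor or memory editor cannot reach them. The sketch below is an added example, not part of the original posts and not Afar's code; the level format, field names and thresholds are assumptions.

```javascript
// Added example: server-side acceptance rules for a Sokoban-style minigame.
// Level format, field names and thresholds are assumptions for illustration.
const DIRS = { U: [-1, 0], D: [1, 0], L: [0, -1], R: [0, 1] };
const MIN_SOLVE_MS = 3000;           // assumed: faster than a human can solve
const MAX_AGE_MS = 10 * 60 * 1000;   // assumed: issued levels expire after 10 min
// Constructed sample level: push the box one step right onto the goal.
const SAMPLE_LEVEL = ['#####', '#@$.#', '#####'];

// Replay the client's move list on the server's own copy of the level.
// '#' wall, '@' player, '$' box, '.' goal, ' ' floor.
function replaySolves(level, moves) {
  const grid = level.map((row) => row.split(''));
  const goals = [];
  let pr = 0, pc = 0;
  grid.forEach((row, r) => row.forEach((ch, c) => {
    if (ch === '.') goals.push([r, c]);
    if (ch === '@') { pr = r; pc = c; grid[r][c] = ' '; }
  }));
  const at = (r, c) => (grid[r] && grid[r][c] !== undefined ? grid[r][c] : '#');
  for (const m of moves) {
    const d = DIRS[m];
    if (!d) return false;                          // unknown move symbol
    const nr = pr + d[0], nc = pc + d[1];
    if (at(nr, nc) === '#') return false;          // walked into a wall
    if (at(nr, nc) === '$') {
      const br = nr + d[0], bc = nc + d[1];
      if (at(br, bc) === '#' || at(br, bc) === '$') return false; // blocked push
      grid[br][bc] = '$';
      grid[nr][nc] = ' ';
    }
    pr = nr; pc = nc;
  }
  return goals.length > 0 && goals.every(([r, c]) => grid[r][c] === '$');
}

// session: record the server created and stored when it handed out the level.
function validateSubmission(session, submission, now) {
  if (!session || session.used) return { ok: false, reason: 'replayed-or-unknown-session' };
  session.used = true;                             // one attempt per issued level
  const elapsed = now - session.issuedAt;          // server clock, never the client's
  if (elapsed > MAX_AGE_MS) return { ok: false, reason: 'stale' };
  if (elapsed < MIN_SOLVE_MS) return { ok: false, reason: 'too-fast' };
  if (typeof submission.moves !== 'string' || submission.moves.length > 500)
    return { ok: false, reason: 'bad-moves' };
  if (!replaySolves(session.level, submission.moves)) return { ok: false, reason: 'not-solved' };
  return { ok: true, reward: session.reward };     // reward comes from the server record
}
```

Because the client only sends its moves and the server works out the result itself, an edited packet has nothing to tamper with except the moves, which are then replayed and checked.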
 
