Hi everyone,
I was curious if anyone knows the current situation with map security with regards to banks.
From what I found on past threads, a determined individual can eventually cheat the bank system of any map to get the best stats, rank, etc. since the encryption algorithm/secret key can always be recovered.
Is this still the case now? How do popular maps with bank systems like Mafia deal with this? I cannot imagine Dark.Revenant would tolerate such things...
Nothing has changed. Banks are still saved on the user's computer and cached maps can still be opened.
Blizzard's signature algorithm has been figured out and programs can re-sign banks already. So, signatures only stop the normal edits via notepad.
Currently, the best way to protect your bank is to make it more difficult to properly edit it. For example, you can save hash values in your map and the hash value that you generate with the saved data needs to be identical to a hash value that you store. Then, the cheaters need to do more than re-signing the bank.
Mafia protects itself via active Moderators playing the game and player handle bans (which can be spoofed AFAIK... but I've read it only once quite a while ago).
@sethmachine: Go
Right, that's basically still the case. A determined and knowledgeable player can get into your bank if they want. That said, I'd guess that a good 90-99% of players on bnet have no idea how to even break the bank signature. Your best bet is to use some type of hash security along with an encryption (starcode is a good option for both). If you're very concerned about security, you can obfuscate the map code. That makes your mapscript nearly impossible to read, which can make it more difficult (or at least more time consuming) to break your security. We've got a few obfuscation tools available on mapster if you're interested. I wrote a more detailed writeup on the whole subject here if you're interested; it should be mostly up to date.
People can rip your map open, publish it to b.net with whatever edit they desire, and have your own map create a new bank file.
Totally impossible to circumvent. Waste of time even trying to protect banks beyond deterring casual hackers while this exists.
Really disappointing. Will also make any form of paid arcade (should it ever happen) completely impossible, as any arcade map could be "pirated" on Blizzard's own service by republishing a ripped map for free.
Ah, I was hoping that things might have improved (the threads I found about this were 2-3 years old) but I guess Blizzard really doesn't care?
Two of you mentioned that signatures can now be faked and maps easily broken into now; what about 3rd party map protection? Surely there are some powerful tools out there that at least prevent a player from opening a map, even if the galaxy script is always recoverable? I suppose with an active community it would make it hard for someone to come out of nowhere and fake their stats, etc. While it is a lot of overhead, is there any way for the author to have a list of all the bank files made for their respective map? If you could do that, you could simply throw out the ones that stand out which you know are false (this requires a lot of grunt work though). I imagine if someone does cheat their way, they would usually give themselves imba stats, or at least those very close to top level players. Or perhaps even make players register with you to allow them to make a bank file (they have to contact you, and then you add their name, etc. to some list of allowed savers in the next map update?).
I know Warcraft 3 had really good map protection that even mainstream unprotected could not break (e.g. xdep), though the JASS code was very easy to recover.
I'm sure all this stuff has been said before, but I think you guys underestimate the average player. A lot of people have college degrees in computer science, and there are a lot of communities dedicated to cheating maps (d3scene for example), so even the average guy could find success.
Yeah, none of that stuff exists for SC2.
You can also make your bank file/security triggers a series of math formulas and fake labels. Then just make it so if one thing is out of place, the player is marked as a bank hacker. I do this for my rank system in Total TD, but like others have said, it is impossible to make security 100% effective, especially when files are saved locally.
Absolutely wrong.
1) Download your map.
2) Hack it and open it in the editor.
3) Add a trigger for whatever reward you want.
4) Publish and play on battle.net.
Your map file itself is not safe, so no amount of messing with the bank files is going to help.
@Eiviyn: Go
That alone isn't enough to hack the bank of the original map though.
Just do like mine is: convert it to hexadecimal, and then convert it to a unique system of vigesimal (meaning don't use 1-k, use a-t or something). You won't have any problems. No one is going to break something that has over a million possibilities.
Add a signature forger and yes it is.
There are some good ideas for encrypting your own banks here, and I like what obscenecereal said. And I wouldn't be so quick to shoot down good ideas, Eiviyn; it's better to try than do nothing and say there is no hope. Also, I think most of you are overestimating the average person who does this kind of thing. Most SC2 players are young, pre-teens to maybe 17 or 18. The kind of person who would try to hack a bank to get rewards they didn't earn is probably in this age group.
If map making is too hard for a lot of people that actually want to get into it, do you think the average SC2-playing 12 year old is going to be able to crack player-made bank encryption to get new stats? They don't even know what a bank is or how they could go about altering it to get what they want; in fact, they know literally nothing about programming.
The fact that map stealing and bank corruption are doable and yet these things literally never happen is proof of this. I would estimate the percentage of people who are both capable of this and actually want to do this is at less than .001%, maybe 1 in 100,000. You can have one of these very rare players crack the map protection algorithm, but protection you put in for your map only would again require that 1 in 100,000 guy to crack your encryption, and I don't think he's going to put in all that work so the 12 year olds that actually want to do this but can't can do it too.
And in terms of map stealing, which IMO is worse, if someone tried to steal Mafia that obviously wouldn't work, and I think the player's SC2 account should be perma-banned on the spot for doing something like that. Blizzard could keep track of who published a certain map first, and a player could report a duplicate, and Blizzard could look into it and ban that person for doing so. Yeah, they could change it slightly, but by looking at the map you can easily tell.
And has anyone heard of someone stealing people's maps and putting them on battle.net? I saw it happen in WC3 a good bit as there was no built-in protection, but I haven't seen it on SC2, and no, maps that were originally published as being available for anyone to download do not count.
Also, I don't know a lot about banks, but do players have to be identified by their SC2 account ID? If you encrypted the player IDs, a player can't give themselves more points if they can't find themselves in the bank?
And signature forgers are actually a real thing that exists? Or is it some made-up boogeyman meant to scare map makers?
@lemmy734: Go The folder the bank is stored in on the computer is the ID, plus anyone can just make a quick map that shows them the ID.
But there's some points u r right about that I will elaborate.
@sethmachine: Go
Things to consider:
1) How valuable is the information you're saving (is it just an unimportant score or godly units)?
2) Security deters many users.
If you store a score that has no real meaning in the game, a determined player will change their score to 1337 or 666.
If your bank stores godly overpowered data, they will be more motivated to get in and get that item (especially if they like your game or it's popular).
Summary:
Security is good, but avoid storing things that can permanently ruin the game for players who r victims of hacking (this means mostly PvP type games).
Making the banks unimportant in the game is the idealistic solution I can think of, but this has to be considered from the beginning.
Binding player IDs into bank should do fine on most occasions. That way even if someone actually manages to break the code the others are unaffected.
...Actually, I think we need some kind of similarity verification system on maps. You know, for republished maps.
@butterflo: Go
Banks r stored individually anyways; if it gets broken, that person can't get into someone else's bank. There is no need to try to link banks to handles unless you want to make a unique line of data in the bank.
Linking banks to handles is necessary to provide even a minimum bank security. If your banks are not linked to handles, one person can hack your bank, publish it and everyone on the Internet will be able to use it with a minimal effort.
Yep, stop storing game-breaking unlocks in banks. Everything put in a bank should be mostly cosmetic and with no real value. Not doing this is bad in regards to new players anyways. And then you just don't care; if a player wants to hack to enable some skins, who cares at all? Who?
@zeedu: Go My bank is stored at
\Documents\StarCraft II\Accounts\54920080\1-S2-1-568242\Banks
My handle is 1-S2-1-568242
In my last game I played, the other players' handles were
1-S2-1-766244
1-S2-1-7536753
1-S2-1-8746596
Handles don't do anything and players don't share banks; a player bank doesn't interact with other players unless their strenuous game says it does, which is a very very bad idea for the obvious. Adding a handle into a bank just puts a unique line of data that adds a minimal amount of security only in combination with encryption and obfuscation.
Or you can use player handles as a part of the encryption key XD
Some types of maps just have to be built around bank dependency in mind, such as RPG maps. The idea of not depending on banks just clashes with the fundamental aspect of certain genres.
But RPG maps are mostly played solo, aren't they? At least there, why would you care?
A multiplayer RPG map, well. You could verify data integrity. Like games played vs existing exp.
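
The stored-hash check, the handle binding and the "games played vs existing exp" integrity check suggested in the posts above, combined in one sketch. This is an added example, not code from any poster or map; it is written in Python rather than Galaxy, and the secret, field names, handles and `MAX_EXP_PER_GAME` are constructed assumptions.

```python
import hashlib
import hmac

# Constructed placeholder. In a real map this value ships inside the map
# script, so anyone who extracts the script can recompute tags; the check
# raises the cost of an edit, it does not make the bank tamper-proof.
MAP_SECRET = b"constructed-example-secret"
MAX_EXP_PER_GAME = 500  # hypothetical game rule used by the sanity check


def canonical(values: dict) -> bytes:
    """Serialise the bank deterministically: sorted keys, length-prefixed
    fields, so two different banks can never produce the same byte string."""
    out = []
    for key in sorted(values):
        for field in (key, str(values[key])):
            raw = field.encode("utf-8")
            out.append(len(raw).to_bytes(4, "big") + raw)
    return b"".join(out)


def seal(values: dict, handle: str) -> str:
    """Tag the bank with a key derived from the map secret AND the handle,
    so a tag computed for one player is useless for any other player."""
    player_key = hmac.new(MAP_SECRET, handle.encode("utf-8"), hashlib.sha256).digest()
    return hmac.new(player_key, canonical(values), hashlib.sha256).hexdigest()


def load_bank(values: dict, stored_tag: str, handle: str) -> str:
    """Return 'ok', 'tampered' or 'implausible' for a bank read from disk."""
    if not hmac.compare_digest(seal(values, handle), stored_tag):
        return "tampered"
    # Cross-field check ("games played vs existing exp"): catches a bank
    # that was re-sealed correctly but carries values the game cannot produce.
    if not 0 <= values["exp"] <= values["games_played"] * MAX_EXP_PER_GAME:
        return "implausible"
    return "ok"


# Constructed sample data (handles follow the format quoted in the thread).
HANDLE_A = "1-S2-1-1111111"
HANDLE_B = "1-S2-1-2222222"
GENUINE = {"exp": 4200, "games_played": 12, "rank": 3}
GENUINE_TAG = seal(GENUINE, HANDLE_A)

if __name__ == "__main__":
    edited = dict(GENUINE, exp=999999)
    print(load_bank(GENUINE, GENUINE_TAG, HANDLE_A))   # genuine bank
    print(load_bank(edited, GENUINE_TAG, HANDLE_A))    # value edited, old tag
    print(load_bank(GENUINE, GENUINE_TAG, HANDLE_B))   # bank copied to another player
    print(load_bank(edited, seal(edited, HANDLE_A), HANDLE_A))  # re-sealed, impossible exp
```

The last case is the one the thread keeps returning to: once the secret is recovered from the map the tag can be recomputed, so only the cross-field check (and keeping bank contents low-value) still limits the damage.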