The average good hacker will spend more than 8 hours to hack my ranking, and I would spend about 1 hour to change everything and clean the ranking without reseting everyone's score. [ How? Get the id of the player in the ranking (Debates admins can do that). Then set > if (player ID == hacker ID) reset scores and change ID. Else, convert the score of the player to the new system). Ps.: The ID is the Debates ID, something secret :D ] And the hacker cannot change the ranking ID because it is stored in other's people bank. Also, there's more. I don't want to talk too much. The truth is, I can clean.
It is just NOT WORTH to hack! The question is, why people keep hacking?
But there is a message for hackers in my code explaining that I won't allow hacked scores for more than a day. So, why would they waste a day of work to be in the first place just for an hour?
But there is a message for hackers in my code explaining that I won't allow hacked scores for more than a day. So, why would they waste a day of work to be in the first place just for an hour?
What's the point in asking? Those people are probably not on this website, and if they are, they wouldn't tell you.
Just ban their nicknames, eventually they won't be able to play.
Well, you could still find the "id generation algorithm" and just generate yourself a new id while keeping your score.
The goal in hacking a system is not only to modify your bank, but also to gain full access to the system itself so you can use it just like the mapmaker does.
Do admins have a special ID which you use to recognize them? Would be fun to extract them and play admin yourself :D
fishy..... lol... By the way, I know about the search-and-replace. The question is, replace by what name? LOL
Well, yea no one could restore the original names of course. That measure is mainly to just be able to understand the code again. ||[||||+|||] just doesn't tell you as much as a[b+c] :)
One way or another, I guess there isn't really much more you could do to prevent hacking. And the measures you have in place will really scare away most, if not all, cheaters.
RSA works SOMEHOW with random numbers.... just saying.
RSA uses pre-generated prime numbers. The randomness comes from them being multiplied and divided a lot.
So basically it's not much better than a fixed random seed.
The real advantage of RSA is that you cannot access the Private Key that you need to decrypt a message, even if you have the Public Key with which it is encrypted in the first place.
We can't hide our private key, tho. We could store it in the map itself, as a constant. But that means the encrypted values would be the same for every player. We could store it in the bank but that's just insane.
We could generate a number that "links" to our key or prime numbers and store it in the bank, but that would defeat the idea of having a random key as we're just generating it again.
Real encryption is 256 bytes and includes multiple stages. This is single stage and 1 byte. I hope this puts things in perspective. It isn't easy to decrypt something unless the person who encrypted it is a tool.
True that!
If Blizzard could just find a way to make our maps (near) inacessible to hackers then all problems would be resolved. Encrypting our banks is the least of all problems.
1. How do you implement the global alltime top scores? The best way I know how with data banks would be with a viral method - each player has data values corresponding to 1st 2nd 3rd (names and points), and you take the max of them prior to the game and save it to everyone, and also check after every score change in the current game. Doesn't really work for newbies or not-well-connected players, though.
2. Suppose I had a memory editor program like Cheat Engine (http://www.cheatengine.org/aboutce.php) that would be able to locate critical variables directly by successive filtering (e.g. variables that increased since the last scan) and a little guesswork, and then modify them. It's obvious that data bank read/write encryption and anything to do with the SC2 editor names don't really do any good against such an attack. What do you have that guards against this? I only remember because in SC1 someone did it to my map. Fortunately I was only hiding 1 small integer value, so I just broke it into bits at the end of the trigger cycle, and reassembled it at the beginning of the next one. The trigger cycle time was very small against the memory editor's scan time, so the memory editor would detect a lot of ones and zeroes changing (which are ubiquitous anyway and not very helpful).
@RodrigoAlves: Go
1. How do you implement the global alltime top scores? The best way I know how with data banks would be with a viral method - each player has data values corresponding to 1st 2nd 3rd (names and points), and you take the max of them prior to the game and save it to everyone, and also check after every score change in the current game. Doesn't really work for newbies or not-well-connected players, though.
That's exactly what I did, but there's also the player ID. Each player has a 22-random-digits ID that they get the first time they play. This ID is useful to ban players, reset scores, identify admins, and to avoid the same player twice in the ranking. There's no way to avoid the same player twice in the ranking without this ID, since you cannot compare Texts, and names - differently from the warcraft editor - are texts on galaxy editor.
@RodrigoAlves: Go
Do admins have a special ID which you use to recognize them? Would be fun to extract them and play admin yourself :D
Yes. It's possible (I would ban if I find out, though). That's why I don't allow admins to reward players. That would be a gun in the hacker's hand. Also, admins can be kicked out of the game by the players (it happens sometimes).
If someone mimics and admin that's because they used the admin I'd, thus banning him = banning the admin, the person could then just switch to his old I'd which you don't know.
Rollback Post to RevisionRollBack
Random Information
Tutorials - Map Development - Galaxy wiki
|Issues? PM me|
If someone mimics and admin that's because they used the admin I'd, thus banning him = banning the admin, the person could then just switch to his old I'd which you don't know.
That's like fighting an evil spirit that can possess humans. You can shoot it's host in the head and kill him, but the spirit can just float away and possess another one :D
I love analogies.
2. Suppose I had a memory editor program like Cheat Engine (http://www.cheatengine.org/aboutce.php) that would be able to locate critical variables directly by successive filtering (e.g. variables that increased since the last scan) and a little guesswork, and then modify them. It's obvious that data bank read/write encryption and anything to do with the SC2 editor names don't really do any good against such an attack. What do you have that guards against this? I only remember because in SC1 someone did it to my map. Fortunately I was only hiding 1 small integer value, so I just broke it into bits at the end of the trigger cycle, and reassembled it at the beginning of the next one. The trigger cycle time was very small against the memory editor's scan time, so the memory editor would detect a lot of ones and zeroes changing (which are ubiquitous anyway and not very helpful).
Well, first of all these memory editors don't work in online play (at least not in Wc3). They'd cause a desync if you try to edit any in-game values and kill the game.
But the prevention is basically what you said - just obfuscate your score somewhere. You can store it in a string, chop it into bytes, use a fixed that you multiply or part it up into several integers. You can use a Data Table entry (maybe?) or save it in hexadecimal.
If someone mimics and admin that's because they used the admin I'd, thus banning him = banning the admin, the person could then just switch to his old I'd which you don't know.
Then I just cast a spell to change the admin's body. In other words, there is a trigger to generate a new ID to the player. I just call the admin to a private game and activate the trigger (by typing something in the chat box). This will give the admin a new ID and I will replace his old ID in the admin's list to the new ID. So, the hacker loses his admin powers. The next step will be changing the crypt and adding new features secretly. At this point, I know the hacker's ID. So, I can add a trigger that if the player is the hacker, do nothing, else, convert the player's bank to a new crypt in a new bank. For a few months everyone gets this update, and the hacker won't realize any changes (the banks have the same name and looks the same). When the hacker realizes the game was updated, it will be too late, and even if he has a backup of the bank, it won't work because now everyone already has a different bank, and I will disable the old bank trigger, making him lose his score (and everyone that didn't play the game within these months). In this way, I change all the crypt and save most of the player's score. I've done that already, and no one never realized. I was able to save more than 95% of the scores and get rid of a hacker forever, with a new and improved crypt.
If at least Blizzard could allow us to use our account's space to store not only maps, but also banks.......
Im a full noob to the bank system (im learning how the editor work at the moment to make my own map), but I had an idea for hackers...
Is it possible to make a "black list" ? I mean if the player sUpERr0x0r is cheating, I re-publish the map with his name in the black list, so the map will ignore all the scores coming from him.
If some of you can tell me if it is possible or not :)...
I think there should be a way to create blacklist. But there are some problems with it. If you make it saved as only one players computer, then they can remove themselves from the list. If you create in a way that saves all blacklisted players for all players, it would crate somewhat global player blacklist, but then there might be a way for other people to add non blacklisted players to the blacklist.
If you decide to create blacklist I would do it so that it saves every banned player for everyplayer in form of a code, so it would be hard to add innocent players to blacklist. (and im not sure how many names would the blacklist able to hold)
map get players scores (sync) and update. but is it possible to fix the blacklist in hard in the map, set by the map creator each update (ie variable or I dont know what) and so the map will ignore score from the players in the blacklist at sync ?
You could type in the blacklisted players as variables as often as you like, but then you need to republish the map everytime you do so...banks are saved in each players own computer.
I dont see any other way to do it...you have to do it manually if you want the blacklist to be inside the map
"but then you need to republish the map everytime you do so" => yes that was the idea. I know it is boring, but as there is not that much hackers... I think if the name of the blacklisted players is displayed it will have a psychological effect too.
as im here I ask you : If I re-publish a map all the players will play on the last version ? or they can still play the old maps on bnet (if it is like that it fail hard oO) ?
I remember a time when disassembly was rampant, and software protection needed to go to some fairly extreme measures to obfuscate itself. I'm not sure if these sorts of things still occur, but the tactics I read about have stuck with me for some time:
The principal revolved around making the code a lot more complicated than it needed to be. Since they were assuming that someone would disassemble their code, the purpose was to make it as hard to follow as possible. Sure, an encryption routine can be housed in a single function, but it's a lot hard to follow if it's broken up (arbitrarily) into four functions, and the physical locations of those functions is purposefully seperate. Instead of a constant encryption key, the encryption key could be "built", across several functions. Another common tactic was to introduce code that does nothing, which surrounded the meaningful code. It all just goes to make the hackers job more difficult. Perhaps a branch that never happens, a function that's never called, all create the illusion of complexity that simply isn't there. Illusion or not, the hacker still has to wade through it all in order to sort it out. Lastly, you can remove the symoblic information - the function and variable names. Fortunately, the map designer lets you change a variable or function's name, and all references to it are changed automatically. Sure, the hacker can do the same in reverse, but their faced with the burden of figuring out what the variable or function is used for in the first place. If the variable or function isn't actually used, that job gets harder. Say you have variables named Variable001 through Variable008, and only 2,5, and 7 are used, it can be hard to figure out. The other variables should be referenced, but in code that doesn't really do anything.
The down side is that you now need a map of your encryption routines in order to maintain it. You need to know what to switch your variables back to, and what is and isn't actually used inside the functions. It's a burden to be sure. Security and usability are, unfortunately, polar opposites.
You also want to be sure that your players aren't modifying their RAM, and not their banks. If they're using a hacked client, they can jsut modify their RAM directly and bypass all your encryption. If that's the case, they're little you can do. You've done your due dilligence, and all you can do is wait for Blizz to ban them.
Rollback Post to RevisionRollBack
Pocket Warriors - A pokemon-style game with SC2 units and full banking. New demo coming soon!
If you re-publish your map with the same name it will update the map for all players (so they cant play earlier versions). If you change the name then they can play different versions.
Is it possible to make a "black list" ? I mean if the player sUpERr0x0r is cheating, I re-publish the map with his name in the black list, so the map will ignore all the scores coming from him.
If some of you can tell me if it is possible or not :)...
Yes, it is. I have a similar one in Debates. However, the user can easily unban himself just by deleting or editing his score. But, if they do that they would also lose their scores. This system works well if you want to suspend a player. The player won't touch the bank because he doesn't want to lose his score. They'd rather wait a few days than lose all their points.
To do it, you have to assign a really huge random number and store this number when the bank is created for the first time. This number is the player map id, and you can identify the player through this id. Bigger the id = harder for 2 players to have the same random number.
You can do things like (if player[i] id == BlackList[j]) Send message to player[i] ("You are suspended until Saturday"). Defeat player[i]
Rollback Post to RevisionRollBack
To post a comment, please login or register a new account.
Not going to happen. That would make sense, you know.
The average good hacker will spend more than 8 hours to hack my ranking, and I would spend about 1 hour to change everything and clean the ranking without reseting everyone's score. [ How? Get the id of the player in the ranking (Debates admins can do that). Then set > if (player ID == hacker ID) reset scores and change ID. Else, convert the score of the player to the new system). Ps.: The ID is the Debates ID, something secret :D ] And the hacker cannot change the ranking ID because it is stored in other's people bank. Also, there's more. I don't want to talk too much. The truth is, I can clean.
It is just NOT WORTH to hack! The question is, why people keep hacking?
@RodrigoAlves: Go
Because they can't win fair and square?
But there is a message for hackers in my code explaining that I won't allow hacked scores for more than a day. So, why would they waste a day of work to be in the first place just for an hour?
Because it's fun :)
What's the point in asking? Those people are probably not on this website, and if they are, they wouldn't tell you. Just ban their nicknames, eventually they won't be able to play.
@RodrigoAlves: Go
Well, you could still find the "id generation algorithm" and just generate yourself a new id while keeping your score.
The goal in hacking a system is not only to modify your bank, but also to gain full access to the system itself so you can use it just like the mapmaker does.
Do admins have a special ID which you use to recognize them? Would be fun to extract them and play admin yourself :D
Well, yea no one could restore the original names of course. That measure is mainly to just be able to understand the code again. ||[||||+|||] just doesn't tell you as much as a[b+c] :)
One way or another, I guess there isn't really much more you could do to prevent hacking. And the measures you have in place will really scare away most, if not all, cheaters.
RSA uses pre-generated prime numbers. The randomness comes from them being multiplied and divided a lot.
So basically it's not much better than a fixed random seed.
The real advantage of RSA is that you cannot access the Private Key that you need to decrypt a message, even if you have the Public Key with which it is encrypted in the first place.
We can't hide our private key, tho. We could store it in the map itself, as a constant. But that means the encrypted values would be the same for every player. We could store it in the bank but that's just insane.
We could generate a number that "links" to our key or prime numbers and store it in the bank, but that would defeat the idea of having a random key as we're just generating it again.
True that!
If Blizzard could just find a way to make our maps (near) inacessible to hackers then all problems would be resolved. Encrypting our banks is the least of all problems.
@RodrigoAlves: Go
2 questions:
1. How do you implement the global alltime top scores? The best way I know how with data banks would be with a viral method - each player has data values corresponding to 1st 2nd 3rd (names and points), and you take the max of them prior to the game and save it to everyone, and also check after every score change in the current game. Doesn't really work for newbies or not-well-connected players, though.
2. Suppose I had a memory editor program like Cheat Engine (http://www.cheatengine.org/aboutce.php) that would be able to locate critical variables directly by successive filtering (e.g. variables that increased since the last scan) and a little guesswork, and then modify them. It's obvious that data bank read/write encryption and anything to do with the SC2 editor names don't really do any good against such an attack. What do you have that guards against this? I only remember because in SC1 someone did it to my map. Fortunately I was only hiding 1 small integer value, so I just broke it into bits at the end of the trigger cycle, and reassembled it at the beginning of the next one. The trigger cycle time was very small against the memory editor's scan time, so the memory editor would detect a lot of ones and zeroes changing (which are ubiquitous anyway and not very helpful).
That's exactly what I did, but there's also the player ID. Each player has a 22-random-digits ID that they get the first time they play. This ID is useful to ban players, reset scores, identify admins, and to avoid the same player twice in the ranking. There's no way to avoid the same player twice in the ranking without this ID, since you cannot compare Texts, and names - differently from the warcraft editor - are texts on galaxy editor.
Yes. It's possible (I would ban if I find out, though). That's why I don't allow admins to reward players. That would be a gun in the hacker's hand. Also, admins can be kicked out of the game by the players (it happens sometimes).
If someone mimics and admin that's because they used the admin I'd, thus banning him = banning the admin, the person could then just switch to his old I'd which you don't know.
That's like fighting an evil spirit that can possess humans. You can shoot it's host in the head and kill him, but the spirit can just float away and possess another one :D
I love analogies.
Well, first of all these memory editors don't work in online play (at least not in Wc3). They'd cause a desync if you try to edit any in-game values and kill the game.
But the prevention is basically what you said - just obfuscate your score somewhere. You can store it in a string, chop it into bytes, use a fixed that you multiply or part it up into several integers. You can use a Data Table entry (maybe?) or save it in hexadecimal.
Then I just cast a spell to change the admin's body. In other words, there is a trigger to generate a new ID to the player. I just call the admin to a private game and activate the trigger (by typing something in the chat box). This will give the admin a new ID and I will replace his old ID in the admin's list to the new ID. So, the hacker loses his admin powers. The next step will be changing the crypt and adding new features secretly. At this point, I know the hacker's ID. So, I can add a trigger that if the player is the hacker, do nothing, else, convert the player's bank to a new crypt in a new bank. For a few months everyone gets this update, and the hacker won't realize any changes (the banks have the same name and looks the same). When the hacker realizes the game was updated, it will be too late, and even if he has a backup of the bank, it won't work because now everyone already has a different bank, and I will disable the old bank trigger, making him lose his score (and everyone that didn't play the game within these months). In this way, I change all the crypt and save most of the player's score. I've done that already, and no one never realized. I was able to save more than 95% of the scores and get rid of a hacker forever, with a new and improved crypt.
If at least Blizzard could allow us to use our account's space to store not only maps, but also banks.......
Hem,
Im a full noob to the bank system (im learning how the editor work at the moment to make my own map), but I had an idea for hackers...
Is it possible to make a "black list" ? I mean if the player sUpERr0x0r is cheating, I re-publish the map with his name in the black list, so the map will ignore all the scores coming from him.
If some of you can tell me if it is possible or not :)...
I think there should be a way to create blacklist. But there are some problems with it. If you make it saved as only one players computer, then they can remove themselves from the list. If you create in a way that saves all blacklisted players for all players, it would crate somewhat global player blacklist, but then there might be a way for other people to add non blacklisted players to the blacklist.
If you decide to create blacklist I would do it so that it saves every banned player for everyplayer in form of a code, so it would be hard to add innocent players to blacklist. (and im not sure how many names would the blacklist able to hold)
@zenx1: Go
mhhh, I understood the bank system like that :
players <=> map on account
map get players scores (sync) and update. but is it possible to fix the blacklist in hard in the map, set by the map creator each update (ie variable or I dont know what) and so the map will ignore score from the players in the blacklist at sync ?
you see the idea :p ?
You could type in the blacklisted players as variables as often as you like, but then you need to republish the map everytime you do so...banks are saved in each players own computer.
I dont see any other way to do it...you have to do it manually if you want the blacklist to be inside the map
@zenx1: Go
"but then you need to republish the map everytime you do so" => yes that was the idea. I know it is boring, but as there is not that much hackers... I think if the name of the blacklisted players is displayed it will have a psychological effect too.
as im here I ask you : If I re-publish a map all the players will play on the last version ? or they can still play the old maps on bnet (if it is like that it fail hard oO) ?
I remember a time when disassembly was rampant, and software protection needed to go to some fairly extreme measures to obfuscate itself. I'm not sure if these sorts of things still occur, but the tactics I read about have stuck with me for some time:
The principal revolved around making the code a lot more complicated than it needed to be. Since they were assuming that someone would disassemble their code, the purpose was to make it as hard to follow as possible. Sure, an encryption routine can be housed in a single function, but it's a lot hard to follow if it's broken up (arbitrarily) into four functions, and the physical locations of those functions is purposefully seperate. Instead of a constant encryption key, the encryption key could be "built", across several functions. Another common tactic was to introduce code that does nothing, which surrounded the meaningful code. It all just goes to make the hackers job more difficult. Perhaps a branch that never happens, a function that's never called, all create the illusion of complexity that simply isn't there. Illusion or not, the hacker still has to wade through it all in order to sort it out. Lastly, you can remove the symoblic information - the function and variable names. Fortunately, the map designer lets you change a variable or function's name, and all references to it are changed automatically. Sure, the hacker can do the same in reverse, but their faced with the burden of figuring out what the variable or function is used for in the first place. If the variable or function isn't actually used, that job gets harder. Say you have variables named Variable001 through Variable008, and only 2,5, and 7 are used, it can be hard to figure out. The other variables should be referenced, but in code that doesn't really do anything.
The down side is that you now need a map of your encryption routines in order to maintain it. You need to know what to switch your variables back to, and what is and isn't actually used inside the functions. It's a burden to be sure. Security and usability are, unfortunately, polar opposites.
You also want to be sure that your players aren't modifying their RAM, and not their banks. If they're using a hacked client, they can jsut modify their RAM directly and bypass all your encryption. If that's the case, they're little you can do. You've done your due dilligence, and all you can do is wait for Blizz to ban them.
@xJeliel: Go
If you re-publish your map with the same name it will update the map for all players (so they cant play earlier versions). If you change the name then they can play different versions.
Yes, it is. I have a similar one in Debates. However, the user can easily unban himself just by deleting or editing his score. But, if they do that they would also lose their scores. This system works well if you want to suspend a player. The player won't touch the bank because he doesn't want to lose his score. They'd rather wait a few days than lose all their points.
To do it, you have to assign a really huge random number and store this number when the bank is created for the first time. This number is the player map id, and you can identify the player through this id. Bigger the id = harder for 2 players to have the same random number.
You can do things like (if player[i] id == BlackList[j]) Send message to player[i] ("You are suspended until Saturday"). Defeat player[i]