A few words on bank signatures, encryption, and obfuscation
Introduction
As a map developer, you have only one option when it comes to saving and recalling information between game sessions- banks. Bank files are great for the majority of players, and allow them to experience progression over many game sessions. But ponder this situation- You've just finished creating the best RPG ever, complete with features so great that you would rise to "#1 Top Played" in a day. You launch the map, and it explodes, launching you into "internet legend" status. But then, out of the darkness, comes a single bad apple- a player, intent on ruining your day, and the day of every player who loves your fantastic map. That's right- it's a hacker. And he has his greedy little eyes set on your map, ready to pounce- will you be ready?
So, silly introduction aside, bank security is important for any map that includes banks. While it's certainly more important for maps that offer more important features through banks, like levels in an RPG, it's something that everyone should consider. Here's the overriding principle when it comes to bank security, though:
You will never be able to protect your bank files completely. Your only option is to make hacking your bank as brain-meltingly challenging as you possibly can.
I will not be discussing detailed instructions on how to use these tools, but instead discuss bank security in more general terms. This tutorial may be a useful read for anyone who is interested in protecting their banks, but it will not provide you with line-by-line instructions. That said, there's 2 big areas we're going to be dealing with today- Securing your bank files, and obfuscating your map data.
Securing Your Bank Files
The first thing you should do to protect your bank is make it impossible to simply pop open the bank file, edit it, and save it. And luckily for you, it's actually easy to do this. You have two methods, each of which I'll into detail in below:
Bank Signatures
Pros: Extremely easy to add, will prevent 90% of hacking Cons: "Real" hackers won't have any problem breaking this, and cracks are available if you know where to look
If your map has a bank, it should use bank signatures. The only exception to this is if you want people to edit their banks for some reason, but this is not normally the case. Bank signatures are incredibly easy to implement- it requires you to add only one action to turn the feature on, and a single condition to check for hacking. Here's how it works, should you choose to turn on the feature:
Every time the bank is saved, the content inside is used to generate a 'signature'. This is a large string of letters and numbers that is based off the bank contents, map name, map author, and player handle.
You can use the function "Verify Bank" to check this handle. If the player has modified anything, the bank signature will not match, and this function will return false. If this happens, you can just delete their bank file or kick them from the game.
Bank Encryption
Pros: Not quite as easy to add, but will prevent any hackers who are not smart and dedicated. Also lowers file size Cons: Dedicated hackers can locate your encryption within the map file itself, if they're smart
Before we discuss what bank encryption is, let's take a look at what the inside of a bank file actually looks like. Below is an example bank file, typical of what you might see.
As you can probably tell, it's pretty easy to see exactly what each of those numbers represents, and change those values. If a hacker manages to break your signature (which, again, is definitely possible), he can easily modify whichever values he wants. Say I want to change my high score- I'll just replace 1000 with 10000. Encryption takes all of those values, squashes them together into one much smaller value, and then scambles them to be unreadable. Here's an example of that same bank, but encrypted:
So what would happen if I wanted to change my high score now? I wouldn't know what to change, because my entire bank has been squished down to just "a843j-6anf1!", and I have no idea what that means. How do we do this to our banks? You could create your own encryption/compression script, but that's a lot of unnecessary work. S3rius created an awesome library called Starcode, which you can use to encrypt your bank files. I'm not going to cover the actual details of how to use starcode (An example map is included at the link earlier).
But there is one weakness that we can encounter when using encryption. We need to have an encryption key to decode our bank. Think of the old encrypted messages used in wars- you needed to have the encrypted message itself as well as the cipher that told you how to read it. The cipher, in our case, is called our encryption key. If our hacker learns what our encryption key is, then he can easily decrypt our values, rewrite them, and then re-encrypt them.
That's where the problem lies...Unfortunately for us, we need our encryption key to be inside the map. Hackers can download the map off battle net (even if it's locked, there are ways around it), view your mapscript, and find your encryption key. We can't prevent this from happening, but we can try to make it as painful as possible for hackers by obfuscating our map data.
Obfuscating Your Map
Mapscript Obfuscation
Pros: Makes locating your encryption much more difficult Cons: Prevents both yourself or others from opening your map (keep a backup!)
We've already dealt with bank security- that keeps our banks safe and difficult to edit. But all of that falls apart if the hacker can discover our encryption key. Like I said earlier, it's impossible to prevent that from happening, but we can make it as hard as possible to do. One way we can do this is to obfuscate our mapscript file. Obfuscation takes our mapscript file and rewrites the entire thing to make it unreadable, but still functional. For example, your variables would be named "iiIillIllI and illliiilliii" instead of "player_life and player_health", making them unreadable to humans. Zeedu has a mapscript obfuscator available here (Make sure you keep a backup of your maps before obfuscating it!). You can obfuscate your map using this tool, making it impossible to open in the editor and impossible to read.
Final Thoughts
On top of what's discussed here, feel free to think outside of the box- it can't hurt! What if you encrypt your bank more than once, using different pieces of data to do it? What if you include a 'checker' function inside your map that checks your banks to see if a player's stats are suspiciously high. What if you assign players a randomized ID number and use pieces of that number to encrypt their banks?
Hopefully this tutorial was useful for providing you with a better idea of how to secure your bank files. As I mentioned several times, there is no way to totally secure your bank files. The best you can do is encrypt them well, and then obfuscate your map data to help hide your encryption key. If you do this, the vast majority of potential hackers will likely be dissuaded. And as always, feel free to send me a PM if you have any comments, questions, or suggestions ;)
A futile effort since whole maps can be cracked like raw eggs... No matter how you rename stuff it all breaks down to the programming language used in the game. With the triggers used to create and interpret the banks at hand it is only 30 mins work to make a code generator.
It all comes down to Blizzard making bank files server side, everything else is pretty much useless.
This was requested since years and we did never really get an answer. Not only that it prevents hacking, it also makes a lot more conceptional sense to link banks to your account rather than your hard drive. This would make it possible to switch computers/format your HDD without losing any progress.
It'll never happen, as much as they love their players, they won't store data on their servers because if one of their employees accidentally wipe their hard drives, then they are liable for the lost data. The only data they'll risk it for is the official ladder.
I find this whole situation funny because map makers want to protect their precious banks. I'm not trolling here, be honest do you think the mapping community has a problem with people cracking banks? I say not, I say less 2% would use the program to generate a signature. Thats a lot of effort alone, if you encrypt it how many people would go out of their way to crack the encryption? Probably less than .1%, if that.
Honestly the take away from this is that if your just tracking gameplay stats that has no impact on gameplay then use the blizzard signature. If you have gameplay impacting data in banks that you want to sacrely protect then I would go beyond with the options above. The take away from this is that there is a few slim chance people want to crack your bank, and even then its not worth going through the effort just to add some digits to your stats, if I detected someone modifying their banks than I would just ID ban them if I felt like it, which probablybwouodnt happen anyways.
What you say is mostly true, this is useless if you`re only storing/recording game statistics.
Nonetheless, for games which will heavily rely on banks for gameplay will be threaten by outside modifications; e.g. levels, unlocks, standings, etc.
As OP said, more-or-less dedicated hack edits will happen so a detective ban system should still be used but at least the occurrence will be smaller.
Hacking can fuck up ELO like score tracking. One hacks its ELO or similar score to ridiculously high and it will spread through all players like a virus...
Rollback Post to RevisionRollBack
To post a comment, please login or register a new account.
How to make your banks as safe as possible
A few words on bank signatures, encryption, and obfuscation
Introduction
As a map developer, you have only one option when it comes to saving and recalling information between game sessions- banks. Bank files are great for the majority of players, and allow them to experience progression over many game sessions. But ponder this situation- You've just finished creating the best RPG ever, complete with features so great that you would rise to "#1 Top Played" in a day. You launch the map, and it explodes, launching you into "internet legend" status. But then, out of the darkness, comes a single bad apple- a player, intent on ruining your day, and the day of every player who loves your fantastic map. That's right- it's a hacker. And he has his greedy little eyes set on your map, ready to pounce- will you be ready?
So, silly introduction aside, bank security is important for any map that includes banks. While it's certainly more important for maps that offer more important features through banks, like levels in an RPG, it's something that everyone should consider. Here's the overriding principle when it comes to bank security, though:
You will never be able to protect your bank files completely. Your only option is to make hacking your bank as brain-meltingly challenging as you possibly can.
I will not be discussing detailed instructions on how to use these tools, but instead discuss bank security in more general terms. This tutorial may be a useful read for anyone who is interested in protecting their banks, but it will not provide you with line-by-line instructions. That said, there's 2 big areas we're going to be dealing with today- Securing your bank files, and obfuscating your map data.
Securing Your Bank Files
The first thing you should do to protect your bank is make it impossible to simply pop open the bank file, edit it, and save it. And luckily for you, it's actually easy to do this. You have two methods, each of which I'll into detail in below:
Bank Signatures
Pros: Extremely easy to add, will prevent 90% of hacking
Cons: "Real" hackers won't have any problem breaking this, and cracks are available if you know where to look
If your map has a bank, it should use bank signatures. The only exception to this is if you want people to edit their banks for some reason, but this is not normally the case. Bank signatures are incredibly easy to implement- it requires you to add only one action to turn the feature on, and a single condition to check for hacking. Here's how it works, should you choose to turn on the feature:
Bank Encryption
Pros: Not quite as easy to add, but will prevent any hackers who are not smart and dedicated. Also lowers file size
Cons: Dedicated hackers can locate your encryption within the map file itself, if they're smart
Before we discuss what bank encryption is, let's take a look at what the inside of a bank file actually looks like. Below is an example bank file, typical of what you might see.
As you can probably tell, it's pretty easy to see exactly what each of those numbers represents, and change those values. If a hacker manages to break your signature (which, again, is definitely possible), he can easily modify whichever values he wants. Say I want to change my high score- I'll just replace 1000 with 10000. Encryption takes all of those values, squashes them together into one much smaller value, and then scambles them to be unreadable. Here's an example of that same bank, but encrypted:
So what would happen if I wanted to change my high score now? I wouldn't know what to change, because my entire bank has been squished down to just "a843j-6anf1!", and I have no idea what that means. How do we do this to our banks? You could create your own encryption/compression script, but that's a lot of unnecessary work. S3rius created an awesome library called Starcode, which you can use to encrypt your bank files. I'm not going to cover the actual details of how to use starcode (An example map is included at the link earlier).
But there is one weakness that we can encounter when using encryption. We need to have an encryption key to decode our bank. Think of the old encrypted messages used in wars- you needed to have the encrypted message itself as well as the cipher that told you how to read it. The cipher, in our case, is called our encryption key. If our hacker learns what our encryption key is, then he can easily decrypt our values, rewrite them, and then re-encrypt them.
That's where the problem lies...Unfortunately for us, we need our encryption key to be inside the map. Hackers can download the map off battle net (even if it's locked, there are ways around it), view your mapscript, and find your encryption key. We can't prevent this from happening, but we can try to make it as painful as possible for hackers by obfuscating our map data.
Obfuscating Your Map
Mapscript Obfuscation
Pros: Makes locating your encryption much more difficult
Cons: Prevents both yourself or others from opening your map (keep a backup!)
We've already dealt with bank security- that keeps our banks safe and difficult to edit. But all of that falls apart if the hacker can discover our encryption key. Like I said earlier, it's impossible to prevent that from happening, but we can make it as hard as possible to do. One way we can do this is to obfuscate our mapscript file. Obfuscation takes our mapscript file and rewrites the entire thing to make it unreadable, but still functional. For example, your variables would be named "iiIillIllI and illliiilliii" instead of "player_life and player_health", making them unreadable to humans. Zeedu has a mapscript obfuscator available here (Make sure you keep a backup of your maps before obfuscating it!). You can obfuscate your map using this tool, making it impossible to open in the editor and impossible to read.
Final Thoughts
On top of what's discussed here, feel free to think outside of the box- it can't hurt! What if you encrypt your bank more than once, using different pieces of data to do it? What if you include a 'checker' function inside your map that checks your banks to see if a player's stats are suspiciously high. What if you assign players a randomized ID number and use pieces of that number to encrypt their banks?
Hopefully this tutorial was useful for providing you with a better idea of how to secure your bank files. As I mentioned several times, there is no way to totally secure your bank files. The best you can do is encrypt them well, and then obfuscate your map data to help hide your encryption key. If you do this, the vast majority of potential hackers will likely be dissuaded. And as always, feel free to send me a PM if you have any comments, questions, or suggestions ;)
A futile effort since whole maps can be cracked like raw eggs... No matter how you rename stuff it all breaks down to the programming language used in the game. With the triggers used to create and interpret the banks at hand it is only 30 mins work to make a code generator.
Contribute to the wiki (Wiki button at top of page) Considered easy altering of the unit textures?
https://www.sc2mapster.com/forums/resources/tutorials/179654-data-actor-events-message-texture-select-by-id
https://media.forgecdn.net/attachments/187/40/Screenshot2011-04-17_09_16_21.jpg
It is futile but so is any encryption(encryption just gets rid of the undedicated hackers).
@XenoZergNid: Go
True.
Contribute to the wiki (Wiki button at top of page) Considered easy altering of the unit textures?
https://www.sc2mapster.com/forums/resources/tutorials/179654-data-actor-events-message-texture-select-by-id
https://media.forgecdn.net/attachments/187/40/Screenshot2011-04-17_09_16_21.jpg
It all comes down to Blizzard making bank files server side, everything else is pretty much useless.
This was requested since years and we did never really get an answer. Not only that it prevents hacking, it also makes a lot more conceptional sense to link banks to your account rather than your hard drive. This would make it possible to switch computers/format your HDD without losing any progress.
It'll never happen, as much as they love their players, they won't store data on their servers because if one of their employees accidentally wipe their hard drives, then they are liable for the lost data. The only data they'll risk it for is the official ladder.
Still alive and kicking, just busy.
My guide to the trigger editor (still a work in progress)
I find this whole situation funny because map makers want to protect their precious banks. I'm not trolling here, be honest do you think the mapping community has a problem with people cracking banks? I say not, I say less 2% would use the program to generate a signature. Thats a lot of effort alone, if you encrypt it how many people would go out of their way to crack the encryption? Probably less than .1%, if that.
Honestly the take away from this is that if your just tracking gameplay stats that has no impact on gameplay then use the blizzard signature. If you have gameplay impacting data in banks that you want to sacrely protect then I would go beyond with the options above. The take away from this is that there is a few slim chance people want to crack your bank, and even then its not worth going through the effort just to add some digits to your stats, if I detected someone modifying their banks than I would just ID ban them if I felt like it, which probablybwouodnt happen anyways.
I will definitely need this, thank you. :)
@Sware: Go
What you say is mostly true, this is useless if you`re only storing/recording game statistics. Nonetheless, for games which will heavily rely on banks for gameplay will be threaten by outside modifications; e.g. levels, unlocks, standings, etc. As OP said, more-or-less dedicated hack edits will happen so a detective ban system should still be used but at least the occurrence will be smaller.
Hacking can fuck up ELO like score tracking. One hacks its ELO or similar score to ridiculously high and it will spread through all players like a virus...