If your game uses client side saving, and you wish to secure player save file data, you can use encryption. However, this can be cracked and then worthless.
So, what else can you do?
Well, I started out thinking about why players would want to edit their save files; the simple answer was to change their stats, i.e. HP, gold etc. So I thought of a way to check for any changes that may have been made from when the files were saved by the server, to the point of reinitialising them.
The solution was relatively simple. You could create a variable, for argument's sake, a var called save. Here you could use a variety of calculations to set this var, before saving, to a particular value by adding, subtracting, multiplying, dividing, etc. all or some of the key vars used by the player, e.g. HP, gold, level, etc. and then save the value.
Upon loading the file, do the exact same calculation and check if the safe var is the same as this. If it is not, you know the file has been tampered with and you can deal with it accordingly.
The more complicated you make the calculation used for the safe var, the harder it will be to figure out how it is done. This won't be impossible, but far from easy, especially if you use this as a second level of protection in conjunction with encryption.
Hope this helps anyone; any problems, post here.
(Supaz)
ID:152621
Apr 17 2006, 2:24 pm
Apr 17 2006, 2:34 pm
As I said in game, this is a very good idea. I'm not sure this is the right forum for it though. Maybe design philosophy would better suit it. You should make a demo, or lib of it.
Supanova wrote:
If your game uses client side saving, and you wish to secure player save file data, you can use encryption. However, this can be cracked and then worthless.
Have you looked at the md5 hash function? You can hash the vars into a 'key' var, and save that with the vars. Then when it loads the vars, rehash it and check against the loaded hash. This would be almost impossible to crack unless you had a super computer, so it's not worthless at all.
In response to Dever
Dever wrote:
Supanova wrote:
md5 isn't encryption. It's a hashing function, and also a perfect candidate for the "variety of calculations" step Supanova mentioned. :) That's the sort of thing it's used for.
In response to Jon88
md5 isn't encryption. It's a hashing function, and also a perfect candidate for the "variety of calculations" step Supanova mentioned. :) That's the sort of thing it's used for.
Exactly. I use it all the time for client side saving. It works great. -- Though I do wonder what encryption thing he was using that people were supposedly cracking.
If you encrypt the savefiles with completely bogus characters in place of actual letters and numbers, you should be good, at least for a good amount of time, like a couple of months.
If you want it to last long, have it encrypt all of the symbols you can possibly hit on the keyboard and make nothing in the savefile readable. You can even encrypt the variable names. For example, F["HP"]<<src.hp would be something like F["#$%^%"]<<encrypt("[src.hp]"), making it completely unreadable for the most part. And saving lists would be easy. You could use list2params and encrypt the string.
In response to Dever
Dever wrote:
md5 isn't encryption. It's a hashing function, and also a perfect candidate for the "variety of calculations" step Supanova mentioned. :) That's the sort of thing it's used for.
It was a combination of RC5 and md5, it hasn't been cracked, but, it can be. So I was thinking of other simple ways to protect files.
(Supaz)
In response to Supanova
It was a combination of RC5 and md5, it hasn't been cracked, but, it can be. So I was thinking of other simple ways to protect files.
But if someone did crack it, or if they already have, that person might hide it away from the general public anyway.
*Edit, here's an idea for further encryption: Use pointer variables to save data, and pass it through an Encrypt() proc like so:
//this code is untested
Then decrypt it:
//call this when mob logs in
In response to Rockinawsome
That DM code is totally fubar. Not only are you not using findtext() and num2text() completely wrongly and writing textpos++ instead of textpos+1, but even if it did work it wouldn't put the replaced digits into the same order; 12 and 21 would both end up as "ab"!
There are numerous methods of obfuscating the contents of savefiles, and all of them are easily breakable for someone who wants to spend the time and the effort. That's not to say that they're completely worthless, but they are breakable and they're often rather complicated.
If you really want to keep your client-side savefiles safe, before you save it compute an md5() hash based on any important variables (like HP and so on) and a random text string, like this:
mob/var/hash=""
Don't use the same string as I've used above; choose your own, and keep it secret (or anyone will be able to recompute the hash and change it when they edit the savefile). When you save a savefile, set hash to the return value of hashme():
src.hash=src.hashme()
The hash variable needs to be saved to the file as well. Then, when you've loaded the savefile, check the value of src.hash:
if (src.hash != hashme())
If any of the variables used in hashme() has been changed, the hashes will not match and you know that someone's been savefile editing. (Either that or the savefile has been corrupted, but through some freak coincidence is still valid.)
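The check discussed in this thread (a value computed from the key variables before saving, stored with them, and recomputed on load), as an added example in Python that is not part of the thread or any poster's code. It uses HMAC-SHA256 where the post above uses md5() over the variables plus a secret string; `SECRET`, the field names, `seal`, `verify`, `arithmetic_check` and the sample data are assumptions made for illustration, and `hashme` only borrows the name used in the post.

```python
import hashlib
import hmac

# Assumption: the secret exists only in server-side code, never in the savefile.
SECRET = b"constructed-example-secret"
# Fields covered by the check; anything left out can be edited undetected.
PROTECTED = ("name", "hp", "gold", "level")


def canonical(save):
    """Length-prefix each key=value record so the contents of one value
    cannot shift the boundary between fields."""
    records = [f"{key}={save[key]}" for key in PROTECTED]
    return "".join(f"{len(r)}:{r}" for r in records).encode("utf-8")


def hashme(save):
    """Keyed hash of the protected fields (HMAC-SHA256 here, where the thread
    uses md5() of the variables plus a secret string)."""
    return hmac.new(SECRET, canonical(save), hashlib.sha256).hexdigest()


def seal(save):
    """Call just before saving: store the hash next to the data."""
    return {**save, "hash": hashme(save)}


def verify(loaded):
    """Call right after loading: recompute and compare in constant time."""
    stored = loaded.get("hash")
    try:
        expected = hashme(loaded)
    except KeyError:  # a protected field was removed from the file
        return False
    return isinstance(stored, str) and hmac.compare_digest(
        stored.encode("utf-8"), expected.encode("utf-8"))


def arithmetic_check(save):
    """A plain-arithmetic check value of the kind the first post describes,
    kept for comparison: different stats can produce the same number."""
    return save["hp"] + save["gold"] * save["level"]


# Constructed sample save data.
SAMPLE = {"name": "player1", "hp": 120, "gold": 40, "level": 3}
```

As the thread notes, this only holds while the secret stays out of the player's hands; a host who can read the server's memory can recompute the value.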
In response to Crispy
Oh well, I just did it off the top of my head. If I was actually doing it for real it'd work.
*Edit: Basically it would find 0, replace it with "a", then find "a" and replace it with zero. And since it's being added in the same order "bc" would not be the same as "cb". Therefore 12 would not equal 21, as it reads the first letter in the string, then moves it one space to the right, checks that letter and replaces it with the equivalent number.
In response to Rockinawsome
Oh, I see what you're trying to do now. Your use of findtext() threw me off (copytext() and the == operator would be more logical in this situation).
Also, I just noticed that the condition in your for() loop is backwards - it should be less-than, not greater-than. =) And you're comparing to the value of M.hp, rather than the length of the text form of M.hp. Anyway, I get what you were trying to do, and I didn't mean to turn this into a thread criticising your DM skills, so I'll stop posting now. =)
In response to Supanova
Supanova wrote:
Dever wrote:
They are more likely to crack your system before a good RC5 password. Check out this site to see how long it takes to brute force a good password: http://lastbit.com/psw.asp. Here is a good read about how long it takes to crack rc5 as well: http://www.distributed.net/rc5/
In response to Crispy
Crispy wrote:
mob/var/hash=""
Crispy, would you mind if I used that method in my game? One of my most trusted MGMs is tampering with his savefile to get certain verbs that are only accessible to other people, and I would much rather encrypt the savefile than remove his MGM or something like that...
In response to KirbyRules
If he is tampering with his savefile, it might be better to remove him from his GM position. But, you could always find a different way of giving someone verbs rather than saving them.
But, of course you can use it. If people didn't want you using their systems and coding, they wouldn't have posted it in the forum. I'm sure it wouldn't bother him.
In response to KirbyRules
As CaptFalcon said, if your GMs are cheating why are they still GMs? =P
But yes, of course you can use that code; in fact, please do. I posted it so that people would use it.
In response to Crispy
I don't know how he does it but he gets verbs that aren't even saved in the savefile. He's not using one of those hackers you can download just by searching "savefile" on the top-right corner.
In response to KirbyRules
Are you saving a variable in people's savefiles that indicates what level of GM they are? If so, he's probably editing that. (And that's a terrible way of saving GMs, by the way, for exactly this reason. =) A better way is to use a server-side savefile that contains a list of GMs.)
If he's the host he might be using a memory editor.
In response to Crispy
He is the host... And I use server-side saving with a list of Admins and MGMs.
In response to KirbyRules
KirbyRules wrote:
He is the host...
Ah. Well in that case all bets are off. =) Using md5() as described should prevent casual editing, though.
In response to Supanova
It was a combination of RC5 and md5, it hasn't been cracked, but, it can be. So I was thinking of other simple ways to protect files.
Yeah, that's like saying "USA Missile Launch" hasn't been cracked, but it can be. No one is going to take that much time to de-hash something (well, they CAN'T.)