BenT9 How do I cheat?
Reputation: 0
Joined: 03 Feb 2015 Posts: 2 Location: Germany
Posted: Tue Feb 03, 2015 8:11 pm Post subject: Testing cheat protection for own unity game
Hey there,
I'm currently working on a game which is already in pre-alpha. Because everything is client-side it's not really safe. I'm working on two solutions for that.
I had an idea today and created a test scene in Unity. I sent it to two friends who tried to change the values via Cheat Engine. But both of them failed.
I hope this is the right subtopic for such stuff. It would be nice if one of you could test the level, try to change values via Cheat Engine and post the cheat table.
But keep this in mind: if the game crashed without an error, your account would be banned in the real game.
The test scene includes nickname, level, exp, hp and mp as values. It's completely isolated and has nothing to do with the game client.
Size:
20.1 MB
Download:
file-upload.net/download-10250365/CheatTestLevel.zip.html
regards BenT9
Dark Byte Site Admin
Reputation: 470
Joined: 09 May 2003 Posts: 25788 Location: The netherlands
Posted: Tue Feb 03, 2015 9:16 pm
If your health is 118, this group scan will find it:
4:118 f:118.0000
Change them both at the same time (experience is an f:value f:value).
The username is more difficult. But just nop out protectedstring.tostring+22 (the jne that checks if the hash matches the hash of the current string) and you can easily edit it.
Seriously dude,
Quote:
everything is client-side

I really really really recommend rethinking this if you plan on putting such a game online. It will block the inexperienced users, but eventually someone who has more experience and the means (multiple VPNs with multiple game accounts) and intent to cheat on it will be able to figure everything out, and may even take the time to write a script for it and share it with other people.
And if this is a single player only game, then don't bother. It will only piss off game modders and users and give you a really bad rep.
If it's about the final score that people might submit to a server, then instead of banning them, keep a secondary database table of scores only visible for those that are marked as cheater.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8585 Location: 127.0.0.1
Posted: Wed Feb 04, 2015 3:29 am
Unity as a whole is very insecure, so do not plan on having any sensitive data handled by the client if you plan on making this a multiplayer game. For one, all of your data / code is put into Assembly-CSharp.dll and is by default 100% unprotected.
For example, with this demo you posted, your code has:
- ProtectedFloat
- ProtectedInt
- ProtectedManager
- ProtectedString
as your custom protection objects. Because it is .NET, the code is entirely viewable, such as:
Code:
// LoadProperties
public static void loadProperties()
{
    LoadProperties.properties.setNickname(new ProtectedString("TestUser"));
    LoadProperties.properties.setLevel(new ProtectedInt(1));
    LoadProperties.properties.setExp(new ProtectedFloat(100f));
    LoadProperties.properties.setHP(new ProtectedInt(100));
    LoadProperties.properties.setMP(new ProtectedInt(20));
}
All of this can be easily modified via an IL editor, or a rewriter such as Mono.Cecil.
_________________
- Retired.
BenT9 How do I cheat?
Reputation: 0
Joined: 03 Feb 2015 Posts: 2 Location: Germany
Posted: Wed Feb 04, 2015 6:55 am
Hey,
thanks for your quick replies. Then I have to find a way to check this at the backend. Because everyone can host their own game, I also can't trust the server.
I could just say that every match is hosted on my server; then I could do everything on the server. But that wouldn't be scalable for many hosted games.
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8585 Location: 127.0.0.1
Posted: Wed Feb 04, 2015 7:44 am
If you want people to host a server themselves, it's best to enforce the server's copy of the values rather than let the clients decide what's what. Although you will still have the issue of the host of the server being able to manipulate the data, it does take the widespread hacking on the server from many to one, though.
_________________
- Retired.
zm0d Master Cheater
Reputation: 7
Joined: 06 Nov 2013 Posts: 423
Posted: Wed Feb 04, 2015 9:10 am
Doing some double checks might increase the security, too.
So, let's say Player X and Player Y play a strategy game against each other. Both of the players start with 10000 gold. Player X is going to build something for 1000 gold and has 9000 left. When Player X raised the building event, he transmitted an event ID to Player Y, who also calculates Player X's new gold value. So 10000-1000 = 9000. Now you WON'T compare those values. Player Y checks for the validity of Player X's gold amount (e.g. equal to or greater than 0). If so, everything is fine; if not, you know that Player X is cheating and you can take care of this. The thing is, you never transmit the actual gold value of any player. You work with IDs. If you encrypt the data transmission, it's even safer against sniffing attacks. It's overall really safe to do so and there won't be a host being able to cheat.
Vulnerability:
Faking event ID: If you fake the transmitted event ID (e.g. always send the event ID for the lowest cost building) you could hack and probably never come below 0.
To avoid this, randomly send parts of the event table from Player X to Player Y and compare if the event IDs match with the sent event IDs... Again here, the bad boy could fake those event tables on transmission, but it's getting more and more complicated.
Cat and mouse at its finest.
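
The receiver-side check that atom0s's advice and zm0d's event-ID scheme both rely on, as an added example that is not part of the thread or of BenT9's game: the server (or the opposing peer) keeps its own gold value and its own cost table, and the message carries only a player, a sequence number and an event ID. `GoldLedger`, `Verdict`, the event IDs and the prices are hypothetical, and the sequence-number check is an addition the thread does not mention.

```csharp
using System;
using System.Collections.Generic;

public enum Verdict { Accepted, UnknownPlayer, OutOfOrder, UnknownEvent, InsufficientGold }

// Hypothetical receiver-side ledger: runs on the server, or on the opposing
// peer in the event-ID scheme. It never reads a gold value off the wire.
public sealed class GoldLedger
{
    // Cost table owned by the receiver; event IDs and prices are constructed.
    private static readonly Dictionary<int, int> Cost =
        new Dictionary<int, int> { { 1, 1000 }, { 2, 4000 } };

    private readonly Dictionary<string, int> gold = new Dictionary<string, int>();
    private readonly Dictionary<string, uint> nextSeq = new Dictionary<string, uint>();

    public void Join(string player, int startGold) { gold[player] = startGold; nextSeq[player] = 0; }

    public int GoldOf(string player) => gold[player];

    // The message is only (player, seq, eventId); the price comes from our table.
    public Verdict Apply(string player, uint seq, int eventId)
    {
        if (!nextSeq.TryGetValue(player, out uint expected)) return Verdict.UnknownPlayer;
        if (seq != expected) return Verdict.OutOfOrder;              // replayed or skipped message
        if (!Cost.TryGetValue(eventId, out int cost)) return Verdict.UnknownEvent;
        if (gold[player] < cost) return Verdict.InsufficientGold;    // would drop below 0
        gold[player] -= cost;                                        // state changes only here
        nextSeq[player] = seq + 1;
        return Verdict.Accepted;
    }
}

public static class Demo
{
    public static void Main()
    {
        var ledger = new GoldLedger();
        ledger.Join("X", 10000);                       // starting gold from the example above
        Console.WriteLine(ledger.Apply("X", 0, 1));    // valid build event
        Console.WriteLine(ledger.Apply("X", 0, 1));    // same sequence number sent again
        Console.WriteLine(ledger.Apply("X", 1, 99));   // event ID not in the receiver's table
        Console.WriteLine(ledger.Apply("X", 1, 2));    // valid
        Console.WriteLine(ledger.Apply("X", 2, 2));    // valid
        Console.WriteLine(ledger.Apply("X", 3, 2));    // receiver's balance cannot cover it
        Console.WriteLine(ledger.Apply("Z", 0, 1));    // player that never joined
        Console.WriteLine(ledger.GoldOf("X"));         // receiver's authoritative balance
    }
}
```

Because the receiver applies the event it was sent to its own state, a substituted cheaper event ID leaves the sender with only the cheaper building in that state.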