Not sure if right section… I’m working on networking in blueprints
So this question is prompted by the game “reign of Kings”, which is plagued by hackers.
How can hacking be prevented in a multiplayer game?
For example, speed hacking. A hacker can modify the speed of the character. I’m trying to think of a way to setup the networking in order to prevent this, but I can’t.
Would you have a max speed that the server knows about… and have the client send his current speed to compare?
The networking tutorials by Epic do mention having the server handle certain things that are very important. For example, if you have a landmine, and a player walks over it, you make sure the server sets off the landmine, and applies the damage. However, what is to stop a hacker from sending the explode + damage request to the server in any area he wants? (it may sound silly, I don’t know much about hacking)
Any reading material about this would be appreciated, as I can’t find much.
If someone says that with 100% confidence then their credibility just went to 0% because sadly you will be fighting a losing battle. Basically you can prevent all the script kiddies from being able to do it but you won’t stop any of the professional hackers. You can make it take them months or more but eventually no matter how intuitive your security is it will eventually get cracked. Look at all the AAA studios having all their games being modded, cracked etc. They have the money and manpower to prevent that and there are those that do try but they still only delay the inevitable as that is all you can really do. The only way to prevent it is to keep it to yourself and never release your game as the moment you release your game you allow them to use their tools to hack your game. First they usually just reverse engineer it and make it free, for multiplayer it is more work for them as they would need servers for it but the process is pretty much the same.
Just my two-cents, not claiming to know it all but from my general knowledge/experience that is what I have found to be true. I wish you luck!
Well now, there’s a difference between cracking and cheating.
I will agree that there’s basically nothing you can do to stop people from tooling around in the guts of your game; you don’t control the software on their machine.
But you DO, theoretically, control the software on YOUR servers, and owing to that, anti-cheat is a much more realistic proposition. This is the reason many single-player games use online authentication check-ins these days; the only way to beat it is to spoof the existence of the server to pretend you’ve gotten authentication, and spoofing the existence of the server doesn’t do much for multiplayer since you need to be able to talk to the ACTUAL server to, you know, play.
Now, you can use server-based authentication checks to look for modified game files pretty successfully. Players who can move at triple speed or never run out of health or ammo because they changed the game’s code, they can be caught.
What’s TRICKIER is players who use mods to grab data from the game at runtime, then feed it to external software which in turn supplies input commands to the game itself. Since no disallowed code is being executed by the game, the server doesn’t know that the player is grabbing the locations of other players and using it to feed an auto-aim-bot. That’s the really tricky cheating to beat, because it’s not YOUR software that’s being used, it’s third-party stuff that doesn’t even talk to the server… Meaning technically the player isn’t CHEATING, in that he’s not doing anything outside the scope of what the software allows by default, he’s just using tool assistance to perform those allowed actions with an unfair degree of accuracy.
Cheating is basically just catching the packages that the server sends to the client and sending modified packets back to the server. Cracking is basically the same as reverse engineering the executable to get all the needed information and modifying to remove the check or simple NOP it out. There are huge differences in all I was just explaining that it is fighting a losing battle because hacking happens to huge companies that have paid tons of money for secure servers and have people working on the clock to keep it that way and still get hacked.
There are many ways but for server the main thing I have seen is catching the packages and sending modified ones or doing those gold farming teleporting all over the place. Yes you can code an algorithm that would be constantly looking in the background for people moving outside the boundaries set by the server and instant banning them or locking their account but all the top MMO’s are still having this issue and it will never really be fixed. Like you said the ones that code programs that catches and modifies the packages and sends back to the servers are the tricky ones. There are ways to deal with it as first they have to reverse engineer your game to get all relevant addresses and information and then they can code such tools and all they would need to do is keep updating their tool or allow their users to just update the address or add their own scripts.
This is where things get tricky as once they have reverse engineered your game executable and figured out how it works they can search for the functions over and over again every time you update and find what they need to update their softwares. I agree with what you said 100% though as it is true but there is a core difference between hacking, cracking and reverse engineering. Those tools you talked about only come about when they reverse engineer the games executables and or .dll libraries. I just mentioned cracking because it is generally the same as reverse engineering and what a lot of people do is make their own servers so they can easily cheat at the game or to revive old dead games.
But yeah for games that do support modding they have left themselves vulnerable right there and shouldn’t be made multiplayer if you are wanting security.
Anyways I wish the OP luck and hope he is able to keep his game secure enough that it won’t be reverse engineered the very day it is released.
Maybe using ‘replication priority’ in UE4 will help a bit?
Only other players within a certain proximity are given data to you, the problem is with a shooter or something that has a long visual view distance of other players, you can get the locations of them.
Aimbots are really tricky I bet it wont be long before Unreal tournament ue4 version is filled with them once it gets more popular…
Best way to combat that is using spectating features by human catching/reports and a “fair fight” stat system like warZ/apb implemented
Fairfight is interesting (I can think of ways to even enhance it) Basically if your crosshair is too accurate and lines up with enemies too quickly or nonhumanly it keeps track of that, along with your shooting accuracy % and even your proximity of how often/fast you run directly to enemies.
The hacking coders on many different sites are talented guys, some of them make a good living at it, and like it was already said if big studios with almost unlimited budget cant prevent 3rd party tools then what chance do we have? Well stat tracking is certainly not enough…
So for the ultimate control, which is what I think the best method is, I personally would do a revolutionary reporting system so if a player is flagged as cheating like 3 times in a short time it will send a notification to either an Admin/GM or a selected respected group of ‘anti hacking players’ that are rewarded for spectating and catching them almost immediately as long as they dont abuse it.
Also now that UE4 has a replay feature maybe it can be used to replay your death, like in some shooters i think cod had it, it would jump back in time a bit and let you spectate through your enemy killing you,
then you will easily be able to screengrab / report it
Hardest ones to catch are the ‘closet hackers’ the ones who have evolved to hide their esp/aimbot with smooth aim and pretending not to know where you are so you can almost not even tell that they are hacking. They do slip up sometimes though, ‘catching hackers’ could be a game in itself within the game. My friend used to be an admin for a popular DayZ mod server and not only did spectating allow him to catch so many hackers it was actually fun, like watching a movie
Yes but it’s also a question of your game’s relevance.
Just because we can say “a crack of your game IS possible” (and it is, that is a statement of fact. As far as I’m concerned it’s a fool’s dream to believe your game to be even theoretically uncrackable) that doesn’t mean that it is necessarily easy. There are steps you can take to make it more difficult, and subsequently make it less likely that any given person will succeed.
Now, the deterrent effect isn’t much in the world of software because once SOMEONE overcomes your deterrent, all they have to do is slap it up on a site somewhere and everyone has access. But it’s also worth bearing in mind that the multi-million dollar games with “uncrackable” new anti-tamper packages being touted in all the magazines are like a dare to the cracking community. Those companies are basically begging the best and brightest to give it their best shot.
A moderate and sensible degree of anti-cheat won’t stop the powerhouses who are writing custom cheat bots for 4-figure sums to people who have a pathological need to have the best killstreak in Battlefield 4… but you also have to ask yourself whether those people will really be interested in YOUR game. My house doesn’t have the same degree of security as a bank vault but that doesn’t mean I just go leaving my front door wide open, you know. I’m sure my front door’s lock wouldn’t stop some Italian-Job-esque heist attempt but it helps deter amateur opportunists. I think taking the same approach to anti-cheat is sane and sensible; you won’t stop the select few who can crack freaking anything, but as long as those people aren’t feeling motivated to crack your game you can definitely stop the few people (from the much larger pool of amateurs) playing your game who might know a little bit and want to cheat but aren’t good enough to overcome moderately competent security measures.
Hack provider ‘companies’ hook right into DirectX API, they don’t even have to reverse your game code to make bots. If your game is a generic FPS, a simple tweek to their ‘engine’ and your game is hacked in minutes.
Reasons why I have no interest working on indie multiplayer.
If the NSA can’t prevent basement hackers from breaking into their systems, what makes you think you can prevent your game from getting hacked?
The only way to make your game 100% unhackable is not to create it in the first place!
So then, the question should be how to minimize it. However, keep in mind the fine balance between security and functionality.
There is a saying that in order to know how to make something secure, you need to know how to break security… so with that in mind, look at how games are hacked, then come up with a plan to minimize it.
One good prevention is to make your game not Free-to-play and require authentication, then you can ban the player and block his credit card from registering again. By updating your code frequently the hacker will have to buy the game with a different cc again and again.
I think the most vulnerable point in games are values, stored in variables. If you prevent the values from appearing directly in the variables and calculations, hackers can’t see the values they are looking for, then they don’t have a spot to inject values from the clientside. Improving complexity might in this case help you to cast a shadow above your important values, but you won’t be able to make it 100% safe, even if you change your methods according to values that are only known to the server. But you can give hackers a hard time, they might be motivated to find profit another way more quickly and keep away from your game
Ofc you have to combine various methods that have been mentioned in this thread so far, to guarantee the highest possible security.
Same , working as an indie (or hobbyist or whatever) on a multiplayer game will most likely lead you to you falling on your face. Many indie multiplayer games suffer from this, since there is no way of preventing cheats. In a generic FPS you could check the players reaction time and look out for suspicious actions (inhumane reaction time or following another player through the wall for an extended period of time for example), but this will also lead to a bunch of false-positives. I think the FairFight AC did that and got flamed for being too strict.
You can prevent certain types of hacking like unlimited ammo or god mode by making the server calculate everything, so basically leaving the client with the rendering and input only. But that won’t stop ESPs, Aimbots, Triggers or alike.
Basically there is no way to prevent hacking 100% and as an indie you will have to be lucky to get the most obvious sorted out.