
Anti Cheating in Desktop Multiplayer Games

Started by
2 comments, last by hplus0603 4 years, 9 months ago

Suppose we developed a desktop game that saves players' high scores on the server. How can we prevent (or at least protect to some degree) the player from cheating by using software such as Cheat Engine to alter the result and then send a higher record to the server?

I know about Dotfuscator. But I don't think that would be enough.


Any data from a computer you don't have control over you should regard as compromised. Have the game simulation and scoring run on a server you control; that's the only way to prevent it.

If the gameplay is only run on the client, then there is no way to prevent this. A user can construct an HTTP request that looks just like what your game would construct (same headers and payload) and post it to your server, and put whatever data they want into that. If you add some kind of cryptographic signature (which might be a good idea in general), then the user CAN still extract the key from your client, and sign their own payload. Dotfuscator doesn't help with this at all. Any network level sniffer (including sniffing HTTPS) won't even attach to the game process, so not even anti-cheat-engines that "protect the process" will work. You can easily man-in-the-middle an HTTPS connection if the client is under your control, which the desktop running the game client is. Add your own root HTTPS certificate, and the certificate issued by the MitM will be trusted.

There are a few things you can do, though.

First, have the player upload a replay of the full game. Re-run that replay, and compare the score that you get from that replay, to the score posted in the request. Perhaps only do this for some fraction of all games played (1/100?) and for scores that claim to be in the top 5% of all scores, or something like that.

Second, have your client check in with the server when it is started, and occasionally during play. When a score is posted, look back to see how long the game was going on for that player/game session, and reject the score if the game wasn't being played for long enough.

Third, you can go cryptographic on the cheaters, using wrapped variables that store the score, and various game state, using XOR with some random number, determined during start-up, and installing the client-side certificate for your server with the client, and ONLY trust that certificate over HTTPS. Have the server issue a unique cryptographic key to use to hash the score, when the game starts, to make simple scripts harder.

Fourth, when you think a score is suspect, you shouldn't immediately reject it. Accept it like any other score, but make a note of it on the back-end. Then process it separately, after the fact (hours or days later) to remove it. Or you might accept it, and show it back to the player who played, but hide it from anyone else looking. Your SQL query for "top scoring games" would then look something like "select * from gamescores where game_cheating = false or game_player = $current_player order by game_score desc limit 20" -- every player sees their own game scores even if they are hidden from everyone else by being tagged as cheats.

 

enum Bool { True, False, FileNotFound };
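
The session check-in, per-session key and hidden-flag suggestions from the reply above, sketched server-side as an added example (not code from the thread). `ScoreServer`, `sign_score`, both thresholds and the in-memory SQLite table are assumptions; the leaderboard query follows the one quoted in the post, with the player bound as a parameter instead of interpolated.

```python
import hashlib
import hmac
import secrets
import sqlite3

MIN_PLAY_SECONDS = 60        # assumed threshold, tune per game
MAX_POINTS_PER_SECOND = 50   # assumed threshold, tune per game


def sign_score(key, session_id, score):
    """HMAC the client computes with the key the server issued for this session."""
    return hmac.new(key, f"{session_id}:{score}".encode(), hashlib.sha256).hexdigest()


class ScoreServer:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE gamescores "
                        "(game_player TEXT, game_score INTEGER, game_cheating INTEGER)")
        self.sessions = {}  # session_id -> [player, key, started, last_seen]

    def start_session(self, player, now):
        session_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.sessions[session_id] = [player, key, now, now]
        return session_id, key

    def check_in(self, session_id, now):
        self.sessions[session_id][3] = now

    def submit(self, session_id, score, mac):
        """Store the score; return True if it was tagged as suspect."""
        # pop(): one score per session, so a captured request cannot be replayed
        player, key, started, last_seen = self.sessions.pop(session_id)
        played = last_seen - started  # only time covered by check-ins counts
        suspect = (
            not hmac.compare_digest(mac, sign_score(key, session_id, score))
            or played < MIN_PLAY_SECONDS
            or score > played * MAX_POINTS_PER_SECOND
        )
        # Accept it either way; the flag only hides it from other players.
        self.db.execute("INSERT INTO gamescores VALUES (?, ?, ?)",
                        (player, score, int(suspect)))
        return suspect

    def leaderboard(self, current_player):
        return self.db.execute(
            "SELECT game_player, game_score FROM gamescores "
            "WHERE game_cheating = 0 OR game_player = ? "
            "ORDER BY game_score DESC LIMIT 20", (current_player,)).fetchall()
```
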
