Cheat Engine The Official Site of Cheat Engine
gage808 How do I cheat?
Reputation: 0
Joined: 15 Jul 2012 Posts: 2
Posted: Sun Jul 15, 2012 2:28 pm Post subject: C#/XNA Cheat Engine/HackTool Detection
Hey guys,
I'm currently developing an MMO and we're just about to launch into Alpha. For the time being, the client is authoritative and as such, position hacking and speedhacking are a problem. I took a few hours to work on some basic encryption, but I haven't found any ways to prevent memory from being modified or detecting when memory doesn't match up (freeze value).
If you guys could link me some resources about detecting CE drivers, or any basic encryption that would deter the n00b hacker, that'd be great. It's really annoying that I can hook CE and hit speed hack and have it work, I want to figure out a way to detect it clientside. Need be I can do a packet interval check on the server and boot players that are hacking. What do you guys think?
Thank you for your time!
-Gage808
EDIT: I wrote a dumb little loop that runs in another thread that checks all of the process names and window titles. If it contains Cheat or Pack, it sends a Process.Kill() command. Super dumb and simple, but it kills cheat engine. You guys got any other dumb little tricks I can implement to annoy my Alpha testers?
Csimbi I post too much
Reputation: 97
Joined: 14 Jul 2007 Posts: 3326
Posted: Sun Jul 15, 2012 3:19 pm
If you need to worry about client-side hacks, CE is the least of your worries because obviously your design sucks.
CE is only a tool - any other tool (even a new or a specially tailored version of CE) can be used to exploit the flaw(s) the same way. You'll end up chasing ghosts.
My reply does not help, I know. But at least it gives you a hint to start from scratch because your design is obviously broken (i.e. a client shall never be authoritative/trusted in any way).
During the alpha stage I would not worry about any exploits however. Alphas are meant to be broken, to "test the waters".
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25813 Location: The netherlands
Posted: Sun Jul 15, 2012 3:57 pm
Quote: "EDIT: I wrote a dumb little loop that runs in another thread that checks all of the process names and window titles. If it contains Cheat or Pack, it sends a Process.Kill() command. Super dumb and simple, but it kills cheat engine"
That would also kill your browser when it pops up an advertisement for cheating housewives and related. And is a great way to troll people on your game's support forum by setting specific titles. And pack? Package handler, packaging services, packed file manager, ...
Anyhow, the speedhack is easily detected. Let the client tell you its current tickcount every few seconds, and if the difference between their time and the expected one gets too big, it's a speedhack.
As for memory edits having an effect on the game, you should be ashamed. Never design a game where you believe anything the client tells you. Sure, you can try to block it, add runtime integrity checks, but they are all easily bypassed if you got the know-how. I can even edit my own system's RAM without the need of any software, and make reads return something else than when it's executed (against noob cheaters it might work, but don't do more than necessary, as an advanced anti-cheat will attract hackers that do it for the sport of it).
The only possible thing that kinda works is require people to give you their identity and you first confirm that before giving them access to the game. Then each time someone wants to play you send a team of goons to their place who enter a keycode specific for that session and then stand and watch the player as he plays the game. If they see he cheats they then beat the crap out of him.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
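The tick-count comparison suggested in the post above, sketched as an added C# example that is not part of the original thread or of any poster's code. `TickDriftMonitor`, its thresholds and the heartbeat values in `Main` are assumptions constructed for illustration; the caller passes in the server's own clock reading with each report.

```csharp
using System;

// Added illustration: TickDriftMonitor and its members are hypothetical names.
public sealed class TickDriftMonitor
{
    private readonly double _maxRatio;   // tolerated client/server elapsed-time ratio
    private readonly long _minWindowMs;  // skip windows too short to judge (network jitter)
    private readonly int _strikesToFlag; // consecutive bad windows before flagging
    private long _baseServerMs;
    private uint _baseClientTick;
    private bool _hasBase;
    private int _strikes;

    public TickDriftMonitor(double maxRatio = 1.15, long minWindowMs = 2000, int strikesToFlag = 3)
    {
        _maxRatio = maxRatio; _minWindowMs = minWindowMs; _strikesToFlag = strikesToFlag;
    }

    public bool Flagged { get { return _strikes >= _strikesToFlag; } }

    // serverNowMs must come from the server's own monotonic clock (e.g. a Stopwatch),
    // never from the packet. clientTick is the tick count the client reported.
    public bool Report(uint clientTick, long serverNowMs)
    {
        if (!_hasBase)
        {
            _baseClientTick = clientTick; _baseServerMs = serverNowMs; _hasBase = true;
            return false;
        }
        long serverElapsed = serverNowMs - _baseServerMs;
        if (serverElapsed < _minWindowMs) return Flagged;

        // Unsigned subtraction survives the 32-bit tick counter wrapping around.
        uint clientElapsed = unchecked(clientTick - _baseClientTick);
        double ratio = (double)clientElapsed / serverElapsed;
        bool suspicious = ratio > _maxRatio || ratio < 1.0 / _maxRatio;
        _strikes = suspicious ? _strikes + 1 : 0; // one clean window clears the count

        _baseClientTick = clientTick; _baseServerMs = serverNowMs; // slide the window
        return Flagged;
    }

    public static void Main()
    {
        var m = new TickDriftMonitor();
        // Constructed heartbeats: server time advances 5 s per report, client clock runs 2x.
        for (int i = 0; i <= 3; i++)
            Console.WriteLine(m.Report((uint)(i * 10000), i * 5000L));
    }
}
```

Requiring several consecutive bad windows keeps a single delayed heartbeat from flagging a player, which fits the passive "flag for later" approach discussed in the thread.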
gage808 How do I cheat?
Reputation: 0
Joined: 15 Jul 2012 Posts: 2
Posted: Sun Jul 15, 2012 4:29 pm
We've got the infrastructure set up already for serverside movement and world simulation. I completely understand that trusting the client is silly. For now though, our goal is to get content pushed and figure out exactly what will be in the game before we start designing a serverside world that bogs down our machines. I'm not concerned in Alpha about players hacking for the most part, but in testing it's going to be a pain to see people speedhacking when we're trying to balance weapons.
I'll tweak the world filter to only search for Cheat Engine specifically. Just tested opening a cheat engine page (this one) and opening notepad (Cheat Engine.txt), but it's not closing it. I'm going to set it so that it just reports to the server that they're hacking and I should be able to just flag them for later. Passive systems work better, I think.
I'll check out that tick count thing. That sounds much more reliable and just overall better than this method, which I realize is very basic. There's a pretty big lack of C# client-side checks for CE or other tools on the net.
Again, I stress that this is in no way the final design. Once we have better servers we'll be designing everything to fully function on the server. We're still in startup phase so renting a server that's a quad core to handle the players is not in our budget. Give me 6 months and I'll have it implemented. There's only 3 devs on the team and we're all college students.
Thanks for the feedback guys, I appreciate it.
Slugsnack Grandmaster Cheater Supreme
Reputation: 71
Joined: 24 Jan 2007 Posts: 1857
Posted: Mon Jul 16, 2012 4:34 am
Having an authoritative client is a fundamental design flaw. You can essentially never trust what comes from the client. Continuing down this path in the expectation you will come back and 'fix' this later is at best a huge waste of your time. Similarly, attempting encryption and the like without proper server-side checks is simply security through obscurity. The correct way to do it is to properly sanitize all inputs from the client. For example, if you are expecting a client to not be able to perform a certain action more than once per X amount of time, make this check on the server! This is the only 'proper' way to prevent your game from being hacked. You should be moving as much of these sorts of checks to the server side as you can afford (bandwidth and server processing-wise).
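The "once per X amount of time" check from the post above, enforced on the server, as an added C# example that is not part of the original thread. `ActionGate`, the action names and the 500 ms cooldown are hypothetical, and the request times in `Main` are constructed; arrival time is taken from the server's clock only.

```csharp
using System;
using System.Collections.Generic;

// Added illustration: ActionGate, the action names and cooldown values are hypothetical.
public sealed class ActionGate
{
    private readonly Dictionary<string, long> _cooldownMs;
    private readonly Dictionary<string, long> _lastAccepted = new Dictionary<string, long>();
    private readonly Dictionary<string, int> _violations = new Dictionary<string, int>();

    public ActionGate(Dictionary<string, long> cooldownMs) { _cooldownMs = cooldownMs; }

    // Accepts the action only if the server's own clock says the cooldown has elapsed.
    // Any timestamp carried in the client's packet is deliberately not a parameter.
    public bool TryAccept(string playerId, string action, long serverNowMs)
    {
        long cooldown;
        if (!_cooldownMs.TryGetValue(action, out cooldown))
            return false; // unknown action: reject rather than default to "allowed"

        string key = playerId + "\n" + action;
        long last;
        if (_lastAccepted.TryGetValue(key, out last) && serverNowMs - last < cooldown)
        {
            int n;
            _violations.TryGetValue(playerId, out n);
            _violations[playerId] = n + 1; // count rejections so the account can be reviewed
            return false;                  // a rejected request does not restart the cooldown
        }
        _lastAccepted[key] = serverNowMs;
        return true;
    }

    public int Violations(string playerId)
    {
        int n;
        _violations.TryGetValue(playerId, out n);
        return n;
    }

    public static void Main()
    {
        var gate = new ActionGate(new Dictionary<string, long> { { "fire_rifle", 500 } });
        // Constructed requests, timed by server arrival in milliseconds.
        Console.WriteLine(gate.TryAccept("p1", "fire_rifle", 0));   // first shot
        Console.WriteLine(gate.TryAccept("p1", "fire_rifle", 100)); // inside the cooldown
        Console.WriteLine(gate.TryAccept("p1", "fire_rifle", 600)); // cooldown elapsed
        Console.WriteLine(gate.TryAccept("p1", "teleport", 700));   // not a known action
        Console.WriteLine("violations: " + gate.Violations("p1"));
    }
}
```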
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1