Craig Mattson (Personal Website)
Home - Blog, News, About MePrograms - C#.Net, Java, VB6MusicWebsites

My Blog

7 Great Disasters (24/01/2009 04:03:31 PM)
House Fires
Steam Train Crashes

[0 Comment(s)]

High Scores and Hacking (04/01/2009 05:49:06 PM)

Ever wanted to create a High Score system, but couldn't think of a way to prevent (or at least, deter) hackers from submitting fake scores? It's something I'm facing at the moment, and I have developed a few theories with Advantages and Disadvantages below. Hopefully it may be helpful to you!

PHP Script using Challenge (Public/Private Validation)

1. Client requests challenge from Server (i.e. random value between 0 and 100, lets say 3 in this example)
2. Client processes using own algorithm (i.e. 3 / 22)
3. Client responds with result (i.e. send 3 / 22)
4. Server validates the result (i.e. checks to see if a request was made by an IP, then checks itself using the same algorithm - 3 / 22 == 3 / 22)
5. Server waits for score (encrypted of course)
6. Client submits the score (i.e. 500)
7. Server checks the score is within reason (i.e. below 1000) and stores it

The problem with this method is that it relies on a server that accepts any input. What is stopping me reverse engineering a client and obtaining the algorithm? All I have to do then is query the server for that value, calculate it myself, then send it a random score.

A replacement for an algorithm based problem could be an image validation problem. If I make my own image format up (which could be cracked), I could display it in the program and request manual input. May not be ideal on mobile phones or PDA's, but a PC based game could utilise it. Be creative! Algorithms don't specifically mean an equasion.

Direct connection to the database in a client

1. Client requests password from server (encrypted of course)
2. Client connects to server
3. Client runs SQL Code

Secure right? Wrong... If it's decrypted in memory, it can be seen. You could obfuscate it by declaring lots of variables, but at the end of the day, some function has to restructure it. Also, what is stopping a protocol analyzer detecting the password when it is sent to the server?

Capture User Input and Validate

1. Game Starts with an Array for moves declared
2. On each game update, add to the array a move type
3. Compress and weed out unimportant data (a couple of kilobytes per update at 60 frames per second can be in excess of 1MB per 10 seconds!!!)
4. Send to Server the Array with Score
5. Server validates all input
6. Server stores the results

This is probably one of the most secure ways but at an expensive bandwidth cost. You can reduce the updates to just each keypress at a given timestamp (pending your game is programmed not to skip frames), but as soon as you remove data - there's room for doubt which must be factored in. It would still be pretty hard to predict most of the game output. In something like Tetris however, you could seed the time and pass that to the server. This almost makes for a foolproof way, as a PHP script could detect an applications output.

Maintain a persistent connection

Basically it just involves one of the following methods:

  • getUrl() in Flash (or whatever is the equivalent now)
  • WebClient in .NET Framework
  • Url in Java
  • wget in Unix/Linux
  • javascript in HTML

The URL to request would be a heartbeat monitor which naturally would have a threshold as to what is an appropriate delay in respect to the internet. For instance, a gap of 2-3 seconds may be appropriate, or if you're really smart, use a Ping request to get the maximum delay and multiply by 2. This doesn't exactly solve a memory hack problem unless used in conjunction with the above.

- - - - -

So with that all out of the way, it's clearly evident that the best security is a big problem in regards to usability. This isn't practical, in particular in a game that has more than just a player update. What if we look at a phychological approach?

- - - - -

If any of you know me when it comes to security, you know I love honeypots (a mechanism to isolate "caught hackers" in a play pen to simulate a real target). For a honeypot to work properly (and not catch legitimate traffic), what needs to be done? We need to check the process.

Lets assume a .NET game at this stage. We use a php script to collect a score at We use the first method described as normal (i.e. numbers / compute the challenge etc...). Unless the server (or client) is dodgey, this challenge should always register true. You know something is wrong if many logs start appearing from all sorts of IP addresses. What we can do is check for normal application use. That is; lets say the game is delayed 30 seconds from replaying packets. We can use this to our advantage as a hacker may try multiple times rapidly to log a score.

What we do is instead of going "HA HA! YOU'RE A HACKER AND YOU'VE BEEN BLOCKED" (which would only result in a more determined hacker), we simply black list the hackers IP address (or username if applicable), and still post the score with a mark next to it. In a getscores.php file, you would read that blacklist and if the hackers IP address exists, then return all scores (otherwise return a clean set of scores). The hacker thinks he is successful when in actual fact - all you're doing is simulating the scores he wants to see.

After a few days, you could run a clean up and simply ban any user with a blacklisted IP address. Simple as that. (The reason I would use IP addresses is the hacker may log out / in and check the scores are right. You would also want to blacklist any usernames at the time too!).

This method isn't 100% secure either. If the hacker gets wind of this, the system is ruined (which is why a closed source server is the only protection).

- - - - -

At the end of the day, there's no one method that is always going to work. Everything can be spoofed, so all we do is make it harder. Some hackers like the challenge, others will go for an easier target with more damage. For instance, what type of hacker is going to spend 6 hours trying to crack a Tetris High Score list, when he could spend that same amount of time getting money in Habbo Hotel?

Anyway, this is just some food for thought. Good luck!

- - Craig Mattson

[0 Comment(s)]

The best way to stir up controvesy is to declare PS3 the Winner (04/01/2009 01:19:41 AM)

Hi All,

Unless you've been carbon frozen for the last three years, you know that the console wars for the current generation are potentially causing more fanboi's now with the expansion of the internet through mobile devices. So, how do you stir up people of Australia? Simple. Just declare using some pretty charts from Microsoft Excel that the Playstation 3 is the winner for 2008.

That's what IGN Australia did in it's recent Console Showdown 08 article, and you have your regular crowd of gloaters (Playstation 3 Fanbois), whingers (Xbox 360 Fanbois) and non-fanboi's (Nintendo Wii Fanbois). Apparantly, according to the four part series, IGN Australia ranks the consoles Playstation 3, Xbox 360 and Wii in that order, stating that the Playstation 3 had a better range of releases this year.

Is it true? Well, maybe for the core demographic IGN Australia targets (that is; blood thirsty 16 - 35 year old males), which is why articles such as the IGN Australia series produces a large proportoin of hilarious comments.

1. "WE WON WE WON!!!! PARTY!!!"

What exactly did the Playstation 3 owners win? What respect do they command by having the perceived best games? LittleBigPlanet is the only thing on the list of 11 games that I have been remotely interested - much like my interest in Spore. Don't get me wrong, I'd sooner have a Playstation 3 due to the lack (lesser) of hardware faults over the Xbox 360. There's only so many times you can send an item back and declare it the most warranty repaired device you've ever owned.

So apart from LittleBigPlanet (and how on earth did a Golf game make the charts?!?!), the Playstation 3 list looks pretty bleak to me. That's not to say though that the console is terrible. Clearly games like Metal Gear Solid 4 are proof that the console is of good quality - if you like that type of thing.


The Xbox 360 as most of you know is plagued with hardware faults, although - since my last repair in early 2007, my Xbox 360 has suffered a fall and lots of Grand Theft Auto IV without fault. But what about exclusives? When the prices drop a bit, there are three games I would like to try. Banjo-Kazooie (being a fan of the N64 variant), Fable II (Fable was most disapointing due to story line, I still enjoyed what I got out of it), Viva Pinata Trouble in Paridise (Rare of course) and Ninja Gaiden II (Again a Nintendo favourite).

Even the arcade stuff is improved this year, with my only purchase being Worms all year. Granted, if I had a Playstation 3, I'd have downloaded Lemmings - but some old Rare titles such as the original Nintendo 64 Banjo Kazooie, and a potential merger in the future (i.e. Nintendo and Xbox 360 to release Rare games) could be interesting to watch.

At $228 in Big W, the console probably is worth buying now - even as a solution to buying an ATi Radeon 4850...


Well, not entirely surprising - it's my only console purchase myself... As in, I shelled out 1/2 price on a Nintendo Wii on Catch of the Day last year. Why did I buy one, after already having access to one in the house? I must say I have had some very good enjoyment out of it. Anyway, of the 13 exclusives, I'm quite surprised to see only two show up:

  • Mario Kart
  • Super Smash Bros: Brawl (including the 300 songs in the soundtrack)
So yeah, of the list this year, I have selected 2 that I wanted to play (and did buy... twice!). However, the Wii was also the source of other games too... such as:
  • Harvest Moon
  • Mario Party 4 (GC)
  • Mario Party 5 (GC)
  • Mario Party 8 (Wii)
  • Zelda: Twilight Princess

At the end of the day, I think the Wii is still the best console, with the Xbox 360 coming in close second - in particular with their cheaper price and half decent lineup this year. I was almost tempted to sell the Xbox 360 earlier last year, but I'm glad I didn't. Some of the games (such as Burnout, Flatout and GTA) are released on both PS3 and Xbox 360, and that's why I have no need for a Playstation 3 *yet*.

Also, it's not IGN Australia and their pick for best console based on "Worst Games below 4.0, Worst Games below 4.0 as a Percentage, Most reviewed games, best exclusives, Highest scores etc..." which ultimately turns graphs upside down and back to front (I suppose it's the equivalent of counting 1, 2, 3 and then 3, 2, 1 to get the same results from a different view-angle). They specifically make mention in their article:

This was a ...strange... year for Wii owners. On one hand, Nintendo has aggressively expanded in the market, forging forwards in the sales charts off the back of massive successes with Wii Fit and the continued popularity of the Wii Sports pack-in. Of course, unless you count yourself amongst the most banal of mainstream Wii-owning society (and come on, you're reading IGN, so clearly you've impeccable taste and common sense), then jaunts of Wii Fit and the occasional tennis match just aren't enough to keep you going long-term. <snip>

Clearly, some of the people forgot to realise that IGN Australia is followed by a lot of hardcore gamers, and naturally - the ones that are going to consistently win are First Person Shooters with new Physics, better Guns, better Team Play, better Explosions, better Replayability for HOURS of fun (not the hour or two I spend in a blue moon on my Wii). And who's to say that it's not the best for their audience? Clearly their reviews look upon highly on it, but I'll stick with my PC, Wii and Xbox 360 for the time being - until I win a Playstation 3... Then I might get LittleBigWorld.

N.B: A not surprising statistic, Grand Theft Auto IV has been my most played game for the year, which is followed by Microsoft Train Simulator et. al. Quite funny to see Grand Theft Auto IV being disappointing and the most enjoyable game this year to own.

[0 Comment(s)]

[Print View]