Re: Hacking The Leaderboards

Well there we are. I’ve been backstabbed (/s) by former partner Developer Doge. He’s basically created a tutorial for how to cheat on the Unipop leaderboards. But what can we learn from this?

The first takeaway is to never trust the client. This is a very important part of basic security, and I do have some validation in place. My server only accepts alphanumeric names up to (and including) 32 characters long, numerical scores up to 3 chars long, plus a sanity check hash.
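The server-side checks described above, written out as an added example (this is not the Unipop server's actual code). The name and score rules are the ones stated in the post; the hash construction, the salt and the function names are assumptions, since the post only shows that the user agent string is involved somewhere.

```python
import hashlib
import hmac
import re

# Rules from the post: alphanumeric names up to and including 32 characters,
# numeric scores up to 3 characters. [0-9] (not \d) plus fullmatch() rejects
# Unicode digits and the trailing newline that "$" would let through.
# Assumption: an empty name is not allowed.
NAME_RE = re.compile(r"[A-Za-z0-9]{1,32}")
SCORE_RE = re.compile(r"[0-9]{1,3}")

# Constructed value. The game client has to hold it too, so it is an obstacle
# for casual tampering, not a secret.
SALT = b"constructed-example-salt"


def sanity_hash(name, score, user_agent):
    """Hypothetical construction: HMAC-SHA256 over name, score and user agent."""
    message = "\n".join((name, score, user_agent)).encode("utf-8")
    return hmac.new(SALT, message, hashlib.sha256).hexdigest()


def validate_submission(form, user_agent):
    """Check one untrusted submission; returns (accepted, reason)."""
    name, score, digest = (form.get(k) for k in ("name", "score", "hash"))
    if not all(isinstance(v, str) for v in (name, score, digest)):
        return False, "missing field"
    if not NAME_RE.fullmatch(name):
        return False, "bad name"
    if not SCORE_RE.fullmatch(score):
        return False, "bad score"
    expected = sanity_hash(name, score, user_agent)
    # Constant-time comparison on bytes (str input must be ASCII-only).
    if not hmac.compare_digest(digest.encode("utf-8"), expected.encode("ascii")):
        return False, "bad hash"
    return True, "ok"


if __name__ == "__main__":
    ua = "Mozilla/5.0 (constructed sample)"
    good = {"name": "Doge", "score": "42", "hash": sanity_hash("Doge", "42", ua)}
    print(validate_submission(good, ua))                       # accepted
    print(validate_submission({**good, "score": "999"}, ua))   # hash no longer matches
    print(validate_submission({**good, "score": "1000"}, ua))  # too many digits
```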

A diagram showing Developer Doge fooling my computer into believing he is ranked the best.

But what do we do other than trust the client? We could run the game on a server, as I think is common with MMORPGs, but that’s slow, and requires both a semi-decent server and the user to have a stable internet connection. The latency simply wouldn’t be suitable for Unipop.

A demonstration of the latency introduced by processing game actions on a server using a tick system.

Of course, there are also alternatives to making your own leaderboards. How about something as reputable as Google Play Games? After all, Google says it “provides a leaderboard tamper protection feature that checks for suspected tampered scores and hides them automatically.” Nope — it isn’t tamper-proof in the slightest.

Google Play Games leaderboard with clearly-cheated scores.

The only thing I think we could do about this is to capture as much data as possible, to store a replay of the play session and more, to either automatically or manually verify the run’s legitimacy. But that involves more effort than I was going to put into a jam game.

What else can we learn from the video? Well, he uses the Firefox debugger whatsit to set a breakpoint and dig into the code to learn more about how my sanity check hash is produced. Could this be avoided? I think it could be made harder, but it can’t be avoided entirely.

A view of my code in the debugger, where it can be seen that the useragent string is used somewhere.

See, any code that runs on the user’s computer can be browsed, to a degree. My rule of thumb is that the higher-level a language is, the easier it is to reverse-engineer. So it would be easier to work out English than assembly code. That’s a terrible explanation.

So let’s say we didn’t use JavaScript, and instead had a downloadable Windows executable of some description, not even created with a game engine. Someone would still be able to open up this executable in IDA Pro, Ghidra or goodness knows what other tools to poke around.

We also see in the video how a game’s method can be replicated even in a different language, albeit after a little help from eyeing the original unobfuscated source code. This could easily be run on multiple computers around the world, destroying the leaderboards.

A Python script that submits some phony scores to the Unipop leaderboard.

You can also catch a glimpse of another anti-cheat method in the video. I have this antiBallsPopped variable, which aims to make it harder to cheat in the game by using memory editors such as CheatEngine and Game Conqueror.

Some of my source code shared in the video WITHOUT MY PERMISSION!

Since I’m on the topic of memory-editing, let me confess my sins. Back in the day, I loaded up The Simpsons: Tapped Out into BlueStacks and used CheatEngine to acquire more Donuts (the premium currency) and buy things. Don’t know why they didn’t at least ban people who did that.

Eventually, EA patched this. They probably just made it slightly harder to do, but it was enough to keep me out. So at that point I just started using those modded APKs you find online, where someone else has already cracked the game for you.

In conclusion, someone with enough time will always find a way to cheat. If they don’t have experience with such h4x0r things, they can always get experience. In my opinion, it’s definitely worth adding some obstacles to keep casual cheaters out.

Just don’t spend too much time creating your obstacles. I’ve found that one individual has been unable to submit any further cheated scores since I added the sanity check hash, so even if my measures seen here won’t keep everyone out, they’re still effective to some degree.

A failed cheater attempting to mess with the leaderboards, only to get an easter egg video instead.

This post was originally on Twitter.
