How to prevent so file hacking in so file - unity3d

In my app(unity5, il2cpp build), There is a function like
"GetScore()"
Unfortunately, i found the hacked version of my app in the black market. that hacked version's "GetScore()" function always returns 100. The original return value has to be under 10.
I guess this hacked App is repackaged by using like 'il2cppDumper' and changing my return value to 100;
Is there any way to prevent this problem?

Security is always a matter of making it harder for hackers - you can never make it impossible for them to tamper.
So here are some thoughts:
Obfuscation: GetScore() gets BananaJungle() - hackers cannot find the correct function without stepping through the source code for hours (hopefully)
Validate the score on multiple spots: the function calling GetScore() should do a sanity check: "is it below 10?"
In Addition to this: You may want to ignore scores above 10 to fool the hacker he succeeded. You may lock the app after 2 hours or so.
Add a ScoreLogger somewhere that logs the history of the score, so getScore() may return values <10 but someone might just overwrite the score in code to 999999. ScoreLogger will check the score history for jumps etc.
Validate Score with total playtime (approximately)

You won't ever keep hackers from hacking your games, even if it does indeed have a backing server. Just look at all the unofficial world of warcraft servers. You can keep things relatively safe if you have a server, you keep its source code secure, and your game is meaningless without its server (think Dota 2 with no multiplayer capabilities...). Even then, you can't actually validate the player's every move, unless it's a turn based game and you actually send every move the server to be processed (this works in Hearthstone, for example, but not in WoW, hence all the anti-cheating tools). EA couldn't do it, Rockstar couldn't do it, Activision couldn't do it, even the mighty Denuvo couldn't do it, you certainly can't do it.
However, you should stop and ask yourself why you want your game to be that secure. Out of every 1000 cheaters you stop, maybe one or two would actually pay. You should put in a moderate amount of effort on security (take KYL3R's advice), simply to keep honest people honest. Dishonest people will always find a way, so don't worry about them so much that you end up wasting time on (useless) security; time you could spend on making your game better.
Oh and by the way, that's also one way to keep hackers out: frequent updates to the game. They have no life, but they don't have enough time to keep making a hacked version of every game on the market every week.

Related

IDs in Scratch: Cloud Variables

I have a multiplayer project which has some forever loops with checking code inside of them.
The problem is, multiple computers might process this and change crabx or craby due to lag in the variables dvotes, uvotes, lvotes, or rvotes. Only one machine should change this, though.
This can be easily solved by giving each player an ID like many people do in SQL. I would just check if the ID is 1, and that would be the "operating machine". I would then do all of these checks on that one machine. It would do things a Scratch server would do if you could program it...
The problem with this is that there is no way to detect when a player leaves the game. There is no block that is called "on exit" or "on stop button pressed". How would I go about doing this? I have seen people have a button which people click to exit, but some people will not click it/not even see it.
Thanks in advance!
Option 1
I've never been especially successful with cloud data myself, but I've heard the theory on this before:
Essentially, each player gets a "counter". Their computer then constantly increases that counter. If the counter ever stops increasing (which will be detected by the other computers, who are all looking after one another), the project will know that the user has left and one of the computers will take care of removing their ID and other data.
Obviously, this is much easier said than done. (As I said, I've never gotten complex cloud data to work well for myself, but I've seen it done successfully and explained.)
Option 2
Alternatively, you might be better off taking advantage of this cloud api created by MegaApuTurkUltra. I find that stealing from others tends to be the best way of solving problems when it comes to code. ;)

iPhone games that continue even when you're away

Let's say, Tiny Tower. On this iPhone game, you can have shops in your tower. You can suspend or turn off the iPhone, but when you return to the game, you will be reported about the shop winnings during your time away.
There are also push notifications when a building is complete etc.
I fear I do not understand how that works, exactly. I'm not asking for the exact solution, I just need to know where to begin researching. One idea I had some time ago was like calculate the amount of seconds the user was away (current time minus the time when you left) and then calculate shop processing for every one of these seconds. But I'm not sure of that.
A better way would be to calculate before you close the app.
Figure out what time it is, then calculate when in the future certain tasks will be completed. This way, you can schedule push notifications to the server ahead of time.
If you calculate after you have re-opened the app, and you can't run processes with the app closed, how will it know when to push?
Take a look at this article about push notifications to understand a little bit better how they work.
http://blog.boxedice.com/2009/07/10/how-to-build-an-apple-push-notification-provider-server-tutorial/
For offline games you add temporal logic to your items and recalculate when game is launched. For online games you retrieve game state from the server, which is constantly recalculating for all users, even disconnected ones.
Game most probably does not actually process in the background (most apps are not allowed to do anything while in background). When you relaunch the game, it calculates how much time has passed, and then processes all the events that would have happened in the meantime.
Additionally, as Paul.s mentioned in comments below, as well as other people in other answers have suggested, on iOS4 you can use local push notifications scheduled before close.
It is either server side execution of the game or if it is a game of chance or something like Farmville where it's determined by time duration.
If you were to make a server and/or game like this then you would need to decide which route to take.
If it will be something where the user has good days and sometimes bad days then you'll need a lot more server power. however, if it's something like time based then you would be able to tell the last time they were logged in and the next time that they should be awarded. you can also take this idea and for each variable that you store, you store how long it takes to be complete and the start time. Then you would do a simple If then o see if the item is ready. The same thing can work for a number of visitors. Where you have 10 visitors per item per hour. If you have two items then each hour you will receive 20 visitors.

48 minute technique for entering and sustaining programmer flow

I have been working at entering and sustaining periods of flow while working, and while researching the concept I came across this site which addressed the idea of sustaining flow in short bursts. The technique specifies that one sets a timer for 48 minutes in which they focus purely on their work, and when the timer runs out they spend 12 minutes doing whatever.
However, in the paragraph directly above that statement is a quote from Peopleware saying that it takes at least 15 uninterrupted minutes to enter a state of flow.
When reading that point, the 48 minute technique seemed counter-intuitive, since every 48 minutes you are "breaking" your flow, and once you start up again you have to spend 15 minutes going back into it, so you really only get (at a maximum) 33 minutes of "flow time". Obviously these quantities aren't necessarily rigid, but you get the idea.
My question is to those who have tried a timing technique similar to the one described. As I see it, the only justification for this technique is that it possibly reduces the amount of time it takes to re-enter that period of flow. Can anyone who has used this technique provide some clarification?
I've tried the Pomodoro Technique for a week or so. I didn't focus too much on the details of maintaining check lists of completed and interrupted sprints, but rather I started the day with the tasks that I wanted to do on that day, and went through them as best as I could using the 25-minute sprints and five-minute breaks.
The Pomodoro Technique suggests to use the breaks to relax, stretch your legs, grab a coffee, etc. I've noticed that activities like those that don't require a total focus shift and can be done on automatic don't break the flow, but rather helped me cleanse my mind and refocus my attention. It's as if you're allowing yourself to step away from the trees to survey the forest for a bit before diving back in.
I dropped Pomodoro after that short trial period because I found that in my case I got the most benefit from simply sitting down in the morning and writing down what I wanted to do on that day. Once the decision is made and the work is started I found that I fall into a natural rhythm of sorts. I work until I'm bored, frustrated, or interrupted, then I take a break and continue. I didn't find that time boxing my sprints added much value.
YMMV, but it's worth at least giving it a try.
A timer would be terrible for me, because it might go off and interrupt my train of thought at a critical moment.
For me, maximizing flow would begin by (1) first preventing forthcoming distractions (ie, making sure phone calls and other interrupts are disabled and that anything scheduled, like a meeting, is sufficiently far off there's no possibility of running into it), then (2) working on the problem at hand as long as I can, but all the while trying to recognize when I'm not making progress.
If I think I'm making progress, no matter how slowly, I just keep going as long as I can. But if I appear to be stuck or going in circles, I stop, and do something else instead, even if that something else is starting on a different problem. I let my subconscious dwell on the original problem, and once I have a feeling I feel fresh or curious enough to restart again, I do.

Tips for finding things in your program that are broken that you don't know about?

I was working on something for a client today when I found a way to break some functionality in our program.
(The code is really legacy code, it's been in development for about 10 years and I've only been working here for about a year.)
It didn't cause an error, or cause the program to crash, but if a user was using the program and duplicated the behavior I'm pretty sure they'd be holding up their "WTF?" flag.
In our program we have named fields (textboxes) and static text (labels) that can be linked with the textboxes. When the textbox is not filled in the label(s) that were linked to them disappear.
The functionality that I broke was, when you change the name of a textbox that already has one label or more linked to it, and save the file, without re-associating the one or more labels associated with the textbox, the formerly-associated labels appear when the textbox is blank.
Now my thinking on the matter is that a simple observer pattern could have solved this problem in the first place, but then I didn't write the code.
I was thinking that if I could dig up more situations like this with the guys in my shop, that maybe I could talk them into considering unit testing, decoupling, applying patterns where they are called for and the like.
So for this reason I was wondering if anyone had any tips for finding broken (but not error causing) functionality in any sort of app (web-based, desktop, etc...)
For an app to fail usability, it has to have a defined set of expected behaviors.
"Is this textbox SUPPOSED to do nothing when the enter key is pressed?" Maybe it is, maybe it isn't. I've seen apps where a tester/reviewer reports something that they ASSUME should work another way, when in actuality the client specifically asked that they DON'T want the form submitted on a return key press, but only a submit button click.
So basically you have to define proper behaviour before you can determine incorrect behavior.
Hire some testers.
If it has an interface, then one of my favorite unconventional test is putting 5-10 year old children in front of it. You'd be surprised what they can come up with (especially the younger ones). While this may sound like a joke, it isn't -- it really works, because children don't have the mindset of only going through "mindset" paths.
And yeah, children are the experts in "breaking things" xP.
Code inspections, i.e. reading the source code: if you had taken time to read/inspect the source code, looking for "smells" or even just looking for code whose behaviour you don't immediately understand and agree with, you might have been holding up your "WTF?" flag too.
Test, test, test.
Do unexpected things. Start doing one task and switch another to see if anything goes haywire. Use the back button when you're not supposed to. Open it in two windows. Let it time out.
Test in all browsers, especially IE.
You can find database connections/sessions aren't released by:
working out the minimum number of connections you need to do something
setting resource limits to that minimum number
ensuring one "run" of the scenario that should use exactly that number (and release it afterwards)
then run it again a few times... do you run out of connections?
I used to work in a company where programmers regularly used to forget to de-allocate db connections. The standard answer was to reduce the resource to a minimum to see if there's a leak - and to try to work out where it is by restarting the system and running different scenarios repeatedly.
The first hour of code review, with the first reviewer, will do the most to find quality problems. But here's the thing: You don't need to convince people of quality problems. You need to convince them of the value of fixing bugs, and of rewriting only when the present quality absolutely justifies it.
I've dealt with some seriously bad code in my time. But you can't just rewrite. You need a spec before you can even tell if the rewrite is an improvement.
Sometimes, you have to infer the spec from the code and then check it against some human somewhere. But by the time you've done that, you understand the code as written and are now better prepared to repair than to rewrite -- most of the time.
Repair proceeds by a process of small behavior-preserving modifications that render the spec more clear in the code. Then, when you find something that looks wrong, you don't just change it. You ask around until you find the person responsible for that decision, and you get them to show you where in the spec it says that behavior X is correct. (This conversation can take many forms.) If you're lucky, they'll tell you that behavior X is in fact incorrect, and then you've earned your pay.
assert()
Also unit testing with coverage analysis.
This is particular to the Visual Studio IDE, although it probably also applies to others:
During testing, always at some point run in the debugger with "Break when an exception is thrown" turned on.
This can often help expose exceptions which are incorrectly being silently caught and which represent bugs, but otherwise may not be evident.
Code reviews should always also include reviews of the unit test code.
The problem is that with ad-hoc testing it's impossible to know how much or how well a developer has tested their code. So, you're at the mercy of different developers definition of the word "done".
If you include reviews of the unit test code at the same time you review the production code you should have a good idea of whether the code is really complete; in that "complete" includes "tested". Not just "Hey, I'll throw it over the wall to the testers!".

Ideas for designing a Secure, "Low Cost" method for confirming client-side game results

This is more a system design question/challenge, than a coding question.
Basically, I'm thinking of throwing together a Bejeweled-esque game on Facebook using just HTML, CSS, and javascript. This is mostly out of a desire to learn all the little caveats of FBJS via a non-trivial project.
So here's the deal. When developing for Facebook, actual API calls are very expensive; not only is there an additional POST to the Facebook servers, there's also the api call limit and throttling to worry about. In a nutshell, the fewer calls to Facebook the better. Combine this with the timing concerns of even this simple puzzle game, and there's good reason to aggressively minimize the number of callbacks in general.
Not being a security expert, here's the design I've come up with:
Embed a random seed in the game page.
Use that seed to create the game board (As well as additional pieces as needed).
Tweak the seed (xor, concatenate and hash, something like that) after each player move, based on time since last move. Edit: I should probably also include the actual move taken in mutating the seed.
Upon game completion post back the following: game start time, each move taken and when, and the client side results.
On the server, re-run the game with the given data, sanity checking the start time and move times, and then confirm that the results match.
To mitigate denial of service, the game itself will be tweaked to have a win by turn X condition.
To discourage the server being used as a "oracle" of sorts, a user posting back an invalid game will be banned for some constant time X (X being on the order of minutes).
This design requires three Facebook call per game played: one to store the random seed before the game is played, one to fetch it after the game is finished, and one to update the player's score if the game is valid.
What I'm trying to proof the system against is straight up score spoofing (http://...?myscore=999999999, or similar). I'd also like to mitigate "look ahead" attacks, wherein the user can tell what pieces are coming to the board next. Denial of service attacks on the hosting server (intentional or otherwise) should also be prevented.
The actual question, can anyone see a flaw in this design? Equivalently, is there a simpler design that meets my criteria?
Note: I am aware how unnecessary this probably is, but its an interesting question none the less.
I'm going to try and throw some numbers up here to futher illustrate my reasoning, these are pretty rough but I hope helpful.
Assuming a 10x10 game board, there are ~200 potential moves (swapping two adjacent pieces) most of which are invalid. Let's say there are on average 5 valid moves per "turn". If we constrain player actions to the frame of 50 to 30,000 milliseconds, there are 149,750 potential new hashes provided the "tweaking" algorithm doesn't discard bits; I feel confident in say there are at least 10,000 potential new hashes which must be calculated by an attacker assuming a cryptographically secure hash is used. If you throw a min-max algorithm at this, your decision tree explodes very quickly. Throw a game session expiration at this, say 30 minutes, and I believe the attack because equivalent in complexity to writing a little bot program to play for you which cannot reasonably be defended against.
If the client code calculates the next piece and you can't hide this algorithm very well, then some bored college student will figure this out. As a result, they will be able to generate a massive score and defeat your intentions.
I tend to say that it is impossible to do. Why? You cannot trust the client - I could just analyse and completly rewrite the client side code and return whatever values I like. The only way to protect you from cheating and all kinds of attacks is to perform the logic at the server - the client will just collect user input and display the server output. But this is completly against your design goal to minimize the number of server calls.