3

I want to write a little game where the users has to click on appearing elements/objects in a given time. In detail the objects appears in holes onto the ground and after x seconds the objects disappear. The gamer has y lifes and all clicks gets counted until he lost the game. After that his highscore gets posted to a database (via form post or AJAX). Long story short how can I avoid the user faking his highscore before sending? The program language is JS.

I know its not possible to hide all the code and make it not hack-able. But I think it's enough if the code is so difficult that the user has to do a lot of work to understand where he has to intervent to send faked data.

Has anybody some ideas howto make the code as difficult as its possible?

Thanks in advance for any ideas :)

dk1
  • 529
  • 5
  • 14
  • 1
    possible duplicate of [How can I obfuscate JavaScript?](http://stackoverflow.com/questions/194397/how-can-i-obfuscate-javascript) – Mike Samuel Nov 21 '12 at 21:16
  • You can't obfuscate the JavaScript enough to do this; network requests can be analyzed and faked too easily. If you dreamed for a while you might be able to come up with a way to validate the high score. – Brad Koch Nov 21 '12 at 21:18
  • [Garbled circuits](http://crypto.cs.uiuc.edu/wiki/index.php/Yao's_garbled_circuit) allow two machines to perform the same computation without one leaking too much information to the other. You could use that to ensure that clicks get counted, without leaking too much game state, but it's probably too cutting-edge-researchy for a Javascript game. Other existing SO questions deal with the state of JS obfuscators. – Mike Samuel Nov 21 '12 at 21:20
  • If you're really intent on securing high scores, your best shot is going to be communicating a user's game play actions to the server, and then identifying the differences between normal players and cheaters. I hear there's methods of probabilistic analysis that can identify abnormal behavior, but it's above my level of expertise. I would repost this, perhaps on [Game Dev](http://gamedev.stackexchange.com/), and make it about identifying cheating instead; you've got a very interesting question then. – Brad Koch Nov 21 '12 at 22:52

3 Answers3

0

You should never really try to make your source code unreadable. It will make as great a headache for yourself than any obstruction to anyone modifying it.

That said, you could refactor all your variable names to complete gibberish and play with whitespace, but anyone seriously trying to understand your code could revert that in a decent text editor. To make it any more complex would take away from the efficiency of your program - otherwise you could fill it with useless calls to functions that don't do anything and strange incrementation of counters that the program does not depend on.

Bertholt Stutley Johnson
  • 221
  • 4
  • 10
0

there are compressors that do exact the job you want! Some of them can be downloaded and used as offline tools, some are directly via web accessible:

http://javascriptcompressor.com

like jquery and others you can use your code to maintain the scripts and deliver a faster loadable packed version that is hardly readable

wegus
  • 282
  • 1
  • 9
0

How about this:

Create two PHP pages, with one containing the game interface and the other containing the game's code. Program the first one so that it creates a one-time-use string that the tag will pass along as a parameter when it calls the JS code from the second one. Program the second one so it checks the validity of the string sent. If the string is valid, the script should output the JS code, then invalidate the string.

Then, when the user copies the URL of the script, pastes it into his browser, and hits "Return," all he sees is either a blank page or a "not authorized" message.