1

I am creating a game where I use a file to record player stats (speed, level, etc.) so you can keep using your character after exiting the game. My problem is that in my test version I am using the basic Java FileWriter to save/read the stat file, but someone could just open it up with Notepad and change the stats (which I don't want).

Is there a safer and more secure way to do this and if there is could someone link a tutorial to it?

I had heard that using XML might help but I am clueless as to where to start on this.

  • Keep the data on your computer, not the player's computer. – Eric Lippert Apr 07 '13 at 05:49
  • Well, the point is, if I give the game to a friend they can play it; it's not online. Imagine it like an RPG for keeping track of party members' levels and items. –  Apr 07 '13 at 05:50
  • You could always store a salted hash of the stat file, and check the file against the hash every time you read it. – Sam Dufel Apr 07 '13 at 05:51
  • Well at least don't store it in plaintext. That's the absolute easiest way for anyone to change it. – chris Apr 07 '13 at 05:52
  • If it is not online, what do you care if someone is editing the file? I would leave something like that in the game, for people to have fun with if they feel so inclined. – nicholas.hauschild Apr 07 '13 at 05:52
  • But would that work if the stat file is changing a lot? As in, if the player upgrades their speed 3 times the stat file would change, which means the hash would too? / Edit: Just because my friends already just go in and give themselves max speed, level, etc. I would prefer them not to be able to do so. –  Apr 07 '13 at 05:54
  • My advice is to spend your time making the game more fun and no time protecting the player from hacking themselves. If people want to cheat at solitaire that's their choice. – Eric Lippert Apr 07 '13 at 05:55
  • If it's really important to you then encrypt the data you write into your file. The web is full of such Java code. You can start here: http://stackoverflow.com/questions/1205135/how-to-encrypt-string-in-java – PM 77-1 Apr 07 '13 at 06:08

1 Answer

1

First, some general advice: If all of your stuff is on the client side, you can do nothing to protect it. You can only increase the time it takes someone to decrypt it. So if you are really worried about a player manipulating their save games, you have to turn your game into an always-online cloud-storage solution (which comes with its own problems, not just technical).

Second, why would you want to prevent players from editing their savegames if your game is not online? A lot of gamers (me included) like some good storytelling but not necessarily all games, and more than once I reached the point where I didn't like to play the game anymore but wanted to know how the story and characters go, or I just wanted to experiment. Without a savegame editor, I would've completely disengaged from the game, but thanks to cheating I had a great time seeing how the rest unfolded (and some guilty pleasure one-shotting certain tough enemies). If a player wants to cheat in a single-player game, why not? It's their experience, and it can keep them engaged.

The two reasons to prevent cheating are support and competitive scenarios. If one-shotting a boss character prevents an event that's supposed to run at 50% health from running and if I then complain that my game is in an unwinnable state, you have extra work figuring out that the savegame was manipulated and that it's not a bug on your side. On the competitive side, if you have achievements or leaderboards, cheaters are a problem.

But then again, you can't have competitive elements in a game that's 100% on the client since you can't do anything to prevent tampering.

Here are a few tips on how to make tampering harder:

  • Using a checksum on the savegame
  • Encrypting it with a key stored in your code, or (brittle!) using the SHA1 of some file in your game as the encryption key
  • Keeping a list of "valid" states and detecting impossible situations, e.g. a Level 3 character with 9000 HP or a Level 20 character that hasn't progressed past Chapter 2 in the story, or a character wielding the Tainted Blade of Armageddon outside of the Cloud Castle dungeon
  • Detecting that the savegame was manipulated but letting the player go ahead, just letting them know that technical support wouldn't be granted for issues with that savegame.
Michael Stum
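The checksum tip and the "detect it but let the player go ahead" tip from the answer, together with the hash-check idea from the comments, as an added example that is not part of the original answer or comments. It swaps the salted hash for a keyed hash (HMAC-SHA256); the class name, key and file layout are assumptions, and because the key ships inside the game this only stops casual Notepad edits, as the answer says.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.MessageDigest;
import java.util.*;

public class SaveGame {
    // Assumption: constructed demo key embedded in the game code (Java 9+ for Map.of).
    private static final byte[] KEY = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);

    // Keyed checksum over the exact text of the stat lines.
    static String tag(String body) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        return Base64.getEncoder().encodeToString(mac.doFinal(body.getBytes(StandardCharsets.UTF_8)));
    }

    // The tag is recomputed on every save, so stats may change as often as needed.
    static void save(Path file, Map<String, Integer> stats) throws Exception {
        StringBuilder body = new StringBuilder();
        for (Map.Entry<String, Integer> e : new TreeMap<>(stats).entrySet())
            body.append(e.getKey()).append('=').append(e.getValue()).append('\n');
        Files.write(file, (tag(body.toString()) + "\n" + body).getBytes(StandardCharsets.UTF_8));
    }

    // Loads the stats either way; returns false when the file no longer matches its tag.
    static boolean load(Path file, Map<String, Integer> out) throws Exception {
        String text = new String(Files.readAllBytes(file), StandardCharsets.UTF_8);
        int nl = text.indexOf('\n');
        String stored = nl < 0 ? "" : text.substring(0, nl);
        String body = nl < 0 ? "" : text.substring(nl + 1);
        for (String line : body.split("\n")) {
            String[] kv = line.split("=", 2);   // skip lines that are not name=integer
            if (kv.length == 2 && kv[1].trim().matches("-?\\d{1,9}")) out.put(kv[0], Integer.parseInt(kv[1].trim()));
        }
        return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8), tag(body).getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        Path f = Files.createTempFile("save", ".dat");
        save(f, Map.of("speed", 3, "level", 7));   // constructed sample stats
        Map<String, Integer> stats = new HashMap<>();
        System.out.println("untouched file verifies: " + load(f, stats));
        // Simulate the hand edit described in the question.
        Files.write(f, new String(Files.readAllBytes(f), StandardCharsets.UTF_8)
                .replace("speed=3", "speed=99").getBytes(StandardCharsets.UTF_8));
        stats.clear();
        System.out.println("edited file verifies: " + load(f, stats) + ", loaded " + stats);
    }
}
```

When `load` returns false the game can still continue with the loaded values and mark the save as unsupported, which is the last tip in the list.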