2

I'm making a JavaScript game, and I don't want anyone to cheat. Is there any way that I can detect, and possibly log, commands issue in the JavaScript console? The skeleton of what I'd be looking for is something like: 

consoleCommands = "";
window.console.command = function ( thiscmd ) 
{
   consoleCommands += thiscmd;
}
window.onbeforeunload = function ( )
{
    // send log of commands to server
    $.ajax({url:'recordNewCommandLog',method:'POST',data:{cmdlog:consoleCommands}});
};

Of course, an attacker could overwrite that, but I'll try to obfuscate it enough to make it difficult for him to figure out that his commands are getting logged in the first place.

Gray
  • 7,050
  • 2
  • 29
  • 52
  • 1
    don't think there's much you can do. In chrome it still works even when you do `window.console =null`. Make sure to use closures in all your code – charlietfl Oct 19 '15 at 21:14
  • Possible duplicate of [Find out whether Chrome console is open](http://stackoverflow.com/questions/7798748/find-out-whether-chrome-console-is-open) – Paul Nikonowicz Oct 19 '15 at 21:19
  • Possible duplicate of [Best way to detect when a function is called from the console](http://stackoverflow.com/q/28000460/1529630) – Oriol Oct 19 '15 at 21:43

2 Answers2

4

In addition to the answers (and duplicate links) you've received, I want you to consider this:

Why do you care someone cheated?

  • If it's a single player game, let them cheat, they only cheat themselves and you can't stop them. If you block the console, they'll use a user script. If you block that, they'll use a memory altering program (like CheatEngine) and change values from there.
  • If it's a multi-player game, it makes sense to invest in anti-cheat so that they don't ruin it for everyone else. In that case, make the server make all the important decisions. Don't take the word of the client for anything, it's the server that's supposed to be secure, and it's the server that's supposed to be able to tell that a player couldn't have gotten 9999999 money from the monster drop, just because it said so.

Not to mention, how will you do your debugging without the console? You'll have a hard time reproducing bugs and fixing problems.

TL;DR

Don't block the console. Secure your server if applicable and leave the client "hackable" the client is the user's domain anyway, not yours.

Madara's Ghost
  • 172,118
  • 50
  • 264
  • 308
1
var arr = [];

console.log = function () {
  arr.push([].slice.call(arguments));
  // if `arr.length` , do stuff
  return console.log
}
guest271314
  • 1
  • 15
  • 104
  • 177
  • Huh. Didn't know you could override default functions in JavaScript. – Jaxkr Oct 19 '15 at 21:23
  • Why `return console.log`? Either hijack it properly and return `console.log.apply(console, arguments)`, or don't do anything. – Oriol Oct 19 '15 at 21:47
  • 1
    This will detect data passed to `console.log`. But won't detect code run directly in the console. – Oriol Oct 19 '15 at 21:48
  • @Oriol Minimal possible approach , adjustable as needed – guest271314 Oct 19 '15 at 21:52
  • @MadaraUchiha _"That won't prevent people from opening the console and typing commands, which is exactly what the question is all about. –"_ ? No . Text "prevent people from opening console" does not appear at original Question ? Not certain how that interpretation could be inferred ? Actual text of Question is _"Is there any way that I can detect, and possibly log, commands issue in the JavaScript console?"_ Question , as interpret here, is how to log commands to `console` not prevent them – guest271314 Oct 20 '15 at 14:32
  • @guest271314 This still doesn't solve the problem, it doesn't log anything actually done in the console. "Cheating" in a game entails either reading or writing to specific values in the game. This solution tracks neither. – Madara's Ghost Oct 20 '15 at 14:37