0

I know I can detect that they actually have the extension installed, but that is okay with me. Some users actually use these tools for good, like changing colors of the level to make it more appealing. But some evil users are using it to control their sprite and cheat through levels. I realize these scripts inject JS into my page... Can I run some kind of loop to look for exact matches of scripts? Or anything similar?

lilballs
  • 9
  • 1
  • Yes you can, but those checks can be tampered with as well. – GolezTrol Jan 13 '16 at 00:30
  • How would I go about doing something like this? Most of my users are not very tech savy and just read information on our forums on how to install the scripts. I know of atleast one script (that I actually found on pastebin) that atleast 2 users are using. I would just like a way for clear evidence. Any ideas? I am pretty sure the original script creator is long gone at this point... but I am worried people are still using his version. I just want a way to check. – lilballs Jan 13 '16 at 00:33
  • You cannot secure JavaScript code on the client. – Pointy Jan 13 '16 at 00:38
  • I understand, I just want to check for it. I know the users that are using it now have no idea how to block me checking for it. – lilballs Jan 13 '16 at 00:40
  • They can defeat the code you might deploy to check for it. If it's interesting enough to do what they're doing now, somebody will figure it out. It'll get posted to 4chan or something and then a thousand losers will knock themselves out (pointlessly of course). – Pointy Jan 13 '16 at 00:40
  • We have a community of about 100 players... It was one guy who came along and kind of ruined it for everyone.. I just want to check for the users that are still using his script. I UNDERSTAND that they can block the attempt to check for it, but they are going to know to check for it if it doesn't exist. Once I catch them it's over for them. It's a small community where everyone knows everyone. – lilballs Jan 13 '16 at 01:00
  • You can check and ping the server stating cleanliness. You'll probably catch them when they try tinkering with that check. Because the ping will be missing. They can falsify the ping.... but you can make this pretty obfuscated and difficult to reverse engineer. Perhaps by passing back a token in the body that's generated as a function of some other part of the page. – Catalyst Jan 13 '16 at 02:01
  • See the duplicate question. Your easiest bet is to change the CSS id's and classnames. More effective is to require secure events (check [`isTrusted`](https://developer.mozilla.org/en-US/docs/Web/API/Event/isTrusted)). Link to the script in question and add relevant code snippits and we may be able to suggest a Q&D fix (If you are SURE your users aren't tech savvy). – Brock Adams Jan 13 '16 at 02:04
  • Can't the code checking for isTrusted be overwritten anyway? What about the browsers that don't implement isTrusted? – Edge Jan 13 '16 at 11:14
  • @Edge, No, not by userscripts (except on FF where most scripters don't know the technique anyway). The Browsers that don't support `isTrusted` also don't support userscripts (except for Safari). But this is a GM/TM question anyway. *Strictly* speaking, that's just Chrome and Firefox. – Brock Adams Jan 13 '16 at 19:07

0 Answers0