
I have made an HTML5 game that users may sometimes try to alter to get better high scores.

How can I compute, at the beginning of the game (and at runtime), a hash of the whole JavaScript game (made with Construct2), so that I can check whether the user made any changes at runtime?

The game runs inside an iframe, if that matters, and sends high scores after the game.

Tom
  • While creating the hash, store it in a constant, during the game loop get the hash of the current user and compare it with the stored value. Alternatively you can create a dictionary/object to keep track of users with their associated hash. – Ali Beyit Jan 09 '20 at 09:24
  • Thanks! My question is, how to create the hash from all JS classes. I am sending the HASH to game backend and there we can see if some users have a different hash than others – Tom Jan 09 '20 at 09:27
  • As a smart user can simply run an XHR call to your score service with no change to the code at all, it may not be as strong a protection as you think. And it is by far simpler than modifying a (maybe minified) game source – Mosè Raguzzini Jan 09 '20 at 09:31
  • Good point, the communication to the backend is protected and realtime communication prevents the user from sending calls. The idea is to prevent the user from making his/her own client. – Tom Jan 09 '20 at 11:34

1 Answer


As said in my comment, hashing your source is not an efficient anti-hack.

The strongest way to prevent cheating is to run your engine server-side, and validate each action with a predictive client/authoritative server strategy.

Predictive client

The client engine behaves as if no server is involved, sending data only when (e.g.) the score changes, along with some additional information (e.g. game time, position, player state, etc.). The client receives a unique token, stored server-side for each game session, to identify it.

Authoritative server

The server, once it has received the score and the additional information, can run a validation against that data, e.g.:

  • Is the player position valid? (E.g. in line with the enemy to shoot)
  • Is the state of the player valid? (E.g. can it shoot down the enemy with a single bullet?)
  • Is the score vs. game time suitable? (E.g. can the player have a score of 1 billion at 2 s from start?)
  • etc.

Once validation on the server side has happened, you can reconcile the game state or invalidate the game by token once finished.

Mosè Raguzzini
  • It's a good answer, but I am looking for something like a crc32( document.body ) solution, where crc32 is https://stackoverflow.com/questions/18638900/javascript-crc32 – Tom Jan 09 '20 at 11:39
  • @Tom this is not an efficient solution; I can (e.g.) store your hash, modify the code as I want and then resend the stored hash without problem, overriding the function that calculates it. If I am smart enough to modify the game engine, I could do it for sure. IMHO you can *discourage cheating* by modifying your engine, mixing some techniques with minimum effort: minifying it, taking advantage of Object.freeze() and adding some validation server-side. *Preventing cheating* at 100% requires the answer's solution (the solution used by online gambling platforms along with blockchains and other techniques) – Mosè Raguzzini Jan 09 '20 at 11:52
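
The token-per-session and score-versus-game-time checks described in the answer above, sketched as Node.js server-side logic. This is an added example, not code from the original posts; the function names (`startSession`, `submitScore`, `finishSession`), the 50 points/second ceiling and the 2 s clock tolerance are assumptions.

```javascript
// Added example: authoritative score validation on the server (Node.js).
// All names and limits below are assumptions made for illustration.
const cryptoImpl = globalThis.crypto ?? require("node:crypto");

const MAX_POINTS_PER_SECOND = 50; // assumed ceiling derived from game design
const CLOCK_TOLERANCE_MS = 2000;  // allowed gap between client game time and server clock
const sessions = new Map();       // token -> { startedAt, lastScore, lastGameTime, open }

// Issue an unguessable token when a game starts; the server records the start time.
function startSession(now = Date.now()) {
  const token = cryptoImpl.randomUUID();
  sessions.set(token, { startedAt: now, lastScore: 0, lastGameTime: 0, open: true });
  return token;
}

// Validate one score update; returns { ok, reason }. Any failure invalidates the token.
function submitScore(token, update, now = Date.now()) {
  const s = sessions.get(token);
  if (!s || !s.open) return { ok: false, reason: "unknown-or-closed-session" };
  const { score, gameTimeMs } = update;
  let reason = null;
  if (!Number.isInteger(score) || !Number.isInteger(gameTimeMs) || score < 0 || gameTimeMs < 0) {
    reason = "malformed-update";
  } else if (gameTimeMs > now - s.startedAt + CLOCK_TOLERANCE_MS) {
    reason = "game-time-ahead-of-server-clock"; // client claims more play time than has elapsed
  } else if (gameTimeMs < s.lastGameTime || score < s.lastScore) {
    reason = "non-monotonic-update";
  } else if (score > (gameTimeMs / 1000) * MAX_POINTS_PER_SECOND) {
    reason = "score-too-high-for-game-time";    // e.g. 1 billion points at 2 s
  }
  if (reason) {
    s.open = false;
    return { ok: false, reason };
  }
  s.lastScore = score;
  s.lastGameTime = gameTimeMs;
  return { ok: true, reason: null };
}

// Close the session and return the server-validated final score (null if invalidated).
function finishSession(token) {
  const s = sessions.get(token);
  if (!s || !s.open) return null;
  s.open = false;
  return s.lastScore;
}
```

Only the value returned by `finishSession` goes on the high-score table, so a modified client can at most submit scores the server already considers plausible.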