0

I hope you're doing well in these complicated times, good containment all around :D

So I come to my problem, currently I'm working on a game in Java and I know that it's possible to modify the jar file of my game which annoys me a little bit because it can give cheating possibilities for malicious players... I had thought of a solution even if it's not infallible, it would be to make sure to check if the jar file has not been modified. But the problem is that I don't know how to check this, I had thought of a system that would check the point of the file even if I doubt it would be the best solution.

If you have any other ideas to secure my game I would be interested :D

Lajos Arpad
  • 64,414
  • 37
  • 100
  • 175
Antox
  • 15
  • 4
  • 2
    A hash. But they can just find the hash check. Obfuscation. Can still be defeated. Server call—effectively the same as the hash. Good luck! – Dave Newton Apr 18 '20 at 01:35
  • Java has the builtin ability for the creator to _sign_ a jar; the JVM checks this signature if present, and will detect if an entry in the jar has been _modified_. The signature uses publickey cryptography which no one else can fake. But a cheater can _remove_ the signature; if you code to check for lack of signature, they can remove/alter that code. Basically this defends against third parties (i.e. someone on the network where the code was downloaded, which was Java's original use-case) not your intended user. – dave_thompson_085 Apr 18 '20 at 07:40

3 Answers3

3

It is possible to check if a JAR file on your machine has been modified. Simply compare a cryptographic hash of the current JAR file with a previously recorded hash for a pristine copy. (Or just do a byte-by-byte comparison with the pristine copy.)

But you can't do this for JAR file on the user's machine:

  • You can't login to the user's machine and access their file system to look at the JAR file. (Even if you could, there is no guarantee that you would see the file that the cheater is actually using.)
  • If your application (running on the user's machine) tries to report on the integrity of its JAR files, this can be defeated by the cheater. All they need to do is to modify the JAR file containing the reporting code to report a fake hash.

Basically, there is no reliable way to detect that a cheater is running a modified JAR ... apart from detecting the anomalous behavior of the cheat itself.

But think of it this way. If there was a good (reliable, no circumvention) mechanism for detect that a cheater is running a modified client, then cheats would not be a problem in the many online games that exist out there. And (by extension) there would be no way to defeat software license enforcement schemes ... because software vendors would use a similar mechanism.

So, my advice would be not waste too much time on this approach. It only works against people with limited technical expertise or limited motivation.

The only way to completely prevent cheats is to control the platform on which the client runs. That is usually impractical.

Stephen C
  • 698,415
  • 94
  • 811
  • 1,216
1

In regards to your question about other ideas, the best thing you can do is validate everything from the client. One thing you should always remember is that the client cannot be trusted because you cannot verify anything from it. All you can do is store the state on a remote server and when the client tells you something, validate it, and give a response if necessary or prevent the action if necessary.

Jason
  • 5,154
  • 2
  • 12
  • 22
0

You will need to somehow find out where the jar file is: Java - Search for files in a directory

Then you can check for the last modified date of the file: https://www.boraji.com/java-get-last-modified-date-of-a-file

However, I would not consider this a very powerful defense against cheating, because one can modify the jar file and remove the validation of the file date.

You will need to think about the kind of cheating that can occur and to come up with other security measures as well.

EDIT

As Dave Thompson pointed out, the modified timestamp can be changed as well, which makes the modification of the jar file unnecessary, even though reverse engineering is still needed by the hackers, because that's how they find out what the rules of the application are.

Lajos Arpad
  • 64,414
  • 37
  • 100
  • 175
  • I don't even need to modify the jar, **I can trivially set the modified timestamp** to any value I want -- on every Unix since forever this is builtin (touch), on Windows for over a decade PS does it in one line and before that I could use VBS or write a C program in about 3 lines. – dave_thompson_085 Apr 18 '20 at 07:36