5

I have a JavaScript canvas game with pixi.js that requires a player to press a certain combination of buttons to complete a level. They basically have to press the button that matches a certain color.

It turns out that players are writing bots in Python to do this task and they are getting the maximum score each time. The game is already live and users enjoy playing it so I can't really change anything gameplay-wise.

So I thought about a few possible solutions but I have some concerns.

  1. Captcha between each level
  2. Check the speed of the input
  3. Check how consistent the input is

The captcha will hurt user experience, and there are tons of videos on how to bypass it. 2 and 3 will fail after the creators of the bots understand what is happening. So I am really stuck on what I could do.

anonymous-dev

2 Answers

2

I would consider a random grace period before allowing the buttons to be clicked. This may stump some bots, but is circumventable.

Besides that, I would profile the timing of the clicks/interactions. Every time next level is requested, compare to the profile, and if they are consistently the same introduce a randomized button id, button shape (circle, oval, square, etc.), button placement (swap buttons) to avoid easy scripting. Also the font and the actual text could be varied.

I would also change the input element to <input type="image"> since it will give you the exact coordinates (if possible - I'm not familiar with pixi.js) and this will aid in the profiling.

You could also implement some sort of mouse position tracker, but people on touchscreens will not produce data for this. You could supplement with an additional check if the user input is touch, but a bot would easily be able to circumvent it.

EDIT
I don't know if some library to detect other JavaScript imports and thereby detecting potential bots would be applicable. Might be one avenue to consider.

Doing something like this: Check whether user has a Chrome extension installed to verify that you are running in a browser and not in a Python environment could be another avenue. It would mean that you restrict your users to certain browsers, and like a lot of other code, could be circumvented. Cost/benefit should be kept in mind here.
If everything is being run through the actual browser with some sort of headless interface it is not going to be useful at all.

EDIT 2
A quick googling of python automate browser game brings up a tutorial of how to automate browser games with Python. Based on a cursory glance, making your buttons move around and changing font would be effective, and even resizing the playing area "randomly" (even if you have a full screen function) may be a viable defense. Again, following the tutorial and trying to automate it using that, and seeing how to block it would be a good exercise.

You could also consider asking some students for help. This could be a good project idea for many computer studies courses that offer project-based courses. It could also be a student job type deal - if you want to ensure that you get a result and a "report".

JoSSte
  • Hi thanks for your response! I think a grace period is certainly a good idea. Sadly this is a canvas game which means I don't have elements to work with besides the canvas itself, they are in a fixed location (which in hindsight probably wasn't such a good idea). The buttons also have a unique design, so it would be difficult to swap. I agree that tracking the mouse position is circumventable. – anonymous-dev Oct 05 '21 at 11:56
  • @MikeOttink I think the best approach is to try to circumvent your checks. I have watched engineerguy on YouTube using Python to complete Android based games, using pattern recognition and such. It could be an idea to try writing your own bot and then try to hinder its operation. The goal in my view, is to spend the least energy to cause the most hindrance. I don't know if some library to detect other js imports and thereby detecting potential bots – JoSSte Oct 06 '21 at 08:26
  • 1
    We ended up going for a combination of browser detection with https://www.npmjs.com/package/detect-browser and checking the creation date of their social media account. Hoping for the best. And some other gameplay checks – anonymous-dev Oct 11 '21 at 23:27
0

I think your approach is valid. It seems a bit excessive to add CAPTCHA between each level, perhaps add it before the game starts.

It might be a good idea to check the interval between individual clicks, and define some threshold when you can safely assume that it was a bot who clicked the button.

Another approach you could take is to make it more complicated to look up the correct buttons. Approaches like randomizing the element IDs, not rendering the label inside the buttons but as separate elements (I assume it is a game with some fixed window size and you don't care about mobile that much).

I am not familiar with Pixi.js, but that could be an approach to consider.

----------------------- Edit -----------------------

What if you run your game in an iframe?

Jiri Kralovec
  • Hi thanks for your response! With pixi js you don't really work with html elements, it is a canvas game so you have 1 element that you render the canvas in. What would be the advantage of running it in an iframe if I might ask? – anonymous-dev Oct 05 '21 at 11:46
  • Some additional level of obfuscation, but that is pretty much it. – Jiri Kralovec Oct 05 '21 at 11:48
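
The click-timing checks both answers suggest (a speed threshold and a consistency profile), as an added example that is not part of either answer: it scores one level's reaction times on the server, where a client-side bot cannot edit the timestamps. The thresholds, the event shape and all function names are assumptions.

```javascript
// Added example (not from the answers). Thresholds are assumptions to be
// calibrated against timing data from real players.
const MIN_HUMAN_REACTION_MS = 120; // assumed floor for a visual reaction
const MIN_CV = 0.08;               // assumed minimum spread (stddev / mean)
const MIN_SAMPLES = 8;             // too few clicks says nothing about consistency

const mean = (xs) => xs.reduce((a, b) => a + b, 0) / xs.length;
const stddev = (xs) => {
  const m = mean(xs);
  return Math.sqrt(mean(xs.map((x) => (x - m) ** 2)));
};

// events: [{ shownAt, clickedAt }] in ms, both stamped by the server.
// shownAt is when the target colour was released, after any random grace delay.
function scoreLevel(events) {
  const reactions = events.map((e) => e.clickedAt - e.shownAt);
  const reasons = [];
  if (reactions.length === 0) return { suspicious: false, reasons };
  if (reactions.some((r) => r < 0)) reasons.push('click-before-target');
  const tooFast = reactions.filter((r) => r >= 0 && r < MIN_HUMAN_REACTION_MS);
  if (tooFast.length / reactions.length > 0.5) reasons.push('superhuman-speed');
  if (reactions.length >= MIN_SAMPLES) {
    const cv = stddev(reactions) / mean(reactions);
    if (cv < MIN_CV) reasons.push('too-consistent');
  }
  return { suspicious: reasons.length > 0, reasons };
}

// Constructed sample data: reaction times in ms for ten button presses.
const toEvents = (reactions) =>
  reactions.map((r, i) => ({ shownAt: i * 1000, clickedAt: i * 1000 + r }));
const humanLike = toEvents([312, 455, 290, 510, 388, 342, 601, 275, 430, 367]);
const fastBot = toEvents([40, 41, 40, 42, 40, 41, 40, 41, 40, 42]);
const pacedBot = toEvents([300, 301, 299, 300, 302, 300, 301, 299, 300, 300]);

for (const [name, ev] of Object.entries({ humanLike, fastBot, pacedBot })) {
  console.log(name, JSON.stringify(scoreLevel(ev)));
}
```

The paced sample passes the speed check and is caught only by the consistency check, which is why the two are scored together rather than as alternatives.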