How is this possible?

Can’t you just encrypt the values?

I mean, every time you save it, save it encrypted, and every time you need to change it -> decrypt it -> modify -> and encrypt.

Let us know what you did at the end :blink:

How great was the scam?
One player, 10 players, 100 players, 1000+ players scammed you… ?

You have how many players, 1 million + ?

I assume if the scam was less than 10% of all the buyers, then this is something “acceptable”…

I’m seeing a lot of confusion regarding the actual problem.

You guys all rock for trying to help, but @adrianm is not having a problem with the persistent storage (saved values). 

Instead, he wants to find a way to prevent hex-edits of the values in dynamic memory.

i.e. Some players are changing the values as the game is running, not the values saved to ‘persistent-memory’.

But how many players do you think will (are able to) do that? Under 5% … or?

It’s a tiny percent (less than a hundred per million)… fake IAPs are much more common. I was noticing some weird values in my db. Values like 2147483647 for in game resources (which just happens to be the max value you can store in an Int).

I came across the YouTube video when Googling for hacks and it was something I had never seen before so was sharing it as much as asking for advice really.

I also get players asking for their user name (when the game doesn’t require one) as there are other websites saying they will hack but they need a user name.  These force you to do surveys, download other games and probably get infected by malware in return for max game resources.  Obviously this is impossible.

If it gets more prevalent then I might code an encrypted in memory data-store (and let Ed turn it into a plugin).

Sorry man.

I am guessing that is a rooted Android device,  and I’m pretty sure as long as they are willing to root their device they can pretty much do anything with memory they want if they have the Skillz or someone has bundled up tools to help them do it.

I always figured that if I ever get as far as publishing a useful game, I’d add an IAP of ‘Cheat’ and see if it got me anywhere :slight_smile:

(Caveat that Cheat excludes you from Hi-Scores, Achievements etc.)

For currency games it doesn’t help, but for puzzles etc, why not!

You could do one thing to make this a little more difficult for them.

Right now, my guess is that your GUI elements are polling the values or they are the values:

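```lua
-- Polling
local gold = 1000
-- display.newText, not newRect: only text objects have a .text field
local goldLabel = display.newText( ... )
goldLabel.text = gold

-- The label is refreshed from 'gold' on every frame
local function enterFrame()
    goldLabel.text = gold
end
Runtime:addEventListener( "enterFrame", enterFrame )
```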

If you do something like this, then they can hexedit values till they find ‘gold’ and when they change it the label updates, giving them a positive ‘found it’ feedback.

So, do this instead:

```lua
-- NOT Polling
local gold = 1000
local lastGold = 1000   -- phantom copy used to detect edits to 'gold'
-- display.newText, not newRect: only text objects have a .text field
local goldLabel = display.newText( ... )
goldLabel.text = gold

local function setGold( newValue )
    gold = newValue
    lastGold = newValue
    goldLabel.text = newValue
end

local function getGold()
    -- If 'gold' was changed behind our back, restore it from the phantom copy
    if( lastGold ~= gold ) then
        gold = lastGold
    end
    return gold
end

local function incrGold( value )
    lastGold = lastGold + value
    gold = lastGold
    goldLabel.text = gold
    return gold
end

-- ... later
local tmpGold = incrGold( 10 )
-- ...
local tmpGold = incrGold( -10 )
```

This does a couple things:

  1. Now they cannot hex set the gold value and get immediate feedback.
  2. Also, having a ‘lastGold’ value helps protect against hacks.  It isn’t great, but it is opaque and a bit more difficult to work out.

You could even get meaner:

```lua
local function getGold()
    if( lastGold ~= gold ) then
        gold = 0
        lastGold = 0
    end
    return gold
end

local function incrGold( value )
    if( lastGold ~= gold ) then
        gold = 0
        lastGold = 0
        return 0
    end
    lastGold = lastGold + value
    gold = lastGold
    goldLabel.text = gold
    return gold
end
```

Hey Roaming… from the video what they are doing is working out the actual core double values for (in my case) money, gold and diamonds.  I could store them in obfuscated strings but then things like money = money - 1000 becomes much more complicated and prone to errors.

I could force online playing only and store these values on my server but my players love that they can actually play offline and that is something I am not keen on changing.

If corona blocked any threads that were not owned by corona that would negate this type of hack completely

I don’t know if you want to do this, but you could always report this user’s activity.

I’m not sure Google would do anything about it, but s/he is  (essentially) teaching folks to bypass the GooglePlay monetization system.

https://www.youtube.com/channel/UCX5BYlgl3gj54Oppmghkj2w/about

  1. I don’t see them getting the variable names unless you call your variables ‘Value’?

  2. If they are not getting actual variable names, i.e. They are hunting for values, changing them, and then checking to see if that updated the GUI, then… my suggestion of:

  • using get(), set(), and incr()  PLUS
  • Phantom copies of key variables PLUS
  • Only updating GUI from set() and incr()

will help protect you a bit more.

If they are running a ROOTed Android, and running an app as SU, then nothing Corona does will prevent this.  They are literally reading and writing memory.

I’d get meaner :slight_smile:  

```lua
-- Pseudocode: every name below is a placeholder
if money > unreasonable_amount then
    start_weirdly_killing_characters()
    mess_up_inventory()
    if been_playing > two_weeks then
        send_happy_cheating_message()
    end
end
```

Easy to get around (set to <unreasonable_amount) but a great deal of fun to mess with them :slight_smile:   Set version code to C when people complain :slight_smile:

This guy seems to make it his mission to hack games… we will call him low-life pond-dwelling wanker scum.  I guess I should be flattered!

I encrypt my local game saves and all my internet data transfers.  I guess I need to encrypt all my local in memory variables too!

I gotta go, but I’m pretty sure you can prevent casual hexedit hacking of your app with minimal changes focused on indirect access(), non-polling GUI updates, and phantom values for checking.

This shouldn’t cost too much effort or make coding too painful.  It is simply a balance of whether you think it is worthwhile.

Again, sorry this is happening to you, but scumbags and jerkoffs abound (harsh words I know, but those who steal our hard work deserve no consideration.)

Intriguing idea. An encryption-protected get()/set() variable system…

Up till now I allowed fraudulent purchases (as this is rife in certain countries) as this was actually a positive for my game.  My game relies on players creating cities and players making fraudulent purchases to create great cities actually promotes average players making legitimate IAPs to replicate.

My stance is players that make fraudulent purchases will never actually make a real purchase so it is not affecting my income stream.

I will work on protecting my in memory variables as this is a new attack vector that is relatively easy to  circumvent in pure LUA.  I’m thinking a simple base64 string representation of the double value would stop this dead.  Just a question of coding the get()/set() so it doesn’t interfere with normal game logic.  A proper class and properties implementation (as per .NET) would make this so simple!  
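One way to build the get()/set()/incr() store with a phantom check value discussed in this thread, as an added example that is not code from any poster or from Corona. `newGuardedValue` and its `onChange` callback are hypothetical names, and the sketch assumes integer resource values; it keeps only a masked copy and a check value in memory, so the number shown on screen is never stored as-is, and a mismatch is reported instead of being accepted.

```lua
-- Added example: tamper-evident store for integer game resources (pure Lua 5.1).
-- newGuardedValue and onChange are hypothetical names, not Corona APIs.
math.randomseed( os.time() )   -- not cryptographic; only varies the mask
local MOD = 2147483647         -- modulus for the check value

local function newGuardedValue( initial, onChange )
    local masked, mask, check  -- the plain value is never kept between calls

    local function checksum( v, m )
        return ( v * 31 + m ) % MOD
    end

    local function write( v )
        mask   = math.random( 1, 1000000 )  -- new mask on every write
        masked = v + mask
        check  = checksum( v, mask )
        if onChange then onChange( v ) end  -- GUI updated only here, never polled
    end

    local self = {}

    -- Returns value, ok. ok is false when the stored numbers no longer agree.
    function self.get()
        local v = masked - mask
        if checksum( v, mask ) ~= check then
            return 0, false
        end
        return v, true
    end

    function self.set( v ) write( v ) end

    function self.incr( delta )
        local v, ok = self.get()
        if not ok then write( 0 ) return 0, false end  -- the "meaner" reset
        write( v + delta )
        return v + delta, true
    end

    write( initial )
    return self
end

-- Usage with a constructed stand-in for the label (in Corona: goldLabel.text = v)
local shown
local gold = newGuardedValue( 1000, function( v ) shown = v end )
gold.incr( 10 )
gold.incr( -10 )
print( gold.get(), shown )
```

As said earlier in the thread, someone running the app on a rooted device can still read and write all three stored numbers; this only removes the search-for-the-displayed-value shortcut and makes a single edited value detectable.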

Why don’t you try GGData module for Corona?
You can find it on github.

I saw this on the marketplace store

https://marketplace.coronalabs.com/plugin/save

Does that seem like it would help or can a rooted Android device bypass that safeguard technique as well?