Is compulsory downloading of files effective in preventing cheating?

Hello everyone.

Since my game contains “PVP” ingredients, preventing cheating has become very important.

My current thinking is that when I connect to GameSparks, I download the “PVP Lua file” at the same time, and register a random number on the server as a verification code.

After the battle, it needs to pass this set of verification codes.

And because of the forced download, the battle data will become brand new even if it has been modified.

Because as far as I know, people usually unpack the package and modify the code of the file to cheat.

With the forced download, can this problem be avoided?

I would like to ask whether this understanding is correct?

Anything you do if somebody has enough time they can get around it. Most of the hacking that I have seen involves modifying memory values, not static files. In my PVP games for money (Skillz):

  1. I create a hash of the library (file) in memory and then send a server request that returns true or false depending on whether that hash matches the expected one. The hash is checked multiple times during a game and it varies based on values that the server also knows. If it is false I still let them play but their score is docked significantly.
  2. All score calculations are done on the server and who wins and loses is also done on the server. At the end of the PVP match, I request the score and winner from the server that is displayed in the app.
  3. I also keep a log of the entire game in case there is a request to review.

Anyway, even with these precautions, I am sure somebody with enough time can find a way around it. What you have suggested is a good start, but nothing is foolproof. It all depends on how much time you want to spend trying to protect the integrity of the game.

2 Likes
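An added sketch (not the poster's code) of the challenge-response hash check from item 1 above: the server issues a fresh nonce for each check, so an answer captured earlier cannot be replayed, and a failed check only docks the server-computed score. The names `IntegrityChecker`, `GOOD_LIBRARY` and `SCORE_PENALTY` are assumptions, and unlike the post this version keeps the pass/fail result on the server.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the known-good battle library the server keeps a copy of.
GOOD_LIBRARY = b"function damage(atk, def) return math.max(1, atk - def) end\n"
SCORE_PENALTY = 0.5  # assumed factor; the post only says the score is docked


def library_digest(nonce: bytes, library: bytes) -> str:
    """Keyed hash of the library; it varies with a value the server also knows."""
    return hmac.new(nonce, library, hashlib.sha256).hexdigest()


class IntegrityChecker:
    """Server side: issues one-time challenges and verifies the answers."""

    def __init__(self, good_library: bytes):
        self._good = good_library
        self._pending = {}   # match_id -> outstanding nonce
        self.failed = set()  # matches with at least one failed check

    def challenge(self, match_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[match_id] = nonce
        return nonce

    def verify(self, match_id: str, answer: str) -> bool:
        nonce = self._pending.pop(match_id, None)  # each nonce is single-use
        if nonce is None:
            self.failed.add(match_id)  # answer with no outstanding challenge
            return False
        expected = library_digest(nonce, self._good)
        ok = hmac.compare_digest(expected, answer)  # constant-time comparison
        if not ok:
            self.failed.add(match_id)
        return ok

    def final_score(self, match_id: str, server_score: int) -> int:
        # The match is allowed to continue after a failure; only the score is reduced.
        if match_id in self.failed:
            return int(server_score * SCORE_PENALTY)
        return server_score
```

A passing check shows only that the responder can hash the good bytes, so it complements server-side scoring rather than replacing it.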

Thank you for your response, it is very helpful.

Let me talk about it first, almost all of my operations are running on the server. The client just tells the server to perform an event, and the correctness of the event is all running on the server, so I don’t worry about the possibility of inventory or coins being modified.

But there’s no way to do this with regard to battles. I have many different cards with different abilities, so a battle will have tens of thousands of data, and the server’s fairness policy can only run 1,000 at a time, so I can’t let the battle calculation be performed entirely on the server.

Although I have tried many ways, all seem to be cracked…

One way I am thinking of now is that I manually update my Lua file at any time, give it a set of super long UTF-8 random numbers at any time, update the server file, and upload it to Amazon S3 at any time. After that, a file must be downloaded once for every game (approximately a few KB can be downloaded in less than 1 second), and that file contains the latest key, which can be paired with my server. I use this to check that the player has downloaded the new battle logic Lua file.

It’s just an idea, and it seems that it will be cracked, but it may make the other party feel bored and give up.

The safest and easiest way is to have an authoritative server that handles all gameplay logic. You can’t trust anything that is coming from the player’s end. Downloading a file every time just seems like an extra step and an extra cost, not extra security.

2 Likes

Although it is true.

But enterprise-level services are too expensive…

Except that I can make some judgments in the server, for example, the difference between the two sides in the battle is too large, but they won abnormally.

The only thing left is that when the player finds a strange point during the battle, report it to me, and then I will track the data of that person to judge this way.

Having said that, if I use Firebase to additionally record each step in real time, can it improve security?

Is your game turn-based or real-time?

real-time game

Anti-cheats in real-time games are substantially more difficult and costly to implement.

Also, the type of game and how it works plays into this significantly.


In some situations, if the players’ profiles (or relevant data) are stored on your server, then you could share the necessary information with both players at the start of each match.

As the match plays on, both players’ devices would locally track the actions of the other player. Then, at the end of the match, you’d compare the actions taken on both devices locally and if they don’t match up, then cheating may have occurred.

You could then create a trust based algorithm on a server that will ban people after a certain point or you could manually review these, but if your game becomes popular, then this would be an insurmountable task. Similarly, if your game doesn’t become popular, then this entire discussion about anti-cheat measures wouldn’t matter.

Regrettably, there isn’t a magic pill that can solve cheating in online games. This plagues AAA studios just as much as it does indies. The less code you have running on the client’s end, the safer it will be. The more you can verify, either in real-time or at the end of the matches, the better.

One low effort, low cost measure is to create a “report mechanic” in your game where users can report suspected cheaters. Then as a player receives enough votes, you’ll take a look (or outright suspend or ban them), but this kind of system is prone to abuse.

1 Like
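An added sketch (not code from the thread) of the end-of-match comparison and trust-based tally described in the post above: each device submits its record of the match, the server compares canonical digests, and a player is queued for review only after disagreeing with several distinct opponents. The log format, `TrustLedger` and `MISMATCH_LIMIT` are assumptions, and the sample matches are constructed.

```python
import hashlib
import json
from collections import defaultdict

MISMATCH_LIMIT = 3  # assumed: distinct opponents disagreed with before a review


def log_digest(actions):
    """Canonical hash of one device's record: (tick, player, action) tuples."""
    ordered = sorted(actions, key=lambda a: (a[0], a[1], a[2]))
    return hashlib.sha256(json.dumps(ordered).encode()).hexdigest()


class TrustLedger:
    def __init__(self):
        # player -> set of opponents whose record disagreed with theirs
        self.mismatched_opponents = defaultdict(set)

    def settle(self, player_a, log_a, player_b, log_b) -> bool:
        """Return True when both devices recorded the same match."""
        if log_digest(log_a) == log_digest(log_b):
            return True
        # One mismatch cannot say who tampered, so it counts against both sides.
        self.mismatched_opponents[player_a].add(player_b)
        self.mismatched_opponents[player_b].add(player_a)
        return False

    def needs_review(self):
        # Honest players disagree with few opponents; a tamperer with many.
        return sorted(p for p, opponents in self.mismatched_opponents.items()
                      if len(opponents) >= MISMATCH_LIMIT)


def demo():
    """Constructed sample: 'mallory' reports a card play no opponent saw."""
    ledger = TrustLedger()
    for opponent in ("alice", "bob", "carol"):
        seen = [(10, opponent, "play:knight"), (12, "mallory", "play:archer")]
        claimed = seen + [(13, "mallory", "play:dragon")]
        ledger.settle(opponent, seen, "mallory", claimed)
    clean = [(5, "alice", "play:knight"), (7, "bob", "play:archer")]
    ledger.settle("alice", clean, "bob", list(reversed(clean)))
    return ledger.needs_review()
```

Counting distinct opponents rather than raw mismatches keeps one pair of accounts from pushing an honest player over the limit by replaying matches against them.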

Yes, the turn-based system is much easier than the real-time system.
But today’s popular games are almost all real-time games, or idle games.

And I do put everything in the server, although I have also thought that if someone plays a game, it will be sent back to my computer for simulation, but it seems not feasible. If there are many games at the same time, then my computer can’t load…

Indeed, there are few games that can completely resist cheating. The popular “Overwatch” or the commonly heard “CS”, such as these big games, can’t completely prevent cheating.

But it seems that we still need to do something to make players think that I am blocking cheating.

I want to know, is it really invalid to download the overlay file?

If this method is useless, then I will use the reporting mechanism. Although there may be problems with abuse, this seems to be the most effective method. After all, the world’s most famous game "LOL" also has a lot of cheating. And their approach is the whistleblowing mechanism.

Downloading a Lua file every time poses certain problems. First, there are the costs and “the logistics”. Then, you still have the same problem that the file would be processed on the user’s device where they can tamper with it.

You’d need to send the file either with or without encryption, but the problem again is that the user has access to the device and the source code, so if they know what they are doing, they can undo the encryption. Now if they have unencrypted it, they could write whatever code they want to such a file. Also, since the code would be sideloaded, you’d potentially run afoul of Apple and Google’s store guidelines.

I’m not an authority on this matter, but I personally wouldn’t pursue that idea into production.

It’s more important that the game feels fair and that its anti-cheat measures seem effective. For instance, if a person reports someone, there should be some indication that their report mattered or that it was looked at, even if only a fraction of the reports lead anywhere. The system needs to feel like it’s working as expected.

1 Like

Oh, and I didn’t initially realise that you meant League of Legends. :smiley:

That game, while it does have a report system, also utilises various advanced anti-cheat measures. The reporting system primarily exists to catch players who behave in a way that other players perceive as undesirable.

Thank you for your comments.

Then I will adopt a reporting system. I will let the player know the combat power value of the opponent. This combat power value is completely performed by the server. If the player’s combat power against the opponent is significantly lower than itself, it is suspicious, then I monitor that person’s data and check it out.

Having said that, the low end of LOL seems to have a very bad ecology. It seems that players will have various ways to crack, and in the end, they can only report as much as possible. :joy: