Title: Verifying the client
Post by: Quarry on February 03, 2013, 07:58:55 AM

Hello Tigs, I'd like to know if a server can detect client modifications remotely. I'm using Java for most of my projects and as you know JARs are modifiable. This is an issue especially for multiplayer games as hacking is easily doable (even with obfuscation it doesn't take long for hacks to appear)
Thanks

Title: Re: Verifying the client
Post by: Eigen on February 03, 2013, 08:03:21 AM

What kind of data are you trying to protect on client side? If it's code, don't bother because in the world of multiplayer you never trust the client. Modifying graphics or whatever else assets doesn't really matter.
Client only sends the input, server validates it, simulates the action and sends back the result.

Title: Re: Verifying the client
Post by: Manboobs on February 03, 2013, 08:11:45 AM

Eigen is right. Even if you did something like an MD5 check to see if the client program has been modified, the response can be faked. You can never fully protect the client software, but you can prevent a modified client from ruining the gameplay for others. You'll have to do sanity checks on everything the server receives, to make sure a client isn't trying to do something funny. Don't give out character positions and stuff, unless a player is close, etc. You basically treat the client like a dumb terminal.
Title: Re: Verifying the client
Post by: PompiPompi on February 03, 2013, 10:39:08 AM

I remember I was told a long time ago that PunkBuster somehow analyzes the memory of the client and maybe sends it to the server? No idea.
In any case, there are several things. First, you can encrypt the communication between the client and the server which will make it harder to just sniff the data and see what is sent while playing. (I think). You can also make the client a dummy "terminal". That means you don't trust the client with any calculation. A simple example: you don't trust blindly the position the client reports of its player. In this case the client is only responsible to draw the graphics and send the input to the server.

Or... you can just not give a ffff and trust the client because if you will get to the point that people will want to hack your game you could by then refactor your game and use the abundance of resources from all the people who want to play your game so hard they're actually gonna bother to hack it.

Title: Re: Verifying the client
Post by: zalzane on February 03, 2013, 11:39:03 AM

md5 the executable and any dlls
Title: Re: Verifying the client
Post by: Eigen on February 03, 2013, 11:46:42 AM

Quote: md5 the executable and any dlls

That doesn't stop you from modifying outgoing/incoming packets. You simply can't have any important game logic on client-side.

Title: Re: Verifying the client
Post by: zalzane on February 03, 2013, 11:50:42 AM

Quote: md5 the executable and any dlls
Quote: That doesn't stop you from modifying outgoing/incoming packets. You simply can't have any important game logic on client-side.

It's one layer of protection of many. Not to mention, the only way to directly modify outgoing or incoming packets without using dll injection would be to create a virtual network that the game connects to (think hamachi), have the executable that runs the network perform the modifications required, then redirect that traffic to the true network. Or hell, you could just go into the executable and remove the md5 check. There is no black and white solution to this problem.

And yes, in a multiplayer environment, never have any game logic client side that isn't validated by the server. This is probably the most important precaution to take.

Title: Re: Verifying the client
Post by: Quarry on February 03, 2013, 12:33:44 PM

I thought of hashing the code and verifying them with the updated ones at the server but as I said, it's Java and the players can hash the files themselves, get results and edit the code so that it actually posts the fake legit hashes
Title: Re: Verifying the client
Post by: zalzane on February 03, 2013, 12:40:09 PM

the industry solution to the problem is to have a blacklist of cheating programs and to ban based on whether any matches are found
Title: Re: Verifying the client
Post by: Raptor85 on February 03, 2013, 01:31:51 PM

Quote: the industry solution to the problem is to have a blacklist of cheating programs and to ban based on whether any matches are found

this bandage solution doesn't work at all, most games that rely on this are completely overrun with cheating, the first few posts are completely right, anything important keep it server side, client should only send REQUESTS for the actions it wants to do and simulate the effect client side, but the server should have the final say to all clients in every case. Also NEVER send more information to the client than the client needs, 99% of games plagued by bots and cheats stem from this issue. For instance if there's 30 players in a fps match and you have no way to visually see the other 29, the server should not be sending you their locations...etc...this also has the nice side effect too of keeping the network cleaner, and smoother running for all involved.

No matter how much PunkBuster and other crap you force on the client it's still easily bypassed, and as a side effect tends to keep the game from running properly on many clients that AREN'T cheating. (PunkBuster especially is absolutely notorious for this....which is why most MMOs that were using it are not anymore)

Title: Re: Verifying the client
Post by: ThemsAllTook on February 03, 2013, 01:54:34 PM

Yep, there's no possible way to verify that a client is unmodified. Sending input events and letting the server run the simulation is the way to go.
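
The approach the replies converge on (the client sends only input, the server simulates the move and sends back only what that player can see), as an added Java sketch that is not part of the thread. The class and method names and the values of MAX_SPEED, TICK_SECONDS and VIEW_RADIUS are assumptions made for illustration.

```java
import java.util.*;

// Added illustration of a server-authoritative tick; all names are hypothetical.
public class AuthoritativeServer {
    static final double MAX_SPEED = 5.0;     // units per second (assumed game rule)
    static final double TICK_SECONDS = 0.1;  // fixed by the server, never by the client
    static final double VIEW_RADIUS = 30.0;  // assumed visibility range

    static final class Player {
        final String id; double x, y;
        Player(String id, double x, double y) { this.id = id; this.x = x; this.y = y; }
    }

    private final Map<String, Player> players = new HashMap<>();

    void join(String id, double x, double y) { players.put(id, new Player(id, x, y)); }

    // The client sends a direction, never a position. The server sanity-checks
    // it and runs the movement itself.
    void applyInput(String id, double dx, double dy) {
        Player p = players.get(id);
        if (p == null || !Double.isFinite(dx) || !Double.isFinite(dy)) return; // drop junk
        double len = Math.hypot(dx, dy);
        if (len == 0 || !Double.isFinite(len)) return;
        // Normalising to unit length means an inflated vector buys no extra speed.
        p.x += dx / len * MAX_SPEED * TICK_SECONDS;
        p.y += dy / len * MAX_SPEED * TICK_SECONDS;
    }

    // Only players within the viewer's radius go into the snapshot, so a
    // modified client has no hidden positions to reveal.
    List<String> snapshotFor(String viewerId) {
        Player v = players.get(viewerId);
        List<String> visible = new ArrayList<>();
        if (v == null) return visible;
        for (Player o : players.values()) {
            if (o != v && Math.hypot(o.x - v.x, o.y - v.y) <= VIEW_RADIUS) {
                visible.add(String.format(Locale.ROOT, "%s@%.1f,%.1f", o.id, o.x, o.y));
            }
        }
        return visible;
    }

    public static void main(String[] args) {
        AuthoritativeServer s = new AuthoritativeServer();
        s.join("alice", 0, 0); s.join("bob", 10, 0); s.join("carol", 500, 500);
        s.applyInput("alice", 1000, 0);           // constructed input: oversized vector
        System.out.println(s.players.get("alice").x);
        System.out.println(s.snapshotFor("alice"));
    }
}
```

A real server would also cap how many inputs it accepts from each client per tick, since the speed limit above applies per call.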