I'm planning to make a web-based game (using three.js and socket.io), and one of my main concerns is protection against cheating.
I know the basics to make a secure game, i.e.:
Never trust the client, client is only for rendering and input capturing
Put your game logic server-side
The best anti-cheat is the human
Knowing that, the vulnerabilities I have no idea how to protect against are precisely those that concern the client and that the server can't check. For example, as an attacker, I can:
modify the renderer or shaders to make walls invisible (wallhack)
modify position of the camera, that is simply in a variable
inject code that will input for me (aimbot)
In classic games (executables), there are programs that can detect illegal operations. Usually, anti-cheats inspect the assembly and check that no DLLs are being injected.
Maybe there is an obfuscator that is specialized in this task (even if it means losing performance)?
I haven't done all the research yet but I hope that some of you have already been confronted with this problem, and can save me a lot of time by orienting my research.
Thanks a lot
If you wanna do an "anti-cheat" engine, you'll have to do that. You can add anything you want client-side, to facilitate the server-side work, but you must never trust the client. All the logic you have must be at least server-side. You can reproduce it client-side if you want, but no client-side-only solution will do it.
After the basics:
If you don't mind wrapping HTTP, then use ExpressJS
Take a look at this code for express-blacklist and express-defend:

    var express = require('express');
    var expressDefend = require('express-defend');
    var blacklist = require('express-blacklist');

    var app = express();

    // Reject requests from addresses already listed in blacklist.txt
    app.use(blacklist.blockRequests('blacklist.txt'));

    // Track suspicious requests per IP; after maxAttempts, add the IP to the blacklist
    app.use(expressDefend.protect({
        maxAttempts: 5,
        dropSuspiciousRequest: true,
        logFile: 'suspicious.log',
        onMaxAttemptsReached: function (ipAddress, url) {
            blacklist.addAddress(ipAddress);
        }
    }));

As they aren't registered with socket.io, they will only be affected by the Express route.
Take a look at this: https://github.com/hrt/AnticheatJS
This is good software you might want to look into: https://www.tuxbihan.org/software/top-05-anti-cheat-software-to-make-fair-for-gamers/
Hope this helps!
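One way to apply the "never trust the client" rule from the question and answer above, as an added example that is not part of the original posts: the server accepts only movement intents, measures elapsed time on its own clock, and sends each client only the entities within range, which limits what a modified renderer can reveal. The socket.io wiring is omitted, and every name and constant (createPlayer, applyInput, snapshotFor, MAX_SPEED, VIEW_RADIUS, MAX_INPUTS_PER_SEC) is an assumption.

```javascript
// Added example: server-authoritative input handling (all names are hypothetical).
const MAX_SPEED = 5;            // world units per second the server allows
const VIEW_RADIUS = 30;         // entities farther away are never sent to a client
const MAX_INPUTS_PER_SEC = 70;  // slightly above a 60 Hz client tick

function createPlayer(id, x, y) {
  return { id, x, y, lastInputAt: null, windowStart: -Infinity, inputsInWindow: 0, flags: 0 };
}

// The client sends an intent {dx, dy}; it never sends a position or a timestamp.
// Returns true if the input was applied, false if it was rejected and flagged.
function applyInput(player, input, nowMs) {
  // Bound the per-client message rate; excess messages are dropped and counted.
  if (nowMs - player.windowStart >= 1000) {
    player.windowStart = nowMs;
    player.inputsInWindow = 0;
  }
  player.inputsInWindow += 1;
  if (player.inputsInWindow > MAX_INPUTS_PER_SEC) {
    player.flags += 1;
    return false;
  }
  // Reject anything that is not a finite number.
  const dx = Number(input && input.dx);
  const dy = Number(input && input.dy);
  if (!Number.isFinite(dx) || !Number.isFinite(dy)) {
    player.flags += 1;
    return false;
  }
  // Clamp the direction vector to unit length so a huge dx cannot buy extra speed.
  const len = Math.hypot(dx, dy);
  const nx = len > 1 ? dx / len : dx;
  const ny = len > 1 ? dy / len : dy;
  // Elapsed time comes from the server clock and is capped at 100 ms per input.
  const dt = player.lastInputAt === null
    ? 0
    : Math.min((nowMs - player.lastInputAt) / 1000, 0.1);
  player.lastInputAt = nowMs;
  player.x += nx * MAX_SPEED * dt;
  player.y += ny * MAX_SPEED * dt;
  return true;
}

// Per-client snapshot: only entities inside the viewer's radius are included,
// so data about distant or hidden players never reaches that client.
function snapshotFor(viewer, players) {
  return players
    .filter(p => p.id !== viewer.id &&
      Math.hypot(p.x - viewer.x, p.y - viewer.y) <= VIEW_RADIUS)
    .map(p => ({ id: p.id, x: p.x, y: p.y }));
}
```

The `flags` counter is where a human moderator, the "best anti-cheat" from the question, would pick up accounts for review.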
Related
I need to reduce the volume of a radio that plays in the browser, play a song in my Electron app, then raise the radio volume in the browser again. Is it possible to do it on Electron?
I searched for a library that made isos but I couldn't find anything.
Explained
You could simply do it via the DOM within a renderer process. Keep in mind, you wouldn't be able to approach the problem like this if you desire to handle volume within the main process, simply because you cannot access the DOM within the main process.
I mean this may not be the best way; however, it's a simple way, at least in my opinion, and it saves having to include any more dependencies in the project, thus, in my opinion, possibly making it more stable and reliable. With this approach, you wouldn't have to worry about 'x' dependency changing, except for Electron itself. I may even go as far as to say that it could also be more performance friendly, as you don't need to load in another dependency, although I'm not confident enough to say that all of this is a solid fact; this is, for the most part, opinion based.
I am trying to make an io game using Phaser and NodeJS/Socket.io. I realized to prevent cheating I need to make an authoritative server that runs the game.
While trying to architect the server, I wasn't sure what to do for collisions. Right now my idea is to divide the canvas into tiles and check each tile for collisions, but that still seems like a lot of work for each update. On the flip side, I could loop through all attack sprites and look for overlaps with specific tiles, and then check the sprites in those tiles. I am afraid this is too slow, but I might be wrong. Does anyone have any better ideas?
And does anyone have any recommendations for server side physics engines so that maybe I don't have to do the math for collisions and movement?
Good thinking. The best way to do it afaik is to use a method called binary space partitioning, where you split your world up into chunks, then check for collision of objects only within those chunks. If you have an object on one side of your world, for instance, you will not need to check for a collision between that object and another object on the other side of your world in a different chunk.
If you haven't done it before, you might not want to write your own physics engine since there are so many options available. Even Bullet3D has a web port known as Ammojs. Iirc there is a version that works with node, but you'll have to do some work with multithreading or replace the webworkers to get it working right.
Here is a blog post by someone else who got a socket and node game up and running with Box2d as the physics engine:
http://paal.org/blog/2012/07/06/running-box2d-on-server-with-node-js-via-socket-io/
https://www.youtube.com/watch?v=5ty6wA2wSX4
Keep in mind, even if you're running it on an authoritative server at say, 60fps, at some point you might want to run it on the client as well, especially if the client is updating between renders from the server. You MIGHT have to write some prediction or interpolation code so that the animations don't look super janky.
Hope this helped.
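The chunking idea from the question and answer above, written as a uniform grid broad phase for the authoritative server. This is an added example, not code from the original posts; the cell size, the box shape `{id, x, y, w, h}` and all function names are assumptions.

```javascript
// Added example: grid broad phase for server-side collision checks (names are hypothetical).
const CELL = 64; // cell edge length in world units (assumed; tune to typical sprite size)

// Insert each axis-aligned box {id, x, y, w, h} into every grid cell it touches.
function buildGrid(boxes) {
  const grid = new Map();
  for (const b of boxes) {
    const x0 = Math.floor(b.x / CELL), x1 = Math.floor((b.x + b.w) / CELL);
    const y0 = Math.floor(b.y / CELL), y1 = Math.floor((b.y + b.h) / CELL);
    for (let cx = x0; cx <= x1; cx++) {
      for (let cy = y0; cy <= y1; cy++) {
        const key = cx + ',' + cy;
        if (!grid.has(key)) grid.set(key, []);
        grid.get(key).push(b);
      }
    }
  }
  return grid;
}

// Exact overlap test, run only on pairs that share a cell.
function overlaps(a, b) {
  return a.x < b.x + b.w && b.x < a.x + a.w &&
         a.y < b.y + b.h && b.y < a.y + a.h;
}

// Returns the colliding id pairs and how many exact tests were needed.
function findCollisions(boxes) {
  const seen = new Set();   // a pair spanning several cells is tested only once
  const pairs = [];
  let tests = 0;
  for (const bucket of buildGrid(boxes).values()) {
    for (let i = 0; i < bucket.length; i++) {
      for (let j = i + 1; j < bucket.length; j++) {
        const a = bucket[i], b = bucket[j];
        const key = a.id < b.id ? a.id + '|' + b.id : b.id + '|' + a.id;
        if (seen.has(key)) continue;
        seen.add(key);
        tests++;
        if (overlaps(a, b)) pairs.push(key);
      }
    }
  }
  return { pairs: pairs.sort(), tests };
}

// Constructed sample: five sprites, two overlapping pairs far apart from each other.
const SAMPLE = [
  { id: 'a', x: 0, y: 0, w: 10, h: 10 },   { id: 'b', x: 5, y: 5, w: 10, h: 10 },
  { id: 'c', x: 500, y: 500, w: 10, h: 10 }, { id: 'd', x: 505, y: 505, w: 10, h: 10 },
  { id: 'e', x: 1000, y: 0, w: 10, h: 10 },
];
```

On the constructed sample, `findCollisions(SAMPLE)` needs 2 exact tests where checking every pair would need 10.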
I am designing a little soccer game where the game engine (that computes player moves etc.) runs on a server, and rendering and keyboard/mouse handling is done by the client. For the server (Haskell) I want to use
Happstack for client-server communication
Yampa / Reactimate for the game engine
Every 20ms or so, the client should send keyboard and mouse events to the server via HTTP GET, receive the current game status (JSON-encoded ball and player positions) and render it. I am thinking about using SDL infrastructure for the game loop, input handling and rendering.
The server basically runs two threads: A happstack server receives the HTTP GET, puts the keyboard / mouse commands in a queue, reads the current game status from a second queue and answers the HTTP GET request.
The second thread runs a Yampa game engine, as described in the Yampa Arcade paper: The game engine computes the new round as quickly as possible (no ticks) and puts the result in the render queue.
General question: Does this look like a feasible architecture?
Specific question: How would one design the server side rendering queue: Would one use a Chan for this? If the game engine is quicker on average than the "ticking" on the client side, the queue will get longer and longer. How could this be handled with Chan?
Your comments are very welcome!
Could you explain a bit more about the game itself? When I think of a soccer game I think of a game that requires real-time feedback, where input should be handled instantaneously, and I would expect player input information to be sent over the network immediately. 20ms is quite a delay and I believe it would be noticeable: when the player holds down the key trying to move his/her character it will probably feel jerky, the kind of jerkiness experienced with certain types of garbage collectors.
I also do not understand why you would want to use HTTP for such a game (any game for that matter), almost all games use UDP and I would probably go down this route for your type of game. This tutorial looks great for learning about that kind of stuff.
I would also question your choice of network data format: why would you want a format that would require non-trivial parsing/formatting when receiving/sending? I'd imagine that when sending lots of data, and frequently, this would add up to significant time. If I was going to use strings I would try to use the simplest format that requires very minimal parsing. A related system that I worked on was a multi-process real-time system using sockets to communicate, and originally it used XML strings as the network data format and it was terribly inefficient, and all the processes were on the same machine.
Regarding Yampa & server-side rendering: if we think of FRP in the context of games as a means of implementing game logic & entities, I believe most networked games have server & client entities. Typically objects that are renderable are client entities and non-renderable are server entities, and I guess that some entities have representation on both. So in that case you probably want to have Yampa running on both the server & the client side, and I would try to avoid anything related to rendering on the server side. Renderable objects should predominantly stick to the client side, I believe. Is there a specific reason why you want to have render commands coming from the server?
If you only want to ever give the latest game state, don't use a chan or a queue, use a samplevar: http://hackage.haskell.org/packages/archive/base/latest/doc/html/Control-Concurrent-SampleVar.html
In case you're interested, I also wrote a similar server-client based soccer game in Haskell once. You can find the source code at github (server, client). As I was quite a Haskell beginner back then, I ran into some problems regarding threading (and blogged about them) and never really finished the project, but you can at least see from the code how not to do it. (In the end I ditched the server-client architecture and wrote freekick2.) I do think the architecture itself is feasible, though.
However, like snk_kid writes, I don't know why you'd want to use HTTP. To have it running across a network without (noticeable) latency, you'll probably have to use UDP as well as client side prediction (here's some informative material).
I'm trying to build a Quicksilver style search system for the internal web app that we develop at work. There are plenty of examples of really cool front ends for this using JQuery or MooTools or whatever. None of these examples really talk about the back-end. As far as I can tell, these examples assume the back-end is searching a single table or, at least, performing a single query. What I want to do is design a system where you can, literally, type anything at all at it and find what you were looking for. Ideally, I want to be able to just write plugins for this system, drop them in, and start searching.
I have a solution where the back-end uses the observer pattern to send the query to different plugins for each type of search. However, this will return the results from all the plug-ins as one chunk. This could get noticeably slow if there are many kinds of searches. I'd like it to be quick and return the results in a more asynchronous fashion where results are displayed as they come in, a la OS X's Spotlight or Quicksilver.
Another solution is to write, on the fly, a javascript array with the names of the plug-ins to be used. I could then fire off separate calls to the server with the query, one for each plug-in. Something about this solution seems... off to me. I can't exactly put my finger on it though.
So, my question is: does anyone have any better solutions for building a plug-in based search system where the individual search types are not known before the page is loaded and the results are returned ASAP?
Another solution is to write, on the fly, a javascript array with the names of the plug-ins to be used. I could then fire off separate calls to the server with the query, one for each plug-in. Something about this solution seems... off to me. I can't exactly put my finger on it though.
This does not seem like that bad of an option. It gives you everything you need.
You need search results to come back as soon as they can.
It allows you to use your existing plugin architecture, I believe.
It follows the KISS principle.
It is not a new solution, but I think that it is the easiest.
Regards.
You could do a Comet style solution that used long polling in Ajax to get results for the search. Make one place for the script to call that will give back the results of all the plugins as they come in. This method allows you to get the quick results displayed sooner.
Having an array of plugins is an option, but some browsers are limited to 2 requests at a time, so that would limit the number of requests being kicked off and could cause a fast process to have to wait for the slow processes.
It sounds like you are getting close with the back end you have; just make it provide the data as it comes in. Also, this will allow you to add and remove plugins on the fly without affecting the JS, so no worries about cached array lists.
A few thoughts on the back end from comment. Build a work queue so search requests can be farmed out to many workers. It would be possible to implement the work queue in a DB or through a web service so you could use other languages or even computers to do the work for each search. The work call would need some id to pass back to direct the data at the correct client. Also you would want a way to remove jobs from the queue or at least mark all work for a client as void if that client goes away. (You should be able to detect this if you are using long polling.)
Connection limits:
IE7 for HTTP1: 4
IE7 for HTTP1.1: 2
IE8 for HTTP1: 6
IE8 for HTTP1.1: 6
From all the comments and talk it seems like you want to build this on the front end.
Don't build an array of plugins to call; it forces you to worry about caching when changing out plugins. What you should do instead is build a bootstrap system. It would be a simple ajax call that gets a list of plugins with their URLs to call. This will allow you to turn plugins on and off from a central location and it will work better.
You will have to make each of your plugins into a web service instead of a plugin so each can be called independently. Make sure to use mediasalve's link about the number of connections, because it will be limited by browsers if you don't get around it.
I want to code a trading bot for Magic: The Gathering Online. This bot should wait until someone offers to trade, accept, look through the cards available from the other trader (the information is shown on screen), and perform other similar functions. I have several questions:
How can it know that someone is offering a trade?
How can it know that the other trader has some card (the information is stored in pictures)?
I just cannot imagine right now how to do it. I have no experience with it; until now I've been coding only console programs for my physics necessities.
First, you should note that some online games forbid bots, as they can give certain players unfair advantages. The MTGO Terms of Service do not seem to say anything about this, though they do put restrictions on anything that might negatively impact the service. They have also said that there is a possibility they will add an API in the future, so they don't seem to be against the idea of automation, but are not supporting it at the moment. Tread carefully here, but it looks like it should be OK to write a bot as long as it is not harmful or abusive. This is not legal advice, and it would be a good idea to ask the folks who run MTGO for permission. Edit: since I wrote this, it has been pointed out that there are lots of bots already, so there should be no problems writing bots.
Assuming that it is not forbidden by the terms of service, but they do not have an API, you will have to find a way to detect what's going on, and control the game automatically. There's a pretty good series of articles on writing poker bots (archived copy), which has some good information on how to inject a DLL into an application, scrape the screen, and control the application. That might provide you with a starting point for doing this sort of thing.
You might also want to look for tools that other people have already written for doing this. It looks like there are several existing MTGO bots, but they all seem a bit sketchy (there have been some reports of them stealing passwords), so be careful there.
Edit
Since this answer still seems to be getting upvotes, I should probably update it with some more useful information. Since writing this, I have found a great UI automation system called Sikuli. It allows you to write programs in Python that automate a GUI. It includes image recognition features which make it very easy to recognize buttons, cards, and other UI elements; you just take a screenshot, crop it down to include just the thing you're interested in, and do fuzzy image matching (so that changing backgrounds and the like doesn't cause the match to fail). It even includes a custom IDE that allows you to embed those screenshots directly in your source code, so you can see exactly what the code is looking for. Here's an example from the documentation (apologies for the code formatting, doing images inline in code is not easy given StackOverflow's restricted subset of HTML):
    def resizeApp(app, dx, dy):
        switchApp(app)
        # Pattern() takes a screenshot image, embedded inline in the Sikuli IDE (not reproduced here)
        corner = find(Pattern().targetOffset(3,14))
        drop_point = corner.getTarget().offset(dx, dy)
        dragDrop(corner, drop_point)

    resizeApp("Safari", 50, 50)
This is much easier to get started with than the techniques mentioned in the article linked above, of injecting a DLL into the process you are debugging. Sikuli runs entirely at the UI level, so you never have to modify the program you are automating or worry about changes to the internals breaking your script.
One thing it is a bit poor at is handling text; it has OCR features, but they aren't all that good. If the text is selectable, however, you can select the text, copy it, and then look directly at the clipboard.
If I were to write a bot to automate something without a good API or text-based interface, Sikuli is probably the first tool I would reach for.
This answer is constructed from my comments.
What you are trying to do is hard, any way you try and do it.
Arguably the easiest way to do it is to totally mimic the user. So the application presses buttons, moves the mouse, etc. The downside with this is that it is dependent on being able to recognise the screen.
This is easier if you can alter the game's files, as you can then just skin (changing the image (texture)) the required cards to a single unique colour.
The major downside is you have to have the game as the top-level window or have the game running in a virtual machine, neither of which is ideal.
Another method is to read the process's memory. You may be able to find a list of memory locations, which would make things simpler; otherwise it involves a lot of hard work and a debugger to deduce the memory addresses. It also helps (a lot) to be able to understand assembly.
The third method is to intercept the packets, and alter them. This is easier than the method above as it (at least for me) is easier to reverse engineer the protocol, as you have less information to deal with. It is just a matter of setting up a packet sniffer and performing an action with one variable different (for example, the card) and comparing the differences.
The thing you need to check is that you are not breaking the EULA. I don't know how the game works, but most of the games I have come across have a EULA that prohibits (i.e. you get banned) doing any of the things I have mentioned.