Search Unity

  1. Unity 2019.2 is now released.
    Dismiss Notice

YouTube Video Shows How Easy It Is To Cheat On A Unity Game

Discussion in 'General Discussion' started by liquify, Aug 12, 2016.

Thread Status:
Not open for further replies.
  1. liquify

    liquify

    Joined:
    Dec 9, 2014
    Posts:
    82
    I tried to find a better way to stop cheaters by searching on Google using the following keyword: "how to hack unity games with cheat engine". Some YouTube video links appeared and one of them is disturbing:

    [LINK]


    It shows that Unity games are very easily hacked. Go to 08:00. The Iron Tanks game, the game used as an example, already used the Code Stage's Anti-Cheat Toolkit, one of the most popular anti-cheat tools on the Asset Store. The hacker easily bypassed the online game security and even manipulated the game logic (!).

    Another online game example by the same hacker:

    [LINK]


    I read from some post that the game developers should not be bothered with cheaters, unless the game has:
    - Real world value attached to scores (gambling).
    - E-Sports appeal (Starcraft, League of Legends, etc).
    - Mechanics that depend on scores (Earth 2025).

    And the same post says trying to stop cheaters is a time wasting, because nobody really cares about global leaderboards all that much and there will always be someone who cheats the system.

    But currently most mobile games are freemiums which involve in-app purchases and player-versus-player feature. The cheaters can make their character stats powerful, to get rare items and golds easily. Or simply beat other players without breaking a sweat. It is okay if he keeps the cheat method to himself. But some of the cheaters bragged about their cheat methods on social media like YouTube.

    I agree that there will always be someone who cheats our games, but I think there should be some good practices or workflows that we can follow to minimize the cheats. Is there any comprehensive tutorial about Unity game security? I found the Server Side Highscores tutorial from the Unity Wiki, but I think this method will easily be hacked.

    [BOLD]EDIT:[/BOLD]
    Thanks everyone for your inputs. I don't blame Unity for the security, I just wish there is a comprehensive tutorial or guidance on how to minimize the cheats and hacks by using server side checks or other methods. As we can see from the videos, the game developers have already tried to protect the variables by using an anti-cheat plugin. Is protecting or obscuring the variables still effective? Or no need to bother obscuring the variables, because the server side check method is more effective?
     
    Last edited: Aug 13, 2016
  2. Murgilod

    Murgilod

    Joined:
    Nov 12, 2013
    Posts:
    5,919
    Except these games will be handling most everything like player stats, inventories, and currency management with server side checks, which can't be so easily hacked.
     
  3. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    6,518
    Just use IL2CPP on mobile and watch "crackers" cry. Real crackers will find a way either way if they care enough, but script kiddies will not be able to do it so easily anymore.
     
  4. liquify

    liquify

    Joined:
    Dec 9, 2014
    Posts:
    82
    Will Unity provide a comprehensive tutorial about Unity game security? As what @Murgilod said, if the games handle most everything like player stats, inventories, and currency management with server side checks, the games can't be so easily hacked.

    It would be better if Unity has a complete tutorial on this server side check or other good method, because I think the game developers should focus more on the other aspects of the game development, not more on the security issue.
     
  5. APSchmidt

    APSchmidt

    Joined:
    Aug 8, 2016
    Posts:
    2,450
    Wow, I thought this was about stealing games made with Unity and redistributing them. Players who cheat only get what they deserve: boredom. :)
     
    Ryiah likes this.
  6. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    6,518
    No, we're not in business for that. It would also be kind of useless to do so, as most of those methods depend on them being obscure. If everyone followed it, it would be much easier to circumvent.
     
  7. liquify

    liquify

    Joined:
    Dec 9, 2014
    Posts:
    82
    I think a good hacker can steal Unity games and redistributing them, like what happened to several Android games. On the YouTube video, it shows that the hacker can copy the game logic with SWF Memory Dumper and Telerik JustDecompile. I read there are methods to steal the assets from Unity games.
     
  8. liquify

    liquify

    Joined:
    Dec 9, 2014
    Posts:
    82
    I understand. So I think I have to do a research and find the method myself, since no one will create such tutorial.
     
  9. APSchmidt

    APSchmidt

    Joined:
    Aug 8, 2016
    Posts:
    2,450
    Try people who are in the counter hacking business; a game is like any other software after all. Anyway, safety is an illusion.
     
  10. Dave-Carlile

    Dave-Carlile

    Joined:
    Sep 16, 2012
    Posts:
    961
    You should first spend your energy worrying about making a game someone might want to crack.
     
  11. neginfinity

    neginfinity

    Joined:
    Jan 27, 2013
    Posts:
    6,434
    A lot of games are relatively easy to hack (to gain money/etc), if the programmer didn't implement any safety measures. Money hack is the easiest and can be usually achieved in seconds. More complex non-unity games aren't safe either.

    Here are examples of someone hacking dark souls 3 messages:

    In the end implementing anti-cheating features (assuming the game needs those - meaning it is competitive multiplayer) is YOUR job, not engine's.
     
    Ryiah and RavenOfCode like this.
  12. Kiwasi

    Kiwasi

    Joined:
    Dec 5, 2013
    Posts:
    16,480
    This. In about 15 years IL2CPP will make hacking more difficult across all platforms. Until then feel free to browse the source code of any Unity game directly. ;)

    But ultimately server side checks and logic make more sense then trying to implement client side security.
     
    AlanMattano likes this.
  13. passerbycmc

    passerbycmc

    Joined:
    Feb 12, 2015
    Posts:
    1,470
    il2cpp will help for pretty small time stuff, since you can simply open it in ilspy and see all the sources while its still a mono app. But its not a means to the end since even engines where all engine code and logic is C++ you still find hackers. To prevent cheaters, it takes doing as much work server side as possible and getting creative with how you handle client data.
     
  14. ShilohGames

    ShilohGames

    Joined:
    Mar 24, 2014
    Posts:
    2,467
    That is not really a Unity specific flaw. That video simply shows how easy it is to cheat in an online game when the online game lets the game client choose how often a player can fire. When you are concerned about cheating, the server needs to be responsible for deciding if a player can fire, how quickly a player can move, etc. In the tank game video, it is obvious the server is simply trusting the clients about things like that. The hacker simply exploited that poor networking design. That vulnerability exists in any online game where the developers made the same choices about letting the server trust the client.

    Just to be clear, no amount of IL2CPP or anti-cheat tools will get around a poor networking design issue. I realize that the hack feels extra invasive because the hacker is using tools to tear apart the Unity game, but the core issue in this example is the networking design. This is an example of an online game where the server trusts the client too much.
     
  15. GarBenjamin

    GarBenjamin

    Joined:
    Dec 26, 2013
    Posts:
    7,442
    Also keep in mind it is the Internet. If you search enough you'll likely find content on any given thing. Doesn't mean it is a common thing. In this case the video has a total of 841 views at the time I checked (just now). Many of these may have even come from this thread Unity devs themselves.

    Basically figure out who your target audience is. If it is these hackers you'd probably be better off building a game about hacking from the ground up specifically for them. If they are not your target market then don't waste energy and time thinking about it.

    It's like this... I just watched part of the video and have no interest in digging into the source of people's games around here. I imagine most other people are the same.
     
    Last edited: Aug 12, 2016
    Ryiah likes this.
  16. Dave-Carlile

    Dave-Carlile

    Joined:
    Sep 16, 2012
    Posts:
    961
    Exactly. With a trusting server a person could create their own network proxy to intercept the packets and alter them at will without the need to even look at the game code.
     
    Ryiah likes this.
  17. ShilohGames

    ShilohGames

    Joined:
    Mar 24, 2014
    Posts:
    2,467
    Yes, exactly. That has actually happened in games over the years with many different games.
     
  18. zoran404

    zoran404

    Joined:
    Jan 11, 2015
    Posts:
    519
    Or obfuscate your assemblies. It even works on all platforms.
    Not a perfect protection, but would take a really long time (and knowledge) to break.
     
  19. AlanMattano

    AlanMattano

    Joined:
    Aug 22, 2013
    Posts:
    1,079
    Knowing what player is cheating can be simple. But what to do with him when we discover that particular bad head unfair player?

    I wish an asset example in the asset store about "Cripto Games". That let you make a game in the same way a cripto currency chain is made. This can help preventing cheating.
     
  20. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    14,529
    Teila and Meltdown like this.
  21. Aiursrage2k

    Aiursrage2k

    Joined:
    Nov 1, 2009
    Posts:
    4,807
    I guess if your game has enough players to worry about hackers thats a good thing
     
    Ryiah, zoran404, Kiwasi and 1 other person like this.
  22. Aiursrage2k

    Aiursrage2k

    Joined:
    Nov 1, 2009
    Posts:
    4,807
    . Look at steamspy even free games wont even crack 20k free downloads. good luck if its paid.
     
  23. TenKHoursDev

    TenKHoursDev

    Joined:
    Nov 9, 2014
    Posts:
    1,088
    Isn't that "security through obscurity" though? TBPH from what I know the counter argument is true: if your code is open sourced then anyone can find the bugs in it. Determined attackers will find a way to crack your code wide open whether you hide it or not. The people who would fix your bugs, not so much.

    For example: Windows is closed-source, and Linux is open source. Tell me which one has more issues with security?

    I do think it would be useless in respect to the fact that very few beginners who use unity would be able to comprehend the concepts much less implement the solutions effectively. You would additionally have a lot of rookies on the boards concerned about securing their games, 99.98% of which won't need it because they won't be very popular. Yet those rookies won't be knowledgeable enough to understand any of this.
     
  24. liquify

    liquify

    Joined:
    Dec 9, 2014
    Posts:
    82
    Thanks everyone for your inputs. I don't blame Unity for the security, I just wish there is a comprehensive tutorial or guidance on how to minimize the cheats and hacks by using server side checks or other methods. As we can see from the videos, the game developers have already tried to protect the variables by using an anti-cheat plugin. Is protecting or obscuring the variables still effective? Or no need to bother obscuring the variables, because the server side check method is more effective?
     
  25. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    14,529
    You're just approaching the problem from the wrong direction. Instead of researching ways to make your application more secure in general you should start by researching how those exploits are actually implemented. Just in case you're not aware the Cheat Engine is under an open source license (APL). You're free to download and analyze it all you want.

    https://github.com/cheat-engine/cheat-engine

    Or read the explanations given by those who have done so. You may even find a solution given in the process.

    http://stackoverflow.com/questions/17512906/how-does-cheatengines-speed-hack-work
     
    Last edited: Aug 13, 2016
  26. Lockethane

    Lockethane

    Joined:
    Sep 15, 2013
    Posts:
    114
    Most obfuscators I had tried in the past on Unity didn't really do that much things like function names never got obfuscated.
     
  27. liquify

    liquify

    Joined:
    Dec 9, 2014
    Posts:
    82
    Thanks :)
     
  28. Kiwasi

    Kiwasi

    Joined:
    Dec 5, 2013
    Posts:
    16,480
    It's a bad comparison. Linux and Windows are both used by two different sets of people, for two different jobs. Linux would become just as vulnerable if you put it in the same use case as Windows.

    A more reasonable comparison might be between OSX and Windows. These both do the same job, and have very different security challenges.
     
  29. liquify

    liquify

    Joined:
    Dec 9, 2014
    Posts:
    82
    What is the tool to obfuscate the assemblies?
     
  30. Le_Tai

    Le_Tai

    Joined:
    Jun 20, 2014
    Posts:
    305
    Denuvo
     
  31. Malapropos

    Malapropos

    Joined:
    Nov 15, 2012
    Posts:
    22
    I used to make cheats for fun about 8-10 years ago. I used various tools available and later when I was better programmer made my own tools using C. Mostly offline cheats for single player games, but I found it funny that for example FFXI, a MMORPG, trusted player client with modifying location information. Bottom line is, if you want to make online multiplayer games, never trust the client. For offline games, you can try to obfuscate and hide your data as much as you want, but it'll never be safe from capable and persistent cheaters. This is also the reason you should never trust the client in multiplayer games.
     
    Kiwasi and zoran404 like this.
  32. zoran404

    zoran404

    Joined:
    Jan 11, 2015
    Posts:
    519
    The reason function names don't get changed is because when unity calls functions it does so by name. It's not that the obfuscators are bad, it's just that unity doesn't support such stuff.
    However functions names that don't correspond to unity's messages can be changed, but obfuscators don't change them most probably because those are public functions in a public class and changing them would make the assembly unusable.
     
    Ryiah likes this.
  33. CaoMengde777

    CaoMengde777

    Joined:
    Nov 5, 2013
    Posts:
    813
    wonderful!!!

    the Universe was made (the great machination wound) and God said:
    All machinations shall be unwound!

    its truly the beauty of nature
    lmao


    "Cheat Engine. A development environment focused on modding"
    excellent!!! modding of things abound!!

    "Read before download: Cheat engine is for educational purposes only. Before you attach Cheat Engine to a process, please make sure that you are not violating the EULA/TOS of the specific game/application. cheatengine.org does not condone the illegal use of Cheat Engine"

    pfft screw those laws, seriously, they go against the very nature of the universe, and the nature of the human mind and spirit (to embody the creative force) .. fools!!!

    .... man.. i should go to sleep, im getting all poetic or somecrap.. lmao
     
    Last edited: Aug 15, 2016
  34. Arowx

    Arowx

    Joined:
    Nov 12, 2009
    Posts:
    7,119
    Any news on Standalone IL2CPP as this build target has the best potential performance on the PC/Linux/Mac platforms and would provide some code obfuscation and hack protection as well?
     
  35. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    6,518
    It will always come down to security through obscurity, even if you put the important decision making on the server. Look at World of Warcraft, for example. While you cannot obtain items, cheaters use speed hacks and bots. As long as the code is executing on your machine and you have an ability to attach a debugger, you can make the game think whatever you want.

    No, we are not working on it at the moment.
     
    zoran404 likes this.
  36. zoran404

    zoran404

    Joined:
    Jan 11, 2015
    Posts:
    519
    On the topic of thread..
    Showing that unity code can easily be altered/hacked (the video shows the kinda harder way though) can be simplified to showing any Mono/.NET app can be easily hacked, since that's what unity uses.
    And since c# was kinda modeled based on java you could say that the same goes for any java app.

    But what about other high level languages? Most of them aren't even compiled and you can edit the source directly.
    (To be fair you can edit the source of a .NET assembly directly as well if you know how; or even at runtime)

    At this point you can change the title to:
    YouTube Video Shows How Easy It Is To Cheat On Any Game


    I've seen this thread pop up several times before.
    It's as if people think it's only unity games that can be easily hacked..
     
    TenKHoursDev and GarBenjamin like this.
  37. passerbycmc

    passerbycmc

    Joined:
    Feb 12, 2015
    Posts:
    1,470
    Java is just as easy to decompile as the IL assemblies from .net, and no matter what game it is you can intercept outgoing packets and modify them first, and look for patterns in the memory being used.

    If its a single player game, who cares if they cheat, if its a multiplayer game just never trust the client
     
    Last edited: Aug 16, 2016
  38. Bamoose

    Bamoose

    Joined:
    Jan 6, 2016
    Posts:
    3
    Sure, in a single player game. When it comes to a multiplayer environment, cheaters can not only harm the experience of other players but they can also completely destroy a games public image and reputation.
     
  39. APSchmidt

    APSchmidt

    Joined:
    Aug 8, 2016
    Posts:
    2,450
    Hardly, given the reputation they already have... :D ;)
     
  40. Rodolfo-Rubens

    Rodolfo-Rubens

    Joined:
    Nov 17, 2012
    Posts:
    1,100
    Well, I hope someday game streaming services become a thing. Players has no access to the game's files so there's no way to hack..
     
  41. tiggus

    tiggus

    Joined:
    Sep 2, 2010
    Posts:
    1,233
    I would have to look up the official stats on exploits recorded but I patch Linux systems on a weekly basis, I can't imagine it is that different anymore. Some of the really big remote exploits released over the last year have been targeted at the Linux libraries and services.

    Anyways in regards to games you simply cannot do everything serverside without making your game unplayable in many cases, so you have to try to validate or flag abnormal behavior after the fact sometimes.
     
    Martin_H likes this.
  42. Dave-Carlile

    Dave-Carlile

    Joined:
    Sep 16, 2012
    Posts:
    961
    Tell me which one is installed on 90% of desktop computers worldwide? That is a much more likely indicator of how many security issues will be found vs. open or closed source.
     
    Kiwasi and Martin_H like this.
  43. tiggus

    tiggus

    Joined:
    Sep 2, 2010
    Posts:
    1,233
    In case you are interested here are the 2015 numbers - scroll down for operating systems chart.

    http://www.gfi.com/blog/2015s-mvps-the-most-vulnerable-players/

    "Some specific Linux distros had more vulnerabilities than some specific Windows operating systems. There are no winners here, and by raising awareness we’re trying to be sure there are no losers."

    Also keep in mind there are many vulnerable applications that run on all of these OSes which are calculated separately than the OS itself.
     
    Ryiah and Dave-Carlile like this.
  44. PridefulDad

    PridefulDad

    Joined:
    Oct 9, 2017
    Posts:
    3
    Exactly. There is not much that can be done. Memory editing will always work on offline games. Even on mobile people are now using apps to edit memory. And honestly, if someone wants to tailor the game experience to their liking, what business is that of ours, as long as they dont sell it as their own product.

    And honestly, since a lot of especially mobile developers are now basically selling cheats, I do use apps like cheat engine myself as well. Simply because I am not willing to pay to change some memory values. Its not going to happen. And pseudo-online games that only use servers to make skipping buying cheats impossible, I do not even touch.

    We should sell content, not cheats, but that is what many of us are doing these days.
     
  45. wccrawford

    wccrawford

    Joined:
    Sep 30, 2011
    Posts:
    2,038
  46. Master-Frog

    Master-Frog

    Joined:
    Jun 22, 2015
    Posts:
    2,297
    Ahahahahah

    Back when you could just buy a game and own it, cheating was just one more way to enjoy your game.

    but in this money grubbing DLC/microtransaction world they want to tell you what you're allowed to do with their game, after you buy it... And you have to be logged in and registered to do it.

    bahahah

    Hell games used to have cheat codes built in
     
  47. SlothHawk

    SlothHawk

    Joined:
    Dec 3, 2018
    Posts:
    1
    To be fair, I've only cheated on games I've completed. For example, INSIDE is a game I'm currently working out how to hack, $20 is too much for a 5 hour game so I thought "why don't I squeeze some more playtime out of it"
     
  48. LIVENDA_LABS

    LIVENDA_LABS

    Joined:
    Sep 23, 2013
    Posts:
    199
    Most games make use of a number of AppID's for external services, multi-player, playstore, ect. So, where is the best place to put AppID's and related passwords username ect.?? AppID's are normaly just written to a public variable and even if you hardcode the username and password in your code, it can easly be viewed with programs such as .NET Reflector.

    So, this makes it very easy to hack EVEN if you're doing server side check!.. Essentially potential hacker can fully replicate app.
     
  49. zombiegorilla

    zombiegorilla

    Moderator

    Joined:
    May 8, 2012
    Posts:
    7,846
    Double necro!
     
Thread Status:
Not open for further replies.