YouTube Video Shows How Easy It Is To Cheat On A Unity Game

I tried to find a better way to stop cheaters by searching on Google using the following keyword: "how to hack unity games with cheat engine". Some YouTube video links appeared and one of them is disturbing:

[LINK]

It shows that Unity games are very easily hacked. Go to 08:00. The Iron Tanks game, the game used as an example, already used the Code Stage's Anti-Cheat Toolkit, one of the most popular anti-cheat tools on the Asset Store. The hacker easily bypassed the online game security and even manipulated the game logic (!).

Another online game example by the same hacker:

[LINK]

I read from some post that the game developers should not be bothered with cheaters, unless the game has:
- Real world value attached to scores (gambling).
- E-Sports appeal (Starcraft, League of Legends, etc).
- Mechanics that depend on scores (Earth 2025).

And the same post says trying to stop cheaters is a time wasting, because nobody really cares about global leaderboards all that much and there will always be someone who cheats the system.

But currently most mobile games are freemiums which involve in-app purchases and player-versus-player feature. The cheaters can make their character stats powerful, to get rare items and golds easily. Or simply beat other players without breaking a sweat. It is okay if he keeps the cheat method to himself. But some of the cheaters bragged about their cheat methods on social media like YouTube.

I agree that there will always be someone who cheats our games, but I think there should be some good practices or workflows that we can follow to minimize the cheats. Is there any comprehensive tutorial about Unity game security? I found the Server Side Highscores tutorial from the Unity Wiki, but I think this method will easily be hacked.

[BOLD]EDIT:[/BOLD]
Thanks everyone for your inputs. I don't blame Unity for the security, I just wish there is a comprehensive tutorial or guidance on how to minimize the cheats and hacks by using server side checks or other methods. As we can see from the videos, the game developers have already tried to protect the variables by using an anti-cheat plugin. Is protecting or obscuring the variables still effective? Or no need to bother obscuring the variables, because the server side check method is more effective?

 

Except these games will be handling most everything like player stats, inventories, and currency management with server side checks, which can't be so easily hacked.

 

Will Unity provide a comprehensive tutorial about Unity game security? As what @Murgilod said, if the games handle most everything like player stats, inventories, and currency management with server side checks, the games can't be so easily hacked.

It would be better if Unity has a complete tutorial on this server side check or other good method, because I think the game developers should focus more on the other aspects of the game development, not more on the security issue.

 

Wow, I thought this was about stealing games made with Unity and redistributing them. Players who cheat only get what they deserve: boredom.

 

I think a good hacker can steal Unity games and redistributing them, like what happened to several Android games. On the YouTube video, it shows that the hacker can copy the game logic with SWF Memory Dumper and Telerik JustDecompile. I read there are methods to steal the assets from Unity games.

 

I understand. So I think I have to do a research and find the method myself, since no one will create such tutorial.

 

Try people who are in the counter hacking business; a game is like any other software after all. Anyway, safety is an illusion.

 

You should first spend your energy worrying about making a game someone might want to crack.

 

A lot of games are relatively easy to hack (to gain money/etc), if the programmer didn't implement any safety measures. Money hack is the easiest and can be usually achieved in seconds. More complex non-unity games aren't safe either.

Here are examples of someone hacking dark souls 3 messages:

Spoiler

In the end implementing anti-cheating features (assuming the game needs those - meaning it is competitive multiplayer) is YOUR job, not engine's.

 

This. In about 15 years IL2CPP will make hacking more difficult across all platforms. Until then feel free to browse the source code of any Unity game directly.

But ultimately server side checks and logic make more sense then trying to implement client side security.

 

il2cpp will help for pretty small time stuff, since you can simply open it in ilspy and see all the sources while its still a mono app. But its not a means to the end since even engines where all engine code and logic is C++ you still find hackers. To prevent cheaters, it takes doing as much work server side as possible and getting creative with how you handle client data.

 

That is not really a Unity specific flaw. That video simply shows how easy it is to cheat in an online game when the online game lets the game client choose how often a player can fire. When you are concerned about cheating, the server needs to be responsible for deciding if a player can fire, how quickly a player can move, etc. In the tank game video, it is obvious the server is simply trusting the clients about things like that. The hacker simply exploited that poor networking design. That vulnerability exists in any online game where the developers made the same choices about letting the server trust the client.

Just to be clear, no amount of IL2CPP or anti-cheat tools will get around a poor networking design issue. I realize that the hack feels extra invasive because the hacker is using tools to tear apart the Unity game, but the core issue in this example is the networking design. This is an example of an online game where the server trusts the client too much.

 

Also keep in mind it is the Internet. If you search enough you'll likely find content on any given thing. Doesn't mean it is a common thing. In this case the video has a total of 841 views at the time I checked (just now). Many of these may have even come from this thread Unity devs themselves.

Basically figure out who your target audience is. If it is these hackers you'd probably be better off building a game about hacking from the ground up specifically for them. If they are not your target market then don't waste energy and time thinking about it.

It's like this... I just watched part of the video and have no interest in digging into the source of people's games around here. I imagine most other people are the same.

 

Exactly. With a trusting server a person could create their own network proxy to intercept the packets and alter them at will without the need to even look at the game code.

 

Yes, exactly. That has actually happened in games over the years with many different games.

 

Or obfuscate your assemblies. It even works on all platforms.
Not a perfect protection, but would take a really long time (and knowledge) to break.

 

Knowing what player is cheating can be simple. But what to do with him when we discover that particular bad head unfair player?

I wish an asset example in the asset store about "Cripto Games". That let you make a game in the same way a cripto currency chain is made. This can help preventing cheating.

 

Some companies have adopted unique ways to deal with the exploiter.

http://www.ibtimes.co.uk/guild-wars-2-hacker-publically-executed-mmo-cheating-1500648

 

I guess if your game has enough players to worry about hackers thats a good thing

 

. Look at steamspy even free games wont even crack 20k free downloads. good luck if its paid.

 

Isn't that "security through obscurity" though? TBPH from what I know the counter argument is true: if your code is open sourced then anyone can find the bugs in it. Determined attackers will find a way to crack your code wide open whether you hide it or not. The people who would fix your bugs, not so much.

For example: Windows is closed-source, and Linux is open source. Tell me which one has more issues with security?

I do think it would be useless in respect to the fact that very few beginners who use unity would be able to comprehend the concepts much less implement the solutions effectively. You would additionally have a lot of rookies on the boards concerned about securing their games, 99.98% of which won't need it because they won't be very popular. Yet those rookies won't be knowledgeable enough to understand any of this.

 

Thanks everyone for your inputs. I don't blame Unity for the security, I just wish there is a comprehensive tutorial or guidance on how to minimize the cheats and hacks by using server side checks or other methods. As we can see from the videos, the game developers have already tried to protect the variables by using an anti-cheat plugin. Is protecting or obscuring the variables still effective? Or no need to bother obscuring the variables, because the server side check method is more effective?

 

You're just approaching the problem from the wrong direction. Instead of researching ways to make your application more secure in general you should start by researching how those exploits are actually implemented. Just in case you're not aware the Cheat Engine is under an open source license (APL). You're free to download and analyze it all you want.

https://github.com/cheat-engine/cheat-engine

Or read the explanations given by those who have done so. You may even find a solution given in the process.

http://stackoverflow.com/questions/17512906/how-does-cheatengines-speed-hack-work

 

Most obfuscators I had tried in the past on Unity didn't really do that much things like function names never got obfuscated.

 

Thanks

 

It's a bad comparison. Linux and Windows are both used by two different sets of people, for two different jobs. Linux would become just as vulnerable if you put it in the same use case as Windows.

A more reasonable comparison might be between OSX and Windows. These both do the same job, and have very different security challenges.

 

What is the tool to obfuscate the assemblies?

 

Denuvo

 

I used to make cheats for fun about 8-10 years ago. I used various tools available and later when I was better programmer made my own tools using C. Mostly offline cheats for single player games, but I found it funny that for example FFXI, a MMORPG, trusted player client with modifying location information. Bottom line is, if you want to make online multiplayer games, never trust the client. For offline games, you can try to obfuscate and hide your data as much as you want, but it'll never be safe from capable and persistent cheaters. This is also the reason you should never trust the client in multiplayer games.

 

The reason function names don't get changed is because when unity calls functions it does so by name. It's not that the obfuscators are bad, it's just that unity doesn't support such stuff.
However functions names that don't correspond to unity's messages can be changed, but obfuscators don't change them most probably because those are public functions in a public class and changing them would make the assembly unusable.

 

wonderful!!!

the Universe was made (the great machination wound) and God said:
All machinations shall be unwound!

its truly the beauty of nature
lmao


"Cheat Engine. A development environment focused on modding"
excellent!!! modding of things abound!!

"Read before download: Cheat engine is for educational purposes only. Before you attach Cheat Engine to a process, please make sure that you are not violating the EULA/TOS of the specific game/application. cheatengine.org does not condone the illegal use of Cheat Engine"

pfft screw those laws, seriously, they go against the very nature of the universe, and the nature of the human mind and spirit (to embody the creative force) .. fools!!!

.... man.. i should go to sleep, im getting all poetic or somecrap.. lmao

 

Any news on Standalone IL2CPP as this build target has the best potential performance on the PC/Linux/Mac platforms and would provide some code obfuscation and hack protection as well?

 

On the topic of thread..
Showing that unity code can easily be altered/hacked (the video shows the kinda harder way though) can be simplified to showing any Mono/.NET app can be easily hacked, since that's what unity uses.
And since c# was kinda modeled based on java you could say that the same goes for any java app.

But what about other high level languages? Most of them aren't even compiled and you can edit the source directly.
(To be fair you can edit the source of a .NET assembly directly as well if you know how; or even at runtime)

At this point you can change the title to:
YouTube Video Shows How Easy It Is To Cheat On Any Game


I've seen this thread pop up several times before.
It's as if people think it's only unity games that can be easily hacked..

 

Java is just as easy to decompile as the IL assemblies from .net, and no matter what game it is you can intercept outgoing packets and modify them first, and look for patterns in the memory being used.

If its a single player game, who cares if they cheat, if its a multiplayer game just never trust the client

 

Sure, in a single player game. When it comes to a multiplayer environment, cheaters can not only harm the experience of other players but they can also completely destroy a games public image and reputation.

 

Hardly, given the reputation they already have...

 

Well, I hope someday game streaming services become a thing. Players has no access to the game's files so there's no way to hack..

 

I would have to look up the official stats on exploits recorded but I patch Linux systems on a weekly basis, I can't imagine it is that different anymore. Some of the really big remote exploits released over the last year have been targeted at the Linux libraries and services.

Anyways in regards to games you simply cannot do everything serverside without making your game unplayable in many cases, so you have to try to validate or flag abnormal behavior after the fact sometimes.

 

Tell me which one is installed on 90% of desktop computers worldwide? That is a much more likely indicator of how many security issues will be found vs. open or closed source.

 

In case you are interested here are the 2015 numbers - scroll down for operating systems chart.

http://www.gfi.com/blog/2015s-mvps-the-most-vulnerable-players/

"Some specific Linux distros had more vulnerabilities than some specific Windows operating systems. There are no winners here, and by raising awareness we’re trying to be sure there are no losers."

Also keep in mind there are many vulnerable applications that run on all of these OSes which are calculated separately than the OS itself.

 

Exactly. There is not much that can be done. Memory editing will always work on offline games. Even on mobile people are now using apps to edit memory. And honestly, if someone wants to tailor the game experience to their liking, what business is that of ours, as long as they dont sell it as their own product.

And honestly, since a lot of especially mobile developers are now basically selling cheats, I do use apps like cheat engine myself as well. Simply because I am not willing to pay to change some memory values. Its not going to happen. And pseudo-online games that only use servers to make skipping buying cheats impossible, I do not even touch.

We should sell content, not cheats, but that is what many of us are doing these days.

 

Necro!

 

Ahahahahah

Back when you could just buy a game and own it, cheating was just one more way to enjoy your game.

but in this money grubbing DLC/microtransaction world they want to tell you what you're allowed to do with their game, after you buy it... And you have to be logged in and registered to do it.

bahahah

Hell games used to have cheat codes built in

 

To be fair, I've only cheated on games I've completed. For example, INSIDE is a game I'm currently working out how to hack, $20 is too much for a 5 hour game so I thought "why don't I squeeze some more playtime out of it"

 

Most games make use of a number of AppID's for external services, multi-player, playstore, ect. So, where is the best place to put AppID's and related passwords username ect.?? AppID's are normaly just written to a public variable and even if you hardcode the username and password in your code, it can easly be viewed with programs such as .NET Reflector.

So, this makes it very easy to hack EVEN if you're doing server side check!.. Essentially potential hacker can fully replicate app.

 

Double necro!