My game cheat story starts way, way back, playing Wizardry on the Apple II. In this game, you go through a dungeon, killing monsters and collecting treasure and experience. Fun, but slow going. So I found out where in memory these values are stored and started manipulating them, giving myself tons of experience and new treasures.
Everything went fine until I put in an invalid treasure value which apparently caused some random memory locations to be modified, corrupting the game. Unfortunately, game state was written back to the same floppy disk that holds the game itself, rendering the game unplayable.
Fortunately, I could borrow a second floppy drive, borrow an uncorrupted copy of the game, and repair the game with a disk-to-disk copy. Unfortunately, I plugged in the disk drive connector crooked, sending -12 volts into a chip on the controller board that didn't want -12 volts. The result was a "pop" and a disk controller that no longer worked. Needless to say, my father wasn't happy.
Finding the problem was easy - it was the chip with a square hole blown out of it where the silicon had vaporized. Unfortunately getting a replacement chip wasn't easy when you live in the middle of nowhere. So I built a replacement circuit on a solderless breadboard and wired it into the controller board, and everything worked fine until I could get the proper replacement chip.
Neat story. I guess cheating by trial and error doesn't work so well when the impact of an error is physical...
I got into programming through cheating. When I was a little kid I wanted to win at some ZX Spectrum game - Treasure Island Dizzy or something like that. Fortunately, Your Sinclair magazine published a guide on how to PEEK and POKE your way to unlimited lives. That blew my mind, and I credit my interest in the inner workings of computers back to that experience :)
In 2009, when Farmville was the New Hotness, I checked it out to see what all the fuss was. After all, it was rumored to be minting $1 million per day. Soon after, I saw that a lot of my friends were playing. Girlfriends were getting boyfriends to tend their crops for them while at work. They were very scrupulous with the design of their farm and tending their crops. But I wanted to just be at the top of the leaderboard.
Unlike later games, it was possible to keep leveling up and making money by farming only instead of inviting friends. Plow fields, plant crops, and then harvest them hours later -- repeat as fast and as frequently as you can. TONS of tedious clicking. Of course, I wanted to automate it, and I wasn't alone. Searching around, I found a Perl script that someone had written and I adapted it for my PC.
I just fired up Farmville, and here's what my farm looks like: http://i.imgur.com/nrtkitJ.jpg. It's almost all crops (maximize $) and it requires the farmer to be trapped within hay bales. Otherwise, he walks to where you're clicking and can sometimes get in the way of the click. It would mess up every now and then, but was fairly reliable -- just run the script and let it do its thing for a few minutes. The trick was to flip the game into full screen mode, zoom all the way out, start at a known (x, y) position on your screen's resolution, and then loop through all crop positions by incrementing/decrementing (x, y). Only slightly tricky because of the isometric view and avoiding clicking on some non-crop positions. Picking the right crop was important too, to maximize yield. I just wanted to do two runs a day: first thing in the morning and then in the evening when I got home from work.
I moved up fairly quickly and quit when I beat all of my friends. Got some jeers from those who thought I was actually playing Farmville so much, but had a few requests for said script ...
http://www.sikuli.org Is my GOTO GUI scripting language for game scripting.
Graphic templates are fuzzy matched. Actual scripts are python. Inbuilt OCR. I can do that kinda thing very fast. Its really awesome and put of MIT
You just keep nuking that lava into jail where it belongs. People said it would never work, that you just couldn't police volcano eruptions with the threat of massive nuclear retaliation, but they don't say that anymore, do they? Not since they all died in the giant radioactive caldera, anyway.
I ended up coding my own version of something like this, with I think a few enhancements to make my life much easier.
First, I assumed the crops were laid out in a grid without any offsets. This then allowed me to define the grid in a 2d array and mark squares to skip over very easily.
Second, rather than assuming that my cursor is starting at some spot on the screen that I had to keep duplicating, I just start the cursor over the first farm plot.
Third, I actually never move the cursor to a new farm plot position. Instead, I scroll the screen and replace the cursor where it started.
Yes, the `int_csm` value is the checksum the server expected instead of the one I had passed. It would tell you "you're wrong. But here is the correct answer". I could then just re-submit with the proper value…
Hmm, if that was me (as the server programmer) I'd return a purposely different checksum[1] in the error message and then (internally) flag anything that was then submitted with that 'incorrect' checksum.
What you do with these flagged entries is up to you:-
a) Delete the scores after an hour or so (giving the chance for the user to check things)
b) Only display those scores to the user that logged in
c) Flag the entire account as 'cheat' and ban it after a few dodgy submissions
etc...
1. i.e. expected hash is hash(real_salt+data), supposed expected hash (returned to client in error message) is hash(cheat_salt+data). You obviously never return the real expected hash.
Maybe I'm overly cautious, but in today's world, where even simple URL manipulation can be regarded as hacking, I would be very reluctant to post exploits like this. It's crazy, but this can be construed as wire fraud or computer crime:
18 U.S.C. § 1030(a)(4)
Whoever—
(4) knowingly and with intent to defraud, accesses a protected computer
without authorization, or exceeds authorized access, and by means
of such conduct furthers the intended fraud and obtains anything of
value, unless the object of the fraud and the thing obtained consists only
of the use of the computer and the value of such use is not more than
$5,000 in any 1-year period . . .
shall be punished as provided in subsection (c) of this section.
"Protected computer" in this context means any computer that is connected to the Internet. And the value obtained would be unlimited use of the game, which would normally be a limited. True, that last part is up for debate, as it is possible to play the game without paying, but I wouldn't want to be forced to argue this in court...
Many countries have pretty aggressive anti-hacking laws. The UK, for instance, has a very similar piece of legislation that in theory makes URL manipulation illegal.
I've worked on a few flash games in my free time. Ultimately since the game code resides in the client, it will always be feasible to cheat. That, of course, doesn't mean you can't deter some.
One of the things that kept people from snooping around was encryption. All communication went to 1 vaguely named endpoint with 1 parameter, which was a an encrypted list of the parameters and the action to take. This will deter some, but not others.
At the start of a game, the client had to contact the server for a key. This changed each time you played. Any score submission required this key - if it was wrong I ignored it. Only 1 score submission per key.
Note that you have other useful information now: you know how long they were in game to get their score. I flagged scores that were abnormally high for the time it took to get them. I would then review them, and based upon their score history hellban them - they could still play, but no-one saw their high scores except themselves.
If Candy Crush did something similar, they would likely catch you. You wouldn't even know until you gloated and your friends said they can't see your score. Some people who got hellbanned would contact me, and I'd give them a free pass.
Of course you could cheat and get a normal score in a normal timeframe, but I didn't care as much about that.
Beyond trying to thwart cheating, I'm a big fan of cheating in games myself. It's part of why I enjoy eve online so much, because they encourage the usage of 3rd party tools more than any other game I've played.
The most extensive thing I've programmed for cheating is probably a custom MUD client to facilitate multiplay. The clients report to eachother information they know. All clients keep the state of the group and the things I'm fighting. They also keep track of which client can do what, so I can type into any client that I want to heal someone and the program will figure out which client is able to do that, and tell it to do so.
Even though it doesn't have a winning / losing condition, I had coded an automated bot[0] to draw for me in Doodle or Die[1]. Stopped using it when people started complaining though. It was supposed to be quick and dirty, that's why it's a windows forms application. But of course I kept improving it for a while. After implementing a very basic plug-in system, I realized I was spending too much time on it =) Here's an example drawing from a friend of mine, using my tool: http://doodleordie.com/c/EGXBBJeMU45#2
The drawing tool in the game and the anti-cheating systems are both things I created.
I'm impressed with your app. Instead of converting a bitmap to a pixel-by-pixel rendention (which people have done and it looks obvious) it re-draws it like a real drawing, picking one color at a time.
Paying users get a replay feature. It replays fairly realistically and that's difficult to detect as cheating.
Thanks, it's great to hear that from you. I was also going to implement the brush changing logic which would enable it to draw on large areas of single color with a big brush and further optimize other parts to make it even more realistic (detect shapes and draw them completely and draw over them like humans and so) but then I thought, that would ruin the fun. Actually I'm a paying user of the game[0] and never had the intention of ruining the fun for anyone, so I stopped. I'm a big fan of DoD and how it evolved.
Keep up the good work, and thanks for being nice =)
Back in the day I would log onto yahoo chess and beat everyone by simultaneously playing expert mode in windows chess and just mimicking the expert modes moves on yahoo as mine. Good times, never lost.
People still do that in chess.com. It is really annoying, because even if you are good enough to beat the computer, playing against a computer is very boring.
A few hundred? Hundred thousand, maybe. Here are several sites where volunteers run computer chess tournaments 24x7 and publish the resultant rating lists.
Ha, I used to be lazy and set the date forward by 1 month, instead of the hour or day. Then one day I realized the iPhone has a max date set in 2055 or something - you can't set your time past that. I wonder if iPhone dates will stop working when we reach 2055??
More like CFAA (unauthorized access). One might avoid certain penalties by staying under $5000 equivalent IAP. Of course this sounds ridiculous, but we live in ridiculous times.
I'm struggling to come up with a way in which the lives system could possibly be defended as a copyright protection mechanism (it's a mechanism to funnel users into it's in app purchases, not to prevent use of unauthorized copies... and in fact copies of the software are given away freely). This is basically Gamesharking your game, which has been upheld in courts IIRC.
Awesome breakdown. I wrote a blog post in late September - based on some industry rumors - that speculated on whether Candy Crush was "cheating" by varying the random seed to generate monetization or retention events:
Based on the "seed" going back and forth at the start/end of games, I'd have to assume that they are doing something with it. Anyway to see if that's happening?
They're probably generating the level with the seed. I don't think it's very useful, other than testing on their end (so they can check afterwards what the level was).
You could be right, but I think the seed is a lot more interesting. If you simply wanted to generate the level, you could use a random number generator on the device and wouldn't care about logging it.
As you showed by varying colors, the candy distribution determines how likely the player is to win, whether they fall just short of clearing the level, etc. This will have a significant impact on whether they pay to continue, buy boosts, etc.
They may not have done it at launch but as more and more people play and they collect the stats for each seed, I'm sure they can track how easy / difficult each seed is and send the seeds that they wish to do whatever objective they have.
Most of these F2P play games collect and analyze an insane amount of player activity and have sophisticated analytics that they then analyze to make the game more addictive or to increase player spending.
I just checked my old archive folders and it looks like the code was lost when Dreamhost borked up my home directory a few years back. I assure you it was pretty gross :)
I don't know how valid it is now, but in July of 2011 I reverse engineered some aspects of Zynga's Words with Friends and put it up online: https://github.com/v64/fiend
The most interesting part was the way they decided to do the random generation of letter tiles. At the start of the game, each client was given the same PRNG seed (in the case of Words with Friends, the PRNG was a Mersenne twister), and when tiles needed to be drawn from the bag, instead of having the server tell you what tiles you received, you would use the preseeded PRNG to randomly draw your tiles from the available pool.
Of course, as your opponent is also doing this with the same preseeded PRNG, this also allows you to determine what tiles your opponent has, and what order the tiles will be drawn in for the rest of the game.
I used to cheat at SongPop using the multi-finger multitasking on the iPad (pausing the game a fraction of a second after a song started playing, having plenty of time to guess the song properly). I could beat anyone using this technique, but it required manual work.
I expected a similar "hack" with Candy Crush, and was surprised by how "high-tech" their solution is. Good stuff.
Remember Draw Something? That game that was sold for $180 million to Zynga? I wrote an API library for that in Python https://github.com/bouk/drawsomething-api that allowed me to just add coins (the currency they sell for real money) through simple API calls.
A long long time ago before I ever wrote a line of code, I'd just play all the games I could. I was fascinated by how they worked. I later found a book on BASIC that introduced programming by having the reader write simple word games. After learning the basics, I then would wonder how FF1 managed to change states from being in a tiled map and exploring the world into a battle screen and back again, which led me to more learning and eventually I ended up making a very shoddy Zelda clone that ran in DOS. I think I was 11 or 12 at the time?
Anyway, one day a long time after that, I was playing this new mod for Half-Life called Counter-Strike. It was fun, and I had started learning C and about OpenGL to understand a bit more about how HL worked itself. But on this day I saw a guy just running through de_dust getting tons of headshots. Watching his camera, it seemed he had superhuman aiming. Comments about cheating flew, and this was long before the game was infested with cheats. He also seemed to know where everyone was. How?
A few hours later I discovered he was using a cheat called ViperG. It along with another cheat called XQZ were the only known public cheats at the time. ViperG was open sourced on a forum called clientbot at the time. Since I was learning C, I was actually able to read the code. Back then, HL only imported mod client function implementations using DLL imports, so you could write a DLL that exported fake client functions while also importing the real ones from a renamed client.dll, which let your cheat intercept all of the client API calls. Most in ViperG were just pass throughs, but one would gather entity information from a drawing API and another would draw some text on the screen in a HUD update API, etc. It was almost no code but it rendered little '+' signs on every player through walls and would let you automatically aim at their heads. Crazy.
This is when I realized that I could actually take software people had written and break it to make it do whatever I wanted, and that's when I feel like I really started learning things. Understanding how programs ran on my OS and learning how to reverse engineer came pretty rapidly. XQZ was closed source but had some really nice features, so I'd reverse its gl function exports and figure out exactly what it was doing so I could replicate them in my own cheat.
Doing what the author did here for modern MMOs can actually be a very difficult exercise, even for seasoned reverse code engineers. I've done it for several games, essentially reversing the entire netcode to write cheats that automate client actions, and there are all sorts of ridiculous traps I've seen to prevent you from doing so. One game even went so far as to require you to parse a terrain file and send the cell ID of your movement target in every movement packet, along with the absolute coordinates. This was slow as an iterative find process as a map had tens of thousands of triangles and you'd be sending these quite often, so naively you'd just loop over each triangle and check if your target coordinates were inside of it. This gave me a nice introduction into quadtrees and other algorithms that can make this operation asymptotically much faster. Yay learning.
To this day, I can only play a game so much before I get an overwhelming urge to break it. I think that despite the stigma of cheating, it's a great way to learn. It's comparable to taking something apart to see how it works and change it around a bit. Just don't take it too far and ruin games for other people.
If you think about it, I bet what you actually hate are the folks who just downloaded the cheat and used it, without knowing anything about it. But what if everyone wrote their own exploit? Eventually every game would devolve into Core Wars, but this would be kind of cool.
If everyone did write their own exploit, I'd still have hated it. Cheating in those kind of games really does ruin the game for everyone else. Enabling those people to do what they did was nearly as bad IMO.
I competed in a couple of the early CAL seasons legitimately (main and then invite). Most of us never condoned cheating in league play or even in most public servers. That's the part where you're ruining games for other people. There were, at one point, quite a few servers dedicated to cheating, however, and even a competitive scene to see who could make the best cheats.
But leagues actually made things more interesting. They started creating their own anti-cheats and those were just new shiny toys to break as well. It's quite satisfying to defeat them, even if the goal isn't to cheat in a league.
The worst cheaters seemed to be the guys that played in the [inter]national competitions. They would cheat, say "online doesn't matter, LAN noob", and ruin the game for everyone.
But like I said, I can see the appeal of creating the cheats at least. My first introduction to real programming was creating a mIRC script that would login and "vote" on a popular local website where there was a 15 minute delay between votes - where the developer kept changing forms and URLs to stop my script from working.
I was. Unfortunately it seems like they're all dead or generally inactive these days. I do wonder where the new communities are, because surely there are kids going through the same things we all went through in learning by breaking things.
I built a small app to cheat at Landlord (http://www.landlordgame.com) to check and buy venues from anywhere in the world. There was also a small script to get huge amount of coins (through faking twitter and facebook sharing).
After 10 days i was number one in the rankings. Scores and amounts of $ was so large that the iphone app was starting to bug... Of course it does not work anymore.
It looks like the author is decompiling the Flash SWF for the Facebook game. Would there be an equivalent way to do this for games on an iPad/iPhone without rooting the device?
For FarmVille we sent the actions back to the server and then validated against game state there. It's the only real way to protect against cheating. However, if I were building the game again today, I'd just do what King does and have the client manage the state. It turns out that the set of people that would do this and the set of users that would convert into paying users has very little overlap. The overhead of managing state on the server is that you'd have to write your game logic twice (once in your client-side language and once server-side, though with a scripting language you may be able to avoid this). Second, we benchmarked this approach and found that you can handle 10x the number of players with the same hardware by not doing any server-side logic/validation and just having the server be a dumb pipe to store player state.
Very, very informative, thank you. I too have been wondering about this exact thing - if it's worth the trouble in the end, to do server checks and whatnot. Seems it's not, in these cases :)
I guess the first question is: why prevent people from doing this?
In my opinion, with games like this the ultimate goal of the server is to make sure one person doesn't ruin someone else's fun. Seems fine to let them ruin their own fun.
A lot of people play games to compete with their friends. If everyone's just hacking to maximize their score, the legitimate players - and these are the ones who see the ads, and therefore are important to keep around - will leave your game.
For one, sanity checks (this level can't really be solved in two seconds, that score is too large, etc). For two, probably more signing of requests, but that's pretty easy to bypass too. You really shouldn't be able to get ten thousand of something when the most the game gives you is two or three per day, though.
I guess they did it this way because they don't care about people cheating, since pretty much only one person (me) will bother to do it, and it will have no benefit other than their friends being puzzled.
The best thing to do is basically to simulate the entire game for each player on the server side and verify every action the player does but this involves a lot more code and is also server intensive for many games.
There also things like signing each request and such but ultimately, the client can't be trusted and will always be able to cheat in some way (like automating clicks and actions via GUI scripting).
In one puzzle game I worked on, we recorded all the user's moves and sent them back to the server. Not too big for something like Candy Crush, and allows you to check the user actually played the game.
Of course, that doesn't stop the next obvious steps (implementing a full simulation, or controlling the game through the GUI), but neither of those can be stopped.
Candy crush does this, and circumventing it was one of the points of the article. It is hashed with a secret key from the flash client. He just extracted the key from the client and started signing the requests himself.
Cookie Clicker: http://orteil.dashnet.org/cookieclicker/
This game is all client-side so it's easy to cheat. The cool thing is you actually get achievements for cheating!
In 2007 I did the same level of digging with a facebook puzzle solving game. Game used to post daily puzzles and top scorers (solving the puzzle in minimum time) were shown on global leaderboard. At that time, the app was not using any kind of hashing or validation. It was simply posting the score to the server so tempering the data was easier. After staying on top of global leaderboard for a few days (with impossible score of 1 second), the app developer contacted me and requested to stop cheating the system. I suggested him some changes and the game became much better
Why spend unnecessary resources? People trying to cheat will find ways that are very hard to prevent.
Which brings us to another question - besides hackers, who is interested in cheating these kinds of games? Probably people who want to impress their group of friends who also play the game. I smell a market opportunity here.
Then you're either out in public, and they can retroactively fix the bug, or you're trying to sell them privately, in which case you're not gonna have much impact anyway.
It's the same as with hacking in mmo games. No one cares until you start publicizing your hacks, in which case they can just install your hack, see what bug it's abusing, and fix that.
Isn't that how Candy Crush makes money now? You spend money to buy your way to new levels, through the use of special items and bonuses. Or are you targeting the subset of people who want to pay to cheat, but want it to be secret.
I'd say that most people wouldn't consider paying for more lives cheating. But that editing the communication between the game and the client is.
It would be like playing an arcade game. Putting in quarters for more lives isn't cheating. Creating a device that you can put in the quarter slot and pull out to reuse that triggers the game to think it's just got a quarter is.
I have a setup with my own WiFi, SQUID as a transparent proxy with self-signed CA generating "legit" site certificates on the fly.
The CA is loaded into Android as trusted, internet is disabled on every app except target to reduce noise (yay! UNIX users/permissions!) SQUID's built-in logging spills all the magic beans.
I once lost a license key for a major enterprise system. It had to get a demo up and running ASAP. Luckily, it was an ASP.Net app. I was able to use .NET Reflector, find a code rewriting plugin, and I blanked out the function that did the cert check (always made it return true) and I was able to login.
This is one of my favorite exercises. I started out in a similar situation where it was necessary to get an .net app to act differently. The feeling of accomplishment was completely different than regular development. Now reverse engineering is a hobby I am very passionate about.
It's also incredibly insightful as a developer to see how crappy code can exist in very expensive software.
Tridge noted that this sort of output made the "reverse engineering" process rather easier. What, he wondered, was the help command there for? Did the BitKeeper client occasionally get confused and have to ask for guidance?
Great story. I think it's less about cheating and more about poking your way around public software. I appreciate the spirit of adventure in searching through the game.
Everything went fine until I put in an invalid treasure value which apparently caused some random memory locations to be modified, corrupting the game. Unfortunately, game state was written back to the same floppy disk that holds the game itself, rendering the game unplayable.
Fortunately, I could borrow a second floppy drive, borrow an uncorrupted copy of the game, and repair the game with a disk-to-disk copy. Unfortunately, I plugged in the disk drive connector crooked, sending -12 volts into a chip on the controller board that didn't want -12 volts. The result was a "pop" and a disk controller that no longer worked. Needless to say, my father wasn't happy.
Finding the problem was easy - it was the chip with a square hole blown out of it where the silicon had vaporized. Unfortunately getting a replacement chip wasn't easy when you live in the middle of nowhere. So I built a replacement circuit on a solderless breadboard and wired it into the controller board, and everything worked fine until I could get the proper replacement chip.
TL;DR: cheat at games and you will be punished