Not logged in, Join Here! or Log In Below:  
 
News Articles Search    
 

 Home / Game Design & Programming / Online high score system, Open Source Account Manager
 
Archive Notice: This thread is old and no longer active. It is here for reference purposes. This thread was created on an older version of the flipcode forums, before the site closed in 2005. Please keep that in mind as you view this thread, as many of the topics and opinions may be outdated.
 
rneckelmann

March 30, 2005, 02:16 AM

Hello people :)

Currently I'm writing a game much similar to the fabled Elastomania, one of my all time favorites. One might call it a clone, but there's several basic differences -- these are not really relevant here, so I'll don't bore you with details :P
The coding has come a long way, and I've already got a bike driving around in a XML-defined, Lua-scripted level, behaving much like you'd expect from a physical point of view (Currently much more realistic than the slow-motion (or underwater? :P)/elastic elastomania -- it requires some tweaking to get it more unrealistic, but that's just details).

Nice.

The problem:

I want to have some kind of online high score (= best times) system, as it seems rather important to let the players compete against each other in this kind of game --> a significant reason why Elastomania is still being played big-time, is the fact that the community is so great, and people still compete to get the best times.
Indeed I need some way of transfering results to my server in a secure way - I can't rely on "security through obscurity" (= not real security, I know), because this is going to be Open Source, and everybody will be able to read and modify the source - for instance to make it impossible to die, lower gravity, etc. Additionally, because of protocol openness, it would also be easy to craft fake results and send them to the high score server.

I want to prevent this in a neat way... Is it possible at all?

My current idea is pretty much as follows (haven't reached this point yet in coding, so it's largely theoretical):

During game a detailed replay is stored. This is basically a log of:
- The duration of each time step (should be fixed, but it depends on how I implement that part)
- All bike control (user input)

This should be enough to reproduce the exact replay on any machine. Right?

At end of game, this replay is simply sent to the server, which then runs it to determine the time (or if the player dies). The generated time is then defined to be real, and merged into the high-score system. Voila.

Obvious problems:
- A malicious player can forge his own replays (for example by using a modified version of the game that allows you to "step back in time")
- Server-side stress. At the moment I really can't say how long it takes to
simulate a replay in the background, as I haven't done the replay system yet, so I'm not sure it's a real problem.
- More?

I'd really appreciate some comments here :)
Is there a better way to do this? Please ask questions if I've forgotten something...

--Rasmus

 
Wernaeh

March 31, 2005, 10:27 PM

Hi there =)

I guess that the replay suggestion you already are aware of is the best you can get.

This is simply because the client can obviously pass - due to hacking, disassembling or the open source provided - arbitrary data to your server - and consequently, also arbitrary data that resembles any correct high score input you'd accept - be that replays, or be that just encoded score values.

You only have got a few choices here.

The first choice would be to just make it really, really difficult to create "correct" data. So, in other terms, a replay method is more difficult to create correct data for (i.e. by implementing a backstep), than a simple score sending one (just modify a iScore somewhere to 1000000, and you are set).

The second choice would be to have the game logic running on the server, and just accept input sending messages. This makes it more difficult to implement backstepping, yet, it is still theoretically possible to write a bot which captures the screen and produces the desired input sequence (though someone capable to do this has probably also earned a high score entry ;) )

Third choice would be to add some auto or manual removing of unbelievable high scores, to avoid the easier sort of cheating (see above, modifying score).

Yet note that in nearly no case can you ever be sure that a player is cheating or just being very good or lucky at the game.

I'd say first stick to the replays, and hope that they are safe enough. If you get dozens of people playing much much better than you, think about alternatives.

There was a similiar thread on flipcode some time ago (about FPS clients, but the same rules apply here too), so look it up.

Cheers,
- Wernaeh

 
rneckelmann

April 01, 2005, 02:24 AM

Wernaeh wrote: --snip-- You only have got a few choices here. The first choice would be to just make it really, really difficult to create "correct" data. So, in other terms, a replay method is more difficult to create correct data for (i.e. by implementing a backstep), than a simple score sending one (just modify a iScore somewhere to 1000000, and you are set).


Okay, that was what I was going for... but I somehow hoped that there was a way to make it even more difficult/obscure for people to cheat the system, but I guess I'm just out of luck :P

The second choice would be to have the game logic running on the server, and just accept input sending messages. This makes it more difficult to implement backstepping, yet, it is still theoretically possible to write a bot which captures the screen and produces the desired input sequence (though someone capable to do this has probably also earned a high score entry ;) )


This is pretty much out of question because of limited hardware resources... the server-side playback of the replays in the background is only possible because it can be done "out-of-realtime" -- i.e. it can be done when resource consumption is low, or something like that. And my room-mate probably wants a couple of kbits of bandwidth too ;)

Third choice would be to add some auto or manual removing of unbelievable high scores, to avoid the easier sort of cheating (see above, modifying score).


Probably a good idea... I'll make the replay files downloadable directly from the high score list -- and then people can report the suspicious looking ones. This, of course, implies that people are going to play my game -- but, hey, I live in a dream world ;)

But it's not going to be that effective if the replays are done right...

There was a similiar thread on flipcode some time ago (about FPS clients, but the same rules apply here too), so look it up.


Hmm, can you give a hint on which forum it was? Can't find it.

Thank-you for the comments! :)

-- Rasmus

 
Wernaeh

April 01, 2005, 08:55 AM

http://www.flipcode.com/cgi-bin/fcmsg.cgi?thread_show=20868

I guess this is the thread I remembered ;)
Have a good read,
Cheers,
- Wernaeh

 
This thread contains 4 messages.
 
 
Hosting by Solid Eight Studios, maker of PhotoTangler Collage Maker.