Comments on: What gives with these velocicarmageddon high scores?

Question: What gives with these velocicarmageddon high scores?

sfz — Mon, 26 May 2008 20:16:49 -0800

OK - this is stupid, but how on earth did these people get such high scores on Off-Road Velociraptor Safari? I got 1,000,000 points once when the game crashed mid-jump, but I can't fathom how these guys got scores in the billions!

By: amyms

amyms — Mon, 26 May 2008 20:27:34 -0800

Cheat codes?

By: Pyry

Pyry — Mon, 26 May 2008 20:28:58 -0800

Cheating, probably. There is no way to prevent it if you let people run the actual simulations on their own computers, as this game does.

The best a developer could do would be to require that high scores are submitted along with the keystrokes required to achieve that score; the score could then be verified by running the keystrokes through their own copy of the game. However, this would not prevent cheating by things such as savestates, slow motion, computer control, and the like.

By: sfz

sfz — Mon, 26 May 2008 20:29:38 -0800

ok - I haven't been able to find any cheats. Can anyone point me in the right direction?

By: kdar

kdar — Mon, 26 May 2008 20:34:43 -0800

Worth noting that the leader on the scoreboard's score is 2,147,483,647 = 2^31 = 2 147 483 648 - 1. This is exactly the upper bound for a signed 32-bit integer. I'm guessing it's the highest possible score in the game.

Almost definitely hax. Most likely they figured out the submit mechanism.

By: Pyry

Pyry — Mon, 26 May 2008 20:46:53 -0800

Here are two possibilities for cheating (I'm not about to install some random plugin for a single game):

1) This works if it is using http requests to submit high scores

2) If it's doing something more complicated (direct UDP?), you'll have to use a packet sniffer, or you might try changing your score in the game directly with a memory scanner like the cheat engine.

By: tumult

tumult — Mon, 26 May 2008 21:13:12 -0800

it takes about 10 seconds (literally) to set your score to whatever you like in games like these, if you have any game hacking experience. online leaderboards for almost all games run on the client side are worthless unless it's on a locked-down, uncracked platform (xbox 360 and PS3 right now) and uses good encryption for communication back to the server.

By: magikker

magikker — Mon, 26 May 2008 21:33:49 -0800

there is or at least was a little program called poke... It'd let you punch in a value and it would search for the memory location for it. So if the score is 30 you'd punch in 30 and it'd tell you all the memory addresses that contain 30. If you get more than one at 30 you'd get some more points in the game and then punch that it and further narrow it down.

Once you know where it is the program would let you set it to what ever you want or freeze it at a value. I remember it working for tons of different programs.

By: heresiarch

heresiarch — Tue, 27 May 2008 06:39:56 -0800

The only reason this is easy is because the developers were lazy about how they send the data. If they salted the high score reports (ala this old askmefi thread on web security) this would be much harder to do.

Tools that actually manipulate local game state will still work, though. I always assumed these kinds of attacks were always on the high score submission engine on the server, but the memory/time manipulation tools sound very sneaky.

By: matthewwegner

matthewwegner — Tue, 27 May 2008 09:21:20 -0800

So I did the web integration on Raptor Safari (along with the physics setup/tuning and some other stuff). I've been lazy lately on clearing the leaderboards of bogus scores, but only because we'll be moving all of our games to a central website soon. When this happens we'll increment the version ID on the scores, which will essentially clear everything except the "all-time, all-version" list.

Backend HTTP POSTs are salted, and somewhat obfuscated, so I doubt people are bothering to hack it there. The scores are almost certainly in-memory changes while the game is running; then the client just sends the score along, proper hash and all. When we move the game over to the new site I'll look at blocking a few of these. It's definitely an arms race, though, and not a very productive use of time to match mischievous players move for move, but any low hanging fruit will be taken care of.

The unified site will launch just as soon as Jetpack Brontosaurus is complete...

By: delmoi

delmoi — Wed, 28 May 2008 05:57:52 -0800

One thing you could do if you wanted to prevent make it much more difficult would be to use a two-way function to store the score in memory. You could have another score 'in memory' to be displayed on the screen, but use AES (or something) to store the original score. You could also keep a bunch of 'copies' of the score in random places in memory to make debugging more difficult.

But, in theory there is no real way to prevent fake scores from the truly dedicated.

By: sleslie

sleslie — Wed, 28 May 2008 19:59:55 -0800

You could ensure that all randomized game elements were generated from a seed sent by the server, and then huffman encode the user's inputs (i.e. at game clock cycle one, the user pressed the space bar, at cycles two through 50, the user pressed no keys), send that over when a level is done, and then simulate the game on the server side (with a faster game cycle) to obtain the score. That way, the only way to send a valid score over to the server is to play the game.

Now this doesn't account for people slowing down the game itself, although you could ensure that all seeds and user inputs are sent and received in a reasonable amount of time.

But now you've got the situation where people could save what is sent over by the game to the central server and allow others to download the run-throughs of the game.... this one I'm having trouble with. You could store hashes of the game play encodings being sent, and disallow any that hit the same hash position -- assuming that the game play is complicated enough. Also note, that people can download good gameplay run-throughs anyways even if the score sending mechanism was 100% secure.

There's nothing short of having people watching you play and then report the score to the server by themselves that would 100% solve this problem.

By: matthewwegner

matthewwegner — Thu, 29 May 2008 13:31:43 -0800

sleslie:

True, and I think this is a great solution for anything like a competitive bridge builder-style game. Unfortunately, the physics system in Raptor Safari--PhysX--isn't deterministic. It would be difficult for us to simulate a game on the server. Plus, we've had 535,672 games played to date, which is creeping up on nontrivial to process.

We do actually have a record of every scoring event in the game: the type of score, its XYZ position, and when it happened in the game's timeframe. I haven't done anything with it yet, but it's 15.4 million records of juice data waiting to mined. Would be fun to heat map...

I'll try a few things in the next update to discourage simple cheating, but in the end it's probably just as much time to code things as it would be to manually remove offending scores.