TransWikia.com

Save-security with MD5 hash

Game Development Asked by Abdulla on December 13, 2021

I’m working on a Flash game that saves your progress locally. These saves can easily be hacked. My solution is to add an MD5 hash of all the variables saved into the save file itself. When loading the save, the game would check if the hash is valid.

Is this a good solution? Are there better solutions?

3 Answers

If this is not an online tracked competitive type game:

Let 'em hack away, man. You can spend way too much energy on things like this when people who will play the game will just play the game. Those who want to hack it will never really want to play it; they just want to hack it.

If it is an online competitive type game:

All you have to do is store the hashes on a server somewhere with their login information. If the hash from their save file is not valid, then their game is not valid. Start over, or revert, or whatever :)

This is fairly basic, but there again, we are talking about games, not bank accounts and such. And always remember: hobbyist or professional gamer developer, there are hundreds of people out there who are going to try and hack your games. Put in enough effort to try and preserve the enjoyment of the game for those who are going to play by the game's rules, and that's about it.

Answered by James on December 13, 2021

The way you have it described, somebody hacking a save file would just need to construct an MD5 hash of the save file values in order to bypass this measure. You need to add one thing in order for this to even really be worthwhile: a secret block of arbitrary data that's added to what you're hashing (both when creating the save and when validating it on restore). The mechanism won't be uncrackable or anything at that point, but it'll be resistant to medium-casual tampering. If you can avoid having the data block be easily extractable from your runtime files using a hex editor, that'll add another notch.

If you want people to actually not be able to hack your saves, you cannot perform local saves at all. You cannot trust the client because the client is in the hands of the enemy.

Answered by chaos on December 13, 2021

This is not a good solution, since all the values hashed are in the save file.

If the attacker twiddles something, they just have to recompute the hash and store that in the save file too...

Saving things locally without any online state tracking is fundamentally non-securable.

You need an element that is on the server, such as HMACing with a key that only the server stores.

This will not guard against an active attack where the attacker impersonates or otherwise piggybacks a live session, however.

I know people who delight in hacking Flash games btw.

Answered by Will on December 13, 2021
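The difference between the question's unkeyed MD5 and the keyed check that chaos's and Will's answers point to, as an added example that is not part of the original thread. `SERVER_KEY`, the function names and the sample save are assumptions, and HMAC-SHA256 is the keyed construction chosen here.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: this key exists only on the server and never ships with the client.
SERVER_KEY = secrets.token_bytes(32)

def canonical(state: dict) -> bytes:
    """Serialize deterministically so equal states always hash to the same bytes."""
    return json.dumps(state, sort_keys=True, separators=(",", ":")).encode()

def md5_of(state: dict) -> str:
    """The question's scheme: an unkeyed MD5 stored next to the data."""
    return hashlib.md5(canonical(state)).hexdigest()

def load_with_md5(save: dict) -> bool:
    """Client-side check: recompute the MD5 and compare with the stored one."""
    return md5_of(save["state"]) == save["md5"]

def server_sign(state: dict) -> str:
    """Server side: HMAC-SHA256 over the save, keyed with SERVER_KEY."""
    return hmac.new(SERVER_KEY, canonical(state), hashlib.sha256).hexdigest()

def server_verify(state: dict, tag: str) -> bool:
    """Server side: constant-time comparison of the expected and presented tags."""
    return hmac.compare_digest(server_sign(state), tag)

def demo() -> dict:
    state = {"level": 3, "gold": 120}        # constructed sample save
    edited = dict(state, gold=999999)        # the same save after local editing

    # Unkeyed MD5: a stale hash is caught, but the hash needs no secret to rebuild.
    stale = {"state": edited, "md5": md5_of(state)}
    rebuilt = {"state": edited, "md5": md5_of(edited)}

    # Keyed HMAC: the tag issued for the original state does not cover the edit,
    # and a new tag cannot be produced without SERVER_KEY.
    tag = server_sign(state)
    return {
        "md5_stale_hash_accepted": load_with_md5(stale),
        "md5_rebuilt_hash_accepted": load_with_md5(rebuilt),
        "hmac_original_accepted": server_verify(state, tag),
        "hmac_edited_accepted": server_verify(edited, tag),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

If the key is embedded in the client instead, as in the secret-block variant, the check is only as strong as the effort needed to extract that key from the game files.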
