Cheat Protection For Open Source Games?

[hsncorrosion]

I have played Assault Cube recently (an open source game/engine)

They are having a big problem with cheats who use memory hacks and client side modifications, and now some are even taking admin accounts via server side bugs, Is there some way of protection to an open source game like this?

I had and idea but they did not go for it.

"I was thinking they can use a master ban list on the masterserver and require each game to have a serial number or key code that the master server looks for when they connect. If they do not have a code ban them. If a server bans them 3 times ban them on the master server, and if two people are playing with the same key ban them. I think this would help stop cheaters, this is similar to what is used in unreal tournament 2004)

[dhp1080]

Here lies the problem in open source everything. It makes everything much easier to exploit. They'd need to write their own PunkBuster client that checks to make sure all files are correct, then allows them to connect.

Your idea for client side keys wouldn't work. The malicious user could simply change his key, and ta-da!

Checking the hash of every file could work though. If it isn't the same as the server's hash values, don't allow the connection. It's a pretty simple concept that can turn wildly unsimple.

[hsncorrosion]

But if the keys were generated when they first use the game and only get one key wouldn't that work, then they cant just make up one

[Sparda]

They could just modify the client to supple the correct key.

The only way to prevent cheating is to make every thing server side. Unfortunately, for the most part, this is impractical.

[hsncorrosion]

But how can they modify it.

Im saying the masterserver gets a list of unique id keys and unless the players have a matching id they cant join a game

[Sparda]

The player can change the ID there client sends.

[hsncorrosion]

But the server will match it with a list of current keys and if it does not match it bans them

[SomeoneE1se]

But the server will match it with a list of current keys and if it does not match it bans them

yes that idea should work, but no matter what you'll be looking at modifying the source.  Not a task I think you're willing to take up.

[Sparda]

But the server will match it with a list of current keys and if it does not match it bans them

The player can change the ID there client sends.

[SomeoneE1se]

But the server will match it with a list of current keys and if it does not match it bans them

The player can change the ID there client sends.

Sparda, how is the user going to get a list of valid keys?  If the client sends a non-valid key it will be disconnected form the server.

[Sparda]

because it will be in the source code?

[hsncorrosion]

No, keys stored on the masterserver side, not within the source.

Also I would not be doing this, but convincing the ones who made the game to implement it.

not to mention on my first post any two people with the same key are banned (just saying before you mention that)

[Sparda]

No, keys stored on the masterserver side, not within the source.

Also I would not be doing this, but convincing the ones who made the game to implement it.

not to mention on my first post any two people with the same key are banned (just saying before you mention that)

For a client to validate it's self it has to download a key that any one can download and is publicly available then send it to the server it is attempting to connect to?

[hsncorrosion]

When the game is first launched it requests from the master server and it generates a key code which is then stored in either a registry key or in an encrypted file. Then if they goto a server and are banned 3 times the server sends their id to the master server which then blocks there id on every server.

[Sparda]

You could write a rouge server that blasts every client out of the game. (btw. EA, because they are fucktards, had (and still do as far as I'm aware) a problem with some thing similar to this,again, because they are fucktards.)

Also, the client could just request a new key, but if a rouge server blasted all of them off, that's not gonna work.

[dhp1080]

Modifying the game to request a new key on start no matter what would be very easy to do too. Also modifying these said "encrypted" files would be easy to do to, because the encryption method would be in the source.

This is why real video games don't use jank client-side keys. They use advanced file-scanning techniques involved with programs. Look at PunkBuster as I said before.