GameCenter High Scores hacked

Discussion in 'Public Game Developers Forum' started by Therealtrebitsch, Jul 2, 2011.

  1. Therealtrebitsch

    Therealtrebitsch Well-Known Member

    Mar 2, 2010
    547
    0
    0
    My game's high score list just got hacked.
    One player has 1 billion points on my leaderboard.

    It is possible as the video shows.
    This retard says not to release it, but somebody already did.

    http://www.youtube.com/watch?v=CBvfa4JX3Tw

    Anybody had the same problem? What can I do? Whom do I contact at Apple to ban those hackers and reset my leaderboard?
     
  2. JFPro Games

    JFPro Games Well-Known Member

    Feb 27, 2011
    64
    0
    0
    USA
    I'm pretty sure Apple came up with a way for you to set a range for your leaderboards. You can specify a minimum and maximum value, and any submissions that fall outside of that range become null and won't be displayed.

    From what I remember reading, it's specified through iTC.
     
  3. Therealtrebitsch

    Therealtrebitsch Well-Known Member

    Mar 2, 2010
    547
    0
    0
    Cool, thanks!

    I will search for it.
     
  4. yemi

    yemi Well-Known Member

    Feb 3, 2011
    454
    0
    0
    Yes, I remember that happened to Doodle Jump. People on top had scores of 5 million and up. It happens a lot, so don't think you're the only one.
     
  5. mr.Ugly

    mr.Ugly Well-Known Member

    Dec 1, 2009
    1,673
    0
    36
    Berlin, Germany
    game center leaderboard hacks are as common as drinking water..

    apple should get their act together and allow the developer to delete specific entries on a leaderboard.. other social platforms allow for this and so you can at least clean up the boards once in a while..

    it's kinda annoying that pretty much any highscore hunting game is broken that way if it uses the all might ed up GC..

    the range doesn't help either.. especially not if you are an open ended score game where you could reach millions of points..

    what would be worse than a valid player making the best game of his life breaking the ultimate score and then only to be punched in the face because there is a score limit enabled..

    well.. in this case the "ball" is with apple.. and they should do something about it..

    if they don't want devs to get direct access to single entries then let them at least report those entries.. so apple can check the apple id behind it and if it has also wonky scores in other games so they can just delete the whole apple id and show the cheater the middle finger..
     
  6. JFPro Games

    JFPro Games Well-Known Member

    Feb 27, 2011
    64
    0
    0
    USA
    I totally, 100% agree. They really need to get their act together and give the developer control over their own games.

    I say we march down to Cupertino and give 'em a piece of our mind :D
     
  7. peter303

    peter303 Active Member

    Feb 20, 2010
    31
    0
    0
    How are cheaters submitting fake scores?

    Are they sending URLs (or whatever) straight to the Game Center servers or are they hacking offline scores that have been saved to the iPhone for later submitting?

    It should be easy to stop the second option by encrypting how offline scores are stored. If they are doing the first option then I don't know.
     
  8. kohjingyu

    kohjingyu Well-Known Member

    Mar 20, 2009
    1,770
    0
    0
    Student/Developer
    Singapore
    Some games save scores in the form of data files in the iPhone's document directories. It isn't that hard to navigate there on a jailbroken phone and edit it. That's what I think anyway.
     
  9. Real Racing Fan

    Real Racing Fan Well-Known Member

    Sep 18, 2009
    611
    21
    0
    I wish
    THE MATRIX
    You guys are all lucky that HackCenter wasn't released...
     
  10. kohjingyu

    kohjingyu Well-Known Member

    Mar 20, 2009
    1,770
    0
    0
    Student/Developer
    Singapore
    Elaborate please! :)
     
  11. mr.Ugly

    mr.Ugly Well-Known Member

    Dec 1, 2009
    1,673
    0
    36
    Berlin, Germany
    Doesn't make a difference since cheating is already possible
     
  12. Memir

    Memir Member

    Jan 26, 2012
    17
    0
    0
    Software Dev.
    London, UK
    I'd imagine the first option. From the looks of things with "HackCenter", the hack intercepts the point when the [GKScore reportScoreWithCompletionHandler] is called, changing the value parameter before continuing with the call. It's impossible to get around this, no matter how much encryption you put in. This is the weakest point to attack any game.

    The best solution is by verifying the score by re-simulation (either on a server, or on other user's iOS devices), something that as I understand is not possible in GameCenter (and possibly any other Server).

    This means, in a game such as Fruit Ninja, when someone submits their score, not only do they submit the score, but they submit the random seed value that the game started with, along with the time-coordinates of every touch the user makes. Once compressed, this is probably about 1KB of additional data. Then you have two choices:

    1. The server, equipped with a copy of the game, can play out the session, with an exact simulation, and see what the real score would be after performing all the touches. This could be done in a fraction of the time (perhaps 1000 times faster), since it wouldn't need to worry about graphical rendering, and just focus on the simple physics. But this requires some sort of specialist plan for the server side (perhaps GameCenter would have a way of running a sandboxed tester app which users upload).

    2. The other users, functioning like a SETI@home project, would receive random score-submissions, and perform the simulation in the background, either when their game is running, when the game is running but idle, or all the time while the iOS device is active.

    I'm somewhat doubtful as to whether Apple will bother with such methods, as it's a fair bit of extra work. They may just leave it down to the developer. Provided the developer has the authority to edit the score table, the developer can set up a separate server, which receives the submission data, performs the simulation, then if the score is different, edits the score table, putting in the correct score value. It could do this just on the top 10 unverified scores every day (and flag those as verified); who cares about the bottom cheaters?

    With Facebook social games like those made by Playfish and Zynga, the logical simulation is run on their servers, the client just issues commands, and just gives a visual representation of what's happening, so it's impossible to cheat.

    With PC multiplayer games like FPS (Doom), and RTS games (Starcraft), you have a shared session. With a Checksum performed periodically on the main game elements (player positions, lives, weapons etc.), the moment one session's checksum differs from the others, the game is either voided, or the one that has the different checksum is kicked out. So you can only hack those games if everyone playing is cheating together, which usually defeats the objective (hence why the only cheats for multiplayer RTS games are map-hacks, i.e. passive hacking).
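
The re-simulation check described in the post above, as an added example that is not part of the original thread: a server replays the submitted seed and tap log headlessly and accepts the claimed score only if the replay produces it. The toy game rules, the constants and every function name are hypothetical, and the log is assumed to be already parsed into integer `(tick, lane)` pairs.

```python
# Added example: headless replay check for a toy tap game (all names hypothetical).
GAME_TICKS = 600      # fixed session length in simulation ticks
SPAWN_EVERY = 10      # one target appears every 10 ticks
LANES = 4

def lcg(seed):
    """Portable 32-bit LCG so client and server derive identical targets."""
    state = seed & 0xFFFFFFFF
    while True:
        state = (1664525 * state + 1013904223) & 0xFFFFFFFF
        yield state >> 16

def validate_log(taps):
    """Reject logs the real game could not produce: bad ranges or time order."""
    ticks = [t for t, _ in taps]
    return (all(0 <= t < GAME_TICKS and 0 <= lane < LANES for t, lane in taps)
            and all(a < b for a, b in zip(ticks, ticks[1:])))

def simulate(seed, taps):
    """Replay the input log with no rendering and return the resulting score."""
    rng, tapped = lcg(seed), dict(taps)          # tapped: tick -> lane
    score = combo = 0
    for spawn in range(0, GAME_TICKS, SPAWN_EVERY):
        target = next(rng) % LANES
        window = range(spawn, spawn + SPAWN_EVERY)
        # Rule of this toy game: only the first tap inside the window counts.
        first = next((tapped[t] for t in window if t in tapped), None)
        combo = combo + 1 if first == target else 0
        score += 10 * combo
    return score

def verify_submission(claimed_score, seed, taps):
    """Return (accepted, replayed_score); the claimed value is never trusted."""
    if not validate_log(taps):
        return False, None
    replayed = simulate(seed, taps)
    return replayed == claimed_score, replayed

if __name__ == "__main__":
    seed = 2011                                   # constructed sample session
    rng = lcg(seed)
    honest = [(s, next(rng) % LANES) for s in range(0, GAME_TICKS, SPAWN_EVERY)]
    print(verify_submission(18300, seed, honest))          # honest claim
    print(verify_submission(1_000_000_000, seed, honest))  # tampered value
```

A matching replay shows that the score follows from the submitted inputs under the game rules; it says nothing about who or what produced those inputs.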
     
