Question about distribution.

Questions about the LÖVE API, installing LÖVE and other support related questions go here.
Forum rules
Before you make a thread asking for help, read this.
Dresden
Prole
Posts: 9
Joined: Sun Sep 26, 2010 9:36 pm

Re: Question about distribution.

Post by Dresden »

So then just set it up so that your client accepts a string sent by the server that will return the size of the client's code in bytes to the server and if it differs from standard or if there is an error anywhere along the pipeline close the connection. Make sense?
User avatar
The Burrito
Party member
Posts: 153
Joined: Mon Sep 21, 2009 12:14 am
Contact:

Re: Question about distribution.

Post by The Burrito »

It becomes kind of a waste of time to secure games past a certain point. I remember some time ago a Valve employee explained how a large portion of their resources go into anti-cheat stuff. I would assume if they have a hard time with it we wouldn't stand much of a chance.

Even with remote code it would be fairly easy to edit the main.lua to capture the string, then make any changes you wanted and make it pretend to launch the remote code. Of coarse you could update it regularly to make that hard, but it becomes a security arms race where you're hoping the other party gives up. That being said, a really basic security measure would be worth the effort and stop 99% of casual cheaters.
User avatar
bartbes
Sex machine
Posts: 4946
Joined: Fri Aug 29, 2008 10:35 am
Location: The Netherlands
Contact:

Re: Question about distribution.

Post by bartbes »

Don't forget executing remote code is nice and safe by itself.. or wasn't it.. hmm..
User avatar
Robin
The Omniscient
Posts: 6506
Joined: Fri Feb 20, 2009 4:29 pm
Location: The Netherlands
Contact:

Re: Question about distribution.

Post by Robin »

And if you want to check the size of main.lua (or even take its hash), don't forget that the client is in control of what it sends back.
Help us help you: attach a .love.
User avatar
Jasoco
Inner party member
Posts: 3727
Joined: Mon Jun 22, 2009 9:35 am
Location: Pennsylvania, USA
Contact:

Re: Question about distribution.

Post by Jasoco »

Cabel Sasser once said the best way to fight piracy is to not even bother because people are going to find a way around it no matter how much work you put into a prevention system.
http://www.cabel.name/2008/04/coda-confidential.html

Still, I'd want to make it difficult, even if not impossible.
Dresden
Prole
Posts: 9
Joined: Sun Sep 26, 2010 9:36 pm

Re: Question about distribution.

Post by Dresden »

bartbes wrote:Don't forget executing remote code is nice and safe by itself.. or wasn't it.. hmm..
Well if the server doesn't accept remote code then a potential hacker would only be able to mess up his own client. Unless you have someone intercepting all your data and sending it out to clients w/ some kind of crashy-bug because I don't believe it's possible to create any kind of permanently damaging virus w/ lua is it?
User avatar
bartbes
Sex machine
Posts: 4946
Joined: Fri Aug 29, 2008 10:35 am
Location: The Netherlands
Contact:

Re: Question about distribution.

Post by bartbes »

Well, permanent, maybe even that, but it can do a lot of damage.
User avatar
vrld
Party member
Posts: 917
Joined: Sun Apr 04, 2010 9:14 pm
Location: Germany
Contact:

Re: Question about distribution.

Post by vrld »

Dresden wrote:Well if the server doesn't accept remote code then a potential hacker would only be able to mess up his own client.
Someone, let's call him Mallory, could fake a server, sending the same code as the original server but with an extra little something in it.
Dresden wrote:I don't believe it's possible to create any kind of permanently damaging virus w/ lua is it?
Why is that? Even if that was the case, I am not entirely sure that there are absolutely no buffer overflows in Lua or LÖVE or any other component that Mallory could use to execute arbitrary code on the client.
You could make this harder by encrypting the whole thing (RSA), but that results in a HUGE overhead that the client will certainly notice. And you've only made it harder to attack, not impossible...
I have come here to chew bubblegum and kick ass... and I'm all out of bubblegum.

hump | HC | SUIT | moonshine
User avatar
leiradel
Party member
Posts: 184
Joined: Thu Mar 11, 2010 3:40 am
Location: Lisbon, Portugal

Re: Question about distribution.

Post by leiradel »

The problem with hashes and encryption, either symmetric or asymmetric, is that the client has to have the hash to compare or the decryption key to decrypt the content so a motivated hacker only has to look for the hash or key to be able to crack the system.

There are statistical tools that can point possible hashes or keys inside a file because they look random, and even if you save them inside a larger buffer of randomness at some point your code will have to setup a pointer into that buffer to the start of the hash/key so there's really no way to create a 100% secure client. Even sending a signed code can be flawed if the hacker has access to the validating code.

Suppose you create an assembly routine by hand that validates the code, one that is very hard to follow because it does strange things and jumps back and forth a lot. At some point though the code will have an "if (code is valid)" and that instruction alone can be changed to "if (true)", making all your hard work useless. Yes, I've done it once...

But I agree that you can take measures to stop the "casual" hacker, the one who will open the .love file and look at the Lua sources. I think it would be cool if the engine could be compiled with a public key to validate signed code or at least with a symmetric key to decrypt the contents of the .love file on-the-fly.

Cheers,

Andre
User avatar
kikito
Inner party member
Posts: 3153
Joined: Sat Oct 03, 2009 5:22 pm
Location: Madrid, Spain
Contact:

Re: Question about distribution.

Post by kikito »

I'm much more comfortable with the testicles license.

If you force me a lot, I will tell you that you might try attaching the .love file to the love executable; it will be an order of magnitude more difficult to "decrypt"; in other words, it will take more installing winzip and double-click-open the file. Sweet. We can rule moms and pops out.

Then we have the majority of the internet; the male teens. They might not have a lot of hacking skillz but ... they do know how to search for cracked games on a warez site!

That is the magic thing. All it takes is one really smart and really bored student. For these guys, the more sophisticated the encryption is, the more fun it gets. He'll figure out the encoding in 1 week and ... voilà! It is available for all the others. It has happened before, regularly even, with AAA games. Top-notch games with a lot of resources invested on DRM get cracked in 3 weeks.

So I don't really see the point.
When I write def I mean function.
Post Reply

Who is online

Users browsing this forum: No registered users and 7 guests