Page 3 of 4

Re: Is luasec a thing?

Posted: Mon Feb 13, 2023 4:23 pm
by Bigfoot71
GVovkiv wrote: Mon Feb 13, 2023 3:07 pm
Bigfoot71 wrote: Mon Feb 13, 2023 10:04 am You're right in a sense, personally I'm working mostly on Android and currently on a multiplayer game so I have the means to make (nearly) impossible the means you cite without the player ruining the game, on the other hand on a single player (or not) PC game is another matter indeed...
I guess you talk here about multiplayer game where you can connect to other players with your characters, right?
In this case, encoding also just lame and don't do anything useful. If i see that someone is using in my lobby overpowered character (don't matter if it was achieved naturally, via file edit, via cheat engine, etc) and I'm not okay with it, i would just kick them and never ever will play again. Encoding here do nothing.
In multiplayer, server should treat any data from clients as potentialy malicious, so it always should be sanitazed and checked.
And, for example, game should balance players around their items and level and compare it to host of game. For example, like Souls games do: if you cheat character with high gear, but low level, you would connect to player with same level as you and get downgraded gear that will perform on same level as host, which makes character cheating less effective. System still not perfect, as twinks is still thing, but, yeah.
The out of the box experience seems to me to be a good reason otherwise, excuse my curiosity ^^
Yes, and fact that json will be more then enough for 90% of games to save/load data, which would work nice as part of love with documentation and examples, istead of "so, how to i save data in love?" Posts
The only place i think it might not work nicely, is where game needs to store really big amount of data. For example, games such as Minecraft or terraria, because you have big world where you store blocks with properties, etc.
In this case, writing and loading might be slower and data itself will require much more space, in comparison with something that more suited for that. (Maybe csv or even plain text file with custom parsing?)
Thank you for your info, I will remember it for my project!

Otherwise yes and no, a game being a challenge I don't like the idea that we cheat without it being authorized (for a solo game), otherwise for online games the best would be a saves on the server so there is no interest in actually encoding the save (apart from encrypting the transfer) unless, as in my case, for lack of means in relation to the structure, we choose that it is the player who hosts his save.

And I don't like the idea of ​​not putting security simply because it would be breakable, in the case of an online game it would excessively increase suspicion for nothing precisely, it would be a bit like leaving your door open to attack the first passerby who passes in front. ( :joker: )

I think everything is good to slow down hackers and limit their number as long as it doesn't harm the game experience.

Otherwise, it's true that the integration of this functionality in Löve2d could facilitate the task of saving data, but isn't it Löve's role to let us do this kind of thing? Where is the limit between the tool that allows and the tool that does? I have no idea, it's too philosophical for me :megagrin:

In short, the subject is too vast and it is only my opinion, sorry to have started on this subject ^^

Re: Is luasec a thing?

Posted: Mon Feb 13, 2023 5:26 pm
by GVovkiv
Thank you for your info, I will remember it for my project!
otherwise for online games the best would be a saves on the server
Only for backups, not as only way to play, because it sound's horrible if save file could not be fetched (for some reason, such as server that turned off for various reasons) so player cannot play
And I don't like the idea of ​​not putting security simply because it would be breakable, in the case of an online game it would excessively increase suspicion for nothing precisely, it would be a bit like leaving your door open to attack the first passerby who passes in front. ( :joker: )
Yes and no. If someone decided to edit they game like that, why not? They buy this game (or downloaded, if it just free), why that can't do anything with it? It's like you buy your own house, but cannot paint walls because seller thinks that painting walls will break experience of living in house.
You just make their experience worse for no real reason. If they edited binaries or saves it their decision and responsibility if something will break or corrupted in process, not yours. If game has some sort of modding system (for example, steam workshop) that you support, then yes, putting safe system would be something that you want to do, because mod system might be way to break something on users system (delete something in ~/, for example).
In multiplayer, you put security on server side, because user data never should be trusted
I think everything is good to slow down hackers and limit their number as long as it doesn't harm the game experience.
Yes, but some methods just take from you more resources and limits possibilities for someone who interested in digging in game for no reason. Do you know any game that has encrypted save files and wasn't hacked? I don't.
I think solution in this kind of cheats should be on server side (for multiplayer) and none for single (with possible exception, you might implement checks in save file for some malicious things, such as possible infinity loops, serialization exploits, missing data such as seed, name, etc, but not some dark magic to "slower" hacker because it doesn't really slow them
If you really into defending players from multiplayer hackers, it's best to create more tools for admin/server to detect such cases and inform them or automatically kick them. For example, if you server detects that player somehow healed their hp in situation when they shouldn't (used hacks instead of drinking healing potion) then inform about this admin (and everyone) or kick immediately from game and maybe even ban.
I will return to Dark Souls 3 as example. Game on itself doesn't have really anti-cheat system except simple character checks (which on the end of day was apparently turned off, due to hackers having exploit that allow them inject in-to anyone inventory glitched items, which would trigger system and ban player), but there interesting community mod anti-cheat called "Blue Sentiel" which works as i explained earlier: it detects if connected to you player/s (and, it can detect you as well) using exploit or some cheat engine manipulation by checking if it possible to have some stats, hp, etc and flag them. You can configure it to kick automatically or just flag for you to decide if you want to kick them.
I think it shouldn't be very hard to implement such system. But not sitting there trying to prevent players doing something that they can do anyway by little harder
Otherwise, it's true that the integration of this functionality in Löve2d could facilitate the task of saving data, but isn't it Löve's role to let us do this kind of thing? Where is the limit between the tool that allows and the tool that does? I have no idea, it's too philosophical for me :megagrin:
Well, i'm not big expert in this kind of thing, but then why love has physics engine box2d if you could code one in lua (or via ffi, or editing love source or whatever)? Or networking libraries? It's nice to have documented functionality, that part of framework (especially it it not something big or really project specific) that you could use and have easier time on forums, since it's part of framework so more chances that people might know how to use it properly, instead of that one obscure json library that has 10 users that someone tries to use in game, but it doesn't work so they now try to get help here.
If default one doesn't suit you, it's not like you can't import said 3rd party library and use instead (like you not forced to use box2d, you can use custom solution instead, for example, implement one with bump.lua or Strike)
In short, the subject is too vast and it is only my opinion, sorry to have started on this subject ^^
Subject might be vase, but in this case it's not really. You just trying to fix something that don't really broken, and wasting time on it!
It's really sounds close to people who here (on this forums) asking how to secure their games from stealing by obfuscating their source code.

Re: Is luasec a thing?

Posted: Mon Feb 13, 2023 5:26 pm
by GVovkiv
GVovkiv wrote: Mon Feb 13, 2023 5:26 pm ....
I like big replies, yes

Re: Is luasec a thing?

Posted: Mon Feb 13, 2023 6:25 pm
by Bigfoot71
GVovkiv wrote: Mon Feb 13, 2023 5:26 pm I like big replies, yes
Me too and thank you for counterbalancing what I can think it's interesting ^^ However :monocle:
Only for backups, not as only way to play, because it sound's horrible if save file could not be fetched (for some reason, such as server that turned off for various reasons) so player cannot play
Multiplayer-only games I know of don't leave player progress local and if no server no game anyway, right? (maybe I misunderstood)
If someone decided to edit they game like that, why not? They buy this game (or downloaded, if it just free), why that can't do anything with it? It's like you buy your own house but cannot paint walls because seller thinks that painting walls will break experience of living in house.
I really like this comparison except that if you buy a house you have the right to leave it empty so that everyone can sleep there, whereas if you buy a game you cannot give it to everyone. It's once again "philosophy" so it's personal but I personally think that the work still belongs to the author, it's like buying a painting to burn it, you have the right but morally it's not very cool therefore the painter has the right to infuge his painting (yes it's imperfect like many metaphors)
You just make their experience worse for no real reason.
It's a general observation on which I could agree but in the case of preventing the editing of a backup I don't see why that would irreparably damage the experience... And it really depends on the case, I obviously not going to put a thousand security on a game that is not worth it...
instead of that one obscure json library that has 10 users that someone tries to use in game, but it doesn't work so they now try to get help here.
It has more than 1500 stars on GitHub but I still concede the argument ^^
In short, the subject is too vast and it is only my opinion, sorry to have started on this subject ^^
Subject might be vase, but in this case it's not really. You just trying to fix something that don't really broken, and wasting time on it!
It's really sounds close to people who here (on this forums) asking how to secure their games from stealing by obfuscating their source code.
Security is a vast subject, the proof is there. And I know very well that no security is infallible but we come back to what I was saying and when I say that the subject is vast it is that I could also continue indefinitely to say why I think that despite the counter-arguments that I could also say to myself, especially that each case and configuration will be different and I don't want the topic to be blurred (even if it's already done :death: ).

However, I agree with you on the main lines, it will help me to think about my project, thank you!

I specify all the same that when I mentioned the fact of obfuscating a backup it was mainly out of curiosity with regard to my current project or it would be desirable, it is not a generality and I like nitpicking too, this explains it ^^

Re: Is luasec a thing?

Posted: Mon Feb 13, 2023 7:24 pm
by GVovkiv
Multiplayer-only games I know of don't leave player progress local and if no server no game anyway, right? (maybe I misunderstood)
If player data lies only on game server, i think it's bad idea, especially for game preservation (and especially if game is closed sourced). I might want to play game locally, without access to game server. Maybe some lan or just on some sort of community servers, so being forced to always connected to game servers is meh.
I really like this comparison except that if you buy a house you have the right to leave it empty so that everyone can sleep there, whereas if you buy a game you cannot give it to everyone. It's once again "philosophy" so it's personal but I personally think that the work still belongs to the author, it's like buying a painting to burn it, you have the right but morally it's not very cool therefore the painter has the right to infuge his painting (yes it's imperfect like many metaphors)
Well, that's copy of something that i give money for, so should be able to do with it all i want to (well, except obvious stuff (that should be covered by license, i guess) like re solding game, claiming that this game made by me, etc). Why then why buy game at all, if even buying game doesn't allow me to play with it as i want to?
It's a general observation on which I could agree but in the case of preventing the editing of a backup I don't see why that would irreparably damage the experience...
It's will damage curious part of players! When i played enough of game, it become boring, so i can just edit something in game and see what would happens. Or give myself 9999 attack and kill final boss with 1 attack when hi says something like "I most powerful being, you cannot defeat me!". Or something like. If your game doesn't provide tool to do so (maybe because you don't won't spend time programming it) why then just left this to player? Putting this "securities" methods doesn't really secure anything, except, maybe, peace in your mind as developer
Security is a vast subject, the proof is there. And I know very well that no security is infallible but we come back to what I was saying and when I say that the subject is vast it is that I could also continue indefinitely to say why I think that despite the counter-arguments that I could also say to myself, especially that each case and configuration will be different and I don't want the topic to be blurred (even if it's already done :death: ).
It's just sounds kinda useless to protect save file on local machine in single player game. It's not even like this file contains secret recipe of krabby patty burgers, that supposed to be protected somehow
I specify all the same that when I mentioned the fact of obfuscating a backup it was mainly out of curiosity with regard to my current project or it would be desirable, it is not a generality and I like nitpicking too, this explains it ^^
Well, yeah, but it's just peace of my soul die, when developers of their games try to put things like this in games, making life for someone like me harder for no real reason :cry:
(On same level, as unresizeable window, long ui animations that you can't disable, game intros on every damn startup and doesn't providing option for changing gamepad hints from xbox to ps!!!!)

Re: Is luasec a thing?

Posted: Mon Feb 13, 2023 9:27 pm
by Bigfoot71
GVovkiv wrote: Mon Feb 13, 2023 7:24 pmIf player data lies only on game server, i think it's bad idea, especially for game preservation (and especially if game is closed sourced). I might want to play game locally, without access to game server. Maybe some lan or just on some sort of community servers, so being forced to always connected to game servers is meh.
It's true after I was talking about exclusively multiplayer games because I draw parallels to my case (hence my basic question) and in my specific case I couldn't afford to store all the players' saves for reasons economical anyway.
Well, that's copy of something that i give money for, so should be able to do with it all i want to (well, except obvious stuff (that should be covered by license, i guess) like re solding game, claiming that this game made by me, etc). Why then why buy game at all, if even buying game doesn't allow me to play with it as i want to?
I still agree with you on the fact that when you buy an object (virtual or not) that you can do what you want with it within the legal limits except in three cases where I could understand these limitations:

Either because it's a work that must be seen under a specific spectrum, for example cheated in a game like Myst, Stanley Parable or Journey I don't see the point in it, it's to lose all the reflection and the flavor of these works while cheating in GTA it will be fun more than 2 minutes and will increase the player's interest around the game.

Second scenario, if the time spent on the game is the author's source of income, it may seem silly, but cheating in a game like Angry Birds will only reduce the player's experience time (as well as the interest he finds there) and thus will reduce the income of the developers. (And I am totally objective).

Third scenario, which is my case, online games because it will spoil the experience of other players...

And finally, as we have been able to say, putting these restrictions does not prevent you from doing so, neither technically nor legally, and all of this makes me think that if I do not want the player to tamper with the experience that I propose to him, I have the right to put restrictions, as long as it's done intelligently and not just anyhow, we have to find a balance, so I agree that it's sad that someone who will want to be interested in the technical aspect to see the limits of the game, to speed run it or to understand how it is done, will be prevented from doing so to a certain extent but it is the game and we have to know how to juggle intelligently between all that. (after we were talking mainly about cheating, do not get lost)

After if it's a simple remake of Mario or a fighting game or whatever, I agree that it would not make sense to impose these kinds of limits, again I was asking these questions to see what I could get out of it in my specific case.

I think I answered the whole message in one go ^^ After I insist on the fact that this is only my opinion, that it is only worth what it is worth and that I do not encourage anyone to think like me, especially since I might change my mind one day, who knows. As we say at home, only idiots don't change their minds!

Re: Is luasec a thing?

Posted: Tue Mar 14, 2023 5:42 pm
by SelfDotX
slime wrote: Sat Feb 11, 2023 10:06 pm For love 11, there's zero hacking involved to get lua-https working for it. It's just a lua C module, nothing special.
Sorry if this is a dumb question, but could someone expand on the bolded part? Where do I find it, how do I use it, do I need to compile something etc...

Re: Is luasec a thing?

Posted: Tue Mar 14, 2023 10:07 pm
by Bigfoot71
SelfDotX wrote: Tue Mar 14, 2023 5:42 pm
slime wrote: Sat Feb 11, 2023 10:06 pm For love 11, there's zero hacking involved to get lua-https working for it. It's just a lua C module, nothing special.
Sorry if this is a dumb question, but could someone expand on the bolded part? Where do I find it, how do I use it, do I need to compile something etc...
What she meant is that you don't need to modify löve2d (11.x) itself to use luasec, just compile it and import it into a Lua script like any other module.

Here is how I compiled it on Linux Mint, I directly downloaded the repository in zip file: https://github.com/brunoos/luasec
I checked that I had the liblua5.1-0-dev package on my distribution.
And I started the compilation with this command:

Code: Select all

make linux INCDIR="-I/usr/include/lua5.1 -I$(pwd)/src"
If you are on Windows I saw that there was a .sln file in the repository, which should make your job easier.
I share my test with you even if I strongly advise you to compile it yourself. (which I would do directly ^^)

If you have any problem with the compilation don't hesitate, you can even PM me if you're doing it on Linux or MinGW (although it will be more suitable to use MSVC for Windows).

Re: Is luasec a thing?

Posted: Wed Mar 15, 2023 12:49 am
by SelfDotX
I really appreciate you taking the time to respond. I will admit up front that I have a very, very general understanding of compiling and the tools used. I can only think of one project - CDDA - in which I successfully compiled source code, and that was with a fair amount of hand holding, and a computer ago. While I don't want to waste to much of your time, or derail the thread - do you happen to know if installing MSYS2 would give me all the tools I need to compile the mentioned repository on Windows?

Re: Is luasec a thing?

Posted: Wed Mar 15, 2023 1:18 am
by Bigfoot71
SelfDotX wrote: Wed Mar 15, 2023 12:49 am I really appreciate you taking the time to respond. I will admit up front that I have a very, very general understanding of compiling and the tools used. I can only think of one project - CDDA - in which I successfully compiled source code, and that was with a fair amount of hand holding, and a computer ago. While I don't want to waste to much of your time, or derail the thread - do you happen to know if installing MSYS2 would give me all the tools I need to compile the mentioned repository on Windows?
Theoretically yes, with MSYS2, Lua to install with, MinGW and by modifying the Makefile a little it is possible but if you only have a very general knowledge of compilation it will then be much easier for you to do it do with MSVC (Visual Studio).

Since Visual Studio is a real gas machine to install (personal opinion) you can normally just install the MSVC compiler and do it from the command line with msbuild.exe.

However, good news (maybe)! I just checked and the module seems available on LuaRocks, you can try it ^^
https://luarocks.org/modules/brunoos/luasec