I’ve seen some of us counsel obfuscating your variables one thing like this:
public class ObfuscatedInt {
int _mask;
int _masked;
public ObfuscatedInt() {
_mask = GetRandomInteger();
_masked = ~_mask;
}
public int Worth {
get { return _masked ^ _mask; }
set { _masked = worth ^ _mask; }
}
}
Now any variable you retailer in considered one of these is not written to reminiscence in a recognizable method – its bits are randomly scrambled so a trivial seek for a particular bit sample, just like the life counter altering from 3 to 2, will not discover it.
The deal-breaker for any client-side safety is that this: the participant is below no obligation to run the code you offered.
A hacker might take the sport executable, decompile it, and discover this ObfuscatedInt
sort. Then they change _mask = GetRandomInteger();
with _mask = 0;
(or the same no-op) and recompile. Now they’ve a model of your recreation with all unmasked variables, and may return to reminiscence hacking simply as earlier than.
Or say you may have a chunk of code that watches specific variables and journeys an alarm if they alter values in an unsanctioned method. Once more, a hacker can discover the alarm code and simply delete it, so this watcher code does nothing.
The identical goes for code that tries to learn the operating executable, and journey an alarm if it detects that its personal code has been tampered with. No-op the “then” case, and it is fully defanged.
So that you would possibly try to resolve this from the server: have the server ask unpredictable questions concerning the shopper code, and if a shopper provides a mistaken reply, block it as a cheater. However even right here, a hacker can run a sound, unmodified shopper in a sandbox, ahead the server’s quizzes to it, intercept its solutions, and report them as its personal.
Each client-side anti-cheat on a desktop PC is simply layers and flavours of those ways, and also you’re simply hoping the hacker will run out of motivation earlier than you run out of layers of obfuscation. You can’t stop reminiscence hacks, solely delay them.
In the meantime, all these layers trigger actual efficiency impacts and an elevated danger of bugs for your whole gamers, even when most of them are trustworthy.
That is what of us imply after they say “validate essential information on the server” – this isn’t a short lived inconvenience that certainly might be solved in one other yr or two. That is the basic nature of distant customers operating code on gadgets they management. You haven’t any method in precept of verifying that the code they’re operating is the code you wrote, and never a forgery or hacked copy. So: the shopper is within the arms of the enemy. By no means belief the shopper.