Couldn't you save it with like... lets say you are trying to save 3 single numbers, can't you add like a random generated numbers between them and just read the ones you know are it? Like, You're value to save is 666. It saves to the bank as, ====66====6== , ofc the = would be real numbers. Also make sure they can't save the same thing to the bank. So the score always changes. Wouldn't that work? I haven't messed with banks, but... sounds good?
The ranking save lots of information that its not that important. The 22-digit id is already a random number. Also, together with the numbers there's the number of games played. The game keeps track of how many games the player has played. In this way, if his score is bigger than the number of rounds he played, BAN!
By the way, Debates has also 14 admins keeping track of hackers. The admins can reset scores from inside the game.
Whoever hack it, that wasn't an easy job and I bet they spent the whole day because they hacked all the positions in the ranking and changed all names with "manually made" names. I've already fixed all the mess and changed some code, but it took me work.
Anyway, for me that was a completly waste of time. What's the point of spending so much work hacking a map that it's not even popular?
there is just 1 major problem atm with encrypting stuff and banks:
The galaxy code is still readable.
So basicly if someone want to add him/herself with a massive score what (s)he can do is just copy the code used to generate the bank stuff, including the encrypting, and run it with the values (s)he wants.
Until that problem has been fixed it has not much use to spend a lot of time on encrypting the bank info. (do mind I say a lot of time. because almost nobody will bother with looking up the encryption code and using that to cheat. But then again sadly a few do :( encrypting still has use for those who just look at the bank and want to alter stuff directly there. )
there is just 1 major problem atm with encrypting stuff and banks:
The galaxy code is still readable.
So basicly if someone want to add him/herself with a massive score what (s)he can do is just copy the code used to generate the bank stuff, including the encrypting, and run it with the values (s)he wants.
Until that problem has been fixed it has not much use to spend a lot of time on encrypting the bank info. (do mind I say a lot of time. because almost nobody will bother with looking up the encryption code and using that to cheat. But then again sadly a few do :( encrypting still has use for those who just look at the bank and want to alter stuff directly there. )
I know that. To prevent that, I hid a lot where exactly the player scores. So that, the hacker cannot know which variable is the score. There's more than 100 global variables, all called IIIllI or IIlI or IIllI or IlIlI or IIIIl and so on.
Also, just increasing the score wont work because there's also the number of games played that the game keeps track.
But you are right. I am just hiding. IT CAN BE FOUND! This is a huge flaw on sc2 maps.
Wow, just wow. I intended - and finished 70% - to do a custom achievements system that works between all of my maps and that are visible through the game to all players, but now that I've read through this, everything seems just hopeless ...
Why on earth would someone attempt to decrypt thier bank file just to
change thier score on Debates?
That's why I didn't write a nasa crypt. My crypt is protected enough to give several hours of very hard work. I judged that a hacker that can decrypt something like that wouldn't want to waste that much time; and besides, I've already cleaned all the mess and changed crypt before someone could doubt the game was hacked.
To be fair, why do you care so much? It's only going to be a one in a million person who actually wants to try and change his achievements manually, let alone someone breaking through hours of code. If they're THAT into it, let them?
I know that. To prevent that, I hid a lot where exactly the player scores. So that, the hacker cannot know which variable is the score. There's more than 100 global variables, all called IIIllI or IIlI or IIllI or IlIlI or IIIIl and so on.
Actually this is barely an issue. If I was to read such a code (and I did a few times in Wc3; no I'm not a hacker) the first thing I always did was change the screwed-up names to something better via a search-and-replace tool.
Your map's advantage is that there aren't any obvious key events that happen where your score gets saved (e.g. killing a unit), but it's abstract enough to give people some nice headache.
Actually this is barely an issue. If I was to read such a code (and I did a few times in Wc3; no I'm not a hacker) the first thing I always did was change the screwed-up names to something better via a search-and-replace tool.
Your map's advantage is that there aren't any obvious key events that happen where your score gets saved (e.g. killing a unit), but it's abstract enough to give people some nice headache.
fishy..... lol...
By the way, I know about the search-and-replace. The question is, replace by what name? LOL
Even before replacing the variables names I had trouble myself to remember where the player was actually scoring. And besides, the map is 100% done by triggers. You can bet that the code is huge, specially the code to select the players to play (the biggest one. It looks simple, but there's actually linear algebra on it to make the best possible combination).
Dear armchair hackers. Here are three 2 digit numbers, encrypted using a 1 byte, extremely basic mechanism.
67166995
59396109
62259067
Real encryption is 256 bytes and includes multiple stages. This is single stage and 1 byte. I hope this puts things in perspective. It isn't easy to decrypt something unless the person who encrypted it is a tool.
Dear armchair hackers. Here are three 2 digit numbers, encrypted using a 1 byte, extremely basic mechanism.
67166995
59396109
62259067
Real encryption is 256 bytes and includes multiple stages. This is single stage and 1 byte. I hope this puts things in perspective. It isn't easy to decrypt something unless the person who encrypted it is a tool.
Or unless you open the map file and copy the decrypt code, something really easy to do.
Then even trying to encrypt it is a tremendous waste of time. You will NEVER beat out the dedicated white/black hat who decides they want to be at the top of your list, especially when it's handled client side. Of course, you COULD always set a standard and encrypt based off the rotation/position of a quantum particle. [/sarcasm]
You haven't specified a base for the original encrypted number. For all we know, you've given us encoded Hex numbers instead of the assumed base 10.
Furthermore, real encryption is not just 256 bytes, hell 256 bytes SHOULDN'T be used anymore. Plus, HIS encryption allows us to pass in controlled data (Games played/Wins) in to generate data THE SAME WAY every time. I'm not saying your little cipher isn't hard to break once you answer the above, but you're comparing apples to oranges, i.e. I can't feed you three numbers and see how you encrypt them.
Ugh this is annoying; I'm going to run into these problems with my RPG I can tell... where I really don't have enough bank size to deal with encryption heavily (I inserted random letters/digits that get checked, and do a checksum, but that on top of the actual meat that's getting saved has put me near the bank size limit for Bnet).
You haven't specified a base for the original encrypted number. For all we know, you've given us encoded Hex numbers instead of the assumed base 10.
Furthermore, real encryption is not just 256 bytes, hell 256 bytes SHOULDN'T be used anymore. Plus, HIS encryption allows us to pass in controlled data (Games played/Wins) in to generate data THE SAME WAY every time. I'm not saying your little cipher isn't hard to break once you answer the above, but you're comparing apples to oranges, i.e. I can't feed you three numbers and see how you encrypt them.
This is also untrue. Most encryption assigns real numbers to prime numbers so that having a score of 1 would translate to, for example, 11 before encryption.
And yes, you can't possibly know what 3 numbers I used, because they quite literally could be anything. I could have assigned a score of 1 to be 19 before encryption. A score of 2 to be 11. 3 to be 2. Do you see where I'm going with this?
My point is that it is very, very easy to encrypt something that one person alone will never crack without the aid of a brute force hacking program and a lot of dedicated cpu time.
My encryption didn't include cyclic tamper checks which would further complicate everything. It also took 30 seconds to make, if that.
Long story short; nobody encrypts using 1=a anymore.
- Compress every important Top Scores value into a single, huge String.
- Generate a global X-digits parity check number, using any encryption algorhytm you want, starting from a const int topReboot = 1 seed.
- Take into consideration every single value saved, shuffling that number after EACH extraction.
WGX Nagrand was Featured for a whole week, with thousands of games played, and nobody managed to "hack" it. Yes they tried. Thing is, even if someone is willing to spend hours (and I really mean hours, if you save a lot of data) of his/her time to look at the code and recreate the correct parity number, you just need to change your seed const value ( =2 now? ) and upload the map again to make every High Scores data obsolete and discarded upon loading. Which does NOT mean to reset player scores mind you, just that those highest scores will need one or two days to spread again.
You can even backup your own savefile and hardcode (load by default) the last known "legit" scores if you want to, which imho should be done weekly anyway (so that new groups of players won't see empty or incomplete scores but slightly old ones instead).
The thing is, map data is always available (The galaxy script, at least). Without that information, you would not be able to play any game. This makes all encryption obsolete to anyone who knows what they're doing. The good thing is that there aren't many people on sc2 who do. If you want the best of the best, use a key cipher. Encrypt the key using any method you want. This will confuse the noobs.
I suggest rijn (Rijndael) for speed, or Serpent for strength.
Couldn't you save it with like... lets say you are trying to save 3 single numbers, can't you add like a random generated numbers between them and just read the ones you know are it? Like, You're value to save is 666. It saves to the bank as, ====66====6== , ofc the = would be real numbers. Also make sure they can't save the same thing to the bank. So the score always changes. Wouldn't that work? I haven't messed with banks, but... sounds good?
You could, but that would be very easily noticeable in the script.
The ranking save lots of information that its not that important. The 22-digit id is already a random number. Also, together with the numbers there's the number of games played. The game keeps track of how many games the player has played. In this way, if his score is bigger than the number of rounds he played, BAN!
By the way, Debates has also 14 admins keeping track of hackers. The admins can reset scores from inside the game.
Whoever hack it, that wasn't an easy job and I bet they spent the whole day because they hacked all the positions in the ranking and changed all names with "manually made" names. I've already fixed all the mess and changed some code, but it took me work.
Anyway, for me that was a completly waste of time. What's the point of spending so much work hacking a map that it's not even popular?
@RodrigoAlves: Go
there is just 1 major problem atm with encrypting stuff and banks:
So basicly if someone want to add him/herself with a massive score what (s)he can do is just copy the code used to generate the bank stuff, including the encrypting, and run it with the values (s)he wants.
Until that problem has been fixed it has not much use to spend a lot of time on encrypting the bank info. (do mind I say a lot of time. because almost nobody will bother with looking up the encryption code and using that to cheat. But then again sadly a few do :( encrypting still has use for those who just look at the bank and want to alter stuff directly there. )
I know that. To prevent that, I hid a lot where exactly the player scores. So that, the hacker cannot know which variable is the score. There's more than 100 global variables, all called IIIllI or IIlI or IIllI or IlIlI or IIIIl and so on.
Also, just increasing the score wont work because there's also the number of games played that the game keeps track.
But you are right. I am just hiding. IT CAN BE FOUND! This is a huge flaw on sc2 maps.
Why on earth would someone attempt to decrypt thier bank file just to change thier score on Debates?
And doesnt "starcode" encrypt everything in a similiar manner. Im talking about the bank encryption libary thats hosted on mapster.
Rogerio says you can open locked maps in galaxy editor after downloading them from bnet..... is this true?
That's why I didn't write a nasa crypt. My crypt is protected enough to give several hours of very hard work. I judged that a hacker that can decrypt something like that wouldn't want to waste that much time; and besides, I've already cleaned all the mess and changed crypt before someone could doubt the game was hacked.
Yes
@RodrigoAlves: Go
To be fair, why do you care so much? It's only going to be a one in a million person who actually wants to try and change his achievements manually, let alone someone breaking through hours of code. If they're THAT into it, let them?
Actually this is barely an issue. If I was to read such a code (and I did a few times in Wc3; no I'm not a hacker) the first thing I always did was change the screwed-up names to something better via a search-and-replace tool.
Your map's advantage is that there aren't any obvious key events that happen where your score gets saved (e.g. killing a unit), but it's abstract enough to give people some nice headache.
fishy..... lol... By the way, I know about the search-and-replace. The question is, replace by what name? LOL
Even before replacing the variables names I had trouble myself to remember where the player was actually scoring. And besides, the map is 100% done by triggers. You can bet that the code is huge, specially the code to select the players to play (the biggest one. It looks simple, but there's actually linear algebra on it to make the best possible combination).
Dear armchair hackers. Here are three 2 digit numbers, encrypted using a 1 byte, extremely basic mechanism.
67166995
59396109
62259067
Real encryption is 256 bytes and includes multiple stages. This is single stage and 1 byte. I hope this puts things in perspective. It isn't easy to decrypt something unless the person who encrypted it is a tool.
Or unless you open the map file and copy the decrypt code, something really easy to do.
My post was directed towards people like this;
@Eiviyn: Go
You haven't specified a base for the original encrypted number. For all we know, you've given us encoded Hex numbers instead of the assumed base 10.
Furthermore, real encryption is not just 256 bytes, hell 256 bytes SHOULDN'T be used anymore. Plus, HIS encryption allows us to pass in controlled data (Games played/Wins) in to generate data THE SAME WAY every time. I'm not saying your little cipher isn't hard to break once you answer the above, but you're comparing apples to oranges, i.e. I can't feed you three numbers and see how you encrypt them.
Ugh this is annoying; I'm going to run into these problems with my RPG I can tell... where I really don't have enough bank size to deal with encryption heavily (I inserted random letters/digits that get checked, and do a checksum, but that on top of the actual meat that's getting saved has put me near the bank size limit for Bnet).
This is also untrue. Most encryption assigns real numbers to prime numbers so that having a score of 1 would translate to, for example, 11 before encryption.
And yes, you can't possibly know what 3 numbers I used, because they quite literally could be anything. I could have assigned a score of 1 to be 19 before encryption. A score of 2 to be 11. 3 to be 2. Do you see where I'm going with this?
@Eiviyn: Go
He's not using RSA.
My point is that it is very, very easy to encrypt something that one person alone will never crack without the aid of a brute force hacking program and a lot of dedicated cpu time.
My encryption didn't include cyclic tamper checks which would further complicate everything. It also took 30 seconds to make, if that.
Long story short; nobody encrypts using 1=a anymore.
Guys:
- Compress every important Top Scores value into a single, huge String.
- Generate a global X-digits parity check number, using any encryption algorhytm you want, starting from a const int topReboot = 1 seed.
- Take into consideration every single value saved, shuffling that number after EACH extraction.
WGX Nagrand was Featured for a whole week, with thousands of games played, and nobody managed to "hack" it. Yes they tried. Thing is, even if someone is willing to spend hours (and I really mean hours, if you save a lot of data) of his/her time to look at the code and recreate the correct parity number, you just need to change your seed const value ( =2 now? ) and upload the map again to make every High Scores data obsolete and discarded upon loading. Which does NOT mean to reset player scores mind you, just that those highest scores will need one or two days to spread again.
You can even backup your own savefile and hardcode (load by default) the last known "legit" scores if you want to, which imho should be done weekly anyway (so that new groups of players won't see empty or incomplete scores but slightly old ones instead).
The thing is, map data is always available (The galaxy script, at least). Without that information, you would not be able to play any game. This makes all encryption obsolete to anyone who knows what they're doing. The good thing is that there aren't many people on sc2 who do. If you want the best of the best, use a key cipher. Encrypt the key using any method you want. This will confuse the noobs.
I suggest rijn (Rijndael) for speed, or Serpent for strength.
You could, but that would be very easily noticeable in the script.
Blizzard should allow maps to save a bank checksum to their servers. Problem solved. Theny they need to increase bank size.