Anti-Cheat Toolkit: stop cheaters easily!

Hey all,
new 1.5.3.0 version is already available!

Most important change in this update - plugin is moved to the Plugins folder by default for all supported Unity versions (4.6+).
Also few user requests were implemented along with some additions.

Spoiler: update changelog

1.5.3.0
- plugin moved to Plugins folder, please remove previous ACTk version!
- added ObscuredString.Length property for better compatibility
- added ULong support to the ObscuredPrefs
- added Decimal support to the ObscuredPrefs
- added ObscuredUInt inspector output for Unity 5.0+
- added ObscuredULong inspector output for Unity 5.0+

 

I have purchased an asset few days ago and I have a question.
In our game, we save user's save data's by binarization.
This work is done through JSON.NET's BsonWriter.

We have applied ACTk in class that currently maintains the save and applied few parts such as shown.

Code (CSharp):

1. public class SaveData {
2. ...
3. public ObscuredInt Money { get; set; }
4. public ObscuredString Name { get; set; }
5. ...
6. }

In addition, binarization is being processed through the code below.

Code (CSharp):

1. using (var fs = File.Open (filePath, FileMode.Create)) {
2.        using (var writer = new BsonWriter (fs)) {
3.        var serializer = new JsonSerializer ();
4.        serializer.Serialize (writer, _save);
5.    }
6. }
7.  
8. using (var fs = File.OpenRead (filePath)) {
9.     using (var reader = new BsonReader (fs)) {
10.      var serializer = new JsonSerializer ();
11.      _save = serializer.Deserialize<SaveData> (reader);
12.    }
13. }

The process in binarization of previous save data and reading it is well applied. However, after changing to a Obscured type, some variables despite having a fixed value, is ultimately read as a {0}.

Data is read and written through binarization of JSON file, and we're curious on what other method must be used.

We have solved non-binarization JSON file through manual's converter. However, there are problems when it comes to creating the binary.

 

Hey, @lunstar !

Did you tried to implement ISerializable interface for the SaveData with manual conversions?
Here is an example: https://forum.unity3d.com/threads/anti-cheat-toolkit-stop-cheaters-easily.196578/page-6#post-1837510

You also may use JsonConverter(s) for the ObscuredType(s) you wish to (de)serialize as @mcmorry showed here:
https://forum.unity3d.com/threads/a...p-cheaters-easily.196578/page-12#post-2642699

Please let me know if these methods do not work for you.

 

Hello Dmitriy,

I used the method you've mentioned,

however, I've encountered the problems that I've wrote earlier

 

Understood, I'll take a look and will try to reproduce issue on my side or I'll provide working solution for your case.
Thanks!

 

Hey again, @lunstar !

Just tried the ISerializable and it seems to work fine.

Here is an example:

Code (CSharp):

1.  
2. using System;
3. using System.Runtime.Serialization;
4. using CodeStage.AntiCheat.ObscuredTypes;
5.  
6. [Serializable]
7. public class ClassToSerialize: ISerializable
8. {
9.     public ObscuredInt Money { get; set; }
10.     public ObscuredString Name { get; set; }
11.  
12.     public ClassToSerialize() { }
13.  
14.     private ClassToSerialize(SerializationInfo info, StreamingContext context)
15.     {
16.         Name = (string)info.GetValue("Name", typeof(string));
17.         Money = (int)info.GetValue("Money", typeof(int));
18.     }
19.  
20.     public void GetObjectData(SerializationInfo info, StreamingContext context)
21.     {
22.         info.AddValue("Name", Name);
23.         info.AddValue("Money", Money);
24.     }
25. }

Or, if you wish to store data in encrypted state, here is a way to do it:

Code (CSharp):

1. using System;
2. using System.Runtime.Serialization;
3. using CodeStage.AntiCheat.ObscuredTypes;
4.  
5. [Serializable]
6. public class ClassToSerialize: ISerializable
7. {
8.     public ObscuredInt Money { get; set; }
9.     public ObscuredString Name { get; set; }
10.  
11.     public ClassToSerialize() { }
12.  
13.     private ClassToSerialize(SerializationInfo info, StreamingContext context)
14.     {
15.         ObscuredInt loadedMoney = 0;
16.         ObscuredString loadedName = string.Empty;
17.  
18.         loadedName.SetEncrypted((string)info.GetValue("Name", typeof(string)));
19.         loadedMoney.SetEncrypted((int)info.GetValue("Money", typeof(int)));
20.  
21.         Money = loadedMoney;
22.         Name = loadedName;
23.     }
24.  
25.     public void GetObjectData(SerializationInfo info, StreamingContext context)
26.     {
27.         info.AddValue("Name", Name.GetEncrypted());
28.         info.AddValue("Money", Money.GetEncrypted());
29.     }
30. }

I've tested these examples with Bson (de)serialization code you provided.
Please let me know if this will work or not work for you.

 

Thank you @Dmitriy Yukhanov!
I've tested ISerializable things. But i've got problems.

My save class includes dictionary with struct, and many other variables.
This is my save class applied with ISerializable.

Code (CSharp):

1.  
2. [Serializable]
3. public class SaveDataModel : ISerializable {
4.  
5.     public Dictionary<UserBehaviourCheckType, bool> UserBehaviourChecker;
6.  
7.     // Statics
8.     public Dictionary<GameStatisticType, GameStatisticInfo> GameStatistics;
9.  
10.     // Ad
11.     public bool NoAds = false;
12.     public int AdCount = 0;
13.  
14.     // Option
15.     public int GraphicQuality = 0;
16.     public bool MuteBGM = false;
17.     public bool MuteSFX = false;
18.     public string Language = "";
19.  
20.     // User Information
21.     public string Username = "";
22.     public ObscuredString UUID { get; set; }
23.     public bool RegisteredUserName = false;
24.  
25.     // Money
26.     public ObscuredInt Like { get; set; }
27.     public ObscuredInt Star { get; set; }
28.  
29.  
30.    ....
31.  
32.  
33.     public Dictionary<int, RegionInfo> Regions;
34.     public Dictionary<int, PlatformInfo> Platforms;
35.  
36.     // Delivery
37.     public bool OpenMovingMart = false;
38.     public int DeliveryProgress = 0;
39.     public List<DeliveryRewardInfo> DeliveryRewards;
40.  
41.     public SaveDataModel() {}
42.     private SaveDataModel(SerializationInfoinfo,StreamingContextcontext){
43.        ....
44.     }
45.     public void GetObjectData(SerializationInfoinfo,StreamingContextcontext){
46.         ....
47.     }
48. }

I have no solution of getting values of containers (list, dictionary with structs) via ISerializable method.
Thank you!

 

Hey, @lunstar

Alright, back to the JsonConverter =D
Why does it not working for you?

I just tried it and it seems to work just fine.
Looks like you just forgot to add it to your (de)serializers.

Try to add it after you create JsonSerializer:

Code (CSharp):

1. var serializer = new JsonSerializer();
2. serializer.Converters.Add(new ObscuredValueConverter());

Also note, mcmorry's example has no ObscuredString implemented, just add it similar way existing types are added to be able to convert ObscuredStrigns.

 

Aha! It works!!
I didn't know the method add converters to JsonSerializer.
It seems to be working nicely.

Thank you very much!!

 

Hey all, new update 1.5.4.0 available!

In this update some user requests were implemented.

Spoiler: changelog

1.5.4.0
- added (x,y) constructor and same Encrypt API to the ObscuredVector2
- added (x,y,z) constructor and same Encrypt API to the ObscuredVector3
- added (x,y,z,w) constructor and same Encrypt API to the ObscuredQuaternion
- added new GetDecrypted API to all obscured memory types
- added ObscuredShort inspector output for Unity 5.0+
- fixed incorrect InjectionDetector execution with argument in callback

 

About to buy your asset. Looks exactly what I'm looking for. I was wondering if it's easy to make it work with iCloud saves for example?

 

Hey, @M0rph3v5 !

Unfortunately I never worked with iCloud saves and have no idea on how it works with Unity.
But ACTk's public APIs allows you to get encrypted data from obscured types, save it and load it back to obscured types for example.

 

Thanks for the reply, I'll have to research that too but perhaps you already did something with it. Np!

 

Any chance to see some code obfuscation tool in future release?

 

Hey, @abrasive !

Let me shamelessly copy-paste my recent reply from the reviews section:

Currently there is already great obfuscator on the store (Obfuscator).
Implementing it in ACTk would raise ACTk's price for sure and it's currently unwanted change, so currently my TODO list starts with other features I'd like to implement first.

 

Apparently I'm getting a false detection on ObscuredCheatingDetector, I'm using several public ObscuredInt in a prefab, If I select several prefabs (same script) and try to edit something (in my case a Shpree Collider radious) it will start showing the detection without doing anything.
I can solve it if I re-assign the obscured variables in every prefab that I selected and edited at the same time, I do not know if I'm the only one who has this problem.

 

@Ds777 thanks for reporting this, I'll take a look and will try to reproduce your issue.
BTW are you using latest version from the store?

 

Hello,

Just wanted to ask if there is a recommendation on the key lengths. As in the actual value of the key itself. I see that int and string is possible. For int which maps to int32 a value of 2,147,483,647 would be maximum, so anything in that range. For string it could be any length I'm guessing? Longer value add greater protection do they not, but will they effect the performance when encryption or deception operations are taking place.

Any thoughts you might have on this are appreciated. Thank You for a great plugin.

 

Another question. You recommend setting the new Crypto Key, presumably I would want to do this before I declare a variable of Obscured type. What about variables that are part of a class declaration, in this use case I would need to use the ApplyNewCryptoKey in the constructor or other method of the class, right? Just want to make sure this is expected pattern. In the example screen one of these variables would be "obscuredString", because it is declared as part of the class there is no chance to set the encryption key ahead of time. This is not a problem just want to make sure this is expected use.

Also would you recommend setting a different key for each of the variables in the game? Or is this overkill? For example number of collected coins could have one, current score could use a different key, or is this just making things overly-complicated and won't really provide any additional protection. I'm talking about variables that change constantly and not something like top score that changes seldom for which you recommend using RandomizeCryptoKey.

Lastly, in the ActTesterGui.cs (lines 64-70) you speak of a small trick to hide encryption key in serialized MonoBehaviour, but I think you're missing the actual [HideInInspector] filed. If that is not the case then I'm not sure what the actual trick is.

Thank You.

 

Hey, @JesterGameCraft !

There is no need in extra long keys here, adding more chars to the string keys will not greatly improve security, but it will need few extra cycles to process a value every time.

I'd suggest to stick with keys not exceeding 10 chars.

Yep. To apply new key to the existing instances of obscured types, you'll need to explicitly call an ApplyNewCryptoKey API on them.
All new instances after crypto key change will have it by default.

Definitively overkill, but you're free to use RandomizeCryptoKey for the values which change often to defend them from the unknown values search. Just make sure to call RandomizeCryptoKey in the non-constant manner, e.g. with random intervals, even when target value didn't changed.

Right, in the serialized file. It's pointless to use HideInInspector ther since cheater will not see your inspector. The main idea there - move key from the code which can be decompiled and viewed to the serialized object. It's much harder to find it in the serialized object in the resources of the compiled build.

 

Thank You for answering my questions. I had a couple more that I wanted to clarify.

I've looked over this video https://unity3d.com/learn/tutorials/topics/scripting/persistence-saving-and-loading-data at about 40min mark the serialization technique is used to save and load game data. So if I understand your comment correctly I should serialize my encryption key and that will keep separate from the class definition (class object) source. Then I can just read the key in at game start. Would storing the key at runtime in an obscured type be a good idea?

On a similar note - when storing my game data - would it be more secure to have a class with Obscured type variables that holds my game data (eg. highest score) and then serialize that class instead of using ObscuredPrefs?

 

Yes, but you don't need to serialize it directly, Unity serialization engine will make it for you when you'll place it at the ScriptableObject or MonoBehaviour.

It should work fine, so yes, you may declare ObscuredInt at the MonoBehaviour, set the proper value at the inspector and read it on game start to use as an encryption key.

Please let me know if it will not work for you for some reason.

 

I see, thank you.

Last thing I wanted to ask, would you recommend I use a class that has Obscured types that hold my game data (eg. high score) and then serialize that class on game save. On game load would deserialize the data. This would be instead of using ObscuredPrefs, or will using ObscuredPrefs will work just as well.

Thanks again for all the replies, much appreciated. Regards.

 

Ah, sorry, forgot to answer this part.
I'd suggest to stick with prefs if you're not going to save hundreds kb of data. It will allow to avoid headache with manual obscured types serialization via converters or ISerializable callbacks.

 

Thank You for great plugin and support.

 

@Dmitriy-Yukhanov does your plugin protect our games from Lucky Patcher-like apps?

 

@RafaelAlcantara no, currently ACTk has no such feature. It will have rooted devices detection (it's on the TODO) which will partially allow to deal with such tools, but rooted device not always mean cheating customer, so it will be up to you how to react on rooted devices.

Generally, Lucky Patcher-like tools are on the TODO list, and I'll make deeper investigation on their features and ways we can resist \ detect such cheating in future.

 

Hi,

Question about keeping score and in game currency secure. If I use the ObscureType to keep track of my in game currency and score do I also need to make the increment values of ObscuredType. For example, let's say user collects a gem in the game I have a currentGem variable of ObscuredInt to which I add 1. But should the constant "1" also be of ObscuredInt. I mean if hacker changes the "1" to "1000" that would be bad. Do you have any thoughts on this?

Thank You.

Regards.

 

Hey, no, I'd suggest to use Obscured type only when you declare long-term variable.
To find and modify value in memory, cheater should make few iterations to filter out desired value from dozens of other values in game. So it's more likely pointless to use Obscured types for the increment values in your case.

 

Dmitriy, we are experiencing some annoying bug on our side. Unity 5.5.0p4, changing values of ObscuredBool in the game and other types sometimes randomly trigger the ObscuredCheatingDetector. Any ideas why it happens?

 

Hey, @tyomklz

Is it possible those variables were placed on prefabs \ Scriptable Objects?

 

Yeah, it's an object that is a part of a prefab, it has a script and the script has a public obscured boolean. Also I was wrong, sorry, it doesn't even change its value at all, prefab has it as true from the start and the boolean never changes while the game is running. Obscured cheating detector triggers when the boolean is being read during runtime inside of if statement, that's it.

 

@tyomklz thanks for detailed reply.

There is a known bug with obscured variables on prefabs \ scriptable objects which can lead to the internal corruption when multiple prefabs \ SO with Obscured variables in inspector are selected, leading to the ObscuredCheatingDetector false positives.

The fix is ready, but you'll need to fix all the corrupted prefabs in your project.
I'm finishing editor script which does this and I'll release micro update with fix and this editor script as soon as possible.

 

Sounds great, Dmitriy. Thank you for the quick answer.

 

The players managed to hack my game with SB Game Hacker, any solution? Exchanges the variables are Obuscured type and I'm using the ObscuredPrefs.

 

Hey, @Nucci!
What exactly did they hacked?
Some root-level features of such tools can't be detected from managed code, but I need more details on what was hacked and how it was covered with ACTk to be able to help you, if possible.

 

Hey man!

They hacked the diamonds of the game. To test your anti-cheat, I challenged on my facebook page the players hacking, to my surprise, today an individual posted a photo and confirmed in game that this with everything that can be released with released diamonds. The code is implemented as follows:

http://pastebin.com/kAHKEQj3

When asked they said they hacked using the SB Game Hacker and another one with Hack App Data, except that this second I could not confirm. Could you help me?

 

Hey, @Nucci !

Did you tried to use RandomizeCryptoKey API to make it harder to find values with unknown value search?
Also, did you tried to use ObscuredCheatingDetector?
Finally, did you changed default crypto key?

Also, I'd like to make it clear - ACTk is not a thing to challenge, it can be hacked, as anything else on client side.
Its goal not to prevent cheating and hacking in 100% cases, but to dramatically reduce amount of cheating people and \ or to catch the cheating gamers, depending on the features you're using.
Or you may use it as a good starting point for your anti-cheat systems since ACTk has sources included and you're free to modify it as you like for your game.

 

For some reason my Unity 5.5.2p1 stores PlayerPrefs into another location now (look at the attached screenshot). As a result ACTk's ObscuredPrefs viewer UI doesn't work anymore as it doesn't show any stored data now.

 

Hey, @tyomklz !

Thanks for reporting this.
It's a known issue to be fixed with next update. Unity 5.5+ changed default path for the prefs keys on Windows.
Here is a fix in case you don't wish to wait for update:
Replace line 616 of the ActPrefsEditor.cs file
with this line:
RegistryKey registryLocation = Registry.CurrentUser.CreateSubKey("Software\\Unity\\UnityEditor\\" + PlayerSettings.companyName + "\\" + PlayerSettings.productName);

 

Hey dmitriy,

Just bought it! I was trying to use ObscuredFloat (using serialization) but the SetEncrypted requires an integer, same goes for GetEncrypted returns an int. I'm guessing this is a mistake copy paste?

Cheers

 

Hey, @M0rph3v5

It's fine, floats are encrypted to the integers (both float and int are 4-bytes types).

 

Hi,
I spent two days debugging my game just to find out that ObscuredFloat stored on prefabs are always returning 0 or eXX in Awake on Unity 5.4.5 using latest version of ACTK V_1.5.4.0 available on store.
Please can you suggest what is happening as in unity 5.3.7 ObscuredFloat were returning correct values,it's a major game breaking change for me ,any quick fix will be highly welcomed as it has halted my game testing.

 

Hey, @dev_2051

Did you updated ACTk as well, or you updated only Unity?

 

Yes i am using latest 1.5.4.0 version downloaded from asset store

 

I mean, from what ACTk version did you updated?
It's possible you're facing known issue with Obscured types on prefabs which is already solved in current dev version.
I'm sending you PM with link to the current dev version to let you check if it solves your issue.

 

Hi,
Just wondering when 1.5.5 will be available from the asset store.
I updated to 1.5.4.0 , and I am experiencing problems with the obscured cheating detector. Never had these problems before. My code has not changed, but the detector is firing on floats alot.
Previously the float epsilon was 0.0001.
Now I have to set it to 0.1 to stop false positives.
Other than that great product

 

Hey, @Kanos !
1.5.5.0 is passing a review right now, should be in store in few days I believe.

 

Awesome !

 

Hey Dmitriy,

I'm trying to edit a ObscuredString from a editor script using SerializedProperty. However I cannot use a .objectReferenceValue or .stringValue . Any idea how you are able to use editor scripts to save values this way?