Yeah, the rule is: never trust the client. Everquest, Diablo etc were all client-hacked pretty quickly, even though they were in C/C++. From what Ive read its pretty easy to memory scan stuff, without understanding anything in the code at all.
Unless one was going to inline encryption/decryption for every data access, this is kindof tough to stop, since the value of, say, runspeed, is bound to appear in clear at some point in one’s program.
That said, as CPU’s become faster, I guess one could inline encryption/decryption for data read/writes. I just thought of this in the middle of this post, so I havent had time to think this through properly, but for example:
INLINE int ReadIntData( int &memvalue )
return memvalue + 13; // ROT13, for illustration
INLINE void SetIntData( int &memvalue, int datavalue )
memvalue = datavalue - 13;
SetIntData( iHealth, 50 );
cout << "Your health is " << GetIntData( iHealth ) << endl;
Now it is true that the 50 is still in clear:
- during the set
- during the cout
… but its very hard to intercept these calls, and these values are not exposed statically in memory in the way that they would be if one simply set iHealth to 50.
Of course, theres probably still ways to expose this. Probably many values are static in memory anyway?, so the simple action of changing one’s health and watching which values change is probably going to give a lot of clues? :
- watch which bits of memory are changing on a per-frame basis, from just moving around a little. These are primarily graphical; discard them.
- change one’s health, watch which bytes just changed, and which didnt change before
In any case, back to reality, in any successful MMORPG, the rule is: anything on the client that can be hacked will be. That’s true for any client, in any language, closedsource or not. Thats also true for consoles, even though you cant actually easily access the OS, because you can run the game inside a VM.