Client can Change user variable?

SkaiCloud
Posts: 8
Joined: 01 May 2013, 04:20

Postby SkaiCloud » 09 May 2013, 00:15

Hello,
I have a game that accesses uservariable and roomvariable. My test team report that they can change uservariable by using cheat engine. I was almost sure that this wouldn't be possible. Am I doing something wrong?

Code:

// Needs: using System.Collections.Generic; using Sfs2X.Entities.Variables; using Sfs2X.Requests;
// Client-side check: compares the locally cached balance with the item price.
if (Sfs.MySelf.GetVariable("PlayerMoney").GetIntValue() >= Sfs.LastJoinedRoom.GetVariable(ItemID + "Price").GetIntValue())
{
    Debug.Log("Item Buy Success");
    // update player money
    List<UserVariable> userVariables = new List<UserVariable>();
    userVariables.Add(new SFSUserVariable("PlayerMoney", (int)Sfs.MySelf.GetVariable("PlayerMoney").GetIntValue() - Sfs.LastJoinedRoom.GetVariable(ItemID + "Price").GetIntValue()));
    Sfs.Send(new SetUserVariablesRequest(userVariables));
}
else
{
    Debug.Log("Insufficient Funds");
}

anniyan137
Posts: 25
Joined: 20 Nov 2012, 10:49

Re: Client can Change user variable?

Postby anniyan137 » 09 May 2013, 06:34

Firstly, this question has to be moved to the .NET/C# Unity Client side forum.

And secondly, may I ask what exactly is the issue here? Could you elaborate on what exactly is going wrong? That way we may be able to help you better.
Lapo
Site Admin
Posts: 23026
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Client can Change user variable?

Postby Lapo » 09 May 2013, 07:33

(Moved to the proper section)
Lapo
--
gotoAndPlay()
...addicted to flash games
SkaiCloud
Posts: 8
Joined: 01 May 2013, 04:20

Re: Client can Change user variable?

Postby SkaiCloud » 09 May 2013, 07:36

First, sorry, I thought this would be a server side issue.

This is my setup.
My room variable is manually assigned to the room via admin panel.
zone configuration > MyZone > MyRoom > RoomVariable > add (multiple item variable inside here. Mostly Price of the items)

Client logs in to game > database sends SfsObject data back to client to load proper data and convert it into UserVariable.

example:

Code:

// Client copies the values received from the database into UserVariables.
List<UserVariable> userVariables = new List<UserVariable>();
userVariables.Add(new SFSUserVariable("CharLevel", (int)ObjIn.GetInt("LVL")));
userVariables.Add(new SFSUserVariable("CharChr", (int)ObjIn.GetInt("CHR")));
userVariables.Add(new SFSUserVariable("CharStr", (int)ObjIn.GetInt("STR")));
userVariables.Add(new SFSUserVariable("CharVig", (int)ObjIn.GetInt("VIG")));
userVariables.Add(new SFSUserVariable("CharSilver", (int)ObjIn.GetInt("SILV")));
Sfs.Send(new SetUserVariablesRequest(userVariables));


Player goes into Shop and tries to buy an item, and client code does this check:

Code:

// Client-side check: compares the locally cached balance with the item price.
if (Sfs.MySelf.GetVariable("CharSilver").GetIntValue() >= Sfs.LastJoinedRoom.GetVariable(ItemID + "Price").GetIntValue())
{
    Debug.Log("Item Buy Success");
    // update player money
    List<UserVariable> userVariables = new List<UserVariable>();
    userVariables.Add(new SFSUserVariable("CharSilver", (int)Sfs.MySelf.GetVariable("CharSilver").GetIntValue() - Sfs.LastJoinedRoom.GetVariable(ItemID + "Price").GetIntValue()));
    Sfs.Send(new SetUserVariablesRequest(userVariables));
}
else
{
    Debug.Log("Insufficient Funds");
}


Then we would use CheatEngine to hack the game money by changing its value and it successfully accomplishes its task. I was under the impression that a uservariable is stored on the server; though the client can see it, they shouldn't be able to change its value without sending a SetUserVariablesRequest.
Is there something I'm not understanding correctly here?
Lapo
Site Admin
Posts: 23026
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Client can Change user variable?

Postby Lapo » 09 May 2013, 08:03

No, the RoomVariables and UserVariables are transmitted to the client and your code takes place exclusively on the client, therefore there's no way to avoid this kind of cheating.

In order to protect your client from these attacks you need to move the shopping logic to the server side; this way cheating is not possible.
Also you need to protect RoomVariables that represent price by making them private.

Please make sure to read this:
http://docs2x.smartfoxserver.com/Develo ... -variables
Lapo

--

gotoAndPlay()

...addicted to flash games
SkaiCloud
Posts: 8
Joined: 01 May 2013, 04:20

Re: Client can Change user variable?

Postby SkaiCloud » 09 May 2013, 08:23

Thanks for the reply Lapo, but I was under the impression that once you convert the local variable to UserVariable it would be stored in the smartfoxserver and the only way to change its value was via SetUserVariable request through the API. According to the link, if I set the UserVariable flag to private and do my shop calculation on the server end, would that fix it? All my RoomVariables are already set to private and persistent.
Lapo
Site Admin
Posts: 23026
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Client can Change user variable?

Postby Lapo » 09 May 2013, 08:40

What you are saying is correct. You can only set variables (Room or User) via SetUserVariable / SetRoomVariable requests.

But you have posted this:
"My test team report that they can change uservariable by using cheat engine."


Of course if you hack the local memory with some tool you can cheat in the system. That's why the client is not to be trusted when you need security and that's why you need to keep your sensitive information on the server side and guard it via validation code.

If you want to learn more about security take a look at our Security White Paper here:
http://docs2x.smartfoxserver.com/Overview/white-papers
Lapo

--

gotoAndPlay()

...addicted to flash games
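
The server-side shop check described in the replies above, as an added example that is not part of the original thread and not SmartFoxServer's own code. The handler name `BuyItemHandler`, the command `buyItem`, the parameter `itemId` and the user property key `silver` are hypothetical; it assumes the extension loaded the balance from the database into that server-side user property at login, instead of letting the client publish it with SetUserVariablesRequest.

```java
import com.smartfoxserver.v2.entities.*;
import com.smartfoxserver.v2.entities.data.*;
import com.smartfoxserver.v2.entities.variables.*;
import com.smartfoxserver.v2.extensions.BaseClientRequestHandler;
import java.util.Arrays;

// Hypothetical handler; register it in the extension's init() with
// addRequestHandler("buyItem", BuyItemHandler.class).
public class BuyItemHandler extends BaseClientRequestHandler {
    // Assumed: set at login from the database. User properties live only
    // on the server, so the client cannot read or overwrite this value.
    static final String SILVER_PROP = "silver";

    @Override
    public void handleClientRequest(User sender, ISFSObject params) {
        // The item id is the only client input; no balance or price sent
        // by the client is ever read.
        String itemId = params.containsKey("itemId") ? params.getUtfString("itemId") : null;
        Room room = sender.getLastJoinedRoom();
        RoomVariable price = (itemId == null || room == null)
                ? null : room.getVariable(itemId + "Price");
        if (price == null) { reply(sender, false, "unknown item"); return; }
        int cost = price.getIntValue();
        int newBalance;
        synchronized (sender) { // serialize concurrent purchases by one user
            Integer silver = (Integer) sender.getProperty(SILVER_PROP);
            if (cost < 0 || silver == null || silver < cost) {
                reply(sender, false, "insufficient funds");
                return;
            }
            newBalance = silver - cost;
            sender.setProperty(SILVER_PROP, newBalance);
        }
        // Mirror the result into the UserVariable for display only; the
        // property above stays the source of truth for the next purchase.
        UserVariable shown = new SFSUserVariable("CharSilver", newBalance);
        getApi().setUserVariables(sender, Arrays.asList(shown));
        reply(sender, true, "ok");
    }

    private void reply(User to, boolean ok, String msg) {
        ISFSObject res = new SFSObject();
        res.putBool("ok", ok);
        res.putUtfString("msg", msg);
        send("buyItem", res, to);
    }
}
```

Because the check reads the server-side property, editing the client's memory or sending a forged SetUserVariablesRequest for CharSilver changes only what is displayed, not what the player can buy.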
anniyan137
Posts: 25
Joined: 20 Nov 2012, 10:49

Re: Client can Change user variable?

Postby anniyan137 » 10 May 2013, 13:17

Whoa! Had never considered this scenario for my project! :shock:

Need to work on this right away.
Lapo
Site Admin
Posts: 23026
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: Client can Change user variable?

Postby Lapo » 10 May 2013, 13:39

Yep :) Take a look at the whitepaper; there's lots of material on how to secure your application on both sides.
Lapo

--

gotoAndPlay()

...addicted to flash games
