King of Town

I’m thinking about having an online leaderboard for DreamZZT. The only issue is that it’s too easy to cheat, both from within DreamZZT and from outside it as well. I’m thinking about adding a special value in the unused parts of the world header to indicate whether you’ve cheated or not. This value would be cleared by DreamZZT’s editor and debug console, and external editors should also ignore it.

The drawback to that is that, since DreamZZT and KevEdit are both open-source, there’s nothing preventing someone from adding support for this flag to KevEdit (or ZZTAE or another ZZT editor) and creating modified game files that still pass the cheating test.

Getting the high score would be as easy as changing your score in KevEdit, saving the file, and then dying in DreamZZT. Or distributing a modified game file with a new object that simply runs:

#give score 10000000
#endgame

I’d consider running the leaderboard on the honour system, but the Z2 crowd aren’t the most mature group of people. Even if I tie the scores to the forums.c99.org accounts like DCSquares, it’s still a lot of administration work to have to determine whether a score is legitimate or not, and to go through and ban users caught cheating.

Thoughts?

This Post Has 12 Comments

  1. The only problem with that is you would be unable to save your game to continue later. ZZT saves its games in the same format as the games themselves, so once you save you no longer know what the MD5 of the original game was. Even if I stored the original MD5 in the header and preserved it during saving, you could very easily open the saved game up in an editor that knows about this data, modify whatever you want, and save it again.

    1. Maybe you could change the save format to store deltas between the original level and its current state. Then you could verify the original level. Not much to do about the delta save still though.. you could still award yourself points.

      Blizzard’s been trying to solve this sort of thing for years even with proprietary binaries and spyware to look for cheats. I’m not sure how much luck you’ll have when yours are all open source 😉

      1. Yeah, open-source is tough. DCSquares’s leaderboard had very few cases of cheating, even though it’s very easy to do (the SOAP service doesn’t do any authentication besides username/password, you can write a C# or VB.NET app in minutes that can submit anything you want, if you know the URL to the WSDL). Most people just try guessing different score code combinations, which is a nice diversion from the real weakness 🙂

    2. Ah I didn’t realise it put the saves in the games as well, but yeah that would be a problem…

  2. Perhaps I could store the saves on the server so they couldn’t be tampered with. I could store the games on the server too!

    I think that could work. ZZT files are tiny, I could offer an online save storage feature for people that want to participate in the leaderboard, and bring back the ZZT game download browser I had in the older version to download “authenticated” zzt games.

    What do you think?

    1. That sounds like a very cool idea. I always did like the original browser you had in the old DreamZZT (even tried it on the Dreamcast and surprisingly enough, it just about worked). I think it would solve many of the problems, and the advantage of the small sizes is definitely a great boon, so bandwidth problems shouldn’t get too much in the way. It sounds like quite a good compromise really!

    2. That said, would people be able to see how you’re saving to the server and copy that with their own saves, or will you have some kind of authentication going on to prevent this? Is there any possible way to circumvent malicious use in this way?

      1. I’ll probably just use an HTTP PUT to send them from within the client. I don’t think people would go far enough to write up an HTML form to upload saves, especially since they’re tied to your account. I suppose I could combine it with the special flag in the world header that will be put on right before uploading but never written out on local saves, just as an extra measure. I think trying to encrypt the file before uploading it is a bit overkill considering the size of the audience 🙂

        1. Yeah I guess sometimes there’s just a limit to how far you need to go, but perhaps the extra flag might be just enough to discourage people cheating. Sounds like a good plan then.

  3. A foolproof way is to send the following at the end of the game:

    * digest of the world file
    * every input the player makes, timestamped
    * every stat change, timestamped
    * the initial seed for the PRNG (which must be reset at the start of each world)

    The game engine is totally deterministic, so a replay of the recorded values on the score server should yield exactly the same results. Any deviations or illegal moves by an object reject the score.

    Quite processor intensive and complicated, but a successful cheater would have to be so hardcore he deserves to win 🙂

    1. Yikes, I think DreamHost would have a fit if I simulated every move in the ZZT game every time someone submits a score, not to mention I’d have to rewrite DreamZZT in PHP 🙂

      I think I’m going to store the save files for leaderboard games on the server, which should prevent casual cheating. Someone can still hide a “world.score += 100000” in the code somewhere, but trying to get DreamZZT to compile is a hard enough task anyway.

      Though, I suppose only one person has to compile it, and then post “OMG DOWNLOAD THIS 1337 BIN4RY FOR MASSIVE POINTS!” or something. But I suppose I can deal with that on the user account level.

  4. Re: Checksum

    As mentioned previously, saving the game creates a new world file, so the original checksum would be useless. Once you save, the checksum could be anything. I’m going to store the game saves server-side so they can’t be tampered with.
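
The replay check proposed in comment 3, reduced to a toy engine, as an added example that is not DreamZZT code and not part of the original thread. The 8x8 gem board, the `replay`/`verify`/`full_sweep` names and the submission fields are assumptions made for illustration; it covers the world digest, the PRNG seed and the timestamped input log, not the stat-change log.

```python
import hashlib
import random

# Constructed stand-in for a world file the server already holds.
WORLD = b"constructed demo world, 8x8 board"
KNOWN_DIGESTS = {hashlib.sha256(WORLD).hexdigest()}
MOVES = {"U": (0, -1), "D": (0, 1), "L": (-1, 0), "R": (1, 0)}
SIZE, GEMS, GEM_POINTS = 8, 10, 10

def replay(seed, inputs):
    """Re-run the toy engine; return the final score, or None on an illegal log."""
    rng = random.Random(seed)  # PRNG is reset from the submitted seed
    gems = set()
    while len(gems) < GEMS:
        cell = (rng.randrange(SIZE), rng.randrange(SIZE))
        if cell != (0, 0):  # player starts at (0, 0)
            gems.add(cell)
    x = y = score = 0
    last_tick = -1
    for tick, key in inputs:
        if key not in MOVES or tick <= last_tick:
            return None  # unknown key or timestamp going backwards
        last_tick = tick
        x, y = x + MOVES[key][0], y + MOVES[key][1]
        if not (0 <= x < SIZE and 0 <= y < SIZE):
            return None  # a move the engine would never allow
        if (x, y) in gems:
            gems.remove((x, y))
            score += GEM_POINTS
    return score

def verify(submission):
    """Server-side check: known world, legal input log, replayed score == claimed."""
    if submission["world_digest"] not in KNOWN_DIGESTS:
        return False, "unknown world"
    score = replay(submission["seed"], submission["inputs"])
    if score is None:
        return False, "illegal input log"
    if score != submission["claimed_score"]:
        return False, "score mismatch"
    return True, "ok"

def full_sweep():
    """Constructed input log: a serpentine walk over every cell of the board."""
    keys = []
    for row in range(SIZE):
        keys += ["R" if row % 2 == 0 else "L"] * (SIZE - 1) + ["D"]
    return list(enumerate(keys[:-1]))  # drop the last D, which would leave the board
```

The server never trusts the claimed score: it only accepts it when its own replay of the submitted seed and inputs against a world it already knows produces the same number.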
