How to make a GLOBAL LEADERBOARD system for your game
- Added 23. 11. 2022
- Check out Hostinger's AMAZING BLACK FRIDAY SALE (ends Dec 5, and don't forget to use coupon code CHERNO for a bigger discount!) ► hostinger.com/cherno
This video is sponsored by Hostinger.
Hope you guys enjoyed this slightly different style of video! ALSO Hostinger's amazing Black Friday sale ends December 5, so make sure you check it out before then if you need web hosting! Use coupon code CHERNO to get a bigger discount: hostinger.com/cherno
Great to have some videos like this with more humor and a bit less technical depth. I hope you also liked to make it. I would not make all videos like this, but from time to time a lighter video like this would be really fun.
Idea to add to that cheat scenario: have the game logic server side. Cloud gaming, though I guess that probably wouldn't be cheap on the server selection then if it's overly popular.
What made Space Invaders exciting was the 'heart beat' sound that sped up as the creatures moved faster and faster. Plus the smooth left-right only action of the ship made playing the game really straightforward. You just moved left or right and fired. So simple but so effective.
In simple games like this, all logic can be fully deterministic. The game can send to the server not the total score, but a list of actions (move left, move right, shot, etc.). And then simulate all these actions on the server side in a simplified game version (without rendering, sounds, etc., just logic steps). But anyway this is not easy for complex games, and overkill for simple games. This is the only way to make the scoreboard 100% real and accurate.
That's not only for simple games tho, fighting games for example also just send the inputs instead of their results (though in that case there is no server simulating the game, it's peer to peer). In the case of a single player game with a highscore leaderboard though, you could still cheat by using tools such as macros, playing in slo mo and recording the inputs or just manually fabricating the inputs, and then sending them to the server, basically all the things that TASes do.
I like this idea, however if the games get really long and you generate 60 actions per second you'll have to send enormous packets to the server. (Maybe you can do something smart with data compression? Packets would still be pretty big though.)
And you'll have to simulate the game server side as well, which might be tricky to get running.
@@372leonard It's player input actions and not FPS, so it'd never be 60 per second. This is already done in quite a few games, see Trackmania for example. These are full replay/demo files you can watch yourself and can be verified independently.
I think what you might be thinking of is recording tick event data like what CSGO does for its demo files, but that's a different approach altogether. Not something I'm particularly familiar with.
Edit: I think my previous message got deleted because I linked to the Trackmania replay file website.
Great idea, and with some good compression it seems completely feasible (e.g. Huffman coding and maybe Fourier transform similar to lossless image/audio compression), but a cheater could still create a bot to play perfectly and get very high scores. This, or modify the game to play itself using all the data it has in RAM, like exactly where each piece is and so on.
These are the kinds of cheats most games have a hard time with detecting.
@@fxfighter You're right, would have to include timestamps or frame index on the actions. But it suddenly does sound a lot more manageable, still big though. Maybe if you remove the files/data from the database after a few months it will work this way.
This is just a genius video, talking about a complicated topic in a really simple, yet kinda detailed way.
Wish Universities would break their stuff down like this before going into detail.
The scriptwriter deserves a bit of a raise here!!
I love these series, keep doing the good work!
That dream reference😂
What if you have an exception that shows cheated scores only to known cheaters. That would fool them into thinking the cheat is working even though globally that score isn't visible by legitimate players. Another thing you could do is separate the leaderboards into cheated and non-cheated. I think Steam does that where in some games, if you're VAC banned, you can still play multiplayer but the games will generally matchmake you with other VAC banned players and prevent you from playing with legitimate users.
Great video, much more interesting than the first couple minutes suggested! Caught a glimpse of your take on Space Invaders, looks amazing. Wish I could either design or implement such beautiful graphics.
Congrats on 500k subscribers!
I like this new style of video Cherno. It's really refreshing to see some dev stuff like this as well as your regular game engine series. This is a real nice welcome and hope it turns into a new series in rotation cherno.
I think it would be cool to have high scores local to your country/city/whatever. Because for most people looking at world leaderboard they would be like just "meh, I wouldn't compete with world champions anyway, so why bother"
I like this style of video, it's more like how Fireship does it, and it's great. Saves time and gets to the point.
You get my like for the shot at EA 😂
With a fully authoritative server model, it's really easy to rule out anything that's not within the game's boundaries.
The only issue left is how to deal with people faking/automating valid game actions. That part heavily depends on the game's gameplay and is why cheaters/"hackers" are almost a non-issue in MOBA like League of Legends but are rampant in FPS games for example.
You can try to validate if actions are humanly possible by validating the actions' speed/accuracy/jitter, but if the bot stays within reasonable boundaries then it's not very effective.
You can try to monitor/control what's on the player's system, but that's ultimately a fool's errand. Some people often say it's a "cat-and-mouse" problem where devs find a way to detect X stuff then cheaters switch to Y stuff not detected and so on. But ultimately, the player's computer is an untrusted platform on which you do not have physical control, so there's a wide range of stuff you simply cannot control or monitor. For example, if a cheater's bot is driven by an external system that's just a generic HID device reporting being a keyboard/mouse with some Razer mouse hardware ID (which you have absolutely no software way to verify if the external HID device is "actually" a Razer mouse or just "saying" it is), then there's no actual way to detect or block that from any kind of anti-cheat.
Lol, if you create a "replay" system where you send all actions to the server, you're essentially just challenging cheaters to make the best tool-assisted speedrun.
Hey Cherno, thanks for the video. Could we discuss vcpkg (the dep manager from Windows) in the C++ channel please?
Great video as always
In addition to the controls you mentioned, I would personally have the game client request a nonce from the server, and add it to the payload of the POST request. The server then would hash the parameters and confirm integrity, like a CRC. Or, during the game installation process, generate an RSA keypair, and register the public key on the server. Then sign your POST requests client side with the private key, and confirm integrity server side with the known public key.
Literally all of this would be susceptible to the most simple attack of just editing the score in memory and having the game submit it for them.
a nonce?!
@@TheAlison1456 A randomly generated number, used one time in a message, usually to prevent replay attacks.
In a lot of countries the term "nonce" doesn't really have that *other* meaning you're thinking of.
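The nonce-and-signature scheme from the comment above, as an added example that is not from the video or from any commenter. It assumes a per-install HMAC secret in place of the RSA keypair the comment proposes (Python's standard library has no RSA signing); `ScoreServer`, `sign_submission` and `NONCE_TTL` are hypothetical names, and `now` is passed in by the caller so the sample stays deterministic.

```python
import hashlib
import hmac
import json
import secrets

NONCE_TTL = 30.0  # seconds a nonce stays valid (assumed value)


def sign_submission(key, nonce, name, score):
    """Client side: serialise the score with the server's nonce and tag it."""
    body = json.dumps({"nonce": nonce, "name": name, "score": score}).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


class ScoreServer:
    def __init__(self):
        self.install_keys = {}  # install_id -> secret registered at install
        self.nonces = {}        # nonce -> (install_id, issued_at)
        self.board = []

    def register(self, install_id):
        self.install_keys[install_id] = secrets.token_bytes(32)
        return self.install_keys[install_id]

    def issue_nonce(self, install_id, now):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = (install_id, now)
        return nonce

    def submit(self, install_id, body, tag, now):
        key = self.install_keys.get(install_id)
        if key is None:
            return "unknown install"
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "bad signature"  # payload changed after signing
        msg = json.loads(body)
        issued = self.nonces.get(msg.get("nonce"))
        if issued is None or issued[0] != install_id:
            return "unknown or reused nonce"
        del self.nonces[msg["nonce"]]  # single use: a replayed request fails
        if now - issued[1] > NONCE_TTL:
            return "expired nonce"
        self.board.append((msg.get("name"), msg.get("score")))
        return "accepted"
```

As the reply above points out, this only shows that the request came unaltered and unreplayed from a registered install; a score edited in memory before the game signs it still passes.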
Hello The Cherno, I want to build a system that receives sensory video, processes them frame by frame, stores those frames in selected areas, while sending the sensory video to the screen.
I just started learning C++, and don't know what areas are most important for this kind of project.
TBH, this needed to be a LiveOverflow collab or something.
Collecting IPs is not a good idea at all. IPs are often dynamic and change every day/week. Also, because there are not enough IPv4 addresses, some ISPs share one IP between multiple clients.
In the real world you would want to use an SSO to authenticate and go the extra step to load balance your server traffic before it hits your databases. For the case of explaining the concept this gets the point across. There's no way your leaderboard doesn't get hacked so you might as well build it as well as you can and see what happens.
I had IDA open while he was talking about that "1 guy" 😅
The post data should include the RNG seeds and a Doom demo file so anyone can "replay" the game. Trackmania has used this to great effect when catching cheats.
1- download top player replay
2- submit to the server as your own
3- profit
@@LiEnby Should be easy enough to guard against, it would be like fixing an item dup glitch.
Love the joke about EA / Microtransactions. 🤣
Can you please make a technical series for creating a steam game?
Space invaders didn’t have a leader board. Just a high score.
It's a very informative video. Like. Thanks for this information.
now I want to see CodeBullet attempt at cheating in Cherno's games
You could have used the three way handshake to catch cheating.
Example: I want to submit my score. I click submit. The server lands me an ephemeral key. It encrypts and sends the results. Once the packet arrives the key decays. To verify the integrity the server re-computes the checksum (hash).
Hey man, can you please do a video on C++ Functors and its use case, thanks in advance.
"making cheating as hard as possible"
GTA Online devs: i sleep
The cherno: or, OR, we can get Tim to do it
And yet this video is barely scratching the surface. Protecting your software from exploitation is an incredibly hard task that some may even deem impossible. It's ultimately a cat and mouse game and the security of your software/app structure is dependent on how much time you are willing to spend researching ways to make it harder for curious individuals to break your game apart. Some things that devs, tackling the problems and topics discussed in this video, can do are: encryption of strings (plenty of sources available out there), simple obfuscation and control flow manipulation (this one is a bit harder to pull off but there are a few papers that can definitely nudge you in the right direction), debugger detection, common reverse engineering tools detection.
Lastly I'd like to say a few words from the point of view of a person that deals with breaking software on a daily basis: It's not so much about trying to be malicious or being a bad actor for the sake of it, it's more about exploring what's possible within the constraints set by anti-cheat / anti-tamper measures. I as well as so many other people find great enjoyment in exploring the intricate systems that make everything work, and of course eventually trying to modify them in a way that achieves a particular goal set by the "bad actor".
You missed out on the guy who would use the API and post his own score.
You should use encryption like RSA, I think, to get over it.
Another thing is to make the score itself like a key, like the score shouldn't be a prime, or it should be divided by 6 but not 5, etc.
You could ban anyone using cheat engine, or at least warn them.
There are more ways if you think about it. Hope this helps.
How would you detect that someone used cheat engine?
@Unknow0059 I really don't know the process, but I know a game named Growtopia that warns you and kicks you out of the game if CheatEngine is detected in use, also I heard that one game bans you if CheatEngine is detected.
For the first game, there were patches of CheatEngine changed by some nerds so that the game Growtopia doesn't detect it. I'm just saying to let you know that it is still possible but much more difficult.
10:28 ahem ahem 😂
How about capturing all inputs and then "simulating" the game on the server, and calculating the score from that? You can still do computer assisted runs or whatever, but at that point, I'd say they deserve the highscore.
As long as the game has focus that's actually not a bad idea, but you always have to worry about keyloggers.
@@anon_y_mousse it obviously wouldn't globally log all keystrokes while the game is open. Just the ones that actually result in something happening in the game. It'd be basically a TAS
@@LiEnby Depends on the security of your system. It's not like a program can't do it, it's just a matter of whether your settings are right to prevent it.
@@anon_y_mousse it probably makes more sense to send like actual events like maybe the player position. When they shoot etc. Rather than just capturing inputs lol
@@LiEnby Why not both.
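The input-replay check raised in several comments above (send the actions, re-simulate headlessly on the server), with the server issuing the seed per session so a copied replay does not validate under another session. This is an added example, not from the video or from any commenter; the toy game rules, the tiny LCG standing in for the game's RNG, and the names `simulate` and `Leaderboard` are assumptions.

```python
import secrets

WIDTH, MAX_TICKS, HIT_POINTS = 8, 3600, 10


def lcg(seed):
    """Tiny deterministic RNG (constructed for this sample); yields target columns."""
    state = seed % 16
    while True:
        state = (state * 5 + 1) % 16
        yield state % WIDTH


def simulate(seed, inputs):
    """Headless game logic: no rendering or sound, one input character per tick."""
    if len(inputs) > MAX_TICKS or set(inputs) - set("LRF."):
        raise ValueError("malformed input log")
    rng = lcg(seed)
    x, score, target = 0, 0, next(rng)
    for action in inputs:
        if action == "L":
            x = max(0, x - 1)
        elif action == "R":
            x = min(WIDTH - 1, x + 1)
        elif action == "F" and x == target:  # a shot only scores on the target
            score += HIT_POINTS
            target = next(rng)
    return score


class Leaderboard:
    def __init__(self):
        self.sessions = {}  # session_id -> (player, seed); removed on submit
        self.scores = []

    def start_game(self, player, seed=None):
        session_id = secrets.token_hex(8)
        seed = secrets.randbelow(16) if seed is None else seed
        self.sessions[session_id] = (player, seed)
        return session_id, seed

    def submit(self, session_id, player, inputs, claimed_score):
        owner, seed = self.sessions.get(session_id, (None, None))
        if owner is None or owner != player:
            return "unknown or reused session"
        del self.sessions[session_id]  # one submission per issued seed
        try:
            actual = simulate(seed, inputs)
        except ValueError:
            return "malformed input log"
        if actual != claimed_score:
            return "score mismatch"
        self.scores.append((player, actual))
        return "accepted"
```

The server trusts only the score it recomputes, so an edited total or a replay recorded under a different seed is rejected; inputs produced by a bot that are valid for the issued seed still pass, which is the tool-assisted case the comments describe.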
4:30 We were joking about Hostinger throwing free servers at Yan with Peter. Turns out it's absolutely true. Also I think Peter needs one, just saying.
In theory, couldn't someone use machine learning to recognize what a high score game looks like? Then compare that to the new high score and determine if it's sketchy or not and send for manual evaluation?
You would need data. A lot of data. And what ML/AI are you going to use? Is it any good? False positives for someone really talented? What is its cost?
@@luz_reyes_676 I have no idea lol, that's why I'm asking
Players who are just really good and outliers in your ML data would get missed probably
@@LiEnby I have no stakes in ML lol I was just offering food for thought to OP
@@luz_reyes_676 implying game devs understand statistics well enough to pull this off
Idea for reverse engineering protection (it came to me when I was reverse engineering): just don't call function addNewScore() immediately. Put it in some queue that will wait for 1-3 seconds and only then call the function.
What would it change?
You can still trace down from the send method to where the packet is not encrypted and then hook it. It doesn't matter where or when it gets called.
A good way is to have smth like a security code made way earlier in the game. it sends both data and the security code is made to verify every single number.
Splitting up the packets may also result in much more work. There are tons of way more ways I could think of. But queueing functions is none of them.
@@Zvend How do you trace a method when you don't know when it's executed? You might just put ptr to function in some kind of vector that calls functions in it every so often
@@avtem um breakpoint?
@@LiEnby Where would you set it?
@@avtem addNewScore.
Game tip #1: Humans like rising numbers
*Except for golf, for some reason*
whhaahaha loved every second
Firing 5 bullets and a score of 100++ IS possible, never watched Star Wars?
One random shot, 10 troopers down
Nice👍.
2:30-2:40 this actually doesn't work anymore due to the catastrophic (?) way in which society relates with itself nowadays
I bet that most people who see leaderboards get instantly discouraged by the global leader who does nothing but play the game, and who they don't even know because it's not a small local arcade.
Sad...
$2b in quarters weighs 100 million pounds
2:00 😂😂😂😂😂😂😂😂😂😂😂😂
I don't like the idea that the creators of the game are the only ones able to host the server portion, it would be better if the solution was a p2p network... so even if the initial devs abandon the project the community is less likely to follow.
Agreed there, and it would make it so any server operator could determine the best method for them to prevent cheating or just outright disable the leaderboards.
Then you have the classic p2p problem of how to find peers
@@LiEnby I'm working on that now, I think the solution is to connect to an existing network and participate in resource sharing with it.
Lol, the webdev comment hit home. I don't like it as well. I rather do anything else.
I think this is a good argument for not having global leaderboards or tracking high scores at all.
I expected something about ranking algorithms... I'm disappointed.
It kinda sounds like ur challenging people to find a way to cheat here.
Get to the topic. WTF
Ah yes, I'm the cheater here xD
Ease up on the f-stop. Less is more.
"We can't really stop cheating"
--> WRONG!!
THINK about the game code, and, data you're sending to the Leaderboard server. You need to continually validate the score in-game AND at upload time...obviously...but you need to use some of that non-internet critical thinking that was an absolute must in the past. You need unique, dynamic(!!) validation (including positional) included in that uploaded data, and, ffs, everything strongly encrypted - Wireshark, CheatEngine etc shouldn't even feature in any discussion. I am stunned cheating is STILL an issue.
Well, at the end of the day, your computer, that you control, sends the thing to the server. Most of his suggestions were server side logic, which is good.
@@LiEnby Those writing the game are also writing the server code ;)