Cheating and hacking is a rather large issue in multiplayer games, particularly in the FPS genre. Common hacks that can ruin gameplay for other players include flyhacks, speedhacks, aimbots, and wallhacks.
In order to discourage hacking, War of the Voxels takes a "multiple lines of defense" method of preventing cheating. There are three lines of defense:
- Frequent weekly code obfuscation
- A strong authoritative server
- Heuristic analysis of a player's actions
Frequent weekly code obfuscation
War of the Voxels is especially vulnerable to hacks, as it is written in C#, a language which can easily be decompiled. Most C# applications can easily be decompiled and recompiled with changes. However, War of the Voxels is obfuscated; when decompiled, instead of seeing the original variable and method names and control flow, a decompiler would see:
This obfuscation of the code primarily accomplishes three tasks:
- Discourages would-be hackers from modifying the source code.
- Delays the development of most hacks. Modifying the code without deobfuscating it in some way could prove to be difficult.
- Makes developing hacks more difficult, as progress would need to be reset after a new obfuscation.
Of course, this line of defense only works as long as someone is maintaining the weekly updates, and therefore is not a good option for final versions.
A strong authoritative server
To combat any cheats and hacks that make it past the obfuscation layer, we've tightly integrated security into the networking code. Our networking has been designed specifically with three goals in mind:
- To create a fair and fun playing environment.
- To not detract from the gameplay experience to prevent cheating.
- To be fast and reliable.
What does this mean? Put simply, we want to disable most hacks without sacrificing the gameplay experience. One major category of hacks that this line of defense prevents is movement hacks. All movement code is authoritative. When a player presses the "move forward" key, the client sends a request to the server to move forward. To mitigate the effects of lag, the client simulates both other players and the current players locally. When the server receives the input messages, it processes them and determines the master authoritative position. This is then sent out to all the clients, which correct their predicted positions to the server's authoritative position.
So what does this mean?
Well, since input is handled on the server and is merely simulated on the client, a client who attempts to "flyhack" or "speedhack" by modifying their position is only fooling themselves.
Heuristic analysis of a player's actions
Finally, we apply some heuristic analysis on player actions to determine if an action was legitimate. For example, a server may collect information on a player's kills over a match. If the server recognizes that, for example, Player A has been killing with headshots for a large portion of their kills, the server may temporarily disable one-shot kills and see if the player's performance worsens. The server may also check how fast a player turned to shoot someone. If the victim was out of a player's field of view, and the player turned around 180° in less than 100 milliseconds, the server might flag the action and make the player's shots shoot inaccurately or deal less damage.
Putting it all together
The result of these three lines of defense is an extremely flexible and secure online gaming experience. With hacks either completely defeated or disabled to the point that a human could defeat them, hacks can quickly become obsolete and "useless".