Ideas how to obfuscate encryption key in game code

0 favourites
  • 7 posts
From the Asset Store
5 levels with simple coding Source-code (.c3p) + HTML5 Exported
  • I understand that when encryption key is stored in the game, it's not really possible to protect it from hackers. I'd like at least to obfuscate it, make the task of finding it a bit more difficult.

    I can obviously break the key into multiple parts, store them in separate variables, do some string manipulations - replace characters etc. But I assume this won't make much difference. Are there better methods?

    Tagged:

  • You can store not the key itself, but the hash of the key. Then the attacker will have to brute force the key.

  • You can store not the key itself, but the hash of the key. Then the attacker will have to brute force the key.

    I need to encrypt/decrypt game saves. How do I do this without the encryption key?

  • Storing the encryption key on the client is fundamentally insecure - it will always be possible for someone to find it, no matter how it's obfuscated. If an attacker can't find the key in plaintext in the game files, then the next step would be to intercept it at the point it is used with developer tools, which means it will have already been de-obfuscated and appear in plaintext again in the developer tool.

    Therefore if you are happy with a fundamentally insecure system which is only designed to make casual tampering a bit harder, I'd say you may as well just use a simple obfuscation scheme - some kind of string manipulation would do. The only significant thing you can do is avoid the key appearing in plaintext in the game files, and beyond that the particular kind of obfuscation you use doesn't really matter, as it won't affect how hard it is to bypass.

  • All bets are off if they just find where you encrypt it in your code, and either understand it or just copy it. But I guess you could make it harder to find even the code.

    At a deeper level you could generate the encryption code on the fly too, encrypt that and append that to the save.

    You could make the key random and store parts of it in the encrypted result.

    You could come up with some other esoteric scheme to do the encryption.

    The more effort you take to do things to obscure it the longer it would take someone to figure it out.

  • Try Construct 3

    Develop games in your browser. Powerful, performant & highly capable.

    Try Now Construct 3 users don't see these ads
  • The more effort you take to do things to obscure it the longer it would take someone to figure it out.

    Yeah, but still any half-experienced hacker would probably spend considerably less time breaking the encryption system than I spend developing it.

    So.. it's not worth it.

  • Yeah there's no way around it. For me it's important to think about if it matters for your game. If it's a simple singleplayer experience, who cares if someone cheats. But if the game has stuff like monetization etc. you probably wanna have a server for it, but even then you could just shrug off the (small-ish) percentage of people who cheat instead of watching your rewarded video ads. Some simple obfuscation will snuff out most script kiddies anyway, if your game is popular you're probably not gonna starve because of a handful of cheaters. It just gets really iffy if you have multiplayer/competetive aspects to your game, you gotta be on top of that.

Jump to:
Active Users
There are 1 visitors browsing this topic (0 users and 1 guests)