Hacking RPC calls


Calvin
2018-01-16 11:31:06

I've recently been using Photon, and I was wondering if there is a way to prevent clients from hacking RPC calls. I have basically implemented what seems to be a dedicated server where my game server executes a headless server to host a multiplayer game. But I realized that if players manage to modify RPC calls, they can hide / send wrong information to other clients.

For an example of sending wrong info, hacked clients can add an RPC call which goes something like:
photonView.RPC("UpdateHealth", PhotonTargets.All, 0);
This could very well ruin the experience for other players if I were to do stuff like disabling specific scripts when the player health reaches 0.

As for hiding information,
photonView.RPC("BeginCasting", PhotonTargets.MasterClient);
In this case, when the client doesn't call this function on other clients, they would not know that that player is about to perform an attack.

So is there a solution to this? Or am I understanding RPC calls wrongly?

Comments

JohnTube
2018-01-16 12:23:46

Hi @Calvin,

@Calvin wrote:

I have basically implemented what seems to be a dedicated server where my game server executes a headless server to host a multiplayer game

Are you sure? Master client does not host the game and is only used in "pseudo / light / semi / fake authoritative logic".

What I suggest:

  • Use RpcSecure to encrypt RPCs.
  • Use obfuscation and other techniques to make it harder to cheat or hack your game. good tutorial.
  • Ban cheaters by making use of custom authentication to disallow reported or flagged users (e.g. by the community) from connecting to your game.

The other alternative is server side code.

Calvin
2018-01-16 12:58:29

Hey @JohnTube,

@JohnTube wrote:

Are you sure? master client does not host the game and is only used in "pseudo / light / semi / fake authoritative logic".

Well yeah what I meant was having a client (not controlled by players) which does the "authoritative logic" such as game object interactions and such.

@JohnTube wrote:

the other alternative is server side code.

I'm still quite a beginner at doing real-time multiplayer games so I don't really know how to do this. Would this be something like

Example:

  1. A Client sends RPC_DoSomething() to the MasterClient
  2. MasterClient's version of RPC_DoSomething() does some authoritative logic and sends back an RPC_DoSomething() to related clients
  3. Clients check if RPC_DoSomething() is from the MasterClient and perform whatever is required on the Client version
  4. So basically my clients only accept RPCs from the MasterClient

Sorry if I am misunderstanding a lot of things haha. I'll probably have to stick with the obfuscation and whatnot. Thanks a lot for the suggestion and link for it :smile:
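
Added example, not part of the original thread and not Photon's own code: a PUN Classic sketch of the four-step request/validate/broadcast flow listed above, applied to the UpdateHealth case from the first post. The class name CombatRelay, the RPC names and the MaxHitDamage limit are assumptions made for illustration.

```csharp
using UnityEngine;

// Hypothetical component, attached to every player object that has a PhotonView.
public class CombatRelay : Photon.MonoBehaviour
{
    const int MaxHitDamage = 40;   // assumed design limit for a single hit
    int health = 100;

    // Step 1: a client only *requests* an action; it never announces the result.
    public void RequestHit(int targetViewId, int damage)
    {
        photonView.RPC("RPC_RequestHit", PhotonTargets.MasterClient, targetViewId, damage);
    }

    // Step 2: runs on the master client, which validates before changing any state.
    [PunRPC]
    void RPC_RequestHit(int targetViewId, int damage, PhotonMessageInfo info)
    {
        if (!PhotonNetwork.isMasterClient) return;          // only the authority evaluates requests
        if (info.sender.ID != photonView.ownerId) return;   // requester must own this attacker object
        if (damage <= 0 || damage > MaxHitDamage) return;   // reject impossible values

        PhotonView target = PhotonView.Find(targetViewId);
        if (target == null) return;
        CombatRelay victim = target.GetComponent<CombatRelay>();
        if (victim == null) return;

        // The master computes the new value itself and broadcasts the result.
        int newHealth = Mathf.Max(0, victim.health - damage);
        target.RPC("RPC_ApplyHealth", PhotonTargets.All, newHealth);
    }

    // Steps 3 and 4: every client drops result RPCs that the master did not send,
    // so a modified client calling RPC_ApplyHealth(0) directly is ignored.
    [PunRPC]
    void RPC_ApplyHealth(int newHealth, PhotonMessageInfo info)
    {
        if (info.sender == null || !info.sender.IsMasterClient) return;
        health = newHealth;
        if (health == 0)
        {
            // Death handling (disabling scripts and so on) goes here.
        }
    }
}
```

The sender check protects the other clients only while the master client is the headless, non-player instance described in the thread; if the master role moves to a player's client, that client becomes the authority.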
