Reproduce Defold hashing on server

I’m trying to send a user’s score to an online highscore list (PlayFab) and want some minimal anti-cheat system in place. Perhaps this is a bad method, but I planned to hash the score like the following and let the server do the same hashing to confirm the score.

 score = "1000"
 score = score .. "some salt"
 hashed = hash(score)
 hex = hash_to_hex(hashed)
 -- send score and hex to the server

What kind of hashing (if “kind” is the correct term) is done in Defold? I would like to perform the same hashing in JavaScript on the server side to see if it produces the same hex.

Thank you!

The code for the hash() function is this one: https://github.com/defold/defold/blob/dev/engine/dlib/src/dlib/hash.cpp#L327-L330

A comment mentions “Based on MurmurHash2A but endian neutral”.

2 Likes

I have been thinking about doing a similar thing, I just haven’t been sure if it’s a good solution?

Thanks. It looked a bit daunting to me so I’ve opted for a different hashing that I can more easily reproduce on the server side.

For the Defold side I found this Lua script to do SHA256 hashing: https://github.com/Egor-Skriptunoff/pure_lua_SHA

On the server side (PlayFab CloudScript) I found that hex_sha256("your string") from this code works to reproduce the same hash.

A problem with this solution is that I have to send both the score and the hashed score to the server for verification. A better way would perhaps be to encrypt the score in a decryptable way with something like this.
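The server-side check for the score-plus-hash scheme described above, as an added example that is not part of the original posts. It assumes a Node.js runtime with the built-in crypto module (in PlayFab CloudScript the hex_sha256 helper mentioned above would take the place of scoreDigestHex); the function names and the salt value are hypothetical.

```javascript
// Added example (not from the thread): verify a submitted score against its hash.
const nodeCrypto = require("node:crypto");

// Assumption: placeholder salt; it must match the string the client appends.
const SALT = "some salt";

// Same construction as the client: SHA-256 over score .. salt, hex encoded.
function scoreDigestHex(scoreText, salt) {
  return nodeCrypto
    .createHash("sha256")
    .update(scoreText + salt, "utf8")
    .digest("hex");
}

// Returns the score as a number when the submission verifies, otherwise null.
function verifySubmission(scoreText, submittedHex, salt = SALT) {
  // Accept only a plain decimal score; anything else is rejected before hashing.
  if (typeof scoreText !== "string" || !/^(0|[1-9][0-9]{0,14})$/.test(scoreText)) {
    return null;
  }
  // A SHA-256 digest is exactly 64 hex characters; reject malformed input early.
  if (typeof submittedHex !== "string" || !/^[0-9a-fA-F]{64}$/.test(submittedHex)) {
    return null;
  }
  const expected = Buffer.from(scoreDigestHex(scoreText, salt), "hex");
  const received = Buffer.from(submittedHex, "hex");
  // Constant-time comparison; both buffers are 32 bytes at this point.
  if (!nodeCrypto.timingSafeEqual(expected, received)) {
    return null;
  }
  return Number(scoreText);
}

// Constructed sample submissions.
const goodHex = scoreDigestHex("1000", SALT);
console.log(verifySubmission("1000", goodHex)); // matching score and hash
console.log(verifySubmission("9999", goodHex)); // score changed after hashing
console.log(verifySubmission("1000", "abc"));   // malformed hash
```

Because the salt ships inside the game client, this check only detects score changes made by someone who has not extracted the salt.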

An even better solution in my opinion, which I suggested in the native extensions channel on Discord a while back, was that someone creates an extension-crypto and exposes the dmCrypt functions to Lua:

I can set up the extension framework on GitHub and add an example binding to HashSha256 and invite someone as collaborator to help with the rest of the functions.

Don’t forget to hide the score and other important gameplay values in game code with an additional “salt” or other algorithm. This will make it slightly harder for cheaters to directly modify variables in the device memory before the game transfers scores to leaderboards.

3 Likes

Sorry @Dragosha, can you explain what you mean by “salt”?

I mean the device memory shouldn’t contain values that a cheating player sees on his screen and can modify through a special cheat program.
So, we just add some random value (salt) to the score variable and access this variable through setter and getter methods.

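local M = {
  salt = 0,   -- random offset chosen in init()
  score = 0,  -- stored value is the real score plus the salt
}

function M.init()
  M.salt = math.random(0, 1000000)
  M.score = M.salt
end

-- setter: only ever changes the salted value
function M.add_to_score(value)
  M.score = M.score + value
end

-- getter: removes the salt to get the real score
function M.get_score()
  return M.score - M.salt
end

return M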
4 Likes

Hello Britzl,

If you don’t mind someone being pretty slow with the dmCrypt stuff, I’d be willing to take a swing at it.

@Dragosha, thank you for that explanation, that’s a great point.

Cheers,
Spen

1 Like

I have set up the core extension here:

The extension currently wraps the following functions from dmCrypt:

  • crypt.encode_base64(source)
  • crypt.decode_base64(source)
  • crypt.hash_sha256(source)

Fork and provide pull requests for the rest!

6 Likes