Preventing High Score Cheating By Validating Game Replays On Server
Detecting Fraudulent High Scores
Game developers can detect fraudulent high scores submitted by players by comparing the client and server game states. Methods for doing this include:
Using random number generation
The server can generate randomized content like item drops or enemy spawn locations during gameplay. If the client submits a high score achieved under different conditions, cheating can be detected.
Tracking game object positions
The client and server can independently track the positions of movable game objects like the player character, enemies, or projectiles. If positions differ between client and server, the player may be cheating.
Recording player inputs
By recording all player inputs on both client and server, the resulting game simulation can be compared to detect discrepancies. Additional input sequences not originating from player actions can indicate cheating.
Detecting mismatches between client and server state
Periodic “heartbeats” can be used to compare core game state data like character health, inventory, or score between client and server versions. Mismatched states reveal cheating attempts.
Validating Game Replays on the Server
To further confirm high scores are legitimate, servers can require players to submit a recording of inputs from gameplay, which is then validated by replaying it server-side.
Recording player inputs on the client
During gameplay important player inputs like movement, actions, and menus are recorded locally on the player’s device along with timestamps. This forms the replay data.
Replaying inputs on the server
The server replays the sequence of inputs in a simulation of the game, reconstructing the events that took place from the player’s perspective.
Verifying resulting game states match
The server compares its simulation using the player replay data to the final score/state submitted by player. Matching results help confirm legitimacy.
Checking for feasible input sequences
Additional validation can analyze the feasibility of input patterns during replay. Physically impossible sequences of actions can suggest manipulated data.
Building a Replay Validation System
Implementing robust replay validation involves recording meaningful game data into tamper-proof replay files which are verified server-side.
Logging essential game events and states
Developers instrument critical game code to record player inputs, RNG seeds, object positions, and significant state changes like gaining items or score events.
Choosing what data to record
Storing all game data is infeasible so developers should determine what minimum subset is needed to faithfully recreate a game session. Optimization balances accuracy and overhead.
Transmitting replay data to server
Replays can be sent by clients with high score submissions over secure channels along with cryptographic signatures making manipulation detectable.
Recreating the game simulation
A server module consumes replays using the same engine core powering gameplay to reconstruct sessions deterministically for verification.
Writing validation checks
Custom code compares replay simulation results versus client-submitted scores/states, and analyze replay data itself for validity based on game rules and expected player behavior.
Example pseudocode
store inputs during gameplay: for each input: save input type, timestamp end submit score: bundle replay and claimed score/state sign bundle cryptographically send to server server replays session: initialize game simulation process replay input by timestamp: simulate input update environment end server validation: compare final state after replay to submitted state if mismatch: potential cheat detected analyze input patterns in replay if physics/skill checks fail: potential cheat detected verify cryptographic signature from client not tampered if failed: replay manipulated
Responding to Cheating Attempts
Detecting bad replays or mismatched state triggers server-side responses to discourage cheating by players.
Flagging suspicious scores
Scores from failed validations are marked questionable but still visible on rankings giving benefit of doubt.
Requesting replay from client
Requesting raw replay data aids investigation of anomalies and debugging false positives before applying penalties.
Running server-side validation
Dedicated anti-cheat modules validate replays with forensic state/input analysis and cryptographic checks.
Providing warnings or penalties
Initially cheaters may get warnings, but repeat offenders can receive score resets, leaderboard bans, gameplay suspensions or permanent account bans.
Example server API
submit_score(user_id, score, state_hash, signed_replay) if invalid_signature: return REPLAY_MANIPULATED replay = validate_signature(signed_replay) result = replay_and_check(replay, state_hash) if result == INVALID warn_user(user_id) return SCORE_FLAGGED else if attempts[user_id] > 2 ban_user(user_id) return USER_BANNED else accept_score(user_id, score)
Protecting Against Manipulated Replays
Additional precautions make it harder for players to manipulate their gameplay recordings to pass validation checks.
Cryptographically signing replay data
Digitally signing replays with a private key allows the server to detect any alteration of data if signature validation fails.
Adding randomness to game simulations
Randomizing aspects like maps, item drops or enemy placement require cheaters to find workarounds for multiple possible replay paths.
Rate-limiting score submissions
Restricting how frequently a player can submit new scores slows iterative manipulation attempts.