suriyun-production / mmorpg-kit-docs

This is the documentation for the MMORPG KIT project (https://www.assetstore.unity3d.com/#!/content/110188?aid=1100lGeN)
https://suriyun-production.github.io/mmorpg-kit-docs

Way to protect from Lucky Patcher? #1807

Closed temel61 closed 1 year ago

temel61 commented 1 year ago

How can I protect my mobile MMORPG game (Android) from cheats like Lucky Patcher?

Some players use Lucky Patcher to obtain diamonds from Google Play. I want to prevent this.

insthync commented 1 year ago

How? All currency things must not be able to be changed by the client.

temel61 commented 1 year ago

Lucky Patcher hacks your game (or clones it and changes the package name, I guess). They can obtain cash (diamonds in my game) without any payment process. This is not about this kit. It is a general problem. Maybe there are a few ways to prevent it. I want to ban them if they try to use a diamond (cash) hack in the kit.

insthync commented 1 year ago

So you are just asking about other projects which are not using the MMORPG kit?

temel61 commented 1 year ago

No, I am asking for this project. Is there any way to prevent the cash hack in the kit?

insthync commented 1 year ago

It won't be hacked because currency things are processed at the server, so changing anything at the client won't affect them.

temel61 commented 1 year ago

I see you, but we tried Lucky Patcher and hacked the game. Infinite cash by Lucky Patcher in my game. Use Lucky Patcher in my mobile MMORPG game (made with this kit) -> https://play.google.com/store/apps/details?id=com.TemelKIRCI.ErlikOnline . Lucky Patcher somehow finds a way to hack my game.

insthync commented 1 year ago

So I asked, how?

insthync commented 1 year ago

Hack from which part?

temel61 commented 1 year ago

Infinite cash without payment by Lucky Patcher. I guess it changes the app signature or package name. A protection mode is needed for this. I googled it and found these; maybe they help you to understand the issue.

https://stackoverflow.com/questions/13445598/lucky-patcher-how-can-i-protect-from-it
https://www.edureka.co/community/162447/lucky-patcher-how-can-i-protect-from-it
https://forum.ionicframework.com/t/is-there-anyway-to-protect-my-app-from-malicious-apps-like-lucky-patcher/196328
https://stackoverflow.com/questions/48792256/how-can-i-stop-my-app-from-being-lucky-patched
https://stackoverflow.com/questions/66196159/how-do-you-protect-your-in-app-purchases-against-lucky-patcher
https://stackoverflow.com/questions/10585961/way-to-protect-from-lucky-patcher-play-licensing
https://stackoverflow.com/questions/30023618/android-anti-piracy-stop-patchers

insthync commented 1 year ago

But as I said, all currency things must be processed at the server, so changing anything from the client must not affect them. Are there any features you added which relate to currency?

temel61 commented 1 year ago

I did not add anything about currency. If the kit processes in-app purchases and verification at the server side, it should not be hacked. You can check it on your own game or kit. You will see that it will be hacked; you will obtain cash without paying money. I found some piracy checker scripts and tools for Google Play on GitHub. I will try all of them.

insthync commented 1 year ago

So..., might the in-app purchasing system be the cause of the issue?

insthync commented 1 year ago

Only cash which only can be bought with IAP system can be hacked in your game?

temel61 commented 1 year ago

Of course. You open the cash panel in the kit and click a cash package, open Lucky Patcher, click a button in Lucky Patcher, and you will have this package without paying money. Some people use this method and have thousands of cash (diamonds). I follow them in the database; I do not receive any money in my Google Play account, and I ban the account. I do not want to watch the database anymore. I need to prevent Lucky Patcher.

SnaiperoG3D commented 1 year ago

> Of course. You open the cash panel in the kit and click a cash package, open Lucky Patcher, click a button in Lucky Patcher, and you will have this package without paying money. Some people use this method and have thousands of cash (diamonds). I follow them in the database; I do not receive any money in my Google Play account, and I ban the account. I do not want to watch the database anymore. I need to prevent Lucky Patcher.

Did you find something?

insthync commented 1 year ago

If you are in a rush, you can try to implement it in the MMOServerCashShopMessageHandlers.cs class -> HandleRequestCashPackageBuyValidation function; you can get the receipt data from the request and use it to validate IAP at the server.

Or just wait for me to do it; the old Unity IAP system doesn't have any receipt validation APIs.

About my personal projects, I've made it pass the receipt to a web service which is made for that purpose.

SnaiperoG3D commented 1 year ago

> If you are in a rush, you can try to implement it in the MMOServerCashShopMessageHandlers.cs class -> HandleRequestCashPackageBuyValidation function; you can get the receipt data from the request and use it to validate IAP at the server.
>
> Or just wait for me to do it; the old Unity IAP system doesn't have any receipt validation APIs.
>
> About my personal projects, I've made it pass the receipt to a web service which is made for that purpose.

I've found a receipt verification and asked players who can patch the game via Lucky Patcher, and it seems to work. But I thought maybe there is a way to verify in-app purchases on the server somehow, something like this: the client sends data about the in-app purchase to the server, the server asks the Google API whether it is true or not, then the server does some stuff. I have a multiplayer game, but don't have any database yet, and all that I found is a verification at the moment when the user buys something.
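
The flow described above (client sends the receipt, the server asks Google, then credits), sketched as a stand-alone validation service in Python. This is an added example, not code from the thread or the kit: `lookup` is a hypothetical stand-in for the server's authenticated Google Play Developer API call (`purchases.products.get`), and the package name, product table and sample receipt are constructed.

```python
import json

PACKAGE_NAME = "com.example.game"            # placeholder application id
CASH_BY_PRODUCT = {"cash_small": 100}        # constructed product table
_redeemed = set()   # tokens already credited; use a unique DB column in production


def purchase_token(receipt_text):
    """Unwrap a Unity IAP Google Play receipt and return its purchaseToken."""
    try:
        wrapper = json.loads(receipt_text)
        if wrapper["Store"] != "GooglePlay":
            raise ValueError("wrong store")
        inner = json.loads(json.loads(wrapper["Payload"])["json"])
        return str(inner["purchaseToken"])
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError("malformed receipt") from exc


def validate_and_credit(receipt_text, requested_product, lookup):
    """Return the cash to grant, or raise ValueError naming the reason.

    lookup(package, product, token) is a hypothetical stand-in for the
    server's authenticated purchases.products.get call to Google Play.
    """
    if requested_product not in CASH_BY_PRODUCT:
        raise ValueError("unknown product")
    token = purchase_token(receipt_text)
    # Only the token comes from the client; package and product are the
    # server's own values, so a receipt for another app or item is not found.
    record = lookup(PACKAGE_NAME, requested_product, token)
    if record is None:
        raise ValueError("purchase not known to the store")
    if record.get("purchaseState") != 0:     # 0 means purchased
        raise ValueError("purchase not completed")
    if token in _redeemed:
        raise ValueError("receipt already redeemed")
    _redeemed.add(token)
    return CASH_BY_PRODUCT[requested_product]


def sample_receipt(token):
    """Constructed receipt in Unity IAP's wrapper layout, for the demo only."""
    inner = json.dumps({"productId": "cash_small", "purchaseToken": token})
    return json.dumps({"Store": "GooglePlay",
                       "Payload": json.dumps({"json": inner, "signature": ""})})


def fake_store(package, product, token):
    """Constructed store: knows exactly one completed purchase."""
    known = {(PACKAGE_NAME, "cash_small", "tok-1"): {"purchaseState": 0}}
    return known.get((package, product, token))
```

The two checks that a signature-only validation does not give are the binding of the purchase to the product the server was asked for and the one-time redemption of each purchase token.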

insthync commented 1 year ago

I already implemented server-side IAP validation in 1.82c3; you will have to set up IAP obfuscating.

temel61 commented 1 year ago

@insthync please can you share your MMOServerCashShopMessageHandlers.cs file and server side function with us ?

temel61 commented 1 year ago

I have changed mine like that:

```csharp
// Namespaces used: UnityEngine, UnityEngine.Purchasing.Security, Cysharp.Threading.Tasks
public async UniTaskVoid HandleRequestCashPackageBuyValidation(
    RequestHandlerData requestHandler,
    RequestCashPackageBuyValidationMessage request,
    RequestProceedResultDelegate result)
{
#if UNITY_EDITOR || UNITY_SERVER
    bool validPurchase = true; // Presume valid for platforms with no R.V.

    // Unity IAP's validation logic is only included on these platforms.

    // Prepare the validator with the secrets we prepared in the Editor
    // obfuscation window.
    var validator = new CrossPlatformValidator(GooglePlayTangle.Data(),
        AppleTangle.Data(), Application.identifier);

    try
    {
        // On Google Play, result has a single product ID.
        // On Apple stores, receipts contain multiple products.
        var resultValidator = validator.Validate(request.receipt);
        // For informational purposes, we list the receipt(s)
        Debug.Log("Receipt is valid. Contents:");
        foreach (IPurchaseReceipt productReceipt in resultValidator)
        {
            Debug.Log(productReceipt.productID);
            Debug.Log(productReceipt.purchaseDate);
            Debug.Log(productReceipt.transactionID);
        }
    }
    catch (IAPSecurityException)
    {
        Debug.Log("Invalid receipt, not unlocking content");
        validPurchase = false;
    }

    if (validPurchase)
    {
        // Unlock the appropriate content here.

        // TODO: Validate purchasing at server side
        IPlayerCharacterData playerCharacter;
        if (!GameInstance.ServerUserHandlers.TryGetPlayerCharacter(requestHandler.ConnectionId, out playerCharacter))
        {
            result.InvokeError(new ResponseCashPackageBuyValidationMessage()
            {
                message = UITextKeys.UI_ERROR_NOT_LOGGED_IN,
            });
            return;
        }

        CashPackage cashPackage;
        if (!GameInstance.CashPackages.TryGetValue(request.dataId, out cashPackage))
        {
            result.InvokeError(new ResponseCashPackageBuyValidationMessage()
            {
                message = UITextKeys.UI_ERROR_CASH_PACKAGE_NOT_FOUND,
            });
            return;
        }

        AsyncResponseData<CashResp> changeCashResp = await DbServiceClient.ChangeCashAsync(new ChangeCashReq()
        {
            UserId = playerCharacter.UserId,
            ChangeAmount = cashPackage.CashAmount
        });
        if (!changeCashResp.IsSuccess)
        {
            result.InvokeError(new ResponseCashPackageBuyValidationMessage()
            {
                message = UITextKeys.UI_ERROR_INTERNAL_SERVER_ERROR,
            });
            return;
        }

        // Sync cash to game clients
        playerCharacter.UserCash = changeCashResp.Response.Cash;

        result.InvokeSuccess(new ResponseCashPackageBuyValidationMessage()
        {
            dataId = request.dataId,
            cash = changeCashResp.Response.Cash,
        });
    }
    else
    {
        // Answer the request on rejection too, so the caller always gets a
        // response. The generic key already used in this handler is reused.
        result.InvokeError(new ResponseCashPackageBuyValidationMessage()
        {
            message = UITextKeys.UI_ERROR_INTERNAL_SERVER_ERROR,
        });
    }
#endif
}
```

temel61 commented 1 year ago

Lucky Patcher is not working, but I cannot buy anything :(

insthync commented 1 year ago

It is already shared

insthync commented 1 year ago

Included in the update about a week

insthync commented 1 year ago

https://github.com/insthync/UnityMultiplayerARPG_MMO/blob/main/Scripts/MMOGame/Networking/Map/MMOServerCashShopMessageHandlers.cs#L313

tubhluas commented 1 year ago

My purchase won't work; it pops up a connection timeout and didn't give the cash reward. Is there a method that I missed? I have also set up the receipt validation obfuscator.