"Security is no small matter": What should I do when the game encounters security problems?

On March 5, 2024, Tropic Haze, the developer of the Nintendo Switch emulator "Yuzu", announced that it had reached a settlement with Nintendo: it paid 2.4 million US dollars in compensation, stopped all further development and operation of the emulator, and shut down the related websites.

Many players complain that they would never have used an emulator if the Switch hardware performed better. Still, with players' growing awareness of copyright, almost no one disputes that "cracking games is illegal". "Game security" concerns not only game companies but players as well.

Some players worry that Nintendo will come after them for having used the Yuzu emulator.

In fact, "game security" holds an important position in the game industry, and both players and practitioners deal with it almost every day. Yet it is rarely discussed, because it comes with a certain technical barrier.

In China, game security is almost synonymous with the big studios. A security team is expensive, so only large companies can afford one. Large companies can prepare adequately before a security incident happens; small and medium-sized companies and independent developers, who make up most of the industry, often struggle to respond appropriately when they run into security problems.

To this end, we approached FairGuard, a security service provider specializing in game hardening and anti-cheat, and together selected some publicly known game security cases close to players and practitioners, analyzing them from a professional perspective. We hope this gives the public a full picture of how game security actually operates, what it does, and why it matters.

In game security, the least sophisticated but most common type of incident is the DDoS attack (distributed denial of service). Because of its nature, small and medium-sized developers and independents are the most exposed to it.

For example, the mobile game "Lesonas", launched on February 29 this year, was hit by a DDoS attack organized by ACCN. The launch had to be delayed by 1 hour, and many players reported that the game stuttered on the first day: each line of dialogue took more than 10 seconds to advance to the next. ACCN's main tactic is to demand a "protection fee" from the project team and keep attacking until it is paid. Around the same time, a mobile game with a seven-figure user count was also hit by DDoS at its service nodes. If such an attack is not resolved in time, the losses are incalculable.

Whether the server is simply overloaded by players or is under attack can be seen directly in the backend data.

The basic principle of a DDoS attack is that the attacker uses a large number of "broilers" (zombie computers remotely controlled by the attacker) to saturate the game server's bandwidth or CPU. If the game server is a restaurant, it is as if, on opening day, a crowd suddenly blocks the entrance so that ordinary diners cannot squeeze in; or the crowd comes inside, occupies most of the tables and keeps calling the waiter over to order, and the waiter cannot turn them away, so every other diner suffers too.
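The backend data mentioned above can separate a genuine player surge from a flood only if someone actually looks at request rates per source and in total. The following is an added example, not code from the article or from FairGuard: it reads constructed access-log lines (addresses, timestamps and thresholds are all made up for illustration) and classifies each one-second window.

```python
"""Added example, not code from the article or from FairGuard: reading a
backend access log to tell a burst of genuine players from a DDoS flood.
Log lines, addresses and thresholds are all constructed for illustration."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

BASE = datetime(2024, 3, 1, 20, 0, 0, tzinfo=timezone.utc)


def build_sample_log():
    """Constructed log, one line per request: '<ISO time> <client ip> <bytes>'.
    Second 0: 25 players, one request each (normal).
    Second 1: the same 25 players plus one source sending 60 requests (flood).
    Second 2: 300 distinct players, one request each (genuine surge)."""
    lines = []
    t0, t1, t2 = (BASE + timedelta(seconds=s) for s in range(3))
    for i in range(25):
        lines.append(f"{t0.isoformat()} 203.0.113.{10 + i} 512")
    for i in range(25):
        lines.append(f"{t1.isoformat()} 203.0.113.{10 + i} 512")
    lines += [f"{t1.isoformat()} 198.51.100.7 64"] * 60
    for i in range(300):
        lines.append(f"{t2.isoformat()} 10.{i // 250}.0.{i % 250} 512")
    return "\n".join(lines)


def parse_log(text):
    """Parse lines into (timestamp, ip, size); blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, size = line.split()
        records.append((datetime.fromisoformat(ts), ip, int(size)))
    return records


def analyse_log(text, per_source_limit=20, total_limit=200, window=1):
    """Bucket requests into fixed windows and classify each window.

    'attack'   - at least one source exceeds per_source_limit: a single
                 broiler hammering the server; it can be rate-limited locally.
    'overload' - no single source stands out but the total exceeds what the
                 server is sized for: a genuine player surge or a widely
                 distributed flood.  Both look the same in this data, which
                 is why volume beyond the server's capacity has to be absorbed
                 upstream (cloud protection) rather than by per-IP rules.
    'normal'   - otherwise.
    """
    buckets = defaultdict(Counter)
    for ts, ip, _ in parse_log(text):
        buckets[int(ts.timestamp()) // window][ip] += 1
    findings = []
    for key in sorted(buckets):
        counter = buckets[key]
        total = sum(counter.values())
        flooders = sorted(ip for ip, n in counter.items() if n > per_source_limit)
        if flooders:
            verdict = "attack"
        elif total > total_limit:
            verdict = "overload"
        else:
            verdict = "normal"
        findings.append({
            "window": key,
            "total": total,
            "distinct_sources": len(counter),
            "flooders": flooders,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for finding in analyse_log(build_sample_log()):
        print(finding)
```

The "overload" verdict is the important caveat: once a botnet spreads its requests across enough broilers, each one stays under any reasonable per-source limit, and the log alone cannot distinguish the flood from a successful launch day. That is the situation the article's cost comparison is about.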

To make the extortion efficient, it is usually a studio with a clear division of labor (such as the ACCN organization) that uses DDoS for blackmail. Some members scout games about to launch, recording each game's size, genre and launch time. Others launch attacks according to those records, and there may be a dedicated group whose job is to contact the various project teams and confirm payment.

A "special person" responsible for collecting money

These activities are of course illegal, but it is difficult for a project team to trace the source and hold anyone responsible. First, the members of such organizations may not be in China, and the server IP addresses have been changed several times; second, attackers generally take payment in cryptocurrency such as Bitcoin.

Every year there are many posts on game platforms such as TapTap from developers blackmailed by ACCN-style organizations. Some platforms and publishers do provide protection services, but for developers the problem is, as the saying goes, "not the thief who steals, but the thief who keeps you in mind": an attack that can come out of nowhere at any time is a standing hidden danger.

From a technical standpoint, defending against DDoS is purely a matter of money. Games of different sizes draw attacks of different volume, and the attack costs the attacker something as well; if that balance tips the wrong way, the attack becomes a losing business for them.

A "broiler" is cheap, while defending against it is expensive. If an attacker uses broilers to hit the game server with 200G of traffic, the project team may have to buy 200G of public cloud resources (for example on Tencent Cloud or Alibaba Cloud) for protection. The former may cost only a few hundred yuan; the latter costs tens of thousands.

Protection products on Tencent Cloud

Attackers often set the "protection fee" at the lower of the two figures, but the project team has no guarantee the other side will keep its word. If the attacker "steals cleanly" and collects the fee only once, the team can just about accept it; but if the attacker decides you are a "fat sheep", it will extort you again and again. Many teams dare not gamble, yet have no money for dedicated protection services, so they simply pay.

The relatively professional advice here is to raise security awareness. Some developers have no concept of prevention and only act after an incident. But the revenue lost to the first DDoS attack exceeds what early protection would have cost, which is not worth it.

According to the experience of professional security providers, the low-cost approach is this: if the project team buys public cloud resources or the corresponding protection services for its first month online, essentially no studio will bother launching DDoS attacks against it. A small game can head off potentially large losses by spending a little money.

Compared with DDoS, most people are more familiar with plug-ins (cheat programs) and care more about their effect on their own play experience.

Some plug-ins can monitor or directly modify game files, doing serious damage to the game ecosystem. FPS games have always been the hardest hit by the black and gray industry because of the genre's popularity, the high income from cheating, and the fact that game data is stored on the client.

For example, in last year's "fixed match" incident involving a professional CrossFire team, the team invited a streamer team to play against its professional players in an open setting, and the offline matches and whitewashing that followed raised suspicions. Players found that the cheat the streamer team used was extremely covert; had it not been for the clean sweep of the professional players, few would have suspected a cheat at all. In related reports, this type of cheat is called a "streamer-customized cheat".

A "streamer-customized cheat" has two characteristics: precisely trimmed functionality, and anti-detection measures with outside help. The former gives the streamer just a technical "edge" and a good enough "effect" in the game. For example, the aim-lock function triggers only when an enemy appears and the crosshair is already close to the enemy's body; it is hard to tell by eye whether that tiny movement came from the cheat. As for the latter, teams that offer "streamer customization" often sell special hardware bundled with the cheat and place the cheat on that hardware, which partly defeats the official detection methods.

From the protection side, game companies usually obtain a cheat sample first, then use its identifying signature to test players' games preventively. If that signature shows up in a player's backend data, the company is entitled to act, and this generally does not produce false bans. But a streamer-customized cheat has its own separate signature, so this process naturally does not work.

Even when a player's behavior is not caught by the conventional process, the company can still make a manual judgment based on the player's environment and behavioral data. This is where player reports become meaningful.

If a player receives a large number of reports from other players, the company inspects his environment and behavioral data and assigns a risk rating based on the results. The rating has many dimensions, but generally it checks whether game memory has been modified and whether the game is running in an unusual environment (such as a virtual machine).

The security team sends the IDs of high-risk players to the project team, which decides what measures to take. Some of these players may be "big R" (high spenders) who have put in a lot of money, and banning them outright may lead to legal disputes; if the company cannot produce enough "objective evidence", it has a good chance of losing the case. So some companies turn a blind eye to "big R", while for "small R" and below they would rather ban by mistake than let one slip.
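The procedure described above (signature matching against cheat samples, then environment and behavior checks feeding a risk rating that the project team acts on) can be written down as a scoring function. The following is an added example, not code from the article or from FairGuard; the signature strings, VM indicators, weights and telemetry records are all constructed placeholders, and the weights are an assumption chosen so that a signature hit is decisive on its own while reports alone only trigger review.

```python
"""Added example, not code from the article or from FairGuard: a risk rating
that combines signature matches from cheat samples with environment and
behaviour data.  Signatures, module names, hashes and weights are constructed."""
import hashlib

# Identifying strings a security team might extract from captured cheat
# samples (constructed placeholders, not real cheat names).
KNOWN_CHEAT_SIGNATURES = {
    "sample-A": {"aimhelper_v2.dll", "ESPOverlay::draw"},
    "sample-B": {"recoilfix.sys"},
}
# Strings that indicate an unconventional environment (constructed).
VM_INDICATORS = {"VBOX", "VMware", "QEMU"}

# Expected hash of the client's code region as shipped (constructed bytes).
SHIPPED_CODE = b"\x55\x48\x89\xe5\x48\x83\xec\x10" * 4
EXPECTED_CODE_HASH = hashlib.sha256(SHIPPED_CODE).hexdigest()


def signature_hits(modules, strings):
    """Return the sample names whose signature strings appear in the client."""
    seen = set(modules) | set(strings)
    return sorted(name for name, sig in KNOWN_CHEAT_SIGNATURES.items() if sig & seen)


def memory_tampered(code_bytes):
    """True when the client's code region no longer matches the shipped build."""
    return hashlib.sha256(code_bytes).hexdigest() != EXPECTED_CODE_HASH


def risk_rating(telemetry):
    """Score one player's telemetry (weights are an assumption of this example).

    A signature hit is decisive on its own (60); tampered memory (30) and a VM
    environment (15) are supporting evidence; reports are capped at 20, so
    reports alone never reach the 'high' tier and only prompt manual review."""
    score, reasons = 0, []
    hits = signature_hits(telemetry["modules"], telemetry["strings"])
    if hits:
        score += 60
        reasons.append(f"signature match: {', '.join(hits)}")
    if memory_tampered(telemetry["code_region"]):
        score += 30
        reasons.append("code region modified")
    if set(telemetry["environment"]) & VM_INDICATORS:
        score += 15
        reasons.append("virtual machine indicators")
    reports = telemetry["report_count"]
    score += min(reports, 20)
    if reports:
        reasons.append(f"{reports} player reports")
    tier = "high" if score >= 60 else "medium" if score >= 30 else "low"
    return {"player": telemetry["player"], "score": score, "tier": tier, "reasons": reasons}


# Constructed telemetry records.
SAMPLE_PLAYERS = [
    # Known cheat: the signature alone is enough.
    {"player": "p1", "modules": ["game.exe", "aimhelper_v2.dll"], "strings": [],
     "code_region": SHIPPED_CODE, "environment": ["Intel", "NVIDIA"], "report_count": 3},
    # Customised cheat: no signature in common with the samples, but it still
    # leaves a patched code region, a VM, and a pile of reports.
    {"player": "p2", "modules": ["game.exe"], "strings": [],
     "code_region": SHIPPED_CODE[:-1] + b"\x90", "environment": ["VMware"], "report_count": 40},
    # Clean player who happens to be reported a few times.
    {"player": "p3", "modules": ["game.exe"], "strings": [],
     "code_region": SHIPPED_CODE, "environment": ["AMD"], "report_count": 5},
]


def rate_all(players=SAMPLE_PLAYERS):
    """Rate every record; the output is what a security team would hand over."""
    return [risk_rating(p) for p in players]


if __name__ == "__main__":
    for row in rate_all():
        print(row)
```

The second record is the streamer-customized case from the text: it matches no sample, so the conventional process would pass it, but the environment and behavior dimensions still push it into the tier that goes to the project team for a decision.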

Compared with streamer customization, "scripts" are less harmful, but they still directly affect a game's balance and life cycle. Scripts mostly appear in role-playing, card and strategy games. From the protection side, scripts are tied directly to studios (farming operations), and MMORPGs with an economic system are the studios' hardest-hit area.

The job of a script is to collect in-game resources efficiently and convert them into cash. Over time, once too many resources have been collected, they become cheap, and players tend to buy from a studio instead of "earning" resources through their own play. To cut costs, scripts usually run in virtual machines or in the cloud; a studio of a dozen or so people may run thousands of scripts at once. In other words, scripts are effectively "endless".

Another phenomenon derived from scripts and studios is the "initial number" (starter account). Chen Shiliu, FairGuard's technical director, talked to me about this: anime-style gacha games nowadays often have players exchange repetitive in-game grinding for growth resources or characters. After a game has been running for a year or two, it is hard for newcomers building their own accounts to catch up with the game's progress, and buying an "initial number" from a studio is a common choice.

For example, on August 30, 2022, Nexon, the operator of the international server of Blue Archive, permanently banned 280,000 initial numbers, including not only those still held by studios but also many that had already been sold on to players. This caused a backlash: players had done lessons in the game and kept playing for a while, and after the ban the company offered no compensation. Players naturally asked: why did the company not deal with the violation immediately, instead of waiting so long?

Nexon's ban announcement.

Chen Shiliu told me that this is because a script does not modify game memory data; it is just a fixed sequence of "simulated taps" that farms alt accounts and free rewards. So the security team has to start from the device's risk status and combine it with the player's behavior after logging in. For example, a mobile game's daily tasks require tapping several fixed positions on the screen, but the timing and operation logic of a human differ from those of a script. With backend protection in place, the backend immediately detects the abnormal behavior and flags a script risk. Unlike an FPS's "streamer customization", though, these gacha games are usually "weakly connected", and the behavior of running scripts to farm resources cannot be reported by other players. Game companies can only observe over a long period and periodically ban everyone "in one pot".

Banning "in one pot" means a delay, so it is hard to account for whether a real player is by then playing the account normally or whether it has made purchases. It is worth noting that, while players are "up in arms", there are also many examples of a game's fortunes rising after studios are driven out.
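The timing-and-logic difference Chen Shiliu describes can be measured. The following is an added example, not code from the article or from FairGuard: it takes tap events for one daily-task button as the server receives them (the tap records and the thresholds are constructed for illustration) and flags sequences whose timing and placement are both too regular for a hand.

```python
"""Added example, not code from the article or from FairGuard: spotting
scripted 'simulated taps' from the timing and position of daily-task taps
as the server receives them.  Tap records and thresholds are constructed."""
import statistics

# Each record: (server receive time in seconds, x, y) for taps on the same
# daily-task button.  Constructed data: a human wobbles in both time and
# place; a script fires on a fixed timer at a fixed pixel.
HUMAN_TAPS = [(0.00, 540, 1602), (0.83, 547, 1598), (1.91, 533, 1611),
              (2.64, 551, 1605), (3.72, 539, 1594), (4.88, 544, 1608),
              (5.61, 536, 1600), (6.75, 549, 1597)]
SCRIPT_TAPS = [(i * 0.500, 540, 1600) for i in range(8)]


def interval_cv(taps):
    """Coefficient of variation of inter-tap intervals (0 = perfectly regular)."""
    gaps = [later[0] - earlier[0] for earlier, later in zip(taps, taps[1:])]
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else 0.0


def position_spread(taps):
    """Mean distance of each tap from the centroid of all taps, in pixels."""
    cx = statistics.mean(t[1] for t in taps)
    cy = statistics.mean(t[2] for t in taps)
    return statistics.mean(((t[1] - cx) ** 2 + (t[2] - cy) ** 2) ** 0.5 for t in taps)


def looks_scripted(taps, min_cv=0.08, min_spread=1.5, min_taps=6):
    """Flag a tap sequence when timing AND placement are both too perfect.

    Requiring both keeps a fast but human player (regular rhythm, wandering
    finger) from being flagged; the thresholds are assumptions for the example
    and would be tuned against real sessions."""
    if len(taps) < min_taps:
        return {"scripted": False, "reason": "too few taps to judge"}
    cv, spread = interval_cv(taps), position_spread(taps)
    return {
        "scripted": cv < min_cv and spread < min_spread,
        "interval_cv": round(cv, 3),
        "position_spread": round(spread, 2),
    }


if __name__ == "__main__":
    print("human :", looks_scripted(HUMAN_TAPS))
    print("script:", looks_scripted(SCRIPT_TAPS))
```

Because these games are weakly connected, the only trustworthy clock is the server's receive time; a script that also fakes client-side timestamps would otherwise defeat the interval check. Accumulating this verdict per device over many sessions, rather than acting on one sequence, is what turns it into the periodic ban wave the text describes.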

In Japan, where the "initial number" originated, many companies have, over their long careers operating games, tacitly accepted starter accounts and formed a "symbiotic" relationship with studios. Some games are small and short of newcomers, and starter accounts even save the developer some channel and advertising costs. As long as other players' experience is not directly affected, some developers also tolerate behaviors that slightly modify game memory, such as "speed hacks".

Other companies take the attitude of "no complaint, no investigation". For example, with the "ACT" plug-in for the MMORPG Final Fantasy 14, if a player only uses its "damage meter" and "mechanic callout" functions, the company will not intervene on its own initiative; after all, the plug-in genuinely improves the player's experience. But in principle the game does not permit plug-ins, and if you take the resulting numbers to "police" other players, you will be banned.

"Policing" with a plug-in in Final Fantasy 14

In general, whether something counts as a plug-in has to be judged case by case. As a player, as long as you play by the normal process, you will not be banned. Meanwhile, companies need to reflect on whether their game design and version planning are unreasonable: must players rely on some kind of soft plug-in (a script) to have a good experience? If so, it is not surprising that a crackdown ends with the company being "burned" by its own players.

Strictly speaking, a plug-in that modifies game memory is itself a form of cracking, but there are far more serious cracking cases, and within game security anti-cracking is the most important part.

The most typical cracking case is "Legend". In the early years, "Legend" was cracked and its source code leaked. People with ulterior motives cut and modified the source, added their own servers, and ran private servers. In the black and gray industry, once a game is cracked the results inevitably spread like a virus, and when private servers generate huge profits, many people ignore the law and take the risk.

Normally a game developer has to obtain authorization from the copyright holder to make a legitimate product. A private server is like "tax evasion": it skips the step of paying the copyright holder. Private servers are very profitable, so fewer players play the genuine game, and the losses are incalculable.

Li Lei, FairGuard's marketing director, said that the industrial chain around "Legend" mobile games is worth at least 20 billion; it is attacked every year, yet it simply cannot be beaten.

A small game cracking platform

Of course, "Legend" has private servers because its code was leaked and cracked so early. The more common kind of "cracking" is making paid games free. That brings a chain of problems: some small games with in-app purchases are cracked and then sold online at low prices, causing losses for developers and operators; programs are embedded in the installation package to collect players' personal information during installation and sell it for profit; illegal advertisements are planted in the original in-app purchase section to imitate the genuine product and make money; worse still, some run a "subscription" model to profit systematically, far beyond what game security can tolerate.

That said, cracking an entire game is less common than cracking its encrypted resources. The images, audio, text and other content in a game are "game resources", and before launch they have to be packaged and encrypted. The encryption game companies do themselves is generally fairly weak, so they hire a third party to encrypt further.

Li Lei mentioned that in recent years demand from content-driven anime-style gacha games has surged. On the one hand, their art costs keep rising, so art assets have become one of the most important project assets and the bulk of the project cost. Once the art is cracked, a competing product with a simpler gameplay framework but similar art may well appear on the market soon. Legally, the criteria for judging plagiarism and reskinning are still strict; developers may realize a competitor has cracked their art, but tangible evidence is hard to find.

On the other hand, cracked resources mean "spoilers", which affect the game community's ecosystem to some extent and may indirectly interfere with the operator's version planning. For example, a gacha game may ship a character's resources in the client ahead of sale; if they are cracked early and spread in the relevant communities, the character gradually loses its appeal as it circulates in the information stream, and profit falls.

Li Lei singled out last year's resource leak from "Girl Frontline 2: Chasing and Releasing", the "Mrs. Raymond" incident. That leak led directly to the subsequent outbreak of public opinion, threw the developer into disarray and cost it the players' trust. From the protection side, it is inconceivable that a game of Girl Frontline 2's scale had security problems with its game resources.

Last October, unpacked content from Girl Frontline 2 was everywhere on the Internet.

Li Lei said: "Generally, medium and large games contact professional companies to do encryption work six months before testing starts. PvE or relatively 'stand-alone' mobile games need to guard against situations like 'Girl Frontline 2', and PvP games should consider whether cracked resources will be used to make plug-ins."

Once a popular game's resources leak, they spread quickly and widely. Although this is illegal, it is hard for game companies to hold the distributors accountable. At this stage, what developers should do is keep watch for whether their project resources are being sold or otherwise maliciously used, to stop the loss from growing.

Throughout our conversations one issue kept coming up: some small companies and independent developers easily overlook security, or know about it but lack experience handling it. Large and medium-sized companies have accumulated some experience during development, but even they sometimes "stumble" against a black and gray industry that changes rapidly and grows ever more rampant.

Whether in reality or in games, security has always been a major problem. As a developer, what you should do is plan ahead as far as possible to avoid problems, and then work out how to solve those that still occur.

Buying "outsourced services" from a professional team is one option for such a plan, but not the whole of it. Developers should think about design logic while building the game: could this be exploited by criminals? Can some verification be done on the server to raise the bar for cracking and plug-ins? This work does not cost much; it is more about ideas and "intent". On that basis, if something does go wrong, turning to a security team can limit further losses to some extent.
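The "verification on the server" suggested above is the design habit of never letting the client's claims decide an outcome: the server recomputes the bound and accepts or refuses. The following is an added example, not code from the article or from FairGuard; the resource rates, weapon damage caps, claim formats and the clock values are all constructed assumptions, and the point is the shape of the check rather than the numbers.

```python
"""Added example, not code from the article or from FairGuard: keeping the
server authoritative over what the client claims.  Rules, claim formats and
clock values are constructed; the server recomputes every bound itself."""

# Server-side rules (constructed): the most a legitimate client can produce.
MAX_GATHER_PER_SECOND = {"ore": 2, "herb": 3}
WEAPON_MAX_DAMAGE = {"pistol": 35, "rifle": 80}


class ServerState:
    """Tracks, per account, the server-side facts needed to bound a claim."""

    def __init__(self):
        self.session_start = {}   # account -> server time of login
        self.last_gather = {}     # (account, resource) -> time of last accepted gather
        self.inventory = {}       # account -> {resource: amount}, server-owned

    def login(self, account, now):
        self.session_start[account] = now
        self.inventory.setdefault(account, {})

    def validate(self, account, claim, now):
        """Return (accepted, reason).  'now' is the server clock, never a
        timestamp supplied by the client."""
        if account not in self.session_start:
            return False, "not logged in"
        kind = claim.get("type")
        if kind == "gather":
            res, amount = claim.get("resource"), claim.get("amount", 0)
            rate = MAX_GATHER_PER_SECOND.get(res)
            if rate is None or amount <= 0:
                return False, "unknown resource or bad amount"
            # Elapsed time comes from server records, so a client cannot
            # stretch it by lying about when it started.
            since = self.last_gather.get((account, res), self.session_start[account])
            cap = (now - since) * rate
            if amount > cap:
                return False, f"claimed {amount} {res} but at most {cap:.1f} possible"
            self.last_gather[(account, res)] = now
            self.inventory[account][res] = self.inventory[account].get(res, 0) + amount
            return True, "ok"
        if kind == "hit":
            weapon, dmg = claim.get("weapon"), claim.get("damage", 0)
            cap = WEAPON_MAX_DAMAGE.get(weapon)
            if cap is None:
                return False, "unknown weapon"
            if not 0 < dmg <= cap:
                return False, f"damage {dmg} outside 1..{cap}"
            return True, "ok"
        return False, "unknown claim type"


def run_demo():
    """Constructed session: one honest gather, then claims a script or a
    memory-patched client would send.  Returns the list of verdicts."""
    server = ServerState()
    server.login("acct-1", now=0.0)
    steps = [
        (6.0, {"type": "gather", "resource": "ore", "amount": 10}),   # 6 s * 2/s = 12 cap
        (7.0, {"type": "gather", "resource": "ore", "amount": 50}),   # 1 s since last: cap 2
        (8.0, {"type": "hit", "weapon": "rifle", "damage": 80}),       # at the cap
        (8.2, {"type": "hit", "weapon": "rifle", "damage": 150}),      # patched damage value
        (8.4, {"type": "hit", "weapon": "railgun", "damage": 10}),     # item the server never issued
        (9.0, {"type": "gather", "resource": "gold", "amount": 1}),    # resource not in the rules
    ]
    return [server.validate("acct-1", claim, now) for now, claim in steps]


if __name__ == "__main__":
    for accepted, reason in run_demo():
        print("accept" if accepted else "reject", "-", reason)
```

Rejections like these are also the cheapest telemetry there is: an account whose claims keep exceeding server-computed bounds has already identified itself, without any client-side detection at all.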

For developers, such ideas and "intent" are especially important. If an excellent game goes live under a developer who lacks security awareness and does not even know how to handle the most basic DDoS attack, a team's years of effort go up in smoke. That is a loss not only for the developer but for the whole game industry.