
Browser Games Aren't an Easy Target - jsnell
http://jakob.space/blog/browser-games-aren-t-an-easy-target.html
======
xg15
> _So I went back to the debugger and placed some breakpoints around where the
> WebAssembly module is loaded, realizing that its only purpose is to
> deobfuscate the JavaScript that eventually makes it into that "SOURCE"
> pseudo-file I saw earlier. [...]_

> _So… the WebAssembly is essentially generating JavaScript on-the-fly. Of
> course, all renditions of the code do the same thing, but the variable names
> are changing. [...]_

> _So it seems the WebAssembly module is doing some sort of tampering
> checking, [...]_

I remember various discussions when WASM was specced about the danger of WASM
blobs being used for code obfuscation.

The fears were dismissed with the argument that WASM is easy to decompile and
that there is a textual representation to preserve "view source"
functionality.

And yet, as soon as WASM is practically usable, we get this - an application
that uses WASM _solely_ because it is hard to inspect in the browser.

~~~
clktmr
JavaScript can be obfuscated too. What is the difference?

~~~
xg15
Well, someone went to the trouble of writing a Rust binary just to hide the
game code, when they could have used standard JS obfuscation instead. This
suggests to me that WASM has some properties that make reverse-engineering
harder than obfuscated JS could do alone.

This would give some validity to the fears of WASM becoming the "new Flash"
that were voiced when it was still in development.

~~~
ReverseCold
> new Flash

... but Flash was easy to reverse too, just download the .swf file and use one
of many tools to reverse engineer it. It's probably why there are so many
"hacked" flash games available if you search for them.

~~~
Arbalest
I never really found any of those tools. Granted I could have looked harder.
Perhaps I was looking in the open source world too much and they usually came
as binaries?

~~~
tetris11
[https://github.com/AndreyMiloserdov/jpexs-flash-decompiler](https://github.com/AndreyMiloserdov/jpexs-flash-decompiler)

------
tetris11
I also take a weird pleasure in running `scanmem` on some of these io games
(not the multiplayer ones) and just messing with the values so that I can win
everything.

I know a lot of time and effort goes into game development, and that I should
take the time to appreciate the rhythm of the story and the nuances of the
gameplay... but I am an addict.

I don't casually play games. I'm all in, or not at all. I will play day and
night until a game is finished and then I will move on with my life. As an
adult with a full time career I can't do these marathon sessions anymore, and
so cheating is a great means for me to accelerate through a game, tick the
mental block of completion, and then be refreshed Monday morning with my mind
focused on work.

~~~
Eric_WVGG
It's cool, you're just playing a different game.

------
redka
It's slightly annoying that when I create a new game (for the browser) or
think of ideas for games I inspect things through the lens of cheat-enabling.
It happens to the point that I dismiss ideas based on the fact that there is
no viable way for me to stop cheating when it leverages it. The funny thing is
that I did most of what I could (source-like networking) and basically no one
plays my games so the risk of cheaters spoiling it for everyone is super slim.
I wonder if it ever makes sense to think in those categories or am I just
paranoid.

~~~
marcus_holmes
That does kinda feel like premature optimisation. First make a game. Second
make a game that people want to play. Third make a game that people want to
hack. Then maybe look at stopping them from doing that.

Hard to resist that nagging thought, though.

~~~
judge2020
Knowing and designing around the unavoidable wave of cheaters is extremely
important when building online games.

If you build a multiplayer game then come back to "deal with cheaters" only a
few months before launch (or heaven forbid, after launch) you're probably
going to end up taking the easy route by using invasive ~~spyware~~ DRM
solutions, which don't stop cheaters once it's broken. To contrast, designing
the game around cheaters means you might actually implement sane networking
design, such as nearly everything being server-authoritative, aka. "never
trust the client". If your client is broken into, the best your cheaters can
do is script the game (scripting cheats are currently the only ones available
for Dota2 and probably League of Legends) or see a small amount of information
that's otherwise unknown (for dota 2 you can see which enemy illusions are
fake, for example).

Of course this approach can be taken too far, eg. in Call of Duty: Modern
Warfare (the new one) sometimes your camera positioning can lag due to packet
loss; this probably stops some aimbots but things like camera orientation
probably shouldn't be handled server-side.
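
Added example, not part of the thread or of any game discussed in it: a sketch of the server-authoritative ("never trust the client") message handling described in the comment above, shown beside a handler that trusts client-reported state. All names (`MAX_SPEED`, `TICK_MS`, `applyTrusting`, `applyAuthoritative`, the message fields) are hypothetical, and the tampered message is constructed sample input.

```javascript
// Constructed sketch: constants, function names and message fields are hypothetical.
const MAX_SPEED = 5;   // world units per second, decided by the server
const TICK_MS = 50;    // fixed server simulation step

// Weak design: the server stores whatever state the client reports.
function applyTrusting(player, msg) {
  player.x = msg.x;
  player.y = msg.y;
  player.score = msg.score;
  return player;
}

// Server-authoritative design: the client sends only intent (a direction).
// The server normalises it, applies its own speed and clock, and ignores
// any position or score fields the client includes.
function applyAuthoritative(player, msg) {
  const dx = Number(msg.dx);
  const dy = Number(msg.dy);
  if (!Number.isFinite(dx) || !Number.isFinite(dy)) return player; // drop malformed input
  const len = Math.hypot(dx, dy);
  if (len === 0) return player;                                    // no movement requested
  const step = MAX_SPEED * (TICK_MS / 1000);
  player.x += (dx / len) * step; // magnitude of (dx, dy) cannot change speed
  player.y += (dy / len) * step;
  return player;
}

// Constructed sample: a modified client claims a far-away position, a huge
// score, and an oversized direction vector.
function demo() {
  const tampered = { x: 9999, y: 9999, score: 1e6, dx: 1000, dy: 0 };
  const trusting = applyTrusting({ x: 0, y: 0, score: 0 }, tampered);
  const authoritative = applyAuthoritative({ x: 0, y: 0, score: 0 }, tampered);
  return { trusting, authoritative };
}
```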

------
Drakim
Very enjoyable read. It was especially interesting seeing the obfuscation
techniques the devs had created to prevent cheating using WebAssembly.

------
thrower123
Alas, we killed Flash. It's undeniable that that technology enabled a Cambrian
explosion of creativity.

~~~
mysterydip
I'm surprised someone hasn't made a flash-equivalent framework/environment for
html5 or webassembly yet.

~~~
TomGullen
We have, with Construct 3
([https://www.construct.net](https://www.construct.net))

Recent addition of our timeline editor means we think it ticks all the boxes
as a replacement.

~~~
terramex
Can you create graphical assets within engine in Construct (vector or raster)
or do you need to import them?

~~~
lelandbatey
Yes, within Construct 3 you are able to create your graphical assets. Here's a
demonstration of someone adding a sprite to their game which shows the
interface for drawing the raster sprite:
[http://www.youtube.com/watch?v=gVGOYvZxlqk&t=3m8s](http://www.youtube.com/watch?v=gVGOYvZxlqk&t=3m8s)

------
webdva
Have you heard of Hordes.io? It's an advanced multiplayer .io game.

------
ahmeni
A very decent breakdown of some more modern obfuscation and deobfuscation
techniques. It's nice to see some Rust getting used as well, I wonder if it's
made things easier or more difficult for the krunker.io dev in the long-run.

