The Daily Click

::.

Securing your INI files

Author:

DeadmanDines

Submitted:

22nd January, 2003

Views:

6347

Rated:

Okay, so you've decided you want the ease-of-use of an INI file for your saving system, but don't want users to find them easy to hack? Well, let's look over some of the things you can do to hinder them.

Naming
INI files can, as most of us know, be editted in a standard text editor like Notepad, so to start with, let's make it harder for them to actually understand what they're looking at. Eg: Here is a standard INI file, with no safety measures:

[savedata]
score=11
lives=3
health=100
level=6

So, to make that harder for a hacker to read, let's change some of those names to acronyms only the developer would understand - we change 'savedata' to 'PDR' (Player's Data Record), 'score' to 'PPC' (Player's Point Count), 'lives' to 'ARC' (Available Respawn Count), 'health' to 'DRL' (Damage Resistance Level), and 'level' to 'cgf' (Current Game Frame). Already it now looks like:

[PDR]
PPC=11
ARC=3
DRL=100
CGF=6

But this doesn't stop the player looking at their score, saving, then closing and finding that value in the INI, regardless of its name. To get around that, we do a very basic form of encryption. Create another item, called 'dek' (Data Encryption Key), and set its value to 3. Add 1 to it to get 4. Now, we set any other value to [value to be saved]*([dek]-1). This now gives us:

[PDR]
DEK=4
PPC=33
ARC=9
DRL=300
CFG=18

That should give our would-be hacker a problem and a half. But surely the best way to keep something safe is to prevent people finding it, no? Well let's now focus on the name of our ini. We all know that TGF/MMF come with cncs###.dll files (cncs32 for 32-bit-TGF, and 232 for 32-bit-MMF), so why not rename it to 'cncs332.dll'? It doesn't need to be named .ini to be read by the INI object, and people expect to find DLL files on their hard disk. It'll stand out less than 'savegamedata.ini'.

But we can do even more than that! Why not use the Zip/Unzip objects - after all, they can be passworded, and with different keys to standard zip files, so that zip-crackers find it harder to break into. We can save our ini into a passworded zip file, extracting it temporarily to a temp folder when needed, but removing it when it's done with. We then rename this zip file to something like 'cncs332.dll', so it looks like it should be there, and voila! If someone's going to get through that, then they're one determined person indeed - likely with nothing better to do, lol.

I hope that's helped any who weren't quite sure how to prevent people hacking their gamesave inis. It's not flawless, but it'll put most but the very hardcore crackers off.

*Dines

Posted by - Min -

22nd January, 2003

Realy helpful article, thanks!

Posted by David Newton (DavidN)

22nd January, 2003

Very good... but the acronym use is likely to confuse the programmer as well (well, me at least). Good idea with the renaming of the file, though.

Posted by Hagar

22nd January, 2003

Good Article i thought you might have discussed the encryption object though, as that can do text files.

Posted by Buster

22nd January, 2003

Hey! Good one! I liked the Zip idea.

Posted by DeadmanDines

22nd January, 2003

I tend to have a little comment in my code, explaining what each acronym is, if i can't remember. The examples aren't very good, but it gives the general idea.

Posted by CYS

22nd January, 2003

Good.

Posted by Shen

22nd January, 2003

Cool ideas

It's also good to have a seperate table of what does what when encoding INIs.

Posted by Mr Saturn

22nd January, 2003

PLEASE, don't hide your INI files. That is just rude to the user, and junks up there computer. All files the game uses should be in the games directory.

Posted by Tigerworks

22nd January, 2003

Bad idea to rename your INI like that. It probably confuses you more than the user you are trying to prevent hacking your INI.

There is one simple solution which beats ANY other method by FAR, you can keep your INI file the same name, keep item and group names the same, not bother with password extractions, and is virtually unhackable:

Binary object: Load the INI file, Compress, Encrypt.

Posted by podius (Alan C)

22nd January, 2003

i used inis, but they are very easy to "hack" all you have to do is look for correlations between numbers. the only way to prevent hacking is by making "conversions." like, top score = 1000 saved on the ini will have something like x3+100, so, 3100. that'll make it harder for the players to change the numbers b/c they dont' know what they mean.
and in the game, u can put a "impossible" number detect when a player changes the ini, and its possible to recognize it (like, lives= 1000 when the max is 9)

however, after using inis fo ra while, i started using arrays. it holds more info and is harder to "hack"

Posted by The New SnS

22nd January, 2003

another way to protect your ini files is to use the file encryption object and have something like this at the beginning of the application: START OF FRAME -> Decode file with ### . Then as a global thing say: END OF APPLICATION -> Encod file with ### . Make sure the #'s are the same. Also you have to add SET CURRENT FILE to the events before the rest of the stuff occurs. this way, if they try to open the ini when the program isn't running, they won't be able to open it. this is the ultimate security of ini files. i think that that plugin only works for CnC & MMF only though... and if they had MMF they could crack it eventually... also, the more #'s in the code the merrier and harder to crack..

Posted by Crystal Clear (H.E.S)

22nd January, 2003

Very good ideas.... ill try some and see whats the most effective.

Posted by DeadmanDines

23rd January, 2003

Yeah, there are better methods, but those are some of the simple ways I've found effective. I save most of my external files in passworded zip files - i don't always rename the groups/items, but i do tend to rename the passworded zip. I oughta try getting to grips with the binary object - I know its basic functions, i'll try working on the other stuff (like encryption).

Posted by Aali [Crazy_Productions]

23rd January, 2003

Sunny Nook Software: so what if someone hacks the file when the game is running?
wouldn't it be decoded then?

Posted by AfterStar

23rd January, 2003

Good point Aali!
Best way to protect inis is Tigerworks method!

Posted by FunkyPapa

23rd January, 2003

Actually the best way is to make your own encryption code based around date/time. This could be a bit hard though and certainly not something for the newbie klikker.

Posted by Tigerworks

23rd January, 2003

The Binary object is the best way. With any other encryption object, it is merely a byte shift and easy to hack with a little work.
Also since the file is compressed, it is even harder to hack - and your files are smaller.
I tell you again, renaming anything, multiplying any values etc. is NOT a good protection method.
You can still open INI files when the game is running. Using the binary object, don't save over the old file, save it to something like temp.dat in the same directory as your game, retrieve all data from it, then immediately delete that file.

Posted by Pete Nattress

23rd January, 2003

sounds like to much trouble to go to just to prevent people looking at the INI files that you're putting in their computer. like Mr Saturn said, it's rude.

Posted by DeadmanDines

24th January, 2003

What's rude about it? Protecting the INI prevents the user hacking it and ruining their gaming experience.

Posted by Joshtek

24th January, 2003

if your using arrays you still have to be careful tho!

Posted by Erik

25th January, 2003

i youst use the encryption object for c&c. It encrypts the object and decrypts it only for a short amount of time youst while loading the data for the load game function.
That makes your save ini look like nothing understandable.
like
(%/&()"&(/"#=%?(=%()/¤#)%(/¤=

(
Or something like that.

Posted by Silveraura

25th January, 2003

Nice Article! If someone can get through all that then who cares if they hack it! They did the work, they can do the hacking!
A way I did the INIs on Diamond is using codes.

Posted by Crystal Clear (H.E.S)

25th January, 2003

Replying to Ali: )so what if someone hacks the file when the game is running?
wouldn't it be decoded then? )
no not nescercelly i just uploaded a page that Answers your Question and many others.
http://www.geocities.com/gerudokingau/Securing_INI.htm

Posted by Crystal Clear (H.E.S)

25th January, 2003

I dont know if this idea works???? oh but probably the best Idea is what Dines said to make it cncs332.dll

Posted by Aali [Crazy_Productions]

30th January, 2003

Replying to Crystal Clear 2002: well if you do it just like Sunny Nook Software said.. it will

Posted by Crystal Clear (H.E.S)

1st February, 2003

yeah that does workk.. i dont think the ione i did does work. i was trying to make it where they cant Get into it when its running and when its not.. but it ended up screwing up..
i might try the AA object for my nex game..

Posted by Simon Colmer

15th February, 2003

wooooooooooooooooooooooooooooooh that is one heck of an idea, i already rename mine but thats impresive!

Posted by Jenswa

21st March, 2003

why not enter your save files in the windows registry
or place them in c:/windows/system/backup as
rungame.dll,nobody will suspect that, or hack into
the registry simply,because no one knows it exists,
but that encryption is handy.

Posted by Kramy

2nd September, 2003

My RPG uses the same thing basically. All the chars are stored in .\Chars\"charname".dat but I am going to encrypt them, zip them, rename the zip, then encrypt the zip again if it's possible(but if not I'll just settle for encrypting it once).

In my RPG(since the 1000GBV/GBS objects are not working) I load everything into .\RPG.dat and then jump to next level, and load all the values back. The hacker would have to have VERY quick reflexes(about 6 miliseconds) since there is no pause feature.

Funny thing though is I use a list file to replace the 1000GBV/GBS objects...only I'm saving all the list values/strings via ini...

Posted by Kramy

2nd September, 2003

Good article!

Posted by Muz

20th June, 2008

Tigerworks' solution is best, IMHO. I wouldn't want to rename my names either, that becomes pretty darn confusing after not seeing it for a while. But.. your article explains to me all those cncs332.dll files I've seen lately

Posted by -J-

18th January, 2009

There are encryption extensions now that change your text into jumbled letters

I'm not sure they were around when this article was written.

Posted by DeadmanDines

2nd February, 2009

They were, but I wasn't very good back in 2003

Posted by Cameron L Mercer

1st July, 2009

Heres something: 
 
For like a key that keeps track of the players current level, set it to a WORD! (obvously other than the level name) 
 
level=ivegotcandy 
 
People can guess and figure out formulas with numbers (it's not a time consuming process either), but saving the levels as words is the only thing thats stopped me - how would you know what word to guess? 
 
Oh, and PLEASE dont hide your ini files! I hate uninstalling a game then finding some cryptically named save file in my windows directory a year a half later 
 
(checkthisout.ini, for any of you who've played the electroid games)
Comment edited by Cameron L Mercer on 7/1/2009

Author Info

DeadmanDines
Best Article Writer

Registered
27/04/2006
Points
4758

Worth A Click