Ridiculously high scores? No problem!

Two things became apparent after I added high scores to Milpa: first, people are doing exceptionally well at the game. Second, the game is easy to hack. Check out those scores:

All Time

Several people were getting higher than Year 30, doubling my personal high score. I didn’t expect anyone to get that far. So, hey, you guys are awesome.

Second, the game scores are totally hackable. Year 88? No way. I took the precaution of encrypting scores before they are sent to the server, but that doesn’t stop something I knew nothing about: easy-to-use tools that can modify game memory during runtime. These tools allow you to find where a score is stored in memory and edit its value. One of these tools is called Cheat Engine.

Cheat Engine screenshot

There was a recent Digg article about hacking games where many of these tools were mentioned in the comments. People generally seemed enthusiastic about sharing different ways to cheat.

I downloaded Cheat Engine and within 5 minutes hacked Milpa. Watching the score jump from 1,000 to 100,000 felt like I had just won the lottery. It gives a sense of accomplishment, and a chance to show off to others. In a sense, it’s like playing a whole other game with a new set of rules and your own goals. So I can see why people do it.

I thought about leaving the hacked scores in and just watching to see what happens, but ultimately, that is not fair to the people who legitimately make high scores. So I did a couple things.

First, I made the game more difficult after Year 13. People getting to Year 36 is great, but at that point the game becomes a test of endurance rather than skill - playing one game must take longer than an hour, which is not at all what I intended. Because of this change, I deleted all scores higher than Year 13 so that all high scores represent the same difficulty level.

Second, the game now encrypts in-game memory. The game is still hackable, and always will be as long as the game logic exists on the client, but now hacking a score in the same manner won’t be possible. So if you want to hack, you’ve got a whole new set of rules to deal with. :)

Refresh the page to get the latest version of Milpa, and click the i button to make sure you’ve got version 1.2.1.

8 Responses to “Ridiculously high scores? No problem!”

  1. xcheater Says:

    Hi,

    encrypting the memory is useless, because it is still hackable. You have to decrypt it from time to time… Would it be possible to send user moves to the server, to verify the score on the server? Then, a hacker will have to know the moves he has to play, not only the score. The problem is, it will add (maybe) too big a load on the server.

    Few comments to the game:
    - from 13th level the Goal was rising too slowly ( your score + constant + 20*level# ), this is not good, because depending on the luck you have, your score may vary in the range of 1000. If you are unlucky, you will end too soon, but if you have good luck, you may play for another 25 levels and increase score by 100k.
    I would suggest to make the Goal quadratic function of level# only -> not to depend on my_score_from_previous_level. Another solution would be to move skull faster each level.
    I would also like to see 6th type of fruit :-)

    I like the game very much, thanks for development.
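
The server-side check suggested in the comment above (send the moves, recompute the score on the server), as an added example that is not part of the original post or comments and is not Milpa's code: the toy game rules, `SERVER_KEY`, and all function names are hypothetical stand-ins. Replay rejects an edited score but accepts any legal move list, so it does nothing against an automated player.

```python
import hashlib
import hmac
import random
import secrets

SERVER_KEY = b"constructed-demo-key"  # assumption: secret held only by the server
WIDTH, TURNS = 11, 20                  # toy board width and game length (not Milpa's)

def _tag(session_id, seed):
    msg = f"{session_id}:{seed}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_session(session_id):
    """Server chooses the RNG seed and signs it, so a client cannot pick a lucky one."""
    seed = secrets.randbits(64)
    return seed, _tag(session_id, seed)

def simulate(seed, moves):
    """Replay the toy game: each turn draws a row of tiles worth 1-5; a move takes one."""
    rng = random.Random(seed)
    score = 0
    for move in moves:
        row = [rng.randint(1, 5) for _ in range(WIDTH)]
        if not 0 <= move < WIDTH:
            raise ValueError("illegal move")
        score += row[move]
    return score

def verify_submission(session_id, seed, tag, moves, claimed_score):
    """Return (accepted, reason). The claimed score is never trusted, only compared."""
    if not hmac.compare_digest(_tag(session_id, seed), tag):
        return False, "seed not issued by server"
    if len(moves) != TURNS:
        return False, "wrong number of moves"
    try:
        actual = simulate(seed, moves)
    except ValueError as exc:
        return False, str(exc)
    if actual != claimed_score:
        return False, f"claimed {claimed_score}, replay gives {actual}"
    return True, "ok"
```

The server cost is one replay per submitted score, proportional to the number of moves, which is the load concern raised in the same comment.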

  2. David Brackeen Says:

    108,440 on Year 34? Nice move, xcheater.

    You’re right, there was a period in the game where the score was still easily hackable: the Game Over screen and the Submit Score screen. I’ve fixed it now. Care to take a stab at version 1.2.2? :)

  3. xcheater Says:

    You assume I’m changing game memory, and/or packets sent to/from server. That is wrong :-) So I will just use same method again.. Any ideas?

  4. David Brackeen Says:

    Well, there’s two things I would have no control over:

    1) a bot to automatically play the game with the best strategy, or
    2) if the game code has been edited on the client.

    But I don’t think it’s either of those. Care to give a hint? :)

  5. xcheater Says:

    1) not the best one, but works

    http://youtube.com/watch?v=BxP-rrRo9yo

  6. xcheater Says:

    The problem of the game is that it gives complete information about the coming tiles. Even a person can take a screenshot, pause the game and think about it for an hour, then it is just a clicking challenge… You should limit possibility to pause the game to time between levels ( in fact, when skull has reached the end of the row the state of the game is not different from paused game ).

    Creating the bot is not that hard, because you have to get pixel from only 11 positions to get everything you need for high score. First version of my program had 400 lines in C++. There is probably nothing you can do about it. You can check that I’m clicking only on 12 distinct points, but I can add rand() there… You can count that I click 120 times per second ( sometimes game ignores first few clicks, so I’m clicking multiple times in loop :-) ), but I can limit that too. You can slightly move, or change colors of fruit, but that can be solved too.

    The best thing to do is to think about the games which cannot be played by bot or which cannot be played by bot better than by human.
    Now I’m giving up, you can delete my high scores, because I know I had cheated.

    It was fun to write the bot. In the end it was reading the types of 11 tiles in the middle row and 14 coming tiles. If I executed it multiple times I believe I could score 150 000 ;-)

    But as I said: I really like the game.

  7. David Brackeen Says:

    You’re right, there’s really no way to detect a bot - if the bot creator is clever enough.

    What can I say, I’m impressed. I wouldn’t mind seeing your code.

  8. Vaughn Says:

    Holy crap. Way too much effort to cheat! I’d rather spend that effort writing my own game. :)
