Securing your INI files
Submitted: 22nd January, 2003
Okay, so you've decided you want the ease-of-use of an INI file for your saving system, but don't want users to find them easy to hack? Well, let's look over some of the things you can do to hinder them.
INI files can, as most of us know, be edited in a standard text editor like Notepad, so to start with, let's make it harder for them to actually understand what they're looking at. E.g. here is a standard INI file, with no safety measures:
So, to make that harder for a hacker to read, let's change some of those names to acronyms only the developer would understand - we change 'savedata' to 'PDR' (Player's Data Record), 'score' to 'PPC' (Player's Point Count), 'lives' to 'ARC' (Available Respawn Count), 'health' to 'DRL' (Damage Resistance Level), and 'level' to 'cgf' (Current Game Frame). Already it now looks like:
But this doesn't stop the player looking at their score, saving, then closing and finding that value in the INI, regardless of its name. To get around that, we do a very basic form of encryption. Create another item, called 'dek' (Data Encryption Key), and set its value to 3. Add 1 to it to get 4. Now, we set any other value to [value to be saved]*([dek]-1). This now gives us:
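The renaming and multiplier steps above, written out as a Python sketch. This is an added example, not part of the original article (which uses the TGF/MMF INI object). It assumes the file stores 4 as 'dek', the sample values are constructed, and the divisibility check on load is an addition.

```python
import configparser
import io

# Acronyms from the article: readable name -> item name stored in the file.
NAMES = {"score": "PPC", "lives": "ARC", "health": "DRL", "level": "cgf"}
SECTION = "PDR"  # the article's replacement for 'savedata'
KEY = 3          # the article's starting value; assumed: the file stores KEY + 1 as 'dek'


def _parser():
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep item names case-sensitive ('PPC', 'cgf')
    return cp


def save(values):
    """Return INI text with renamed items and each value multiplied by (dek - 1)."""
    cp = _parser()
    cp[SECTION] = {"dek": str(KEY + 1)}
    for name, value in values.items():
        cp[SECTION][NAMES[name]] = str(value * KEY)
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def load(text):
    """Decode INI text; raise ValueError when a stored value cannot come from save()."""
    cp = _parser()
    cp.read_string(text)
    factor = cp.getint(SECTION, "dek") - 1
    if factor < 1:
        raise ValueError("dek must be at least 2")
    out = {}
    for name, item in NAMES.items():
        stored = cp.getint(SECTION, item)
        if stored % factor:
            raise ValueError(f"{item}={stored} is not a multiple of {factor}")
        out[name] = stored // factor
    return out


if __name__ == "__main__":
    sample = {"score": 1500, "lives": 3, "health": 80, "level": 4}  # constructed values
    text = save(sample)
    print(text)
    assert load(text) == sample
```

A hand-edited value is rejected only when it is not a multiple of dek - 1, so this is a sanity check on load rather than proof the file is untouched.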
That should give our would-be hacker a problem and a half. But surely the best way to keep something safe is to prevent people finding it, no? Well let's now focus on the name of our ini. We all know that TGF/MMF come with cncs###.dll files (cncs32 for 32-bit-TGF, and 232 for 32-bit-MMF), so why not rename it to 'cncs332.dll'? It doesn't need to be named .ini to be read by the INI object, and people expect to find DLL files on their hard disk. It'll stand out less than 'savegamedata.ini'.
But we can do even more than that! Why not use the Zip/Unzip objects - after all, they can be passworded, and with different keys to standard zip files, so that zip-crackers find it harder to break into. We can save our ini into a passworded zip file, extracting it temporarily to a temp folder when needed, but removing it when it's done with. We then rename this zip file to something like 'cncs332.dll', so it looks like it should be there, and voila! If someone's going to get through that, then they're one determined person indeed - likely with nothing better to do, lol.
I hope that's helped any who weren't quite sure how to prevent people hacking their gamesave INIs. It's not flawless, but it'll put all but the very hardcore crackers off.