Here’s another unfinished game I was working on in my spare time, this time for the Unreal 4 engine. The last time I touched it was probably sometime early this year, so here is the source code now that I realistically know I won’t be doing anything else with it. It’s almost entirely C++, blueprints were only used on things that required it such as model animations, sounds, data, shaders, etc.
Source code available here and if you want to try a prebuilt version just to play, you can grab it here.
This game is a lot more polished than the Valhalla Run game I made in Unity. It was supposed to be a small scale recreation of the Darkfall: Unholy Wars combat. So an arena, survival game, battle royal or something like that. The core combat was about 85% done, the real work remaining was in creating the gamemode, the maps, models, animations, textures, and all those extra bits I have little talent for. It already functioned as a multiplayer deathmatch using Darkfall-ey combat and many of the abilities from the game.
Source codeRelease binariesGameplay video (not mine)
I haven't touched Unity in a long time (Unreal 4 is way better!) but here is the complete source to Valhalla Run, the gravity-manipulating 3D platformer that I used to win the SBU game programming competition.
If you’re an aspiring game dev or just want to pick apart some code, this is for you.
Source code
Disclaimer: I do not endorse virtual item/crypto gambling and the site I developed is essentially shut down at this point.tl;dr version: Some virtual item gambling sites use provably fair as a cop out and users don’t understand that it doesn’t guarantee a site isn’t rigging or giving out prior knowledge of rolls. Most sites, including the big names, have a provably fair that either allows flat-out rigging or giving out prior knowledge, such as to streamers or friends. This article goes over some examples.
I developed one of those sites. It was a huge undertaking, I don’t recommend it to the feint of heart or to one man teams like I did. Anyway, one of many things I had to do was to create a system to ultimately determine the winner of rounds, in a close to truly random manner, and have the method provable to not be rigged or predetermined. Not having done it before, I did what any developer does: I looked on the Internet for examples. In the end, I decided to make our own from scratch because I found out the phrase “Provably Fair” is just something being thrown around by these sites with no meaning.
For the most part, the results are fair, but only if none of the contestants have any friends with the administration. I found out that streamers and youtubers have actually been caught in the past, being given prior knowledge of a result, so they could make videos of them “winning big”. Then both the site and the celebrity get publicity. Everyone wins, except for the average player. I want to be clear: the CS:GO Diamonds scandal is only one example of a site that could be giving prior information or flat out changing the results. I am not accusing anyone in this post of doing so (except diamonds), but I am saying that they could do so.
In this article I’m going to go briefly over what provably fair is, use a couple sites for case studies, and then I’ll go over my personal algorithms at the end. I’ll also go over a few theories/solutions, but they’re mostly just there for entertainment because of how wild they are. There is no simple fix!
What is Provably Fair?
If you go on these sites and decide to gamble your skins, you’re obviously going to be suspicious, even if it’s a site that says it has a ton of people. One way to garner trust is to have one of these provably fair systems in place. If you do a quick google search, you’ll understand it more than what I can or should put here. The tl;dr version is that it uses a bunch of complicated math and stuff to do other stuff, you probably don’t understand it, and it uses big words so you’ll believe what they say. That’s a commonality with cryptography.
The problem is that, of the many sites I’ve seen, none of them have a system that actually uses something that is provably random. When I say random, I mean that the winning ticket / winning percent / winning roll was determined in a way that it could not be known by the server operators or anyone else. Additionally, it would also need to be in a way that the server operators or anyone else could not flat-out set or rig a match result to what they want.
Provably fair is something you see a lot in bitcoin gambling sites. The reason being because they actually have a third-party source for determining rolls: the block chain. When a person deposits their bitcoins, the site is going to use the transaction data in the rolls. The site does not control that data and it is hard to predict what that data is going to be. It’s perfect for helping determine rolls.
CS:GO sites that I’ve looked at do not have this. All of their data is determinant and generated by the site. I did not see a single site that used either third-party sources, some form of verifiable entropy, or any other way that could prevent operators from knowing results. Some site algorithms actually allowed flat-out rigging of results or did not have a published algorithm whatsoever!
Case Studies
When I do these, I will start off by saying which type of site it is: either that the results can be predetermined and given to other people or it is flat-out able to be rigged. I will also list a few sites (definitely not all!) that use the same or a very similar system, go over their algorithm, and at least one method to rig. Again, I only state that they are capable, not that they are guilty of doing so.
CSGO Wild
Type
Coin flip is both able to be rigged and results given to others before hand. Operators are able to give results of roulette before hand.
Similar algorithms
csgojackpot
csgolotto
csgochance
csgo2x
csgofast – Winner for roulette is based on a sha224 hash of the winning percent. Can give results before hand and set results before the round starts.
csgo500 – Needs verification. They obfuscate their client code but from what I could tell from viewing the websockets and prettyprint, it’s similar. They also don’t publish any of their methods despite saying they use a provably fair system in their FAQ. I also found it funny that their Steam group is populated with huge amounts of accounts that have not even set up their community profiles yet – obvious bots or something shady going on there, just go to the later pages of the member list and take a look at the accounts. Also, for some reason all of their group admins have Steamworks badges. Very strange.
many others – Just use google, this is probably the biggest one. The big point is that the winning percent is generated when the round starts and isn’t based on any identifiable source besides whatever internal RNG (or operator choice) the server uses.
Their provably fair
You should not say that you are keeping the rounds truly random. There is nothing truly random or even pseudo-random about them, if the operator did not want them to be. This is completely misleading. The round hash is simply there to prove that they are not changing the result of a round after it is created. It does nothing to prevent people knowing the result or setting the result before the person creates the round. Also, since coin flip rounds are not against the house, the house has nothing to lose by letting streamers win big. Of all the provably fairs I’ve seen, this is most likely the weakest one.
Potential method(s) of rigging
The winning percent is chosen by the server when the round starts. There is no way to know how the server determines it. The page literally says “the server generates a salt, and a winning percentage to identify the round”. It does not say how it generates it. The salt is just there to prevent rainbow tables reversing the winning percent. The winning percent is not based on some verifiable or determinant source. They have complete control over the result before a round is created. If they wanted a person to win or lose or a color to win or lose, they could simply mark the next X rounds at whatever winning percents they desire.
The winning percent is known by the operators so they could tell people to join or not join certain rooms to guarantee wins.
They could tell others to bet on a certain color in the roulette to win on stream/video.
CSGO Double
Type
Able to give results before hand.
Similar algorithms
csgostrong (slight difference. uses current date instead of lotto)
csgocosmos (identical to csgostrong)
csgocircle (identical)
csgohouse
csgoroll – Uses a selectable client seed instead of a lotto. This weakens the algorithm further by making it so the operators can tell users what client seed to win with. It would be stronger if it didn’t use a lotto/client seed at all.
csgoempire (slightly different)
Their provably fair
This site uses a pretty simple algorithm. One thing I like about it is that it does show how it determines the winning percent: by taking a part of the resulting hash and converting it to a number. SHA256 is pretty much uniformly random to the casual observer and only tiny bumps in the distribution would occur. Additionally, the use of a daily seed makes it computationally impossible to rig anything beyond the first handful of matches for a day. This makes it leagues above the other sites simply for the fact that it determines the winner in a way you can verify. They do that rather than simply determining the winner, then making it so you can verify they didn’t change the winner. Of course, this system is not perfect. Not perfect at all.
I also want to look at their use of lottery numbers. This is completely useless, extra information. There is really no reason to have it here. Both the server and the client know what it is at all times. It serves no purpose other than to make the algorithm seem more “legit” by having a third party source incorporated. The problem is that the source is 100% transparent. They would achieve the same level of fairness by replacing the lottery numbers of every day with the word “dog”. It’s like having a salted hash but telling people what the salt is – totally useless. Not good or bad, but useless.
Edit: the owner of Double tells me about their use of lottery numbers. They generate their server seeds based on the previous ones and all seeds have been determined from the moment the site was created. He also tells me that other sites using similar algorithms simply generate a new seed from scratch every day. They use lottery numbers to make it so the server can’t generate strings of “favorable” rounds. So it avoids the operator purposely generating strings of rounds that are the same color, turn up not green, etc. People would be more likely to fall for the gambler’s fallacy and not bet on the same color.
Potential method(s) of rigging
The server operators know the results of every round before it happens. They know the round_id, everyone does. They know the lotto, everyone does. They know the server_seed, they’re the site operators. That makes it extremely easy for them to give advanced knowledge to other people in the guise of them winning big on stream/video.
Use alts to egg people to the losing color via chat.
Afterthoughts
This message is a bit interesting. Apparently somebody pretended to be the site owner of CSGO Double and then distributed some obfuscated javascript and told people to execute it in their chrome console (BAD IDEA!). It was something that caused the user to transfer all of their coins to the author of the script. This was something I prevented within 10 minutes by using a salted hash of both steamids (person transferring and the receiver) as an auth cookie, yet this site has had this notice here for weeks.
I also came across this video. It’s the same guy from the CSGO Diamonds scandal, winning big and acting super surprised. Is it acting, is it real? I’m not sure but the fact is that it could be.
https://www.youtube.com/watch?v=hqIjjGq8vyU
CSGO Diamonds
This one is interesting because it has already admitted to rigging with the guy in the previous video. There’s a big fiasco and people are still using it. You can simply google “moe cs godiamonds” to find out more.
Type
Able to be rigged and results given to others before hand.
Similar algorithms
None that I saw, although I didn’t do much digging in to it because of how debunked it already was.
Their provably fair
This one is a bit more complicated than the others. It adds together a server seed, a client seed, and a nonce to generate the winning percent. Additionally, all the seeds it shows you are sha256 hashed to hide what they are until you change them. The client seed is something you pick and the nonce is simply the number of times that you’ve used the seed.
When you change your client seed, the future server seed is set to your current seed. This way it lets you see what you’re going to get before you get it. It also gives you the unhashed version of your previous server seed so you can verify it. This is a really huge complicated mess that all falls apart because of one truth: you don’t know the future-future seed. In other words, the seed you would get if you were to change your client seed twice. You might say, “but wait, if they were rigging wouldn’t they need to make the server seed match up to my client seed?”. Not at all. The reason is simple: because the end result of a round can be the same given different rolls. For example, roulette can still land on the same color if you get 20 or 20.01 as your winning percent.
Potential method(s) of rigging
I’ll start off by reminding you: they actually already were caught rigging.
The site operator and a streamer can cooperate. The site operator could make the person get a certain server seed in their “future+1” slot and then tell them which client seed they should pick to win big. No one would be suspicious because the server does not display (or even imply the existence of) a future+1 server seed but nothing says that one can not exist. This is just my theory but again, they have been caught doing something extremely similar if not exactly what I’m describing.
My Algorithms
These are the ones I decided to use. I am not saying they are perfect but I am claiming that they are better. I’m open to peer review from anyone technically inclined.
First, we use a list of daily secrets, extremely similar to what double and a few other sites use. Even bitcoin sites use this system.
The roulette algorithm is also similar to double except for what we use in place of the “lotto”. Instead of using the static lotto numbers, we use the total amount of coins wagered in the round. The reason for this is simple: it’s chaotic. There is no way to tell people to bet on a certain color because at any time, many people are betting, changing their bet amounts, etc all up until the time the wheel starts to spin. The winning percent is determined right as the timer hits 00.00. The detailed results of every round are available for all to see so it would be impossible to change them. csgobig uses a similar system for their roulette and they claim pretty boldly that their system is 100% fool-proof. I’ve also thought of ways to potentially make it even more chaotic, such as multiplying or modding wagers of individual reservations by their order, time entered, etc. I’m not a mathematician, so maybe someone can chime in here.
Coin flips also use the daily secrets and we use the participant steamids and wager as extra entropy for the round hash. The problem right now is that all of this info is (potentially) known by the server, so we’re looking for ways to plug this one up. If one thing is for certain though, I have not seen many 1v1 games on these sites that determine the winner AFTER the person has joined. Simply for that fact, I believe my algorithm is leagues ahead.
Theory Crafting
This dilemma has had me thinking for a few days now. Just how can you create a system that is truly provably fair? I’ve had a few thoughts but most of them I’ve disproved already. Most of them are extremely elaborate. Here’s a few that I’ve mulled over:
Trusted Third Party (players vs. house game)
We’ll replace the lotto again. Let’s consider replacing the lotto with a new value, we’ll call “3rd_party_hash”. This setup would require a trusted, third-party site with no affiliation with any other sites, setup for the single purpose of providing CS:GO gambling sites with hashes. Obviously, this plan falls apart right here because no such thing really exists, but let’s humor ourselves.
The gambling site will request, when the round ends and the wheel about to spin, a 3rd_party_hash with the round_id as the input. When the third-party site receives this request, it will respond with the 3rd_party_hash but will also enter the round_id / 3rd_party_hash combination in to a public database. If the server requests the same round_id again, it receives the same hash. The third-party site would generate their hash using some publicly available algorithm, such as using a daily server seed.
Pros
Completely unriggable and completely unable to give results. If the gambling site requested the 3rd_party_hash early, the third-party site would have the combination on their public list. This would invalidate all trust with that site. Additionally, if anyone entered a wager after the public list received the request, it would also invalidate all trust.
Cons
Requires absolute trust in the third-party site. The operators would have to be saints. The server would be placed in a temple of Buddhist monks that have abandoned their material possessions.
Requires the third-party site have 100% up-time.
Very complicated.
Rotating Client-side Seed (players vs. house game)
Rotating Client-side Seed (players vs. house game)
Let’s take for instance, the CSGODouble algorithm from above. Instead of the lotto we’ll use a client_seed. The difference here is that the client seed is not stored on the site, but rather in the browsers of all of the contestants. At the end of the round, the server would request the seed from the player(s) via websockets. If they didn’t respond, it would go to the next candidates. How it picks the candidates and how it rotates is another story.
Pros
Results couldn’t be rigged sometimes.
Cons
Could rig the results sometimes.
Game not based on luck.
This one’s really, really simple. Just have a game that isn’t based on luck or any rolls.
Game not based on luck
Pros
Can’t rig!
Maybe you have something unique.
Cons
Very hard to develop, relatively speaking.
Would need to have great game design skills. You would need to have a game that can be played quickly, yet also be relatively fun and based on some skill or strategy.
A real-time game is out of the question when money is involved. There would be a ping discrepancy, botting, cheats, etc. A strategy game of some sort would be best, but the game would need to have a meta. There couldn’t be a “one strategy beats all” approach.
Taking a risk by creating something new.
Closing Thoughts
It’s been a really interesting experience trying to make not only the entire site but these algorithms. I learned a lot, it was my first attempt at nodejs and it became one of my favorite platforms. Programming the bots, sharpening my CSS, HTML, and JS skills, running a cluster, overcoming the issues of concurrency in NoSQL, it was all a good learn.
Personally I think that most site operators have no malicious intentions and simply incorporate these algorithms without fully understanding what they do or what they’re meant to do. I think some even acknowledge that they’re flawed but they simply have no other alternative. The same thing goes for the average user who trusts a site just because “provably fair” is somewhere on the page. Remember: even if a site says it’s provably fair, it does not mean that it is provably honest.
I wrote an addon that extracts the tags on booru posts and Illustration2Vec to your clipboard. Which is very useful if you like tagging your saved images with things like Hydrus Network. It’s in its infancy so it might not support every image booru out there but it pull requests for new CSS selectors are welcome. The script auto-updates so feel free to make github issues with requests for sites that don’t work.
Download
Speaking of which, Illustration2Vec is probably the coolest thing I’ve seen in a while. Give it an image (it works best with vectorizable things like illustrations) and it’ll use machine learning and image parsing algorithms to automatically tag your image. It’s surprisingly accurate too, being able to detect minute details and give the image accurate tags.
And if you don’t know what Hydrus Network is, it’s the second coolest thing I’ve seen in a while. All images can be hashed with sha256, a hash so long that there will likely not be any collisions with any other images. Hydrus lets you attach tags to those hashes so you can have your own personal collection and very easily sort/search through thousands of images and videos based on those tags. The meat though is that it can also subscribe to tag + file servers so you can see the tags that other people have given to them. There’s already millions of image -> tag mappings and it was funny seeing my ancient image macros having content tags on them. There’s a whole bunch of exported tag databases for various image repositories and an already-tag-updated installation at /hydrus/
EDIT: SteamDB have since added a rating and discount filter to their website.
Here’s another Tampermonkey script. Steam sales are a great and often you want to see which games are the most percent off. Steam itself doesn’t have this feature, but SteamDB has a great sales section that lists all the games, how much they are, what percentage they’re off, and what rating they have. You can sort both sites by rating. You can also sort SteamDB by percentage off but unfortunately you cannot filter by minimum rating, resulting in a list of games with crappy ratings to sift through. This script fixes that by completely removing all games with bad ratings. If only Steam itself had this feature for its front page.
As usual, you’ll need Tampermonkey for Chrome or Greasemonkey for Firefox. It’s untested for Greasemonkey. Change the line with min_rating to whatever number you want. I’ve set it to 80%. Anything 79% or less will not show up at all.
// ==UserScript==
// @name SteamDB Bad Game Remover
// @namespace http://average.website
// @version 1.0
// @description Remove games on SteamDB that have less than a certain rating.
// @author William Moodhe
// @match https://steamdb.info/sales/
// @grant none
// @run-at document-end
// ==/UserScript==
/* jshint -W097 */
'use strict';
//////////////
// What rating does the game need to show up on the list?
var min_rating = 80;
//////////////
var ratings = document.querySelectorAll("table.table-sales td:nth-child(7) > span");
var removed = 0;
var td;
var inner;
var rating;
var i;
for (i=0; i < ratings.length; i++)
{
td = ratings[i];
inner = td.innerHTML;
if (inner.substr(-1) == "%")
{
rating = Number(inner.substr(0, inner.length - 1));
if (rating < min_rating)
{
td.parentElement.parentElement.style.display = "none";
removed++;
}
}
}
console.log("Removed " + removed + " bad games.");
Now you’ve done it. You’ve accidentally clicked a link to click bait, a top 10 list, an annoying Let’s Player, or you’ve dared to see more than two videos on a certain subject matter. You’re cursed to always see thumbnails of garbage videos for the rest of time.
There’s a couple addons floating around that advertise removing all YouTube recommendations. They’re quite bloated though, and some of them didn’t seem to work for me. We’re programmers though, we can fix this. Enter Tampermonkey and mutation observers. It’s easy enough to remove all the parent elements of spans containing the word “Recommend”. YouTube has a load more button though, so a quick fix for that was the use of mutation observers. These things observe elements, attributes, or the entire page for changes to the DOM and report back to javascript with them. So as new content is added to the list of videos, we can filter those too. The result is a nice, clean front page with only channels that you’ve subscribed to.
You’ll need Tampermonkey from the web store here.
After you’ve installed that, press the icon in the top right and press Add new script. Paste the following code in and press CTRL+S to save.
// ==UserScript==
// @name Suggest-me-not
// @namespace http://average.website
// @version 1.0
// @description Removes suggestions and recommendations on the YouTube front page for channels you aren't subscribed to.
// @author William "JetBoom" Moodhe
// @match https://www.youtube.com/
// @grant none
// @run-at document-end
// ==/UserScript==
/* jshint -W097 */
//'use strict';
function removeSuggestions()
{
var spans = document.querySelectorAll("ol.section-list span");
// Remove ancestor li element of spans that have recommendations.
var span;
var par;
for (var i=0; i < spans.length; i++)
{
span = spans[i];
if (span.innerHTML == "Recommended channel for you" || span.innerHTML == "Recommended" || span.innerHTML == "Want all the latest updates? Subscribe now.")
{
par = span.parentElement;
while (par != null && par.nodeName.toLowerCase() != "li")
par = par.parentElement;
if (par != null)
par.style.display = "none";
}
}
}
// Mutation Observer to check for DOM changes to the section list.
var content = document.querySelector("ol.section-list");
if (content)
{
var observer = new MutationObserver(function(mutations) {
mutations.forEach(function(mutation) {
removeSuggestions();
});
});
observer.observe(content, {childList: true, subtree: true});
}
// Immediately remove suggestions once.
removeSuggestions();
Edit: Both of the remakes of DF 1.0 have some sort of detection for this, although I think it’s just that DF 1.0 in general already had teleport detection, not that the new companies programmed in detection themselves. New Dawn is particularly adamant about this and has made some of their own anti-cheats built off of the work of myself and other white/gray hat members of the community.
About a month ago I decided that my love-hate relationship with Darkfall was over and it was time to give back to the community (what’s left of it) one last time. This particular game company decided to simply brush under the rug every complaint or known hack so I decided to see what I could do to maybe force them to update. Very gray hat but hey, maybe they’d finally do something, right? Nope. Because at the time of editing, their game has been shutdown for an unknown amount of time, probably never to come back up. They blame the financial situation in Greece catching up to them.
Some history
Hacks have always existed in this game in one form or another, ever since the first iteration of the game came out years ago. Radar, ESP, sticky hack (basically an aimbot), and teleporting to name a few things. Up until this point I had never tried any of them except setting my velocity to fly around back in Darkfall 1.
Darkfall trusts the client with basically every piece of data it sends. Obviously it’s going to be hard to detect or hinder client hacks like radar, esp, and aimbots. All games are like that. But Darkfall is very trusting of the client so stuff like player physics, positions, and even projectiles (their creation anyway) are all client-side. I’m not sure what sort of cheats were being used behind the scenes. I’ve only played with a few people who have either said they had or I suspected of having wallhacks or radar, nothing more than that. This game also uses the best anti-cheat detection available: absolutely nothing.
Unhackable Wars
Back to projectiles. One odd thing about lag switching was that it allowed you to fire off about two dozen arrows in the same instant. Turn the switch on, fire your arrows, then undo the switch. Then watch as hilarity unfolds when whoever was in front of you instantly dies and flies back 100 feet or so. This is fine and all for those dime-a-dozen Nexon games that trust the client and install rootkits as an anti-cheat. Not so much for a pay-to-play MMO that hosts potentially thousands of players in one uninstanced world. I’ve always wondered just how much authority the server gives to the client. Teleporting is one thing, but is it trusting enough for the client to spawn projectiles at will? The short answer: yes and even from any location you want.
I whipped out my handy dandy Cheat Engine and after a bit of memory editing, scripting, and ASM code changing, Darkfall’s first public multi-hack was born. These videos highlight what you can do with low level characters. Obviously a leveled one would be far more annoying.
As of right now it features:
Instant teleport to anywhere and any height on the map based on map coordinates
Noclip to go through walls or zoom across the map
Velocity altering to fly around
Hovering to float under the terrain and loot graves
Wallhack
Detaching the camera from your character. Create projectiles, pick up items and relics, gank people, revive people, offer duels and have the duel ring appear a mile away, etc. from your detached camera.
This is actually some of the least horrible things I’ve found you can do. Playing for absolutely free, duping items, unbanning yourself, and spawning projectiles extremely fast just to name a few. It’s like these developers never considered security at all.
Afterthoughts
I decided to give the game a serious try for its sequel. Needless to say as soon as people got outplayed the first thing they would scream is hacks. Most game communities have these people, but Darkfall has by far the most amount of them I’ve seen besides Counter-Strike. I’m not even talking about hackusations I’ve personally received. Almost every person in the top 10% was a hacker according to the other 90%. Even if you showed them a recording of you beating them, they would make it seem like they actually believe it was impossible that this person could win over them legitimately.
I got kicks out this, I’ll admit. Being able to kill a guy, take all his stuff that he spent potentially hours farming, then having him foam at you. Its sadistic nature attracted some very uncouth players. It also had no instances and it had Quake-like combat. Darkfall was one of a kind in this regard and it’s a shame no competent company has picked up on the idea.
One hilarious part of all this was watching my puush file download count rising after posting the first iteration of this hack. When everyone already thinks you’re hacking, it’s like nothing ever changed when you actually start doing it. And when you see people who so adamantly believed and complained you were hacking are now using a public hack you just created, it brings a weird sort of smile to your face.
Since Unity terrain collision is awful, especially with custom character controllers, I made a script that automatically takes terrain data, creates a mesh, and then replaces the TerrainCollider with a MeshCollider using the generated mesh. I didn’t feel like giving up the fancy features of terrain drawing and exporting the mesh to a modeling program is too retro for me.
Since it’s run when the scene starts, it increases load times by a decent amount but shadows and baked stuff like that shouldn’t be changed. In order to compensate, I made it so a checkbox can be checked that puts the mesh in to the assets folder, which can then be attached manually in the editor. When you’re done testing your game you can export the generated meshes to actual assets to save load times.
Attach it to any terrain object and it will do its magic when the scene loads. I’m using low resolution height maps. You should be prepared to load for like 2 minutes if you’re not.
A lot of the script was taken from TerrainObjExporter. I had to do some changes in order to make the generated mesh exactly match up to the drawn terrain (flipping, reversing, rearranging indices, rotating).
Source code
