Tree of Savior Forum

Potential for Client Tampering - a.k.a. "Hacks"

Amidst all the community/nationality drama, I’d like to bring up a more serious matter: (potential for) cheating.

So, first, a little bit of background:

I am one of the many players who ended up stuck in the quest “Release Goddess Salue”, wherein a barrier prevents players from talking to the NPC and thus progressing the main questline. Some players managed to bypass this obstacle through the use of Ice Walls, spamming buttons and luck. Eventually though you’re not allowed to teleport back to the Goddess and so it becomes much harder to progress.
While I know IMC is working on this bug, I decided to research it further and came upon an interesting discovery: a bloke managed to talk to the NPC by editing his in-game position using a hex editor.

This being a closed beta, combined with my passion for computer security, I felt obliged to test this out and to my horror and surprise it indeed works.
Your in-game coordinates are stored in your system’s memory, and with a hex editor and 5 minutes of your time you can find their specific addresses. These values can be modified and that’s instantly reflected in the game client: your character appears instantly at the specified coordinate values. What surprised me though was the fact that the server seemed to be OK with my character having instantly teleported 100 units of distance into a place that isn’t even supposed to be reachable by players (err technically it is supposed to, but it’s bugged so yeah). Furthermore, I was allowed to interact with the NPC there (I can finally resume my progress!) which means this isn’t just a “client-side” thing.

Now the reason for wanting to address this is simple: in its current state, it’s incredibly easy to write a program that interacts with the game client to allow cheatish things such as teleporting around, modifying your speed (I didn’t test this out specifically but if you can teleport around, you can move faster than usual, just use your brain…) and what not.

I’d like to share ideas with the IMC staff and the community. Of course there’s always the possibility of adding client-side security measures, including third-party software. But we know those can often be bypassed with little effort. A server-side implementation provides a more robust security against cheating, but can easily degrade user experience by requiring a tighter synchronization between client and server. In other words, lag would have brutal consequences on gameplay, which currently is not the case.

So, opinions?

6 Likes

I was wondering this too. I noticed during the lag and whatnot, especially during boss fights, that I was able to fight combat perfectly, which made me start wondering if combat was also handled client-side, and if it is, then that would be super open to hacking potential.

I’ve obviously not done any testing (just going by what feels possible to me), but if this is the case, then the game definitely needs to handle more things server-side. I realize that can (and will) increase server strain, but some things really just should be handled on the server’s end instead of the client’s end for obvious reasons, and a lot of this applies. Stuff like movement and combat definitely should be server end.

2 Likes

Yeah I also noticed that even while the server had actually crashed and was totally unresponsive, I was still able to do combat perfectly fine, only the server-side things such as picking up loot/changing zones/changing inventory and equipment and the like were frozen.

This game will be hacked to pieces in a week at this rate. At least the pve storyline will still be playable, but the economy and pvp will cease to exist due to the hack use.

3 Likes

I never had this issue, but now I know what the hell everyone was doing with those ice walls. I thought they were just screwing around.

You can’t expect the server to handle all the work. A lot has to be done client side. Cheat Engine works pretty weird and I agree the server should have disconnected him as soon as he had it open or as soon as the server realized he wasn’t where he was supposed to be. The game can detect if speed hacks are being used and disconnect said player, right? I hope it can at this point. I wonder myself if HP can be easily frozen client sided. I’d hope that’s server side though, GodModes would be too easy. I care about my account too much to get myself banned in a beta though.

In a certain game I played you could edit your game files so you could attack 100 times faster. However, as soon as you attacked more than the server knew you should be able to you got banned/kicked out. Hopefully on release you won’t be able to get away with stuff like this. It’s a beta. It’s a lame excuse but that’s all I can say.

The nature of this topic might be what IMC calls “sensitive” or an “exploit” and shouldn’t be on the forums, just saying, not sure though.

Also, you saw the guy on Reddit.

This is a big deal. Unrestricted teleportation like that can be gamebreaking when abused heavily, and IMC clearly doesn’t have the manpower to police it manually. Some sort of check that stops you if you move too far is necessary, even if it worsens lag.

One option for lag is using tighter checks when the server doesn’t have a heavy load. Cheaters won’t know for sure when that is, and the worst abusers tend to run 24/7 bots.

Combat requires some server management since you’d get conflicting results between different players otherwise, but it’s definitely worth looking into how much is or isn’t server side. I assumed they had servers divided up, with combat and items using different sub-servers, but that would still open the possibility of doing calculations client side. Can people use packet editing to make all their attacks crit, for example?

1 Like
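
The distance check proposed in the post above, with the load-dependent tolerance it suggests, sketched as an added example that is not part of the thread or of IMC's code. All names, the 50 units/second speed and the 5 to 25 unit slack range are assumptions for illustration.

```python
import math
from dataclasses import dataclass

@dataclass
class PlayerState:
    x: float
    y: float
    t: float             # server time of the last position report (seconds)
    max_speed: float     # units/second the server allows this character
    violations: int = 0  # plain counter; a real server would decay it over time

def slack_for_load(load: float, tight: float = 5.0, loose: float = 25.0) -> float:
    """Distance tolerance in units: tight on an idle server, loose under load.
    The 5 and 25 unit bounds are assumed values, not the game's."""
    load = min(max(load, 0.0), 1.0)
    return tight + (loose - tight) * load

def validate_move(state: PlayerState, x: float, y: float, now: float,
                  load: float, kick_after: int = 3):
    """Check a client-reported position against the last one the server accepted.
    `now` is the server's clock, never a client-supplied timestamp.
    Returns (verdict, x, y), where x, y is the position the server keeps."""
    dt = max(now - state.t, 0.0)
    allowed = state.max_speed * dt + slack_for_load(load)
    dist = math.hypot(x - state.x, y - state.y)
    state.t = now
    if dist <= allowed:
        state.x, state.y = x, y
        return ("accept", x, y)
    # Too far for the elapsed time: keep the old position and snap the client back.
    state.violations += 1
    verdict = "disconnect" if state.violations >= kick_after else "correct"
    return (verdict, state.x, state.y)

if __name__ == "__main__":
    # Constructed session: a normal step, then a 100-unit jump 0.1 s later.
    p = PlayerState(x=0.0, y=0.0, t=0.0, max_speed=50.0)
    print(validate_move(p, 40.0, 0.0, now=1.0, load=0.0))
    print(validate_move(p, 140.0, 0.0, now=1.1, load=0.0))
```

This bounds speed only; it does not check whether the straight line between the two positions crosses a wall or barrier, which needs a separate collision test on the server.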

That’s more than possible. Heck you could send a packet that makes it so any player you choose disbands their guild depending on the game you’re playing. Stuff like that happened a lot in MapleStory. At a bare minimum they should encrypt their calculations so it’s not as easy as removing a piece of gear and re-wearing it over and over to find the address for your crit and other stats. That would stop a lot of newbies, like the guy on Reddit, from doing simple hacks like these. Even if the encryption is just multiplying X, Y, or Z number by 8.

Considering how responsive combat seems even when the server is stressed, I’d be willing to bet that yes, probably. Maybe even block/dodge. If these are all calculated client-side then there’s potential for enabling some sort of God Mode.

This reminds me of how pots take forever to activate when you’re lagging. Item use/drop/loot seem to be well handled by the server (in the sense it’s secure), but combat not so much. Ironically, I often get hit by telegraphed attacks after I’m well outside the range due to latency. One would think that’d not be a problem with so much done client-side…

I highly doubt combat is calculated client side. On kTOS I have many issues with latency. Attacks get delayed making it useless to player range classes. I had lots of position issues there. When I was clearly out of the AoE circle on my screen once the attack was done I got teleported back into the circle and received damage. It was desync between my client and the server due to the 300-500ms ping and the server won.

People already hacked the combat system; they are able to kill enemies they’re not even looking at or off screen.
It’s only pyro mages doing it so far.