Community High Scores..

[n0rtygames]

Hello,

So I'm thinking of taking a short break once I ship CB in a couple of weeks (really..) and move house to give my brain and sanity a rest from bullets and stare at the comforting white on black of Linux terminals for a while..

Something I'm considering doing is opening up a free service just for people who use this sub forum - which will basically be a primitive as fuck service allowing any application you write to submit a score via a HTTP Post and have a server side script do all the sorting in a database.

Then make scores accessible via a virtualhost on my domain for all to view.

It's simple and nothing complicated or overly secure - subject to falling over and breaking from time to time... just thought it would be a nice little offering. Question is - if I did it, would anyone really use it?

Cheers,
Steve

[nasty_wolverine]

You mean a database where games made by forum users are submitted and said users can rank games thus new users will have a guide to which games are worth giving a shot and developers can get valuable feedback?

It would be awesome, as i just created a barebones shmup engine(C++, SDL+GL) and currently working on a small shmup demo as we (as developers) could get organized feedback... if thats what you meant.

[n0rtygames]

You mean a database where games made by forum users are submitted and said users can rank games thus new users will have a guide to which games are worth giving a shot and developers can get valuable feedback?

It would be awesome, as i just created a barebones shmup engine(C++, SDL+GL) and currently working on a small shmup demo as we (as developers) could get organized feedback... if thats what you meant.

No! But that's actually not a bad idea - might have to see about that...

I meant an online high score system for peoples games

[DJ Incompetent]

Yes!

[Meseki]

I would definitely try to use something like that when/if I finish the game I'm working on. However, that would probably be a long time from now, as I don't have very much to show right now (though using a 3D engine makes some things, including Tate, much easier).

[mice]

Yes!
I'd make a QR-code image in my xblig games and point it to your service. Brilliant!

[n0rtygames]

Yes!
I'd make a QR-code image in my xblig games and point it to your service. Brilliant!

You know, I had that idea before... I thought it might just be crazy, but if someone else is thinking it... maybe.. just maybe it's sane

If we go down that route, I'll need to start thinking up some sort of secure algorithm with you for using a visible URL to post a score - since that's what you'd be doing with a scanned QR code.

See, I've got a need trick with XNA using high scores to ensure people can't hack and tamper with the scoreboards... It's an idea I gave to ProjectorGames and it worked in one of their pseudonym titles.

Basically, using XNAs random number generator - we're going to be getting the same value across all hardware if we use a seeded random. So we convert the scores in to a sort of checksum by using that combined with various values from the gamertag etc as the seed and call a rnd.next on it. If that entry in the score differs - we simply drop the score when it goes for insertion.

It's not the most elegant, but it's simple and stops tampering at a base level. Realistically speaking, for someone to want to actually hack a game that badly - it's got to be a good and reasonably high profile game... or the person has to be highly dedicated.

Either way, an application submitting a HTTP POST request is one thing - as it's going to be quite transparent to the user. We don't actually have to verify anything once it's been sent. Again, you'd have to have someone sitting there with ethereal or similar and actually looking to see what's going on. I suspect the majority of people old enough to possess that sort of know-how AND be playing a shmup in this day and age are probably old enough to respect the unwritten rules of not shitting where you eat..

XBLA kids though, with a URL that they can see... different breed entirely

[trap15]

Yes!
I'd make a QR-code image in my xblig games and point it to your service. Brilliant!

You know, I had that idea before... I thought it might just be crazy, but if someone else is thinking it... maybe.. just maybe it's sane

austere and I had the same idea that I was going to implement into Ketsui Arrange. But we figured it'd be a bit too complicated to do with so little free ROM space left, so we scrapped the idea.

[mice]

Make it happen!

?game=dinoshmup&score=EFDAAD6374AEEFBCDBCD&sec=AEDB61873ABDDE767212321

[BPzeBanshee]

I love this idea but I have no bloody clue how I'd do it in GM short of making my own server exe program for it (which goes completely against the HTTP Post idea).

[n0rtygames]

I love this idea but I have no bloody clue how I'd do it in GM short of making my own server exe program for it (which goes completely against the HTTP Post idea).

Any use?
http://gmc.yoyogames.com/index.php?showtopic=423462

To be honest I don't know the first thing about Game Maker so I'm really not sure how much use that is. Quick google for "game maker http post" brought that up as first post.

[BPzeBanshee]

That should be of use actually, although it requires usage of 39DLL (GM Windows DLL extension for better networking stuff) so I should be able to come up with something.

[Dave_K.]

I'm confused, will this service be usable by non-XNA homebrew games as well?

[n0rtygames]

I'm confused, will this service be usable by non-XNA homebrew games as well?

Yep! It'd just be a web service with a fairly generic way of submitting scores via a simple HTTP post. Entirely platform independant - so if your game is running on a device that can talk over port 80 - you'd be able to use it.

The reason Mice mentioned his XBLIG titles was because we don't currently have any means to talk to the outside world on XNA titles. It's all entirely garden walled. There's no getting out of XBLA.. you can't point your program at your server to talk to port 80 for instance.

However, if he generated QR codes which a user could scan with a phone - the thought behind it would be that on their PC, Phone or whatever device - they'd be opening up a web browser that contains the score submission URL for their title.


Of course the only 'gotcha' is security and trying to avoid fake scores being submitted in the event that somebodies home made game blew up and had a wider audience. That part needs thought

[trap15]

Give me a shout if you want some help with the obfuscation and encryption

[n0rtygames]

Cheers trap!

Not entirely sure what lengths you could go to with obfuscation or encryption in the example of using a QR code to submit via a URL however. Any values passed would be visible to the end user by simply observing the URL.

I also suspect that if we started doing weird stuff like bit shifting and the like on the client side, then (no offence) most of the GM using crowd would look at us like we were summoning Cthulhu...

That said, even if it was a simple mathematical operation based on some arbitrary value, the moment I tell anyone (eg via a howto) the formula to form a web request - security becomes redundant... It's not a problem for the regulars in this forum. I don't think anybody would risk face and take the piss... I'm just trying to think ahead in case someone gets lucky and their game goes viral or something..

[trap15]

Yeah, I was thinking of per-game keys that are randomly generated, so even if the algorithm gets public, then it's still worthless for all games except one. And only tell the algorithm to people who have a game ready for it to be implemented into. Minimize the attack surface

[n0rtygames]

Yeah, I was thinking of per-game keys that are randomly generated, so even if the algorithm gets public, then it's still worthless for all games except one. And only tell the algorithm to people who have a game ready for it to be implemented into. Minimize the attack surface

Hmm, let's think this through.. Think of the least secure scenario - which is a scanned QR code that ends up presenting the submission URL to the user in plain text (As I said before, anyone actually packet sniffing to try and figure it out should probably be encouraged anyway)

Presumably taking this approach, we'll end up with something like this:

Code: Select all

http(s)://www.amazinghighscoresystem.net/submit.cgi?gameID=ABFF122FAB?submission=SAOLDGJOASDGJSOADGJ123123123

Now, problems I see with that are that if you encrypt the submission part you're going to want a way of separating the users name from the score within that encrypted submission string. Perhaps a comma delimited value that gets mangled by some fancy obfuscation and turned in to something "unreadable" - if we dont, then there's nothing to stop:

Code: Select all

http(s)://scoresystem.net/submit.cgi?gameID=ABFF122FAB?name=Player1?submission=SAOLDGJOASD
http(s)://scoresystem.net/submit.cgi?gameID=ABFF122FAB?name=Player2?submission=SAOLDGJOASD
http(s)://scoresystem.net/submit.cgi?gameID=ABFF122FAB?name=Player3?submission=SAOLDGJOASD

Of course if you simply mangle a comma delimited string - then there's probably going to be some identifiable component in the middle of the submission string where it becomes entirely obvious that's the seperator between the users name and the score..

To be honest, I guess there's no problem in putting in a bit of manual work here and simply going "Right, I've generated your key... here's YOUR algorithm and here's an example of code to generate your submissions" - then making sure that the receiving end is able to verify this by making sure that a value contained in the submission string matches some sort of private key....

Yeah.... you're definately barking up the right tree. Relatively primitive implementations of public and private keys with some arbitrary re-ordering of characters in the mangled submission string should prove sufficient enough to deter most people. To be honest, if anyone ever spends the time to sit down and crack the whole bloody thing, I think I'd just laugh and send them an email saying "Bravo"

[n0rtygames]

Bumping because we should probably REALLY do this..

WTB Guinea Pig.

[rfeese]

I think that the basic way to implement the security for this would be to use a Message Authentication Code (MAC).

http://en.wikipedia.org/wiki/Message_au ... ation_code

A MAC would prevent tampering with the parameters, even if they are in plain text. A MAC basically acts as a cryptographic signature. It should be fairly easy to implement. All you need is a shared secret between the server and the game (you could have one for each game registered with the service). Then, an agreed-upon hash algorithm. When a score is POSTed, the MAC would be calculated by combining the payload values with the shared secret and then peforming the hash.

[trap15]

Yes, that's what's already been discussed :3

[mice]

I'll create a github-repo of what I have done for my games (as soon as I get the time for it).
Mine is quite limited in what is being thrown into the board, though.

What columns are actually required in the DB?

• - Id
  - Game
  - Tag/Username
  - Score
  - Difficulty
  - Ship/Character used
  - Num Continues used
  - Time Played
  - Timestamp
  - Platform
  - Game Version
  - Comment
  - Extra

No wonder my QR code images are huuuuge...

[trap15]

That's certainly a bit much; you've probably got a fairly inefficient encoding method too.

Game can be handled with a combination of encryption key and prepended to the code. Aside from that...

Name, Score, Mode, Character, Timestamp

Name takes however many bytes (but since it's ASCII I assume, you can crunch it down to 7 bits per character). Score is probably 4 bytes, mode and character can be stuffed together into 16 bits probably, timestamp could just be 32bit epoch time from 2010 or something.

Assuming a max name length of 16 characters... 14+4+2+4 = 24 bytes. Encrypt, encode in base64, pack into URL. Total "code" length: 96 characters. Assume "submit" URL is something like 'http://daifukkat.su/scoreboard/submit?', followed by the game code (probably 2 base64 digits will work).

Submit URL length: 50
Game code length: 2
Data code length: 96
Total URL length: 148
Smallest QR code settings:
- version 5, L error correction (154 characters)
- version 6, M correction (154 characters)
- version 8, Q error correction (157 characters)
- version 10, H error correction (174 characters)

Error correction levels:
- L = 7% recovery
- M = 15% recovery
- Q = 25% recovery
- H = 30% recovery

The higher the error correction, the less likely the QR code will be corrupt from various reasons (bad camera/lighting, shaky hand, etc.).

[n0rtygames]

For the actual DB itself:

keep:
ID
Game
Username
Score
Character
Timestamp

Things you can drop and why:
Difficulty - you can have a specific table set up for difficulty and use a different key
Game Version - same as above
Num Continues - Counting scores for credit feeding brings eternal shame upon you
Time Played - Local stat only
Platform - Again, not really needed. See Difficulty/Game Version
Comment - No comment
Extra - !

[trap15]

What is this "ID"?

[BPzeBanshee]

Unique keys are Relational Databases 101, "ID" is generally a good name as any for a unique key as a way to index the thing.

[mice]

Unique keys are Relational Databases 101, "ID" is generally a good name as any for a unique key as a way to index the thing.

What is this "ID"?

Yes, the listing I made was the DB entry columns.

Name, Score, Mode, Character, Timestamp

The timestamp is only serverside in my impl, isn't sent.
But yeah, I will need to compress the whole deal quite a bit. It's huge now and it doesn't have the hash sent in it yet...(since I can't bloody use the security package in XNA).

@norty: A different table per game and per version and per difficulty and per platform?
For HR, XSEED and TTS that would be...like...billions of DB tables. And I would need to create them manually for each update?
I thought the idea was for a central site/place for devs to have their hiscores and that it should be kind of generic?
And comments, man I would love to read comments for the scores players get. "My first no miss!!1! I rule!", "F**K this sh*t!".
Extra, in my case, got user agent at the moment.

[trap15]

Maybe I'll put together a prototype of this idea in a few weeks. I've got interesting ideas.

As for ID, no reason to put that in the QR code. Reason I put the timestamp in the upload data is so that it saves when the score was made, not when the score was uploaded.

[mice]

As for ID, no reason to put that in the QR code.

It's usually auto incremented in the DB.

[Kaleb Parham]

Yeah Im down. Only thing is I use Game maker Studio. It has an HTTP type of distribution, but then it'd have to be a web application. I would honestly need help adding it into the game since I've never done anything like that before.