Anti cheat thoughts

I’m probably going to regret this considering that I will have to reprogram my modloader gdmod if those thoughts become reality, if I even find a way to make it work again (even tho I really doubt they will).

The problem:

Code injection. With a little browser extension, you can modify the code after it got loaded by the browser but not by GDevelop which is still loading resources, and with that before the game even started you can assure yourself a permanent access to the current scene. That can be used for good, for example making cool mods or “resource hacks” (Modifying the sprites to customize gameplay experience). But of course that can also lead to cheating.

The solution?

The code cannot be modified before it got loaded by the browser, so we need to protect it while loading at this moment. This can be done by using Object.seal() on each code namespace, to prevent it to be modified.

Would that protect me completely?

No, there are 2 more ways to get access to the scene that would need to be patched.

  1. Global callbacks: they are really tricky as some extensions requires them but they act as “code from outside” themselves. I am not sure how to restrict that, maybe registering them in another file that is processed by GDevelop and automatically put into callbacks systems in RuntimeGame? Not sure this would be optimal.

  2. Prototype Pollution: if a scene is created and it’s constructor was overridden to expose itself globally, on each scene change we would get access to the current scene. We would need to Object.seal again for every class in the GDJS namespace

If I did all of that, would I be safe?

Not really. It is so difficult to actually do all of this, and there will always be someone for figuring a clever hack to get access to the scene, it isn’t really worth it.
Also if you publish the game on mobile or PC, or someone just downloads the games files from the website, all this work was for nothing as they can just modify the files to undo all of that.

Why did you waste your time explaining all of this then?

I got asked several times if avoiding modding or cheating through “magic JavaScript” is possible. I made this post to show that it may be possible but very difficult to actually do and would probably not be worth it anyways.

The actual solutions

  1. Accept cheaters and modders
    Cheats are not very cool, but look at the bright side, they mean people cared about your game enough to actually spend time and resources on modifying your game for their amusement. And some mods are pretty cool and it can really make your game more attractive and grow the community!

  2. Use the law system
    Have terms of service forbidding modding and cheating and sue people disrespecting that agreement. It will surely discourage anyone to try, and if they do you can maybe get some money from suing them and make sure that person won’t do it again.


As I said you get access to the whole game by doing this. It can lead to cheating because you can do all of that too. For example I have a template mod that can be considered a cheat for my GDMod project, and it uses exactly that to inject mods.

I think this is the point @arthuro555 is trying to make. His GDMod tool allow you to cheat and hack. For example, maybe I have a locked content that can be unlocked if you pay $1 and then if you paid the money then it would trigger an event in the game that change the value of a variable to unlock the content for you. With GDMod you can change the value of this variable and unlock the content without paying that $1.
An other example is the most common, let’s say you have a leader board and you can unlock the content if you make it in to the top 3. With GDMod you can set your score to 999999999 and job done, you score 1st and you can unlock the content.
Finally, If you distribute your game on Steam, you can even hack it so it does not require Steam to launch and job done there you have a pirated copy. So if this is not cheating and hacking I don’t know what it is.

I think some people expressed their concerns about this when @arthuro555 released the “mod/hack tool” and so he posted about the problem here which is a real problem with any HTML5 content even without this mod/hack tool of his.