I’m probably going to regret this considering that I will have to reprogram my modloader gdmod if those thoughts become reality, if I even find a way to make it work again (even tho I really doubt they will).
The problem:
Code injection. With a little browser extension, you can modify the code after it got loaded by the browser but not by GDevelop which is still loading resources, and with that before the game even started you can assure yourself a permanent access to the current scene. That can be used for good, for example making cool mods or “resource hacks” (Modifying the sprites to customize gameplay experience). But of course that can also lead to cheating.
The solution?
The code cannot be modified before it got loaded by the browser, so we need to protect it while loading at this moment. This can be done by using Object.seal()
on each code namespace, to prevent it to be modified.
Would that protect me completely?
No, there are 2 more ways to get access to the scene that would need to be patched.
-
Global callbacks: they are really tricky as some extensions requires them but they act as “code from outside” themselves. I am not sure how to restrict that, maybe registering them in another file that is processed by GDevelop and automatically put into callbacks systems in RuntimeGame? Not sure this would be optimal.
-
Prototype Pollution: if a scene is created and it’s constructor was overridden to expose itself globally, on each scene change we would get access to the current scene. We would need to Object.seal again for every class in the GDJS namespace
If I did all of that, would I be safe?
Not really. It is so difficult to actually do all of this, and there will always be someone for figuring a clever hack to get access to the scene, it isn’t really worth it.
Also if you publish the game on mobile or PC, or someone just downloads the games files from the website, all this work was for nothing as they can just modify the files to undo all of that.
Why did you waste your time explaining all of this then?
I got asked several times if avoiding modding or cheating through “magic JavaScript” is possible. I made this post to show that it may be possible but very difficult to actually do and would probably not be worth it anyways.
The actual solutions
-
Accept cheaters and modders
Cheats are not very cool, but look at the bright side, they mean people cared about your game enough to actually spend time and resources on modifying your game for their amusement. And some mods are pretty cool and it can really make your game more attractive and grow the community! -
Use the law system
Have terms of service forbidding modding and cheating and sue people disrespecting that agreement. It will surely discourage anyone to try, and if they do you can maybe get some money from suing them and make sure that person won’t do it again.