Feature Spotlight: Data Encryption (AW)
When creating games for the Starcraft 2 Arcade, developers are unable to save information to a server.
If you want to record information, that information is stored locally on a player’s machine in files called “banks”.
Any player can easily navigate to their bank file, read it, and edit it. On Windows, it’s as simple as going to Documents/Starcraft II/Accounts/YourAccount#/YourRegionID#/Banks/
Not every game records to a bank file, but those that do end up here.
99.9% of games on the Starcraft 2 arcade store data in an insecure format.
For the most part, just as many games don’t need security: if a developer only needs to save player preferences, it’s unnecessary to secure the bank file. After all, why would a player change their preferences in the bank file as opposed to just changing them in game? And if they did, it wouldn’t affect anything important.
But if they save something important that the user shouldn’t edit, like statistics, character experience, progression, etc., they’ll need security.
There are a few common ways developers attempt to secure their bank files.
Most security features though, like those mentioned in the secure contact captcha comments, can be the target of bad actors. The more a specific feature is used, the more likely it is that malicious actors will develop a crack for it.
And just like Google reCaptcha, most developers on the arcade opt to use the same basic and already cracked security features that other developers commonly use, rather than making their own.
Some developers write their own security features, or combine their own with the common ones used in the arcade. In the example below, a developer took some unusual security measures.
One strength of this approach is that I have no idea which game I played that stored this bank file. The bank file name is gibberish, the sections are gibberish, and the keys are gibberish.
Of course, if I only play one game, and it’s this one, and I wanted to hack it, I’d know this was the bank file for that one game.
I find it strange though that the developer chose to obfuscate the wrong thing. They chose to obfuscate the section and key names, but not the values. As you’ll see in my example of Ant War encryption below, the key names don’t really matter. It’s the values that most need obfuscation.
The key names could be anything. Here we see they’re a random assortment of lowercase Ls and capital Is. Perhaps the developer’s text editor can’t distinguish the two, but Visual Studio Code certainly can.
The fact that the values are not obfuscated allows us to draw some pretty important conclusions fairly quickly. The 1s and 0s are likely to be boolean values, and my guess would be that each is True or False for whether X perk or cosmetic skin is unlocked. 0 is likely to be False. So all I would need to do is apply one of the known digital signature hacks to this file and save it with all those values set to 1 (True) to unlock all the goodies, regardless of not knowing which ones the keys refer to.
The only one that gives me pause is the key that has the value of GkPR-91jj-nKsf-dcdY. I don’t know what that is, but if I had to guess, the developer used two digital signatures and this is the second. Both likely have an easy hack available.
Ant War Encryption
Finally let’s talk about what I did with Ant War.
I secured Ant War’s primary bank file with obfuscation on many levels. I wanted to protect the integrity of the player statistics I record, their achievements, and the access to cosmetic skins players have.
First, the key names may or may not relate to what the values are actually about. Hint: They don’t relate.
This demonstrates key names don’t matter. Rather than lllIlIIIIllllIllIllI, naming a key doghouse is just as effective. What is lllIlIIIIllllIllIllI? What is doghouse? Both cause confusion and are unrelated to the value saved. In my case, I chose names which are red herrings. I named something UNIT that might refer to Maps, and something MAPS that might refer to Units. Or maybe it actually refers to what it sounds like it refers to? Best to keep ’em guessing.
Second, the values themselves are obfuscated. Aside from combining multiple values into one long string, most of the data is never saved as it really is. For example, if a player killed 121 enemy queens, instead of saving that number as “0 121 0 0” in a list of values that could easily be seen and compared to known stats in game, I did things like split that 121 into two numbers 61 and 60, convert those to letters like xa and xb, and then store them separately in strings like “ab xa ub ks be xb lo gn ma”. Then when loading the file in game, I would interpret the letters and combine the numbers to form a Queens Killed count.
These are just examples and I’m not detailing the actual means of obfuscation. They’re approximations.
Third, the means of obfuscation aren’t consistently applied. Some values are saved one way, others another way. If one value string is figured out, other sections of the bank are still unsolved. This is one of the reasons why you see numbers and letters used in various formats in the example above.
Finally the bank has a custom digital signature that is completely hidden inside of the bank values. Instead of advertising the signature at the bottom of the bank or saving it as a random string of characters, the signature itself is obfuscated and designed to appear as just another obfuscated string of saved values. The digital signature pulls from various information in the game and about the player, and is unique to each player using techniques not commonly known. It does a bunch of math and generates a checksum that is saved and then checked when the game is loaded.
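The split-and-scatter encoding and the hidden per-player checksum described above, sketched in Python as an added example. It is not Ant War’s code or its actual scheme: the slot positions, the base-26 token encoding, the MAP_SECRET constant, the player handles and the use of HMAC-SHA256 for the checksum are all assumptions made for illustration.

```python
import hashlib
import hmac
import random

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
MAP_SECRET = b"constructed-demo-secret"   # assumption: constant embedded in the map script
SHARE_SLOTS = (3, 9)                      # assumption: where the two real shares sit
TAG_SLOTS = (1, 5, 6, 10)                 # assumption: where the checksum tokens sit
TOKEN_COUNT = 12

def to_token(n):
    """Encode 0..675 as two lowercase letters (base 26)."""
    return ALPHABET[n // 26] + ALPHABET[n % 26]

def from_token(tok):
    return ALPHABET.index(tok[0]) * 26 + ALPHABET.index(tok[1])

def tag_tokens(player, shares):
    """Per-player checksum over the shares, rendered to look like ordinary tokens."""
    msg = f"{player}|{shares[0]}|{shares[1]}".encode()
    n = int.from_bytes(hmac.new(MAP_SECRET, msg, hashlib.sha256).digest()[:8], "big")
    return [to_token(n // 676**i % 676) for i in range(len(TAG_SLOTS))]

def save_stat(player, value):
    """Split value into two shares and hide shares and checksum among decoys."""
    if not 0 <= value <= 1350:
        raise ValueError("value does not fit in two tokens")
    shares = ((value + 1) // 2, value // 2)            # 121 -> (61, 60)
    # Decoys carry no secret, so the non-cryptographic RNG is fine here.
    tokens = [to_token(random.randrange(676)) for _ in range(TOKEN_COUNT)]
    for slot, share in zip(SHARE_SLOTS, shares):
        tokens[slot] = to_token(share)
    for slot, tag in zip(TAG_SLOTS, tag_tokens(player, shares)):
        tokens[slot] = tag
    return " ".join(tokens)

def load_stat(player, stored):
    """Return the stat, or None if the string is malformed, edited, or another player's."""
    tokens = stored.split()
    if len(tokens) != TOKEN_COUNT or any(
            len(t) != 2 or t[0] not in ALPHABET or t[1] not in ALPHABET for t in tokens):
        return None
    shares = tuple(from_token(tokens[s]) for s in SHARE_SLOTS)
    found = " ".join(tokens[s] for s in TAG_SLOTS)
    expected = " ".join(tag_tokens(player, shares))
    return sum(shares) if hmac.compare_digest(found, expected) else None
```

Because the secret and the slot layout ship inside the map, a check like this catches hand edits and banks copied from another player, but it is only as strong as the map script is hard to read.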
There are several ways to try to break the encryption for a bank file that is this secure, but the most common ones have been blocked with countermeasures. I know of only one other developer who does something similar (the guy who got me started on this), and he’s advertised to known bank hackers a cash prize if they could break his bank, and so far they never have. I’ve deployed several techniques that go beyond his, which I haven’t shared with anyone. And so I’d like to think that my bank file is invulnerable.
If you’re reading this and love a challenge and happen to break my encryption, please let me know. I’d love to buy you a beer! 😀