Make it harder to hack twine games

Ah. Well, as everybody keeps saying, there’s nothing that TheMadExile knows that a clever player can’t figure out. (Sugarcube is open source code… you can just read the whole thing.)

It’s just a different kind of puzzle.

That’d actually be kind of cool if it were done on purpose, like one of those AR games, like in Metal Gear Solid 1 where you had to use the codex on the back of the game case, or basically all of Doki Doki Literature Club.

Anything that runs purely client-side can be hacked and reverse engineered – it’s just a question of time and motivation. Some design choices can make this more difficult – using a JavaScript-based language is not one of those choices – but ultimately this applies to anything.

The only way to make something entirely secure is to have a server-based component that they can’t hack – and even then, if the requests to the server can be easily hacked out or emulated without compromising the game behaviour, then it’s still insecure – witness the number of MMOs that have had third party “private servers” created. But you don’t want to be going down this road for an IF game anyway.

A certain amount of obfuscation may be worth it, but ultimately if they’re stuck enough on your puzzle that they don’t think they can continue without hacking it, and yet engaged enough with your story that they want to try, then it’s probably better to not put too many roadblocks in their way. Otherwise, write better puzzles. :wink: (And to some people, hacking the puzzles can be more fun than solving them normally anyway.)

I think this thread has gotten so long precisely because hacking is such a fun puzzle. Thinking of novel ideas for hacks is fun, and thinking about anti-hack defenses is also fun. (At least for the kind of person who enjoys solving puzzles.)

And maybe that’s the real answer to my “why prevent cheating” question: perhaps it would be fun for you, the author, to try to make a game that makes cheating as hard as you possibly can.

If that’s fun for you, you’d want to start by learning about information security and anti-piracy measures, learning existing traditional attacks, and brainstorming and implementing as many defenses as you can. (Along the way, you’ll probably learn enough about information security that you could get paid to do it as a job!)

As @Greyelf pointed out, the attacker could just make a pirated copy of your game that doesn’t require a vault password. (It was a common anti-piracy technique in the 1990s to have the game start with a randomized password, based on a password list or decoder wheel in the game’s manual.) To prevent “hacking” your game, you’d not only need to prevent players from analyzing your game, but you’d also have to prevent players from cloning your game and changing their copy.

Good luck! :four_leaf_clover: :pirate_flag:

Also, I’m surprised nobody’s mentioned this one yet: if you’re trying to prevent cheating, how on earth are you going to prevent players from posting a walkthrough online that spoils the game?

If the vault password is some fixed number, people can just post the password. A Google search is even easier than viewing the source.

(If the vault password is randomized, the walkthrough can give step-by-step instructions for generating the password.)

I really enjoyed Ryan Veeder’s Crocodracula: The Beginning, which has a guide on how to “crack” the game which is actually one of its central puzzles.

Hard Puzzle 4 includes required ‘hacking’/decompiling too, and I’m sure that’s at least partially a reference to how I decompiled the first and third games to solve them.


My vault password is generated on game init; everyone has a unique password, and there’ll be a clue for this password in the middle of the game.

Everyone has their own views about their game. Yes, some authors let the player go wild with the game, but unfortunately I’m not that kind of person.

I’m making the game with a lot of effort, and I want the players to do their best to beat the game, but not by sneaking inside my code and bypassing my work. Yes, some players will bypass it with ease, depending on their skill at programming or a little hacking stuff; it’ll happen and I can’t prevent it, but I can make it harder, yes? LOL

Yes, most popular authors make their game as it is; they let players do all they want, but I’m not that kind of author. Is this a sin? I proudly hold this sin with all my heart.

Sorry if my English sucks, it’s not my mother tongue.

The counter argument we’re proposing is that by preventing the players from checking your code for the answer, they will be bypassing your work. They’ll be passing right by everything from that point in the game and moving directly onto whatever other game they have in their backlog. Basically all of your work after the puzzle will be for nothing because you’ve blocked them from seeing it.

Players have short attention spans these days, myself included. I put about 15 minutes into a puzzle before looking for the answer. If the answer is not easily found, I drop the game (unless I’m seriously invested in it). I just don’t have the time or ability to care anymore, and there are new games released every minute, it seems. It’s not like the olden days where I was starved for games so I could invest time in being stuck on a puzzle.


Maybe I’m misunderstanding you (or you’re misunderstanding me), but it seems to me that you want to prevent cheating but you don’t know why.

I think that if you search your heart, you’ll find that this isn’t truly what your heart desires.

In particular, you didn’t say: “I think it will be fun to learn about hacking and add anti-hacking measures to my game.” Since you’re the only person who would benefit from preventing cheats, if you’re not enjoying the process, then no one is.

I do think it’s a “sin” to spend your precious time on this earth doing work that benefits no one, not even yourself. (It’s a “venial sin,” which does not result in the damnation of the soul.) :wink:

At the very least, think hard about how much time and work you want to invest in preventing cheating, and how you will feel when someone cheats anyway. Will you spend a day on this? One day is certainly not enough. A week? A month? Years? You could spend the rest of your life on this, and never succeed.

Every minute you spend failing to prevent cheating is a minute that would be better spent improving your game, or working on your next one.


People seem to have strong opinions about why this is a bad or good idea. I’d say that it depends very much on context. Yes, if the puzzle can be solved at all, then somebody can publish a walkthrough. But suppose the game is part of a competition where the first person to reach the end gets a big cash prize? In that case, if it’s too easy to cheat, that would discourage people from spending time on an honest attempt.

But the original question was: “Is there any way to prevent someone [from seeing] secrets within our games?”

Poppycock! Here, let me show you how to do it.


That’s what was suggested earlier, though you are using SHA-2, not MD5.
It still won’t solve the original question about someone seeing the source code.

On the other hand, nice example for caberg of how it can be done.

I’m on my phone and can’t see the source, so I’m just guessing at what’s happening… but if you can see the code on how it’s generated, can’t you also execute code to return the value? Not only can you view the code in browsers, but you can also run JS from the console.

The code encrypts the entire rest of the game (not much, just a line of JavaScript or so) using the passphrase.

The game says “The puzzle is fair and the answer is obvious once you know it.” That is, uh, non-obvious to me. (I wonder if it is actually a lie.)

To be clear, I have a strong hunch that @lft enjoyed making this, even if the answer turns out to be a long random password, which makes the whole exercise worthwhile.

The password is literally “obvious once you know it”, which I thought was pretty cute. I got it on first try. :+1:


My guess was gonna be ”impossible”, riffing on both the name of their comp game and the fact that the puzzle is “impossible” to hack :slight_smile:

Yeah, I had in my head it might be “again”, based on what the dude says after your first guess is wrong, but got it pretty quick after that. It is indeed a fair though uninteresting puzzle!

Awesome, this will make it harder than before.

Yeah, that’s basically just a variant on what Kristian and I already suggested.

However, care to try again, but do it all within the context of a game written using Twine/SugarCube?

You see, you’re looking at the problem in isolation, not within the context of a Twine game, where a passage could simply be bypassed or the like. There’s a lot more to what needs to be done than just that one thing.

I should also note that if you’re running a local version (which is fairly common) or a non-HTTPS version of the HTML file, then your code won’t work in Safari, Internet Explorer, or the mobile version of Firefox on Android (source).

I cheated! I never solved the puzzle fairly (I agree that it’s a good one), but neither did I hack it. I just read the spoiler here on the forum.


Same here. :slight_smile:

To get back to the subject at hand, I agree with Linus that whether obfuscating or encrypting code to hide puzzle solutions is a good idea depends on the context. I mostly agree that it isn’t worth the effort in most cases, but sometimes it can be appropriate.

In my entry for event 2 of the Ryan Veeder Exposition for Good Interactive Fiction, I hid a safe but not the password for it, the idea being that the code would be found in my game for event 3. Since if I were in the player’s shoes I would probably go source diving, I figured I’d spend 5 minutes to slightly obfuscate that part of the code. In his review Ryan mentioned running into the obfuscated code, so I guess it was worth it. :slight_smile: