How to make a GLOBAL LEADERBOARD system for your game 

Hope you guys enjoyed this slightly different style of video! ALSO Hostinger's amazing Black Friday sale ends December 5, so make sure you check it out before then if you need web hosting! Use coupon code CHERNO to get a bigger discount: hostinger.com/cherno

what made space invaders exciting was the 'heart beat' sound that sped up as the creatures moved faster and faster. plus the smooth left-right only action of the ship made playing the game really straight forward. you just moved left or right and fired. so simple but so effective

This is just a genius video, talking about a complicated topic in a really simple, yet kinda detailed way. Wish Universities would break their stuff down like this before going into detail.

in simple games like this, all logic can be fully deterministic. Game can send to server not total score, but list of actions (move left, move right, shot, etc..). And then simulate all this actions on server side in simplified game version (without rendering, sounds, etc.., just logic steps). But anyway this is not ease for complex games, and overkill for simple games. This only way to make scoreboard 100% real and accurate.

I love these series, keep doing the good work!

What if you have an exception that shows cheated scores only to known cheaters. That would fool them into thinking the cheat is working even though globally that score isn't visible by legitimate players. Another thing you could do is separate the leaderboards into cheated and non-cheated. I think Steam does that where in some games, if you're VAC banned, you can still play multiplayer but the games will generally matchmake you with other VAC banned players and prevent you from playing with legitimate users.

The scriptwriter deserves a bit of a raise here!!

Great video, much more interesting than the first couple minutes suggested! Caught a glimpse of your take on Space Invaders, looks amazing. Wish I could either design or implement such beautiful graphics.

That dream reference😂

Congrats on 500k subscribers!

I like this style of video its more like how Fireship does it, and its great. Saves time and gets to the point.

I think it would be cool to have high scores local to your country/city/whatever. Because for most people looking at world leaderboard they would be like just "meh, I wouldn't compete with world champions anyway, so why bother"

I like this new style of video Cherno. It's really refreshing to see some dev stuff like this as well as your regular game engine series. This is a real nice welcome and hope it turns into a new series in rotation cherno.

Great video as always

In addition to the controls you mentioned, I would personally have the game client request a nonce from the server, and add it to the payload of the POST request. The server then would hash the parameters and confirm integrity, like a CRC. Or, during the game installation process, generate a RSA keypair, and register the public key on the server. Then sign your POST requests client side with the private key, and confirm integrity server side with the known public key.

With a fully authoritative server model, it's really easy to rule out anything that's not within the game's boundaries. The only issue left is how to deal with people faking/automating valid game actions. That part heavily depends on the game's gameplay and is why cheaters/"hackers" are almost a non-issue in MOBA like League of Legends but are rampant in FPS games for example. You can try to validate if actions are humanly possible by validating the actions speed/accuracy/jitter, but if the bot stay within reasonable boundaries then it's not very effective. You can try to monitor/control what's on the player's system, but that's ultimately a fool's errand. Some people often say it's a "cat-and-mice" problem where devs find way to detect X stuff then cheaters switch to Y stuff not detected and so on. But ultimately, the player's computer is an untrusted platform on which you do not have physical control, so there's a wide range of stuff you simply cannot control or monitor. For example, if a cheater's bot is driven by an external system that's just a generic HID device reporting being a keyboard/mouse with some Razer mice hardware ID (which you have absolutely no software way to verify if the external HID device is "actually" a razer mice or just "saying" it is), then there's no actual way to detect or block that from any kind of anti-cheat.

you get my like for the shot at ea😂

TBH, this needed to be liveoverflow collab or something.

In the real world you would want to use an SSO to authenticate and go the extra step to load balance your server traffic before it hits your databases. for the case of explaining the concept this gets the point across. There's no way you your leaderboard doesn't get hacked so you might as well build it as well as you can and see what happens.

Collecting IP is not a good idea at all. IP are often dynamic and change ever day/week. Also because there is not enough IPv4, some ISP share one IP between multiple clients.

Hey Cherno, thanks for the video. Could we discuss vcpkg (the dep manager from windows) in the C++ chanel please?

I had ida open while he was talking about that "1 guy" 😅

Can you please make a technical series for creating a steam game?

The post data should include the RNG seeds and a doom demo file so anyone can "replay" the game. Trackmania has used this to great effect when catching cheats.

now I want to see CodeBullet attempt at cheating in Cherno's games

It's a very informative video. Like. Thanks for this information.

Love the joke about EA / Microtransactions. 🤣

Hello The Cherno, I want to build a system that receives sensory video, processes them frame by frame, stores those frames in selected areas, while sending the sensory video to the screen. I just started learning C++, and don't know what areas are most important for this kind of project.

"making cheating as hard as possible" GTA Online devs: i sleep

The cherno: or, OR, we can get Tim to do it

You could have used the three way handshake to catch cheating. Example: I want to submit my score. I click submit. The server lands me an ephemeral key. It encrypts and sends the results. Once the packet arrives the key decays. To verify the integrity the server re-computes the checksum(hash)

Space invaders didn’t have a leader board. Just a high score.

You missed out on the guy who would use the api and post his own score.. You should use encryption like RSA, i think, to get over it. Another thing is to make the score itself like a key, like the score shouldn't be a prime, or it should be divided by 6 but not 5, etc.. You could ban anyone using cheat engine, or at least warn them. There are more ways if you think about it. Hope this helps.

hey man can you please do a video on C++ Funtors and its use case, thanks in advance.

And yet this video is barely scratching the surface. Protecting your software from exploitation is an incredibly hard task that some may even deem impossible. It's ultimately a cat and mouse game and the security of your software/app structure is dependent on how much time you are willing to spend researching ways to make it harder for curious individuals to break your game apart. Some things that devs, tackling the problems and topics discussed in this video, can do are: encryption of strings ( plenty of sources available out there ), simple obfuscation and control flow manipulation ( this one is a bit harder to pull off but there are a few papers that can definitely nudge you in the right direction ), debugger detection, common reverse engineering tools detection. Lastly I'd like to say a few words from the point of view of a person that deals with breaking software on a daily basis: It's not so much about trying to be malicious or being a bad actor for the sake of it, it's more about exploring what's possible within the constraints set by anti-cheat / anti-tamper measures. I as well as so many other people find great enjoyment in exploring the intricate systems that make everything work, and of course eventually trying to modify them in a way that achieves a particular goal set by the "bad actor".

4:30 We were joking about Hostinger throwing free servers at Yan with Peter. Turns out it's absolutely true. Also I think Peter needs one, just saying.

10:28 ahem ahem 😂

Game tip #1: Humans like rising numbers *Except for golf, for some reason*

Idea for reverse engineering protection (it came to me when i was reverse engineering): just don't call function addNewScore() immediately. Put it in some queue that will wait for 1-3 seconds and only then call the function.

firing 5 bullets and a score of 100++ IS possible, never watched star wars ? one random shot, 10 troopers down

How about capturing all inputs and then "simulating" the game on the server, and calculating the score from that? You can still do computer assisted runs or whatever, but at that point, I'd say they deserve the highscore.

In theory, couldn't someone use machine learning to recognize what a high score game looks like. Then compare that to the new high score and determine if its sketchy or not and send for manual evaluation?

Nice👍.

$2b in quarters weighs 100 million pounds

2:00 😂😂😂😂😂😂😂😂😂😂😂😂

2:30-2:40 this actually doesn't work anymore due to the catastrophic (?) way in which society relates with itself nowadays I bet that most people who see leaderboards get instantly discouraged by the global leader who does nothing but play the game, and who they don't even know because it's not a small local arcade. Sad...

whhaahaha loved every second

I don't like the idea that the creators of the game are the only ones able to host the server portion, it would be better if the solution was a p2p network... so even if the initial devs abandon the project the community is less likely to follow.

Lol, the webdev comment hit home. I don't like it as well. I rather do anything else.

I think this is a good argument for not having global leaderboards or tracking high scores at all.

I expected something about ranking algorithms... I'm disappointed.

It kinda sounds like ur challenging people to find a way to cheat here.

Get to the topic. WTF

Ah yes, I'm the cheater here xD

Ease up on the f-stop. Less is more.

"We can't really stop cheating" --> WRONG!! THINK about the game code, and, data you're sending to the Leaderboard server. You need to continually validate the score in-game AND at upload time...obviously...but you need to use some of that non-internet critical thinking that was an absolute must in the past. You need unique, dynamic(!!) validation (including positional) included in that uploaded data, and, ffs, everything strongly encrypted - WireShark, CheatEngine etc shouldn't even feature in any discussion. I am stunned cheating is STILL an issue.