From the author of hacks: "storing encrypted data locally, alongside with the algorithm and the algorithm key/hash is a recipe for security incidents."
Game save editors are nothing new. You don't even need to hack the encryption of the game save: if the app stores the data in plain form in memory, like int goldBalance, a memory scanning and editing tool is enough to change the gold balance. In online gaming this is an almost solved problem: you simply don't trust any local data, and you put all cheaters in the same server to reduce the award of cheating. Things get tough if you want to run offline, as mandated by Microsoft for trial apps.
You should always store purchase history online, as the user expects the purchase to still be valid after moving to another device. Validating the purchase receipts is something the user expects after moving from another device (a user won't want to lose any DLC), and you can do it more frequently. You can make life tougher (e.g. no DLC or DLC expires shortly) if the device is not online, but remember: don't put your business logic or important data in plain text or similar; at least add some obfuscation.
There were more creative approaches to break into apps when .NET and HTML apps were not invented yet and C++ was the king. We used software protection dongles, and the dongle's producer sent a good load of best practices on how to best protect the algorithm inside the dongle, and protect the code in general, like placing traps to hang the disassembler (e.g. add an unused jmp to itself or fake an if statement using cmp but leave one of the branches uncoded). And remember, that's back in the days when you had to know assembly code to break an app. Technologies change but the rule hasn't changed; our app got pirated eventually. There is no silver bullet to protect your code or data from probing, so if your app is attractive enough, yeah, it will be cracked.
Visual C++ MVP
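
The server-side approach described in the post above, as an added example that is not part of the original post: purchase history lives in a server ledger, and the client only holds a short-lived lease that the server re-validates whenever the device is online. The class name, the 24-hour lease length and the token layout are assumptions made for this sketch.

```python
import base64, hashlib, hmac, json, secrets

LEASE_SECONDS = 24 * 3600  # assumed grace period before the client must revalidate

class EntitlementServer:
    """Hypothetical server-side source of truth; the signing key never ships with the app."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # stays on the server only
        self._ledger = set()                 # (user, item) purchase records

    def record_purchase(self, user, item):
        self._ledger.add((user, item))

    def revoke(self, user, item):            # e.g. refund or chargeback
        self._ledger.discard((user, item))

    def _tag(self, body):
        return hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()

    def issue_lease(self, user, item, now):
        """Return an opaque lease token, or None if the ledger has no such purchase."""
        if (user, item) not in self._ledger:
            return None
        claims = {"user": user, "item": item, "exp": now + LEASE_SECONDS}
        body = json.dumps(claims, sort_keys=True).encode()
        return base64.urlsafe_b64encode(body).decode() + "." + self._tag(body).decode()

    def validate(self, token, now):
        """Check a lease presented by a client; nothing inside it is trusted before the MAC passes."""
        try:
            b64, tag = token.split(".")
            body = base64.urlsafe_b64decode(b64)
        except (ValueError, AttributeError):
            return "malformed"
        if not hmac.compare_digest(tag.encode(), self._tag(body)):
            return "bad-signature"           # lease was edited on the device
        claims = json.loads(body)
        if now >= claims["exp"]:
            return "expired"                 # device stayed offline too long
        if (claims["user"], claims["item"]) not in self._ledger:
            return "revoked"                 # ledger wins over any stored lease
        return "ok"
```

Because the HMAC key exists only on the server, a lease whose expiry was edited on the device fails validation at the next online check, and a refunded purchase is rejected even while its lease is still within its lifetime.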