Questions about fighting-game security

Hello, and thanks for reading in advance.

I’m attempting to make a lookalike of Fat Princess (thanks, theRal) and after a few failings with the last few fighting games I’ve made in the area of security, I’ve decided to step my game up a notch and attempt to base as much as I can in server-code with little lenience towards the client.

For context, Fat Princess is a team-based/CTF-styled/class-based fighter where the goal is to rescue your team’s princess from the enemy stronghold and return her to safety. The namesake is derived from the fact the enemy team can feed your princess cake to fatten her and make her harder to carry.

There are only five unique roles one can assume in Fat Princess and only two types of attacks - regular and charged; thus, legitimizing damage values sent from the client shouldn’t be too difficult. I can simply store a table server-side of the maximum possible damage values each class can deal and rectify the value the client sends it if it doesn’t add up.

My questions arise in regards to hit-detection.

I’m using EgoMoose’s Rotated Region3 module for melee-style hitboxes, but how do I ensure the hitboxes the client sends the server are possible/legal? Should I even register hits client-side? On the subject of projectiles, my plan is to construct the actual ‘bullet’ itself server-side and use two primary loops - one to position the shot and another that checks for hits using raycasting. But then comes the issue of the Worker class.


When upgraded, the Worker is able to lob bombs that roll along the ground and explode after a delay. The nature of the bombs demands that they utilize default physics, and thus I naturally assume they be created server-side to avoid the possibility of desync between the client’s visual and the actual bomb created by the server. Am I missing something, or is my only option to simply eat the delay whenever a client tosses a bomb?

Here’s hoping someone has experience in this department to give me a few ideas to work with.


To some extent, you have to trust the client a little. You can do the hit detection on the client side, and send the data to the server… But on the server, you might want to check to make sure that the player’s ping is okay.
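One way to combine the server-side damage table from the question with the ping check suggested in the reply, as an added example that is not code from either poster. It is plain Lua with positions as simple tables; `validateHit`, `ExampleClass`, and all caps, reach, speed and ping numbers are assumptions made for illustration.

```lua
-- Added example. "Worker", "regular" and "charged" come from the thread;
-- every other name and number is a constructed placeholder.
local MAX_DAMAGE = {                      -- server-owned caps: class -> attack
	Worker       = { regular = 10, charged = 25 },
	ExampleClass = { regular = 15, charged = 40 },   -- hypothetical role
}
local MELEE_REACH = 8      -- studs a melee hitbox may extend (assumed)
local MAX_SPEED   = 16     -- studs per second a character may move (assumed)
local MAX_PING    = 0.35   -- seconds; slower clients are not trusted (assumed)

local function distance(a, b)
	local dx, dy, dz = a.x - b.x, a.y - b.y, a.z - b.z
	return math.sqrt(dx * dx + dy * dy + dz * dz)
end

-- report: what the client sent, e.g. { attack = "charged", damage = 25 }
-- state:  what the server itself knows about the attacker and target;
--         class, positions and ping are never taken from the report.
-- Returns true and the damage to apply, or false and a reason.
local function validateHit(report, state)
	local caps = MAX_DAMAGE[state.class]
	local cap = caps and caps[report.attack]
	if not cap then
		return false, "unknown class or attack"
	end
	local dmg = report.damage
	if type(dmg) ~= "number" or dmg ~= dmg or dmg <= 0 then   -- dmg ~= dmg catches NaN
		return false, "bad damage value"
	end
	if state.ping > MAX_PING then
		return false, "ping too high"
	end
	-- Both players may have moved for one ping since the client saw the hit.
	local allowed = MELEE_REACH + 2 * MAX_SPEED * state.ping
	if distance(state.attackerPos, state.targetPos) > allowed then
		return false, "target out of reach"
	end
	return true, math.min(dmg, cap)   -- clamp instead of trusting the client
end

-- Constructed sample reports run against constructed server state.
local near = { class = "Worker", ping = 0.08,
	attackerPos = { x = 0, y = 0, z = 0 }, targetPos = { x = 6, y = 0, z = 0 } }
local far = { class = "Worker", ping = 0.08,
	attackerPos = { x = 0, y = 0, z = 0 }, targetPos = { x = 40, y = 0, z = 0 } }
print(validateHit({ attack = "charged", damage = 25 }, near))
print(validateHit({ attack = "regular", damage = 9999 }, near))
print(validateHit({ attack = "regular", damage = 10 }, far))
```

In the game, the server would call `validateHit` from whatever handler receives the client's hit report, passing positions and ping it measured itself.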