I’m developing a game with online mode, but it’s opensource (SourceForge) and anyone can download the code, hack any checks and play against the official server with a hacked client.
I’ve been thinking about EXE file md5 checking, but anyone can calculate the genuine md5sum and send it to the server, bypassing that runtime check.
Is there any method to assure that the client is not modified? I know I must use server side checks because everything can be hacked. Other option is not committing some little part of the code and release EXE files compiled only in my computer, having all the files, but that goes against SourceForge rules I think.
As you stated, you need to check everything on the server.
Regardless of whether you release source code (remember Reflector!), you must never trust the client for anything (including its own integrity).
Note, however, that (ideally) you don’t need to make cheating impossible; you just need to make it harder to accomplish a task by cheating than it is to accomplish that task legitimately.
Rational people will not cheat to accomplish something if they can do it more easily without cheating.
However, some people will cheat for the challenge of the hack, even if it’s harder than doing it normally.