Join us on Slack!
The important thing is not to stop questioning. - Albert Einstein
Thursday, October 24, 2019
Navigation
Home
 Find:
 Information:
Learn
Communicate
Submit
Shop
Challenges
 Exploit:
 Programming:
 Think:
 Track:
 Patch:
 Other:
 Need Help?
Other
Members Online
Total Online: 56
Guests Online: 52
Members Online: 4

Registered Members: 119260
Newest Member: humanremainstransfer
Latest Articles
View Thread

HellBound Hackers | Computer General | Programming

Author

Secure High Score List


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 25-02-08 04:17
I'm trying to figure out a method for securing a high score list in Flash, but i can't think of anything.

Assuming an attacker can decompile your application and just watch headers, i cant think of a method that would stop them from reversing any type of protection.

if all you do is call highscores.php?new=1276, an attacker can just swap out numbers.

if you try to write encryption, an attacker could just grab the prog and force a value through.

im not looking for specific code/actionscript knowledge, just general idea.

thanks


Author

RE: Secure High Score List

Uber0n
Member



Posts: 1963
Location: Sweden‭‮
Joined: 13.06.06
Rank:
Hacker Level 3
Posted on 25-02-08 06:45
I'll think about it in school today and post my ideas if I get any ^^

Here are two links that you might find interesting. Also, remember that flash game scores can be modified by using for example Cheat Engine or other RAM editors Frown

http://www.inform. . .8&seqNum=3
http://ricardocab. . .postid=286


img230.imageshack.us/img230/724/uber0nsig3hj6.gif
http://uber0n.web. . .
Nope http://uber0n.webs.com/
Author

RE: Secure High Score List

Mouzi
Member



Posts: 144
Location: Finland
Joined: 08.08.06
Rank:
Newbie
Posted on 25-02-08 08:20
If the score is short enough, you can't find it with memory editor. I've tried :P And if you edit all findings it will certainly crash your browser. So if you make a game with short highscore numbers (like max 5 numbers) that one is ruled out.

I've been thinking about the same thing for my javascript games, but the visitors on my site don't have the skill to spoof the highscores if I just put all the javascript on one line so it's not so much of a problem :D

Usually it's best to just think of ways to make it more difficult to spoof. Like make the game save some variables (that affect the score) during the game and then build a hash from then and the server checks it. That would already make it pretty difficult to spoof. Just make it as obscure as possible.

EDIT: Also using variables and functions that have no name that represents their actions makes it more difficult to read the code and find where the score changes.

EDIT2: AND now that I remember it you should also make it so that if someone tries something obvious to spoof the scores (you could make a honey pot kind of thing) it bans that IP automatically. At least from making highscore entries. After all, hacking the scores will require some experimenting and if you get banned for mistakes you have to either get a new (web)proxy every time or give up. This was mentioned in that uber0n's second link too.


izuom.net/sig.gif
Steganographs

Edited by Mouzi on 25-02-08 09:40
You would try to hack it anyways.
Author

RE: Secure High Score List


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 03-03-08 06:24
Yeah i suppose between short high score numbers, honey pots and encrypting the .swf as best as you can it would be fairly difficult to reverse. not impossible tho.

this is driving me crazy however. im trying to think of something that could solve this problem. maybe Macromedia will release something in future versions of Flash that can do a better job hashing it or something. not quite sure, but they should be able to make a secure tool for this.

and just with lots of random variables, functions with names that are numbers, and lots of crazy math that doesnt really do anything, im pretty confident in my code right now. at least enough to put it on the internet.

and i doubt im going to be attracting hackers anyways, its just interesting to think about.


Author

RE: Secure High Score List


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 03-03-08 07:25
One way I know of (have never done it personally) is:

Have your flash send scores to a checking page that would keep track of your score...
So if someone was playing a game where they got 1 point per block they destroyed, and suddenly, they got 10000 points for destroying 1 block, the checking page would know they cheated.


Author

RE: Secure High Score List

yours31f
Member



Posts: 1678
Location: Dallas Texas
Joined: 27.04.07
Rank:
Uber Elite
Posted on 03-03-08 19:59
or check the max score on each level and make it check what level they finished.

if (score > level_max){

they cheated;

}


Debugging is what programmers do to beta software to make it take up more room on your hard drive if it is running too efficiently.


img259.imageshack.us/img259/3713/sigr.png
yours31f@live.com yours31f@yahoo.com
Author

RE: Secure High Score List

Uber0n
Member



Posts: 1963
Location: Sweden‭‮
Joined: 13.06.06
Rank:
Hacker Level 3
Posted on 03-03-08 20:17
Feralas wrote:
One way I know of (have never done it personally) is:

Have your flash send scores to a checking page that would keep track of your score...
So if someone was playing a game where they got 1 point per block they destroyed, and suddenly, they got 10000 points for destroying 1 block, the checking page would know they cheated.


That would require secure sessions and cause a lot of traffic ^^


img230.imageshack.us/img230/724/uber0nsig3hj6.gif
http://uber0n.web. . .
Nope http://uber0n.webs.com/
Author

RE: Secure High Score List

yours31f
Member



Posts: 1678
Location: Dallas Texas
Joined: 27.04.07
Rank:
Uber Elite
Posted on 03-03-08 20:20
i like mine but



Just realize that someone will always find a way through it. -- me.


Debugging is what programmers do to beta software to make it take up more room on your hard drive if it is running too efficiently.


img259.imageshack.us/img259/3713/sigr.png
yours31f@live.com yours31f@yahoo.com
Author

RE: Secure High Score List

Uber0n
Member



Posts: 1963
Location: Sweden‭‮
Joined: 13.06.06
Rank:
Hacker Level 3
Posted on 03-03-08 20:35
yours31f wrote:
i like mine but



Just realize that someone will always find a way through it. -- me.


I was just commenting. Please stop spamming the forums btw.


img230.imageshack.us/img230/724/uber0nsig3hj6.gif
http://uber0n.web. . .
Nope http://uber0n.webs.com/
Author

RE: Secure High Score List

yours31f
Member



Posts: 1678
Location: Dallas Texas
Joined: 27.04.07
Rank:
Uber Elite
Posted on 03-03-08 20:39
done. bye.


Debugging is what programmers do to beta software to make it take up more room on your hard drive if it is running too efficiently.


img259.imageshack.us/img259/3713/sigr.png
yours31f@live.com yours31f@yahoo.com