Secure High Score List
I'm trying to figure out a method for securing a high score list in Flash, but I can't think of anything.
Assuming an attacker can decompile your application and just watch headers, I can't think of a method that would stop them from reversing any type of protection.
If all you do is call highscores.php?new=1276, an attacker can just swap out numbers.
If you try to write encryption, an attacker could just grab the prog and force a value through.
I'm not looking for specific code/ActionScript knowledge, just a general idea.
Thanks
I'll think about it in school today and post my ideas if I get any ^^
Here are two links that you might find interesting. Also, remember that flash game scores can be modified by using for example Cheat Engine or other RAM editors :|
http://www.informit.com/articles/article.aspx?p=377318&seqNum=3 http://ricardocabello.com/?postid=286
If the score is short enough, you can't find it with a memory editor. I've tried :P And if you edit all findings it will certainly crash your browser. So if you make a game with short highscore numbers (like max 5 numbers) that one is ruled out.
I've been thinking about the same thing for my javascript games, but the visitors on my site don't have the skill to spoof the highscores if I just put all the javascript on one line so it's not so much of a problem :D
Usually it's best to just think of ways to make it more difficult to spoof. Like make the game save some variables (that affect the score) during the game and then build a hash from them and the server checks it. That would already make it pretty difficult to spoof. Just make it as obscure as possible.
EDIT: Also using variables and functions that have no name that represents their actions makes it more difficult to read the code and find where the score changes.
EDIT2: AND now that I remember it you should also make it so that if someone tries something obvious to spoof the scores (you could make a honey pot kind of thing) it bans that IP automatically. At least from making highscore entries. After all, hacking the scores will require some experimenting and if you get banned for mistakes you have to either get a new (web)proxy every time or give up. This was mentioned in that uber0n's second link too.
Yeah, I suppose between short high score numbers, honey pots and encrypting the .swf as best as you can it would be fairly difficult to reverse. Not impossible though.
This is driving me crazy however. I'm trying to think of something that could solve this problem. Maybe Macromedia will release something in future versions of Flash that can do a better job hashing it or something. Not quite sure, but they should be able to make a secure tool for this.
And just with lots of random variables, functions with names that are numbers, and lots of crazy math that doesn't really do anything, I'm pretty confident in my code right now. At least enough to put it on the internet.
And I doubt I'm going to be attracting hackers anyways, it's just interesting to think about.
One way I know of (have never done it personally) is:
Have your flash send scores to a checking page that would keep track of your score… So if someone was playing a game where they got 1 point per block they destroyed, and suddenly, they got 10000 points for destroying 1 block, the checking page would know they cheated.
Feralas wrote: One way I know of (have never done it personally) is:
Have your flash send scores to a checking page that would keep track of your score… So if someone was playing a game where they got 1 point per block they destroyed, and suddenly, they got 10000 points for destroying 1 block, the checking page would know they cheated.
That would require secure sessions and cause a lot of traffic ^^
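An added example, not part of any post in this thread: a sketch of the "checking page" idea with the per-game session the last reply mentions, where the server counts the score itself and treats the client's number only as a tamper signal. The class name `ScoreChecker`, the 1-point-per-block rule and the 5-events-per-second cap are assumptions made for the sketch.

```javascript
const crypto = require('crypto');
// Assumed rules for this sketch: 1 point per destroyed block, and no more
// than 5 blocks per second is possible in the game.
const POINTS_PER_BLOCK = 1;
const MAX_EVENTS_PER_SEC = 5;

class ScoreChecker { // hypothetical name, stands in for the "checking page"
  constructor() { this.sessions = new Map(); }

  // Game start: hand the client an unguessable id that ties events to one game.
  start() {
    const id = crypto.randomBytes(16).toString('hex');
    this.sessions.set(id, { score: 0, recent: [], flagged: false });
    return id;
  }

  // The client reports one destroyed block and the points it claims for it.
  // The server adds its own value; the claim is only used to spot tampering.
  report(id, claimedPoints, nowMs) {
    const s = this.sessions.get(id);
    if (!s || s.flagged) return false;
    s.recent = s.recent.filter(t => nowMs - t < 1000);
    if (claimedPoints !== POINTS_PER_BLOCK || s.recent.length >= MAX_EVENTS_PER_SEC) {
      s.flagged = true; // implausible jump or rate: refuse this game
      return false;
    }
    s.recent.push(nowMs);
    s.score += POINTS_PER_BLOCK;
    return true;
  }

  // Game over: the stored score is the server's own count, and the session
  // is deleted so the same id cannot be submitted twice.
  finish(id) {
    const s = this.sessions.get(id);
    this.sessions.delete(id);
    return s && !s.flagged ? s.score : null;
  }
}

// Constructed demo: an honest game, then one claiming 10000 points for a block.
function demo() {
  const c = new ScoreChecker();
  const honest = c.start();
  [0, 500, 1000].forEach(t => c.report(honest, 1, t));
  const cheat = c.start();
  c.report(cheat, 1, 0);
  c.report(cheat, 10000, 500);
  return { honest: c.finish(honest), cheat: c.finish(cheat) };
}
```

The traffic cost raised in the last reply is one small request per scoring event; batching several events per request keeps the same checks with fewer round trips.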