| « Actionscript Basics... | Flash: another nast... » |
Flash+PHP, secure high-scores
Nov 22nd, 2006
I've been doing a couple of flash games these days, and there is always that request of having to add a high-score system on the background. Sounds simple to do, but you will get the high-scores hacked very easily if you don't do it carefully. This is the research I've done by now:
The first thing we need to know is that Flash+PHP is totally insecure, you got a program on your client requesting server information. You can always use a program like live http headers in between to check what is the flash asking to the server. Another problem is that you can decompile the .swf with a program like Sothink SWF Decompiler to check out the code and have more information. However I found out this encrypter which by now is doing the job very well.
Long time ago I did another game and my approach on that time was loading a game_loader.php (instead of the .swf itself), and then checking the referer on that .php. If the referer wasn't the one I was expecting, then the .php wasn't giving back the .swf. I thought It was a great idea, but after finding out about cURL it doesn't look any good as you can fake the referers with it.
So the next idea was to try hacking one of the famous games out there to see how do they do it. If you ask me about famous games out there, my first answer will be probably Orisinal. Orisinal have been famous for their cute games, and in the background also have been famous for having non-hacked high-scores list. So that's where I went. So yesterday I spent a couple of hours trying to hack the bugs game. That's as far as I got... to request the table of highscores you only have to access to this link. And then, if you want to submit your score you need to acces to this link. The problem was that the las link wasn't really working as expected. One guess maybe that he could have a code that if there is some IP trying to access to link and without having all the information correctly (like for example seding the Host), then the system adds the IP to a ban-list and from there you can't go anywhere (otherwise I've no idea why isn't working, feel free to push all this further, but keep it serious, please).
After my unsuccesful attemp to hack Orisinal then I moved to the Yeti game. I checked the code long time ago and seemed quite easy to hack, but checking the code this time, I've found that many things to take care of that I just didn't have time to spend that time. So I forgot about it.
So. I guess, a combination of encrypting the .SWF, using a PHP to give back the .SWF in case you're asking for it from the correct URL, then adding a security code on each action, and as the last thing adding a ban list for IPs trying to do weird stuff will do by now. Also, in this case I've a username/password system, so the game only submits the scores if the user is logged. But to be honest I don't think that helps at all.
And that's kind of it, if you have any experience with it, or any suggestion, you know that I want to hear it!! ;)
(More details about hacking Flash Games Scores here)
#permalink
Share:
Digg! ~ del.icio.us ~ Stumble ~ Furl ~ Reddit
The first thing we need to know is that Flash+PHP is totally insecure, you got a program on your client requesting server information. You can always use a program like live http headers in between to check what is the flash asking to the server. Another problem is that you can decompile the .swf with a program like Sothink SWF Decompiler to check out the code and have more information. However I found out this encrypter which by now is doing the job very well.
Long time ago I did another game and my approach on that time was loading a game_loader.php (instead of the .swf itself), and then checking the referer on that .php. If the referer wasn't the one I was expecting, then the .php wasn't giving back the .swf. I thought It was a great idea, but after finding out about cURL it doesn't look any good as you can fake the referers with it.
So the next idea was to try hacking one of the famous games out there to see how do they do it. If you ask me about famous games out there, my first answer will be probably Orisinal. Orisinal have been famous for their cute games, and in the background also have been famous for having non-hacked high-scores list. So that's where I went. So yesterday I spent a couple of hours trying to hack the bugs game. That's as far as I got... to request the table of highscores you only have to access to this link. And then, if you want to submit your score you need to acces to this link. The problem was that the las link wasn't really working as expected. One guess maybe that he could have a code that if there is some IP trying to access to link and without having all the information correctly (like for example seding the Host), then the system adds the IP to a ban-list and from there you can't go anywhere (otherwise I've no idea why isn't working, feel free to push all this further, but keep it serious, please).
After my unsuccesful attemp to hack Orisinal then I moved to the Yeti game. I checked the code long time ago and seemed quite easy to hack, but checking the code this time, I've found that many things to take care of that I just didn't have time to spend that time. So I forgot about it.
So. I guess, a combination of encrypting the .SWF, using a PHP to give back the .SWF in case you're asking for it from the correct URL, then adding a security code on each action, and as the last thing adding a ban list for IPs trying to do weird stuff will do by now. Also, in this case I've a username/password system, so the game only submits the scores if the user is logged. But to be honest I don't think that helps at all.
And that's kind of it, if you have any experience with it, or any suggestion, you know that I want to hear it!! ;)
(More details about hacking Flash Games Scores here)
#permalink
Share:
Digg! ~ del.icio.us ~ Stumble ~ Furl ~ Reddit
Webs / Print / Logos... everything I do will be listed here.
If you're looking for my Actionscript experiments, here you have:
Have you considered using https connections? Maybe it can be a bit overkill but probably that way you can't sniff the contents of the headers which are sent from the browser to the server, since the communications are encrypted.
Again it looks a bit overkill to me, since you still can decrypt the swf file so this should be just an extra security layer for the paranoids out there :)