tags:

views:

2032

answers:

10
+8  Q: 

Flash games hack, score is 49700?? How to improve flash games security?

I have 2 flash games (written in as3). Both the highscore value being hacked. The normal range of each game score is not more than 5000 (normal users, will only get 2000 - 3000 points). My current method of anti-hacking is:

After finish the game, flash will use post parameters send: username=mike&score=2000&hash=md5(secret . username . score). In php page, I did the check, if the hash != md5(secret . username . score), it will return error, and WONT insert data into database.

I believe this method is not enough, or my flash games would not be hacked. Is there anything I can do to improve my flash games security/anti-hacking??

How do the hackers hack? Using third-party software like, Cheat Engine, Tamper data(firefox ext), tamperIE etc??

Can you list the all the standard hack methods? (by knowing the hack methods/problems, means has solved 50% of the problems, at least I know where the problems are, and do certain pre-caution to that)

Well, my title has "49700" because both games highscore are 49700 (actually alots of this score value inserted into my database, different users thought), so I believe they are using same methods

Thanks

+2  A: 

You're ultimately trying to delay the time it takes for people to hack your system, or make it not worth their while. You could try adding a salt to the hash for a bit of extra complexity. This could be sent as a value to the flash game (add it as a parameter to the flash object in the HTML) and include that in the hash verification code. You could send some kind of session id or random number so it's always different. You could even generate two hashes by different methods and check them both.

Of course, don't discount the possibility that people have found a way to hack the actual game functionality. Or that they're just really good players...

Joe  2009-11-03 09:33:09
+1  A: 

If I wanted to hack your game I could decompile your game and find out the md5 "secret". Note that I put secret in quote marks, as the fact that it is provided in your flash game binary means that it is not actually a secret.

Its probably not possible to make your scores unhackable, all you can hope to do is make it harder.

frankster  2009-11-03 09:52:32
Could you please tell me, what are the ways to make it harder to hacks? =)
flash_antihacker  2009-11-03 10:36:55
Ultimately, this doesn't help the asker. The question here is how to make it more secure. Secure doesn't mean "perfectly safe". If your house is secured by a dead bolt, a security system and a dog, that doesn't mean I can't break your window, shoot your dog and steal your TV before the cops show up. But I'd just assume rob the neighbors because they leave the door open. ;)
blesh  2009-11-05 21:50:26
"How do the hackers hack? Can you list the all the standard hack methods?"I answered some of his questions. Your comment complaining that I don't help the asker doesn't help him or me as you don't answer any of his questions or provide further info about my answer.
frankster  2009-11-06 09:54:37
+8  A: 

It's not really possible to make your score validation secure if it runs entirely on the client side. You have to do at least part of it on the server side for it to be even remotely secure. I see 2 ways of doing this:

  • you send periodic score updates to the server and on the server side you check that the score didn't jump "too much" (to be defined in the context of your game). If it "jumped" you can safely assume the player is hacking.

  • you send the entire game movement sequence (along with any random spawns or whatever ai events) to the server with the score at the end and verify that the score is actually accurate. This will obviously not work for every game, but for some games it can work. You didn't say anything specific about your game so I'll leave this here.

Blindy  2009-11-03 10:03:24
The first bullet doesn't stop a hacker from getting a top score. Your second bullet is a fantastic idea!
Rook  2009-11-05 01:09:21
Yea but it's not applicable to many games, especially shooters or those jumpy games where too much happens. It could work for stuff like tetris or logic games in general.
Blindy  2009-11-05 03:07:41
Why wouldn't it be applicable to shooters or jumpy games? Is there something I'm not aware of that makes it impractical or impossible to keep a running tally of events which cause a score increase? Keep a list of enemies bounced upon, check that the list does not exceed the actual number present in the game? Depending on the individual game mechanics all sorts of things are possible. The space of possibilities in platformers and shooters is more limited than you might think.
Breton  2009-11-24 13:19:37
but there's still a really big number of events that happen in a shooter, especially a key-controlled shooter. you have to not only upload every single event to the server (or you'll lose continuity) but hold it in memory too.
Blindy  2009-11-24 16:31:14
I would think you would only keep the events that affect the score, which in the scheme of things, wouldn't be any more than the number of events that affect the score in a turn based game. I mean, unless you're applying a score to every pixel your character moves, or every single key pressed. In fact, I would estimate the maximum number of possible score increasing events to be about 467, but most of the time it'd be between about 30-40. Of course I could be off by a factor of 10 or 100. ~0.47kB of data is not that much, if you've represented each "event" with a byte.
Breton  2009-11-25 22:32:19
sorry.. 497 and ~0.5kB
Breton  2009-11-25 22:33:45
So what you're saying is for each "score point" received you keep the position and direction of your character and the enemy it hits? Could work for some games, sure.
Blindy  2009-11-25 23:13:15
A: 

As you said depending on what is being done to hack this there are different holes to fix. As you are sending the actual information in your message, and "secret" is contained in the code it becomes a much easier target. Some of the things you could do to improve security

  • Use a different hash function, MD5 has known flaws it is possible to create messages with the same signature without knowing the content, SHA1, SHA2 offer higher security, this will prevent an attack through a weakness of MD5

  • Make the 'secret' unique to each message, ie. send it from the server for each posting, this will prevent people from reusing the same hash over and over again, and make it harder to look at the code and create the hash

  • Hash the result multiple times e.g. value = hash(hash(hash(...,salt),salt),salt) this won't help if people are decompiling your program but it will help if they are just trying to recreate the hash by itself.

  • Look for software to protect your SWF against decompilation, i don't do much flash so I don't have any reliable links for that

Harald Scheirich  2009-11-03 10:35:26
You have no idea what you are taking about. His implementation of a Message Authentication Code (MAC) is immune from the prefixing hash collision attacks that affect md4,md5,sha0,sha1... Multiple uses of a message digest does not improve the secuirty of a MAC. Read "Practical Cryptography" and stop giving people insecure advice, if you don't know, don't answer.
Rook  2009-11-05 01:13:50
+3  A: 

By far the easiest method, and hardest to defeat in Flash is to use CheatEngine to simply search for the memory location that stores the score, then change the value to whatever you want. All the server-submit hashing/salting/verification in the world won't fix that because your game thinks it's valid before it packages it up in a nice valid hash for submission.

You can do 'sanity checks' on the scores if they will always fall within predefined values, but even then a determined hacker could simply suss out what the maximum allowed values is and always submit that value.

You could attempt to obfuscate your score values in memory to make them harder to find with CheatEngine, for example storing them as a multiplied value, then in your getters and setters for the score value, include a multiplication/division of the values to get/set the proper score for your views and score submission widgets. Even this is only a stall tactic though.

Unless bogus scores are costing you money, either don't worry about wasting time on the .01% of people who are cheating, or just moderate your score tables manually.

The key thing to consider in preventing cheating is: 'How much does this really matter?' If you're running some kind of high score based competition with a cash prize, then it's a pretty high priority. If you're just miffed that some random person is messing up your high scores table, it's not worth your time to stop them, just check it once a week and drop the bad scores.

JStriedl  2009-11-03 18:24:06
+1  A: 

The cryptographic system you are using is very similar to an HMAC, but yours implementation is less secure. The md5 algorithm is a broken, however your MAC is immune to the prefixing attack to generate hash collisions because the beginning of the your secret. The attacker must be able to control the beggaring of the string in order to create a hash collision.

TamperData is a very useful hacking tool to Modify/Capture/Replay traffic that comes from the browser. So you should prevent against replay attacks by authenticating the current date and time: hmac(secret,date_time.score.username).

The hackers are probably using a SWF Decompiler to find the value of your secret in the SWF file. In order to counter this you should try and bury the secret using a SWF obfuscation such as http://www.amayeta.com/.

None of this is a "silver bullet", this just makes it more difficult for the hacker. A hacker will always be able to modify his or her score because you are trusting the client to tell you the correct score. Even if you made the recommended changes you would still be in violation of CWE-602.

Rook  2009-11-04 07:48:40
+1 Intereesting answer.
blesh  2009-11-05 21:52:09
A: 

Would not simply running the game on the server side prevent score hacking? If the game is being run as a random game then you send the random values to the user's browser there wouldn't be much sense in them attempting to cheat,even de-compiling the flash file wouldn't give them an advantage.

stranger  2009-11-04 08:07:10
Flash over a web browser is client side.
blesh  2009-11-05 21:44:10
@blesh: The game *logic* would be on the server side, and the result of that logic would be sent to the client, to be displayed by the Flash application.
Casey Hope  2010-07-27 08:28:56
A: 

What I was thinking was that since the game appear's to require authentication I would assume that there are calls that require a get user name and other info.

Discussing the matter from another developer thir advice was to use Ajax components. Idk.

Most hackers will find a way to get around most security issues the best way is to prevent them from sending anything back to the server other than what is required for the game to function.

Has anyone used random based on the amount of negative memory available? instead of looking for the specific memory location with those softwares.

Why not send multiple bogus values to mem and derive the outcomes based on open memory locations? Please don't attack me for this suggestion I am a learner like most other's.....

stranger  2009-11-05 21:27:19
A: 

You could to add some sort of RSA (asynchronous) encryption to your Flash apps. You would put the public key in your Flash app, and use the private key on the server side to decrypt the score sent.

This won't necessarily prevent a hacker from hacking your Flash App, but it will make it a bit more of a pain in the butt.

Here is an AS3 library for RSA encryption.

Outside that it'll depend on what server technology you're using (PHP, .Net, or whatever) as to how you implement the RSA on the other side.

It should be noted too that this question has already been answered.

blesh  2009-11-05 21:43:16
A: 

Hi ,

is there any secure way to prevent hacking ..? we are running the monthly tournament and all time games are hacked and we loose good amount of money each month .. plsss help ..

[email protected]

aalam  2010-07-27 08:25:27

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security