AS: SCOREBOARD PROTECTION
Hmmmm. Both Inglor and NC have queried me about this stuff, so I guess it deserves an AS: thread. I know it's long, but if you've ever had your online scoreboard hacked, I'm sure you'll appreciate that the time spent reading it is not wasted.
Relevant threads:
AS: Scoreboard by Inglor
AS: Load External Data/Cross-Domain
AS: SWF Copy Protection by JackSmack
So. Maybe some aren't aware of what happened when I released my first pure API game Throw It!... well, basically the scoreboard was hacked by all & sundry, simply because I didn't add protection against decompilers.
I learnt my lesson, and can offer you some tips on how to prevent your game having a scoreboard filled with 99999999999s. It's not 100% proof, any serious hacker or coder could probably get round it, but it would require some experience with Actionscript and more than 5 minutes' work to do so.
++++++++++++++++++++++++
HIDE THE URLs
The most obvious way to add 'cheating' scores to a scoreboard is to find the URL of the PHP or ASP file which adds scores to your database, and send those variables directly to the PHP or ASP page. With a decompiler, this is pretty easy; just search the code for 'http'. So here's a way you can prevent that happening:
Create a new fla.
Add three keyframes.
On the first:
//Change your path to php/asp file here, and test movie
ustr="http://sitename.com/folder/subfolder/filename.asp";
On the second:
uarr=ustr.split("");
farr=new Array();
//Randomise the letters
//Each letter is stored followed by the index it was removed from
while(uarr.length>0){
    f=random(uarr.length);
    farr.push(uarr.slice(f, f+1));
    farr.push(f);
    uarr.splice(f, 1);
}
//Add speechmarks for output
gumboot="";
for(i=0;i<farr.length;i++){
    gumboot=gumboot+ '"'+farr[i]+'",'
}
//Cut off final comma
gumboot=gumboot.substr(0,gumboot.length-1);
trace("CHANGE CONTENTS OF ARRAY A1 TO THIS: ");
trace(gumboot);
On the third:
//This is the function to convert back to a path. You'll need
//to include it somewhere in your fla.
//Change the contents of array A1 to the output trace you got from frame 2
A1=new Array("paste outputted code here")
//Add this function anywhere in your fla
gtr=new Array(); ku="";
while(A1.length>0){
    f=A1.length;
    //Last pair is (letter, index): put the letter back at that index
    gtr.splice(A1[f-1], 0, A1.slice(f-2, f-1));
    A1.splice(f-2, 2);
}
for(i=0;i<gtr.length;i++) {ku=ku+gtr[i];}
//When calling your php/asp, use: loadVariables(ku, MCName)
trace("CONVERTED BACK:");
trace(ku);
stop();
=======================
So basically, you can use this to 'jumble' the URL to your addscores file. You then need to add the code on frame 3, plus the created array A1, somewhere in your game .fla.
+++++++++++++++++++++++++
PREVENT SWF>FLA CONVERSION
Another way that a viewer can 'hack' your scoreboard is by using a swf>fla program (such as Eltima) to convert back to fla, edit the 'endgame' variables (score, name), and recompile to swf. To prevent this, I suggest using ASO Lite: simply run your finalised swf file through it. Basically, it converts function names to numbers, which will confuse and crash Eltima when it attempts to decompile.
There are other swf encrypters on the market, but I haven't tried any of them yet.
+++++++++++++++++++++++++
NO LOCAL MACHINE
Another way that people can cheat with games is to download the swf to their machine, then resize the Flash Player window so that they can see outside of the main stage area. To prevent this happening, use a simple getURL protection: AS: SWF Copy Protection by JackSmack and The liljim method. If you're releasing your game across several websites, then just check for the file: tag in the address:
/////Add this lot elsewhere in your code, doesn't matter where. It's API, because it's the code I use in my pure code games
sTF = new TextFormat();
with (sTF) {
    color = 0xFFFFCC; font = "Tahoma"; size = 10; bold = 1; align = "center";
}
function stole() {
    if (_root._url.substr(0, 7) == "file://") {
        _root.gotoAndStop(1);
        _root.createEmptyMovieClip("block", 900000);
        with (block) {
            beginFill(0xFF66FF, 100);
            moveTo(0, 0); lineTo(Stage.width, 0); lineTo(Stage.width, Stage.height); lineTo(0, Stage.height);
            endFill();
            createTextField("gy", 1, 0, 170, Stage.width, Stage.height);
            gy.selectable = 0;
            gy.text = "MAKE YOUR OWN GAME"+newline+newline+"DON'T STEAL MINE";
            gy.setTextFormat(sTF);
        }
    }
}
/////Run the function whenever you feel like it (I usually run it on start, level up, etc)
stole();
+++++++++++++++++++++++++
Although these measures will protect against most casual 'hackers', since I got burnt with Throw It, I also tend to use a couple of other measures for protection. Normally, I use ASP, and add four passwords in the ASP file that are checked before the code to add the score/name to the database is run. One of these uses a function that pulls data from a couple of apparently innocent arrays of hexadecimal values and then multiplies them by each other, and the other three are pulled from an online txt file full of random characters, and deviously manipulated.
With ASP, I also use a third party program called HTML Guardian to encrypt the addscores.asp file. Unfortunately it doesn't work with PHP, although I'm sure there are PHP encrypters out there.
Finally, I use (again) some strange manipulation of arrays to produce the actual ASP filenames. So they're not called 'addscores.asp', and 'getscores.asp', they're named '673298giueiw9rth23tewuir7i6324.asp' and 'bg9bsd86f7n2345n76t97wefrqwe.asp' (or something similar). They're also buried several folders deep on the domain that I host the databases on, which makes it that little bit harder to find the fuckers.
+++++++++++++++++++++++++
If you're serious about protecting your game, then I recommend using at least one of these methods to protect your scoreboard.
If you have any ideas or suggestions, or questions, please feel free to post.
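The server-side gate described in the post (passwords checked before the score/name is written to the database), sketched in JavaScript for Node.js as an added example; it is not the author's ASP code, and the four secrets, the field names p1 to p4, the name pattern and MAX_SCORE are assumptions. It goes beyond the post in one respect: it also bounds the score, so a 99999999999 entry is refused even when every password is correct.

```javascript
const crypto = require("node:crypto");

// Constructed sample values: the four passwords the server expects.
const EXPECTED = ["k1-constructed", "k2-constructed", "k3-constructed", "k4-constructed"];
const MAX_SCORE = 250000;                  // assumption: highest score reachable in the game
const NAME_RE = /^[A-Za-z0-9 _-]{1,16}$/;  // assumption: allowed characters in a player name

// Compare two strings without leaking where they differ: hash both to a
// fixed length, then compare the digests in constant time.
function sameSecret(given, expected) {
  const a = crypto.createHash("sha256").update(String(given)).digest();
  const b = crypto.createHash("sha256").update(expected).digest();
  return crypto.timingSafeEqual(a, b);
}

// Returns { ok, reason }. Only an ok result should reach the database insert.
function checkSubmission(form) {
  const given = [form.p1, form.p2, form.p3, form.p4];
  // Check all four even after a mismatch, so response time does not
  // reveal which password was wrong.
  let good = true;
  given.forEach((g, i) => {
    if (!sameSecret(g ?? "", EXPECTED[i])) good = false;
  });
  if (!good) return { ok: false, reason: "bad-password" };

  const name = String(form.name ?? "");
  if (!NAME_RE.test(name)) return { ok: false, reason: "bad-name" };

  // Digits only: rejects negatives, floats, exponents and empty values.
  const raw = String(form.score ?? "");
  if (!/^\d{1,15}$/.test(raw)) return { ok: false, reason: "bad-score" };
  const score = Number(raw);
  if (score > MAX_SCORE) return { ok: false, reason: "score-out-of-range" };

  return { ok: true, reason: "accepted", name, score };
}
```

Whatever value the SWF sends can still be recovered by someone who decompiles it, so the range and format checks are what keep an impossible score out once the passwords are known.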