
AS: Scoreboard Protection

Denvish
AS: Scoreboard Protection Oct. 28th, 2005 @ 06:28 PM Reply

AS: Main

AS: SCOREBOARD PROTECTION

Hmmmm. Both Inglor and NC have queried me about this stuff, so I guess it deserves an AS: thread. I know it's long, but if you've ever had your online scoreboard hacked, I'm sure you'll appreciate that the time spent reading it is not wasted.

Relevant threads:
AS: Scoreboard by Inglor
AS: Load External Data/Cross-Domain
AS: SWF Copy Protection by JackSmack

So. Maybe some aren't aware of what happened when I released my first pure API game Throw It!... well, basically the scoreboard was hacked by all & sundry, simply because I didn't add protection against decompilers.

I learnt my lesson, and can offer you some tips on how to prevent your game having a scoreboard filled with 99999999999s. It's not 100% proof, any serious hacker or coder could probably get round it, but it would require some experience with Actionscript and more than 5 minutes' work to do so.

++++++++++++++++++++++++

HIDE THE URLs

The most obvious way to add 'cheating' scores to a scoreboard is to find the URL of the PHP or ASP file which adds scores to your database, and send those variables directly to the PHP or ASP page. With a decompiler, this is pretty easy; just search the code for 'http'. So here's a way you can prevent that happening:

Create a new fla.
Add three keyframes.
On the first:

//Change your path to php/asp file here, and test movie
ustr="http://sitename.com/folder/subfolder/filename.asp";

On the second:
uarr=ustr.split("");

farr=new Array();
//Randomise the letters
while(uarr.length>0){
f=random(uarr.length);
farr.push(uarr.slice(f, f+1));
farr.push(f);
uarr.splice(f, 1);
}
//Add speechmarks for output
gumboot="";
for(i=0;i<farr.length;i++){
gumboot=gumboot+ '"'+farr[i]+'",'
}
//Cut off final comma
gumboot=gumboot.substr(0,gumboot.length-1);

trace("CHANGE CONTENTS OF ARRAY A1 TO THIS: ");
trace(gumboot);

On the third:
//This is the function to convert back to a path. You'll need
//to include it somewhere in your fla.

//Change the contents of array A1 to the output trace you got from frame 2
A1=new Array("paste outputted code here")

//Add this function anywhere in your fla
gtr=new Array(); ku="";
while(A1.length>0){
f=A1.length; gtr.splice(A1[f-1], 0, A1.slice(f-2, f-1)); A1.splice(f-2, 2);
}
for(i=0;i<gtr.length;i++) {ku=ku+gtr[i];}

//When calling your php/asp, use: loadVariables(ku, MCName)
trace("CONVERTED BACK:");
trace(ku);
stop();

ObscureURL.fla

=======================

So basically, you can use this to 'jumble' the URL to your addscores file. You then need to add the code on frame 3, plus the created array A1, somewhere in your game .fla

+++++++++++++++++++++++++

PREVENT SWF>FLA CONVERSION

Another way that a viewer can 'hack' your scoreboard is by using a swf>fla program (such as Eltima) to convert back to fla, edit the 'endgame' variables (score, name), and recompile to swf. To prevent this, I suggest using ASO Lite: simply run your finalised swf file through it. Basically, it converts function names to numbers, which will confuse and crash Eltima when it attempts to decompile.

There are other swf encrypters on the market, but I haven't tried any of them yet.

+++++++++++++++++++++++++

NO LOCAL MACHINE

Another way that people can cheat with games is to download the swf to their machine, then resize the Flash Player window so that they can see outside of the main stage area. To prevent this happening, use a simple getURL protection: AS: SWF Copy Protection by JackSmack and The liljim method. If you're releasing your game across several websites, then just check for the file: tag in the address:

/////Add this lot elsewhere in your code, doesn't matter where. It's API, because it's the code I use in my pure code games

sTF = new TextFormat();
with (sTF) {color = 0xFFFFCC; font = "Tahoma"; size = 10; bold = 1; align = "center";}

function stole() {
if (_root._url.substr(0, 7) == "file://") {
_root.gotoAndStop(1);
_root.createEmptyMovieClip("block", 900000);
with (block) {
beginFill(0xFF66FF, 100); moveTo(0, 0); lineTo(Stage.width, 0); lineTo(Stage.width, Stage.height); lineTo(0, Stage.height); endFill();
createTextField("gy", 1, 0, 170, Stage.width, Stage.height);
gy.selectable = 0; gy.text = "MAKE YOUR OWN GAME"+newline+newline+"DON'T STEAL MINE"; gy.setTextFormat(sTF);
}
}
}

/////Run the function whenever you feel like it (I usually run it on start, level up, etc)
stole();

+++++++++++++++++++++++++

Although these measures will protect against most casual 'hackers', since I got burnt with Throw It, I also tend to use a couple of other measures for protection. Normally, I use ASP, and add four passwords in the ASP file that are checked before the code to add the score/name to the database is run. One of these uses a function that pulls data from a couple of apparently innocent arrays of hexadecimal values and then multiplies them by each other, and the other three are pulled from an online txt file full of random characters, and deviously manipulated.

With ASP, I also use a third party program called HTML Guardian to encrypt the addscores.asp file. Unfortunately it doesn't work with PHP, although I'm sure there are PHP encrypters out there.

Finally, I use (again) some strange manipulation of arrays to produce the actual ASP filenames. So they're not called 'addscores.asp', and 'getscores.asp', they're named '673298giueiw9rth23tewuir7i6324.asp' and 'bg9bsd86f7n2345n76t97wefrqwe.asp' (or something similar). They're also buried several folders deep on the domain that I host the databases on, which makes it that little bit harder to find the fuckers.

+++++++++++++++++++++++++

If you're serious about protecting your game, then I recommend using at least one of these methods to protect your scoreboard.
If you have any ideas or suggestions, or questions, please feel free to post.


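An added sketch (not from the thread, and not Denvish's ASP) of the "checked before the code to add the score/name to the database is run" step from the first post, generalised from fixed passwords to a keyed tag, a one-time value per game and a score ceiling. It is written in Python to stand in for the ASP/PHP add-scores page; the key, the limits and the field names are assumptions.

```python
import hashlib
import hmac
import re
import secrets

# Constructed values for this sketch (not from the thread).
SHARED_KEY = b"constructed-demo-key"  # must also ship in the SWF, so it is recoverable
MAX_SCORE = 50_000                    # assumed ceiling the game can actually produce
NAME_RE = re.compile(r"[A-Za-z0-9_ -]{1,16}")
SCORE_RE = re.compile(r"[0-9]{1,9}")


def sign(name: str, score: int, nonce: str) -> str:
    """Tag the game computes over the fields it is about to submit."""
    msg = f"{name}|{score}|{nonce}".encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


class ScoreBoard:
    def __init__(self):
        self.rows = []            # stands in for the scores table
        self.open_nonces = set()  # one per game in progress

    def start_game(self) -> str:
        """Hand the client a one-time value when a game begins."""
        nonce = secrets.token_hex(8)
        self.open_nonces.add(nonce)
        return nonce

    def submit(self, fields: dict) -> str:
        """Run every check before the insert; fields are raw POST strings."""
        name = fields.get("name", "")
        score = fields.get("score", "")
        nonce = fields.get("nonce", "")
        tag = fields.get("tag", "")
        if not NAME_RE.fullmatch(name):
            return "bad name"
        if not SCORE_RE.fullmatch(score) or int(score) > MAX_SCORE:
            return "bad score"
        expected = sign(name, int(score), nonce)
        # Constant-time comparison, so the reply time does not leak the tag.
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "bad tag"
        if nonce not in self.open_nonces:
            return "unknown or used nonce"
        self.open_nonces.discard(nonce)  # a captured request cannot be replayed
        self.rows.append((name, int(score)))
        return "ok"
```

Because the key has to be embedded in the client, this raises the effort needed in the same way the jumbled URL does; the ceiling and the one-time value are the checks that hold even when the key is known.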
SaintShun
Response to AS: Scoreboard Protection Oct. 28th, 2005 @ 06:33 PM Reply

wow, denvish 0-0

Iggy-Ziggy
Response to AS: Scoreboard Protection Oct. 28th, 2005 @ 06:36 PM Reply

If you have a wish to test if your scoreboard can be hacked or to test any security reason just post a link and results will be posted here in a few days after your request.

Denvish
Response to AS: Scoreboard Protection Oct. 28th, 2005 @ 06:42 PM Reply

At 10/28/05 06:36 PM, Iggy_Ziggy wrote: If you have a wish to test if your scoreboard can be hacked or to test any security reason just post a link and results will be posted here in a few days after your request.

Cool. Have a go with the scoreboard in Trick or Toad, you'll get a virtual cookie if you can crack it =)
Although you do have the advantage of seeing the methods I use, as posted in this thread..


DFox
Response to AS: Scoreboard Protection Oct. 28th, 2005 @ 07:01 PM Reply

Wow, this is the best tutorial on here. As a game developer, I'm always trying to make the high score board as secure as possible.

Thanks Denvish!


TonnFulp
Response to AS: Scoreboard Protection Oct. 28th, 2005 @ 07:05 PM Reply

I was thinking of doing a score-board on one of my games.

I was just going to do a POST getURL to my website and update some mysql with it.

Could I do that? Is that not secure?

Claxor
Response to AS: Scoreboard Protection Dec. 8th, 2005 @ 04:40 PM Reply

Great tutorial Denvish! =D


Dislexsick
Response to AS: Scoreboard Protection Jun. 11th, 2006 @ 07:17 AM Reply

At 10/28/05 07:05 PM, TonnFulp wrote: I was thinking of doing a score-board on one of my games.

I was just going to do a POST getURL to my website and update some mysql with it.

Could I do that? Is that not secure?

That's about as secure as leaving the door to the vault at the bank wide open.....

ssjskipp
Response to AS: Scoreboard Protection Jan. 15th, 2007 @ 01:59 AM Reply

Don't forget to protect your variables from memory hackers! You can do something like this:
var myRealScore:Number = 0;
var myDisplayScore:String = String(myRealScore/20);

Then, instead of myRealScore += 1, do myRealScore += 20. So, they'll be searching for 1, 2, 3, when in reality, the values are 20, 40, 60. ^^;


"Give a man a match, and he'll be warm for a minute, but set him on fire, and he'll be warm for the rest of his life."

Inglor
Response to AS: Scoreboard Protection Jan. 15th, 2007 @ 03:12 AM Reply

At 1/15/07 01:59 AM, ssjskipp wrote: Don't forget to protect your variables from memory hackers! You can do something like this:
var myRealScore:Number = 0;
var myDisplayScore:String = String(myRealScore/20);

Then, instead of myRealScore += 1, do myRealScore += 20. So, they'll be searching for 1, 2, 3, when in reality, the values are 20, 40, 60. ^^;

They'll just look for variables containing the name 'score' first :P

iAnimate
Response to AS: Scoreboard Protection Jan. 15th, 2007 @ 03:47 AM Reply

would a hacker reading this topic know how to beat this system?

Gorilla-Studios
Response to AS: Scoreboard Protection Jan. 15th, 2007 @ 04:50 AM Reply

Probably, but then again it would be a little bit of hassle. Wait, why is this topic still being replied to?!


Gorilla Studios || A game is like sex, its better when its free

Kenney
Response to AS: Scoreboard Protection Jan. 15th, 2007 @ 10:28 AM Reply

At 1/15/07 04:50 AM, Gorilla-Studios wrote: Probably, but then again it would be a little bit of hassle. Wait, why is this topic still being replied to?!

Because now I see this topic and I can try to convince Gabriel into building these protections in ArmorBot to make it even more secure.

ssjskipp
Response to AS: Scoreboard Protection Jan. 15th, 2007 @ 11:29 AM Reply

Yeah, but that's after you run it through ASO, so the variable 'score' won't exist =p. But if your values are the same as display, it's an easy hack. You can also use that to transfer the values into PHP or ASP, format the numbers in a special way where, Idunno', it changes the number drastically, but can be changed back. They won't know what to pass into the PHP or ASP if they find the files.


"Give a man a match, and he'll be warm for a minute, but set him on fire, and he'll be warm for the rest of his life."