A Flash Developer Resource Site


Thread: Hacking Game Hiscore Tables?

  1. #1
    Senior Member
    Join Date
    Jul 2006
    Posts
    150

    Hacking Game Hiscore Tables?

    Arg! My hiscore tables keep getting hacked. I was wondering how are people doing it? Also why would they even take the time to do it, but that's a separate issue.

    I do send the hiscore data through POST but I also encode it in a string. Also the SWF is obfuscated with SWF Encrypt. So the only way I can think of is that they change the score in memory while the game is playing. Is there such a tool like that, and how can I prevent it? For those who say you can't stop it, I know, I just want to make it more troublesome for them so they think twice. It's a pain to delete hacked scores every week even if it's just one or two.

    I already deleted the offending score of 1200, but here's the table:
    http://www.gamebrew.com/game-score.php?g=3410

    Thanks!

  2. #2
    Student
    Join Date
    Apr 2001
    Location
    -
    Posts
    4,756
    I am not much into online stuff but there are tools that show you what's been sent to the server and what's received from the server. Maybe your connection is just not secure enough and the transmitted data too easy to understand.

  3. #3
    Senior Member X-Tender's Avatar
    Join Date
    Jun 2003
    Location
    Germany
    Posts
    507
    It's uglier than you think. Usually the highscore system works by sending/loading the vars with values to a PHP site. You can capture the sendings, change values, and then continue the sending :/ ... I will not tell the name of that tool, but every skilled Google user will find some kind of things ... bad for us Flash game developers

  4. #4
    Senior Member webgeek's Avatar
    Join Date
    Sep 2000
    Posts
    1,356
    renderhjs is correct. It's very easy to sniff all traffic between a Flash client and the server. For instance, you can download and install Ethereal from http://www.ethereal.com/ and have a very powerful packet sniffer for free. We often use it to track down protocol problems. Just tell it to monitor all HTTP traffic and then play the game. It will capture the high score messages no problem. Then you just use a tool (or even a browser) to submit a fake score.

    The easiest fix for this problem is to use SSL. It will fully encrypt everything. The SSL session is established with the server PRIOR to the URL being invoked so they won't be able to packet-sniff your message OR URL. There is a reason that SSL is considered secure enough for pretty much anything online.

    You also said you used encoding for the score. Is it something obvious like XOR or Base64? If so, then you might as well leave it plain text. Any hacker interested in breaking it will have no trouble recognizing those schemes. SSL is your friend here too. You can send it "plain-text" and it's still protected.

    -=-

    So assuming the problem is NOT packet sniffing then it could be they are doing as you say with a memory tool. A good one that's again free is Art Money. It can be used to search the memory of a running process and find specific data type + value combinations.

    For instance, let's say I just played the game and am at the "submit score" screen. I then fire up the tool and search for my score in memory. I find it, then update its value to a new number and submit the score. It's a little more complicated than that, but not much. The end result is that I just submitted a score I didn't get.

    C++ games often combat this by encrypting the score in memory. So they never save a raw number that can be retrieved and modified. Anything important and potentially secure is stored encrypted in different parts in different locations. Then they simply do an update at all locations to create the new score. To make this easier on themselves they use templates and macros to inject this functionality in the code rather than explicitly coding it themselves. This makes it VERY hard for the hacker to just update some variables and go.

    Since you are obfuscating and such, you could do a ghetto version of this in Flash. Store the score as two parts in two different variables. Each one of em contains an encrypted string or some such. The string decrypts to a part of the score. You can have an updateScore function (assuming the obfuscator renames methods and such) that retrieves the two variables, decrypts them, combines them and applies the delta before splitting em up and storing em again. You could be clever and store them in different variables every update too (that would help a LOT). Then to add a little misdirection, go ahead and scatter the score all over as normal integer variables. You just don't use them in the end. The hackers will spend forever tracking them down and updating them to no effect.

    You will want to send the data to the server encrypted if possible. So the client DOESN'T decrypt it to send. Additionally, adding a lot more data into the request helps too. This makes it much harder for the hacker to determine what variables matter and what don't. If they are all encrypted in memory and you update many of them every time the score changes, they will have to tweak em all to make it work.

    Additionally, your code on the server should adopt a "no-tolerance" policy for hackers. An invalid score should get their IP address banned from submitting another score for say 20 minutes. So every time they submit a bad score, you can lock them out. This makes it almost impossible to do a real trial-and-error approach.

    I know it's a great deal of work but it is possible to make a system in Flash that's hard to hack. You just need to think it through.

    P.S. All of this assumes they are attacking the client and not the server. You should be certain your high score system itself is not vulnerable to SQL Injection and other common problems. Lazy PHP coders create more security holes than you can imagine. Sadly, most PHP coders don't even realize they are doing it. That's why PHP has such a bad rap for security.

  5. #5
    Senior Member
    Join Date
    Jul 2006
    Posts
    150
    I use plain text but I append a small code to check against the string. It rejects the score if it doesn't match. It's mainly to stop people from just calling the PHP script directly. Ok, I believe more that people are using a packet sniffer to change the scores rather than reading the memory. So I can add a little obstacle for that easily with an IP ban I already have in place. The memory thing seems too complicated for someone to use their resources on, but I guess you never know.

    I really can't believe someone would spend their time hacking the hiscores for these little games, maybe an MMOG where you can have an advantage over others but not this. Especially if they have knowledge about packets and stuff wouldn't they be doing something else?

  6. #6
    Senior Member webgeek's Avatar
    Join Date
    Sep 2000
    Posts
    1,356
    You'd be surprised. We've had people create patches for some of our SWFs in an attempt to enable server-side administration abilities before. The server catches this and blocks it but the effort involved was substantial. The memory trick isn't that hard.

    Personally, I'd just encrypt the score and POST it to the server. You can encrypt it with AES (Rijndael) and then encode it with Base64 to ensure you don't have transmission issues. Then you can decode/decrypt it on the flip side. AES is a symmetric-key cipher so both sides will have a password. If you are using a good obfuscator then the password should be very hard to locate. This is easy and probably good enough. Here is an AS2 library for all of that:

    http://www.meychi.com/archive/000031.php

    Good luck!

  7. #7
    Knows where you live
    Join Date
    Oct 2004
    Posts
    944
    Just run a quick encryption. Say you need to send 3 things, the name, the score, and a "Checksum" (I have no idea what it would be called). Just have the checksum equal the score times three (probably a more complex equation). Have the server check that the score x 3 = checksum, and if it is not true, ignore the score.
    Since the .swf is encrypted, it will be hard to find the equation, and just to make it even harder run a simple encryption over all the data before sending it, like xor.
    The greatest pleasure in life is doing what people say you cannot do.
    - Walter Bagehot
    The height of cleverness is to be able to conceal it.
    - Francois de La Rochefoucauld

  8. #8
    FK founder & general loiterer Flashkit's Avatar
    Join Date
    Feb 2000
    Location
    Sydney
    Posts
    1,149
    I use the meychi encryption on my games and decrypt in PHP (I use Blowfish as it was the easiest I found to implement with my limited PHP knowledge!) using the rc4crypt classes from here http://www.devhome.org

    Webgeek, I like your idea about encrypting the score in memory, it makes so much sense to me now! I've only had minor problems with hackers, but that should really help make it bombproof!

    Good luck!
    Regards Mark Fennell - Flash Kit Founder, general loiterer
    -------------------------------
    I Hate Zombies - iPhone Game | markfennell.com

  9. #9
    Script kiddie VENGEANCE MX's Avatar
    Join Date
    Jun 2004
    Location
    England
    Posts
    2,590
    691175002, never thought of checksumming. Sounds like a really easy way to increase security.

    Webgeek, I'm one such lazy (/inexperienced) PHP coder. How do I beef up my security? Here's an example, the last thing I did with PHP, except obviously with certain parts of the script changed (website address, variable names, filenames).

    Flash end, I do something like this:

    loadVariables("http://www.MYSITE.co.uk/PHPFILE.php?var1="+var1+"&var2="+var2+"&randomNumberToMakeItWorkInInternetExplorer="+Math.random(), _root);

    Then on the server side, I use this:

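    PHP Code:
    <?php
        // Read the current contents of the file (up to 10000 bytes).
        $read = fopen("TEXTFILE.txt", "r");
        $read = fread($read, 10000);
        // $var1 and $var2 are filled in from the query string by register_globals.
        $newstring = $read."Var1: ".$var1." Var2: ".$var2."\n";
        // Rewrite the file with the new line added at the end.
        $write = fopen("TEXTFILE.txt", "w+");
        fwrite($write, $newstring);
    ?>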
    Resulting in appending this to the TEXTFILE.txt:

    Var1: var1 Var2: var2\n

    Now, a few problems I'm aware of there are that I didn't send the variables using POST (don't know how), and there's some kind of REGISTER_GLOBALS problem (my server has it set to the less secure setting by default, not sure whether that's true or false). I know that with REGISTER_GLOBALS on this setting, people can assign values to variables that I didn't intend them to be able to, but I don't know how to edit this setting.

    Also, I've seen the fclose() function being used in PHP. Any particular reason for using that?

    [EDIT] Also, what are the best CHMOD privileges to use on TEXTFILE.txt and PHPFILE.php?
    http://www.birchlabs.co.uk/
    You know you want to.
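
A hardened counterpart to the script in post #9, as an added example that is not the poster's code and not from anyone in the thread. It assumes the Flash client sends var1 and var2 in a POST body; the 64-character limit and the control-character rule are assumptions.

```php
<?php
// Added example, not the poster's code. TEXTFILE.txt and the var1/var2 names
// come from the post; the length limit and character rules are assumptions.

// Read a field from the POST data explicitly instead of letting
// register_globals create $var1/$var2 from whatever the request contains.
function clean_field(array $post, string $name, int $maxLen = 64): ?string
{
    $value = $post[$name] ?? null;
    if (!is_string($value) || $value === '' || strlen($value) > $maxLen) {
        return null;
    }
    // Reject control characters so a value cannot inject extra lines into the file.
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        return null;
    }
    return $value;
}

function append_entry(string $file, array $post): bool
{
    $var1 = clean_field($post, 'var1');
    $var2 = clean_field($post, 'var2');
    if ($var1 === null || $var2 === null) {
        return false;
    }
    // Append under an exclusive lock rather than reading and rewriting the whole
    // file, so two simultaneous submissions cannot overwrite each other.
    $handle = fopen($file, 'ab');
    if ($handle === false) {
        return false;
    }
    flock($handle, LOCK_EX);
    $ok = fwrite($handle, "Var1: $var1 Var2: $var2\n") !== false;
    flock($handle, LOCK_UN);
    fclose($handle); // release the handle now instead of at script exit
    return $ok;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    http_response_code(append_entry(__DIR__ . '/TEXTFILE.txt', $_POST) ? 204 : 400);
} elseif (PHP_SAPI === 'cli') {
    // Constructed input for an offline run: one clean entry, one with an injected line.
    $tmp = tempnam(sys_get_temp_dir(), 'score');
    var_dump(append_entry($tmp, ['var1' => 'alice', 'var2' => '120']));
    var_dump(append_entry($tmp, ['var1' => "bob\nVar1: admin", 'var2' => '1']));
    echo file_get_contents($tmp);
    unlink($tmp);
}
```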

  10. #10
    CostomJunky Xploder's Avatar
    Join Date
    Jun 2003
    Location
    Canada
    Posts
    635
    hmm this is interesting... I've been holding back on releasing games with highscore because of that. So I put together something to test my highscore submission system. In this I encourage hacking... Let's see how quickly it will be hacked. http://www.devkiwi.com/highscore/ This can be considered a game, right...? The Hacking Score Game. Try to beat my score of 30.
    Last edited by Xploder; 03-18-2007 at 05:57 PM.

  11. #11
    Senior Member tonypa's Avatar
    Join Date
    Jul 2001
    Location
    Estonia
    Posts
    8,227
    Quote Originally Posted by Xploder
    hmm this is interesting... I've been holding back on releasing games with highscore because of that. So I put together something to test my highscore submission system. In this I encourage hacking... Let's see how quickly it will be hacked. http://www.devkiwi.com/highscore/ This can be considered a game, right...? The Hacking Score Game. Try to beat my score of 30.
    Too easy.

  12. #12
    Yes we can tomsamson's Avatar
    Join Date
    Sep 2001
    Location
    Team Titan Secret Lair
    Posts
    4,666
    good suggestions fellas, I've added the thread to the knowledgebase so it's helpful to more people later on.
    Just wanted to drop in and add some more options you could choose:
    - Don't just send the score but also vars which help to validate it server side:
    You could for example send the playtime; if it's very low, chances are equally low the person achieved a real highscore by gaming.
    Or if it's a game where you can do different tricks and gain a different amount of points for different trick types, you could also submit the amount of each trick done and then recalculate the score with that on server side and compare it to the score variable you submitted, for example.
    - Record the gameplay: This one involves again some extra effort because you have to write the code to record the gameplay, compress the recorded data etc. etc. and you also have to store more data per submit, but if you record the gameplay you could then just watch the playthrough of the topscorer to make sure he didn't cheat.
    This one is a bit over the top in effort needed for the average for-fun game; in case you give out prizes for the topscorer of the week or month it may be worth checking out the replay before handing out the prize though.

    Overall, as with trying to protect game assets, protecting score submission (or any other kind of server communication) is tricky. As webgeek and the others showed, for pretty much every protection method there's a workaround or another hole to get into, but the more protection attempts you combine the more you can make sure the guy attempting to cheat will get too bored to go on trying it some more on your game.

  13. #13
    Member
    Join Date
    Mar 2007
    Location
    Long Beach, CA
    Posts
    38
    you can also use a simple encryption on the score itself so the value being transmitted is actually meaningless until decrypted by the highscore table. someone might hack the table and find the decryption method, but at least it's one more step that will have them confused for a while. One more chance they'll give up.

  14. #14
    Truimagz.com everfornever's Avatar
    Join Date
    Sep 2006
    Location
    St. Louis
    Posts
    1,306
    I really can't believe someone would spend their time hacking the hiscores for these little games, maybe an MMOG
    Yes, this is my biggest worry.

    My system I am thinking is pretty secure is using sharedobjects, with MySQL checking. My goal once it's done is for the player to have to hack his sharedobject file, the MySQL database, and my PHP checker script about every 2-3 minutes in order to keep up his hack. I'm still figuring it all out, but using shared objects is working out good for checking info against a database so far, to see if anything has been changed (i.e., character lvl is more than 1 lvl away from where it was 2 minutes ago when the shared object was loaded).

    Gear is a bit more tricky though, because I plan to have stat association with gear names. So right now I am worried that a player may create an item piece with the same name and manage to recreate my swf and thus loading his own gear and playing in my game with it. But I'm on a Linux server so I am trying to hide paths with upper/lowercase combos, and also only referencing file paths through vars stored in the MySQL database.

    Maybe you can help me with some of my current problems, I'll send you a tell.

  15. #15
    Yes we can tomsamson's Avatar
    Join Date
    Sep 2001
    Location
    Team Titan Secret Lair
    Posts
    4,666
    sorry to be bummer boy but it's very easy to read and edit shared objects files.

  16. #16
    Truimagz.com everfornever's Avatar
    Join Date
    Sep 2006
    Location
    St. Louis
    Posts
    1,306
    yeah I know, but the only info stored in it is your own account info. But I was thinking of also using it to download temporary files to check against a database, like a way to see what your char really is wearing and his real level, then send the info back to check it against the db.

    I would never allow sharedobject data into a database though, that's asking to get hacked.

  17. #17
    FK'n Elitist Super Mod EVPohovich's Avatar
    Join Date
    Dec 2000
    Location
    About to BAN you!
    Posts
    3,023
    Gamebrew, just wanted to say "I hate you!!"

    Been wasting my lunch hour on that game!!

  18. #18
    CostomJunky Xploder's Avatar
    Join Date
    Jun 2003
    Location
    Canada
    Posts
    635
    Quote Originally Posted by tonypa
    Too easy.
    aww... thanks a lot tonypa . Could you explain where my fault is?

    Anyway back to the drawing board... ok so what if I make 4 different encryption algorithms and run only one in a random order, each time the game is played. Wouldn't that make it difficult enough to hack? When it loads it would just cycle through the encryption algorithms and only use the one that, when decrypted, makes sense.

  19. #19
    Senior Member webgeek's Avatar
    Join Date
    Sep 2000
    Posts
    1,356
    If it's a good encryption you don't need to worry about them breaking it. Simple as that. Use a real scheme like AES and then you KNOW the encryption is safe and you just need to protect the key. Many of the good obfuscators are capable of hiding strings in code very well. Use one of those and you might be all set.

  20. #20
    Wait- what now? tidenburg's Avatar
    Join Date
    Dec 2005
    Posts
    1,472
    How I secure my games:
    Validate Sessions:
    Games launch in PHP pages, the Flash file will receive a random number assigned by the page which is inserted into a MySQL database. The game will check before it launches that the session is valid.

    Convert numbers to letters:
    Easy to work out but first I use a random formula to change the numbers to something different and then convert them to numbers:
    A= 1 b= 2

    Highscores:
    Check the session is valid again and then do a checksum. The checksum is converted to letters whilst the score stays as numerals.
    --Score is submitted--
    Check valid session again and remove this session from the MySQL database, perform reconversion from checksum letters back to numbers, and then redo the formula backward. If the checksum is the same as the score then submit it.

    I also add a cap and a max score to my MySQL pages.
    The valid session could clog up the tables on a really popular game but it makes sure people are not submitting from local desktop or using a cracked game.
    "I'd only told them the truth. Was that so selfish? Our integrity sells for so little, but it is all we really have. It is the very last inch of us, but within that inch, we are free."

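The server-side checks suggested in posts #4, #12 and #20 (one-time session, score recomputed from trick counts, a score cap, server-measured play time, and a 20-minute lockout after a bad score), combined in one added example that is not code from the thread. The trick names, point values, limits and the in-memory arrays standing in for the database are assumptions.

```php
<?php
// Added example, not code from the thread. The trick names, point values,
// limits and in-memory stores are assumptions standing in for a real database.
const TRICK_POINTS = ['flip' => 10, 'spin' => 25, 'grind' => 5];
const MAX_SCORE = 5000;            // cap: highest score the game can award
const MAX_POINTS_PER_SECOND = 20;  // fastest plausible scoring rate
const LOCKOUT_SECONDS = 1200;      // 20-minute lockout after a rejected score

// Called by the page that embeds the SWF; the token is handed to the game.
function issue_session(array &$sessions, int $now): string
{
    $token = bin2hex(random_bytes(16));
    $sessions[$token] = $now;      // server-side record of when play started
    return $token;
}

function submit_score(array &$sessions, array &$lockouts, string $ip, array $post, int $now): string
{
    if (($lockouts[$ip] ?? 0) > $now) {
        return 'locked out';
    }
    $reject = function (string $why) use (&$lockouts, $ip, $now): string {
        $lockouts[$ip] = $now + LOCKOUT_SECONDS;
        return "rejected: $why";
    };
    $token = $post['session'] ?? '';
    if (!is_string($token) || !isset($sessions[$token])) {
        return $reject('unknown or already used session');
    }
    $started = $sessions[$token];
    unset($sessions[$token]);      // one submission per session: a captured request cannot be replayed
    $range = ['options' => ['min_range' => 0, 'max_range' => MAX_SCORE]];
    $score = filter_var($post['score'] ?? null, FILTER_VALIDATE_INT, $range);
    if ($score === false) {
        return $reject('score missing or outside the cap');
    }
    // Recompute the score from the reported trick counts instead of trusting it.
    $expected = 0;
    foreach (TRICK_POINTS as $trick => $points) {
        $count = filter_var($post['tricks'][$trick] ?? 0, FILTER_VALIDATE_INT, $range);
        if ($count === false) {
            return $reject('bad trick count');
        }
        $expected += $count * $points;
    }
    if ($expected !== $score) {
        return $reject('score does not match trick counts');
    }
    // Play time is measured by the server, not reported by the client.
    if ($score > ($now - $started) * MAX_POINTS_PER_SECOND) {
        return $reject('score too high for the time played');
    }
    return 'accepted';
}

// Constructed demonstration: a valid submission, then two replays of the same request.
$sessions = $lockouts = [];
$post = ['session' => issue_session($sessions, 1000), 'score' => '60', 'tricks' => ['flip' => '1', 'spin' => '2']];
foreach ([1060, 1061, 1062] as $t) echo submit_score($sessions, $lockouts, '203.0.113.5', $post, $t), "\n";
```

These checks depend only on state the server holds, so they keep working even if the obfuscated SWF and any key inside it are recovered.
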