A Flash Developer Resource Site

Thread: [CS3] Flash Game Hacks how to beat

  1. #1
    Senior Member
    Join Date
    Nov 2004
    Location
    I'm a brumie, currently in London working for the man
    Posts
    147

    [CS3] Flash Game Hacks how to beat

    I've been coding games for a while now..

    and well my latest effort with a high score table is being hacked, I've done everything to try and beat the hackers.. remote server side PHP calls, etc. etc.

    But people keep cheating.. any help would be grand..

    I've found out about a programme called speed gear, is there any way of beating these cheats?

  2. #2
    Student
    Join Date
    Apr 2001
    Location
    -
    Posts
    4,756
    in the end I guess never- for now just try to come up with something they haven't found a way around.
    Like submitting a garbage string holding an encrypted value besides the garbage and re-encode it serverside.
    Btw. did you try to encrypt values or Data?

    edit: perhaps a string that's not easy to figure out how the string is stored in it (find some unique logic) will help already a lot. As far as I understood the techniques you have a packet sniffer that shows you and lets you control the data flash receives and sends. If you just put blatantly your values with English variable names it's no wonder you get hacked that easy.
    Last edited by renderhjs; 03-14-2008 at 12:06 PM.

  3. #3
    self-portrait Kianis's Avatar
    Join Date
    Feb 2004
    Location
    Stockholm, Sweden
    Posts
    425
    As I understand it, if they decompile your swf there's really nothing you can do about it. But what you can do is make it harder for the script kiddies.
    Renderhjs pointed out some good advice. I'd also suggest you change the variable names in the flash code, put false trails etc (be creative!) since there's lots of programs that change variables inside the flash VM at runtime.
    So it doesn't matter if you got this great encryption if someone changes the variable 'score' before the score is used to generate the data to send.
    // Mazapán, my portfolio

  4. #4
    Student
    Join Date
    Apr 2001
    Location
    -
    Posts
    4,756
    so it's already this far,- does this count for shockwave Director with embedded Flash content as well? or even the AS3 machine?
    perhaps port some functions into dynamically loaded swf's which again could be loaded into other swf's like a triple hierarchy and access vital functions regarding the cheating there.

    Another idea:
    check if the highscore is impossible on the server and if so write a flash cookie on the hacker's system that will disable the gameplay or better the upload the next time. Or simply don't submit his score- track his IP, write it down on the server and ban him for a certain amount of time.

  5. #5
    ....he's amazing!!! lesli_felix's Avatar
    Join Date
    Nov 2000
    Location
    London UK
    Posts
    1,507
    One, getting basic user reg data before allowing them to compete on the scoreboard will deter many hackers. Let them play the game, but don't let people compete with each other until you have an email address, and a first and last name, and validate it too.

    Secondly, hackers often tend to submit ridiculous scores. So change the format of the score depending on how much is being scored. For example, anything up to 1000 is sent as a number, anything from 1001 to 10,000 is sent in hexadecimal etc etc. That will at least slow them down, and if they're just using a browser plugin to listen for the score format and url, they'll need to actually achieve a higher score before they realise the format gets changed.

    Thirdly, send some information about the gamestate, if they score a billion and didn't get past the first level, reject it. There's loads more you can do with that one, just use your imagination.

    Lastly, this is one thing I'm not sure has been implemented anywhere, but it would be pretty devastating if you got it working. Simply serve up a different high-score table to users that are suspected of cheating or fail any of the above tests. Let them think their scores have been registered, then they'd think they'd beaten the system when in fact no-one else would see their score. This would rely on either IP address checking, a user account/session or a checkup on the scoreboard nickname.

  6. #6
    self-portrait Kianis's Avatar
    Join Date
    Feb 2004
    Location
    Stockholm, Sweden
    Posts
    425
    Quote Originally Posted by renderhjs
    so its already this far,- does this count for shockwave Director with embedded Flash content as well ? or even the AS3 machine?
    I don't know if this works with AS3, I'd bet there's programs that do that too.
    Yeah, that would be a great use for Director!

    Great ideas lesli! Especially number three. The more variables to fiddle with...
    // Mazapán, my portfolio

  7. #7
    Student
    Join Date
    Apr 2001
    Location
    -
    Posts
    4,756
    Lastly, this is one thing I'm not sure has been implemented anywhere, but it would be pretty devastating if you got it working. Simply serve up a different high-score table to users that are suspected of cheating or fail any of the above tests. Let them think their scores have been registered, then they'd think they'd beaten the system when in fact no-one else would see their score. This would rely on either IP address checking, a user account/session or a checkup on the scoreboard nickname.
    a really GOOD idea, that way both sides are satisfied

  8. #8
    FK founder & general loiterer Flashkit's Avatar
    Join Date
    Feb 2000
    Location
    Sydney
    Posts
    1,149
    Use as3 to start with.. I don't know of an as3 decompiler yet (though no obfuscator either)

    I recently found this little tool http://mikegrundvig.blogspot.com/200...memory-to.html

    which allows the score to be encrypted in memory as you alter it.. I then use my own encryption and checksum routine for submission and decryption.
    (based on the meychi ascrypt stuff)

    Also make sure you remove the context menu.

    More robust options: get a cheap ssl certificate from godaddy to stop packet sniffing, and/or limit the server to only accept calls from its own domain....
    Regards Mark Fennell - Flash Kit Founder, general loiterer
    -------------------------------
    I Hate Zombies - iPhone Game | markfennell.com

  9. #9
    Custom User Title Incrue's Avatar
    Join Date
    Feb 2004
    Posts
    974
    People who want to cheat always will find a way, if you have a fake high score, the most perfect most protected stuff of the world, blablabla, they can still put their names on the top playing with those 'tool assisted' stuff

  10. #10
    Student
    Join Date
    Apr 2001
    Location
    -
    Posts
    4,756
    well you can make it at least a little bit harder for them. I can imagine that it is somewhat annoying if little kids (which I think are most of them) hack the highscore tables.
    And assuming they are kids who just downloaded a tool that does the most work for them it's pretty possible to fool them- you just need to know how they operate and on what they rely. Professional hackers would do this probably way different.

  11. #11
    Member
    Join Date
    Feb 2008
    Posts
    41
    But professional hackers have better things to do than hack Flash game high score tables.

  12. #12
    5+5=55 Schfifty Five's Avatar
    Join Date
    Jun 2006
    Posts
    698
    Before you go to all the trouble of making sure it can't be hacked with memory editors/SQL injection, etc... make sure there's not a simple bug in the game allowing this

    Also, if it's a reflex game or something of that sort, it might be easier for someone to just write a program to play the game for them, which would be really hard to detect. In that case, it might be best to modify the game mechanic to prevent it from being played easily by a bot.

  13. #13
    Custom User Title Incrue's Avatar
    Join Date
    Feb 2004
    Posts
    974
    Also, if it's a reflex game or something of that sort, it might be easier for someone to just write a program to play the game for them
    That's what I was talking about, no need to even touch the high score system
    I remember a video of a guy playing sky golf this way but can't find it anymore

  14. #14
    ....he's amazing!!! lesli_felix's Avatar
    Join Date
    Nov 2000
    Location
    London UK
    Posts
    1,507
    Cheating the game is a different matter entirely.

    You can make a lot of games easier by slowing them down. Just play on an old iMac. There are fixes for that as well though, just make sure your game is sensitive to its own framerate, or use frame independent animation/rendering (which is a good idea anyway)

    As for writing a piece of software to play your game for you... Seriously dudes, I'm more worried about them coming round my house, booting up my pc and hacking the fla directly.

  15. #15
    Elvis...who tha f**k is Elvis? phreax's Avatar
    Join Date
    Feb 2001
    Posts
    1,836
    Use a time based score and base it on Date().getTime. That way you really won't benefit from slowing the game down. You can also just use it to check that a score matches the time played for a level, ie. set a max of 567 points for every minute played on a specific level. Since the scores are usually ridiculous, as Lesli stated, it will weed out a lot of fake scores. You still need encryption and all the other tricks but it all helps
    Streets Of Poker - Heads-Up Texas Hold'em Poker Game
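
The server-side checks suggested in posts #5 and #15 (reject scores that do not fit the game state, cap points per minute played, and show suspected cheats a table only they can see), as an added example that is not code from any poster in this thread. It assumes the server issues a signed session token when a game starts and measures play time with its own clock; the per-level ceilings, function names and in-memory tables are hypothetical.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)      # lives only on the server, never in the SWF
MAX_POINTS_PER_MINUTE = 567               # per-minute cap quoted in post #15
MAX_SCORE_BY_LEVEL = {1: 1000, 2: 5000, 3: 20000}  # hypothetical per-level ceilings
public_board, shadow_board, used_tags = [], {}, set()

def _tag(player, started):
    msg = f"{player}|{started}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def start_session(player, now):
    """Called when a game starts: binds the player to a server-side start time."""
    started = int(now)
    return f"{player}|{started}|{_tag(player, started)}"

def check(token, score, level, now):
    """Return (player, verdict); the client's own clock is never consulted."""
    try:
        player, started, tag = token.rsplit("|", 2)
        started = int(started)
    except ValueError:
        return None, "bad token"
    good = hmac.compare_digest(tag.encode(), _tag(player, started).encode())
    if not good or tag in used_tags:
        return None, "bad token"
    used_tags.add(tag)                    # one submission per game session
    minutes = max(now - started, 0) / 60
    if score < 0 or score > MAX_POINTS_PER_MINUTE * minutes:
        return player, "too fast"
    if score > MAX_SCORE_BY_LEVEL.get(level, 0):
        return player, "level mismatch"
    return player, "ok"

def submit(token, score, level, now):
    player, verdict = check(token, score, level, now)
    if verdict == "ok":
        public_board.append((player, score))
    elif player is not None:              # suspected cheat: visible only to its sender
        shadow_board.setdefault(player, []).append((player, score))
    return verdict

def board_for(viewer):
    """Everyone sees the public table; a flagged player also sees their own entries."""
    rows = public_board + shadow_board.get(viewer, [])
    return sorted(rows, key=lambda r: r[1], reverse=True)
```

Because elapsed time comes from the server's clock, slowing the game down locally only lowers the score the cap will allow per real minute; a bot that plays the game legitimately, as discussed in posts #12 and #13, still passes these checks.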

  16. #16
    Senior Member hatu's Avatar
    Join Date
    Jan 2007
    Posts
    480
    What's the program that makes your code look like it's all squares and numbers and random commands?
    I tried what some games look like with a decompiler and I think that way most people would give up already.

  17. #17
    5+5=55 Schfifty Five's Avatar
    Join Date
    Jun 2006
    Posts
    698
    Quote Originally Posted by lesli_felix
    As for writing a piece of software to play your game for you... Seriously dudes, I'm more worried about them coming round my house, booting up my pc and hacking the fla directly.
    If there's any sort of prize given out for the highest score every month or whatever, then I wouldn't be surprised if someone did that, assuming the prize was worth their time.
    If it was the right type of game, it might not even have to be a program... someone could just download a macro program, record whatever the game required and play the macro a bunch of times really quickly and get a high score.

    Quote Originally Posted by hatu
    What's the program that makes your code look like it's all squares and numbers and random commands?
    I tried what some games look like with a decompiler and I think that way most people would give up already.
    You're probably thinking of:
    http://www.flashincrypt.com/

    Or you could Google "swf obfuscator" to find a bunch of similar programs.

  18. #18
    Custom User Title Incrue's Avatar
    Join Date
    Feb 2004
    Posts
    974
    As for writing a piece of software to play your game for you... Seriously dudes, I'm more worried about them coming round my house, booting up my pc and hacking the fla directly
    Many people already do that for other things like snes games or shockwave games, so it is possible but very unlikely because flash already is too easy to hack
