-
Top 10 problems!!!
Please help me resolve the problems of my Top 10 list. Yesterday someone hacked my top 10 and entered an impossible score with the name "careless, i still can hack this".
Where's the hole and how do I fix it?
Here's the address:
http://donkei.com/games/yoe/hard.htm
I got the original script from a flashkit tutor article and have modified it a bit.
TIA
-
check your score list. 
Do you want me to post the description here or send you a private message?
-rrrufusss
-
I think a PM is better, because I know I'm sooooooo amateur... I really don't have any deep knowledge about Flash because I have only just learned how to use it...
At least, don't laugh at my mistake, yah... kekkez (but I bet so many people will, hehehe...)
-
ok, done. Check your messages.
-
First of all, put an index page in your folder; then it's harder to find the files there.
-
SaphuA
Originally posted by Rrrufusss
check your score list. 
Do you want me to post the description here or send you a private message?
-rrrufusss
Actually I'm also interested in this... I always wanted to know how these people do this, and how to prevent it..
Can you PM me also, please?
SaphuA
-
Senior Member
The tutorial itself explains how to add scores by typing the variables into the address bar.
The first thing you could do is rename the scores.php and the scores directory to something not so obvious. Those could still be hacked from the swf, but not without proper tools.
Next, add some control variables. That would require rewriting the php too. For example, you could add up all the digits in the score and send that sum as a control value:
score=1234
score_sum=1+2+3+4=10
Now you have to check in the php script whether it has received the correct score_sum, and ignore the submission if not.
That too can be hacked, no question about it, but it would stop someone just typing stuff straight into the address bar.
-
Senior Member
Try using TEVAS to decrypt your URLs.
It currently does not work for Flash MX 2004.
-
Regarding the score_sum method:
You have to be tricky though, because if you create your score_sum based on the score that has been directly modified within the SWF, it will still appear to be valid.
I think there's got to be a way to do real-time protection against direct manipulation of the SWF. Some kind of random variable name generation or something, then check to make sure everything matches up internally. So, if the score suddenly changes, it's detectable immediately and you can halt the game or something..
-Rufus
btw, here's my little utility in action.
Last edited by Rrrufusss; 02-28-2004 at 03:15 PM.
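To make the two points above concrete (the score_sum control variable, and Rufus's caveat that a sum computed by the client proves nothing on its own), here is the check that scores.php would have to perform on the POSTed fields. This is an added example written in Python, not the thread's PHP script; the field names winname, winscore and winsum come from the Flash code later in the thread, while the max_score bound is a hypothetical addition that reflects the "impossible score" the original poster saw.

```python
"""Server-side control-variable check for a Flash high-score POST.

Added example, not scores.php: it shows in Python what the PHP script
would do with the POSTed fields winname, winscore and winsum.
"""


def digit_sum(score):
    """Sum of the decimal digits of the score, matching findsum() in the
    Flash code: 1234 -> 1 + 2 + 3 + 4 = 10."""
    text = str(score)
    if not text.isdigit():
        raise ValueError("score must be a non-negative integer")
    return sum(int(ch) for ch in text)


def validate_submission(form, max_score=None):
    """Return the accepted (name, score) pair, or None if the POST should
    be ignored.

    form is a dict of the POSTed fields, e.g.
    {"winname": "donkei", "winscore": "1234", "winsum": "10"}.
    max_score (hypothetical parameter) is the highest score the game can
    legitimately produce; anything above it is dropped regardless of winsum.
    """
    name = form.get("winname", "").strip()
    raw_score = form.get("winscore", "")
    raw_sum = form.get("winsum", "")
    if not name or not raw_score.isdigit() or not raw_sum.lstrip("-").isdigit():
        return None
    score = int(raw_score)
    if int(raw_sum) != digit_sum(score):
        return None  # control variable does not match: typed into the address bar
    if max_score is not None and score > max_score:
        return None  # the sum matched, but the score itself is impossible
    return (name, score)


if __name__ == "__main__":
    # Constructed sample POST bodies, as the PHP script would receive them.
    print(validate_submission({"winname": "donkei", "winscore": "1234", "winsum": "10"}))
    print(validate_submission({"winname": "donkei", "winscore": "1234", "winsum": "11"}))
    # The sum check cannot tell a client that read findsum() out of the swf
    # from an honest one; only the game's own score ceiling catches this.
    print(validate_submission({"winname": "x", "winscore": "999999", "winsum": "54"}))
    print(validate_submission({"winname": "x", "winscore": "999999", "winsum": "54"}, max_score=100000))
```

The last two calls illustrate Rufus's point: a submission whose winsum was computed on the client passes the sum check, so the only server-side signal left is a plausibility bound on the score itself. Deleting impossible scores once a week, as suggested further down the thread, is the manual form of that bound.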
-
If you have a database on your site, use that instead. It's much safer and it sorts everything automatically. MySQL is good, and free. And use POST, not GET, to send the variables.
-
Senior Member
Originally posted by Rrrufusss
Regarding the score_sum method:
You have to be tricky though, because if you create your score_sum based on the score that has been directly modified within the SWF, it will still appear to be valid.
I don't think it's possible to protect your game against direct swf manipulation. The things I pointed out earlier help you prevent someone simply adding a score by typing it into the address bar.
If however someone is capable of hacking into your game directly and changing the variables inside it, there is nothing you can do. The question is, why would anyone bother?
I'm sure if you spend enough time, you could make the direct hacking harder, but is this worth your time? If protecting the highscores is going to take more time than making the game, I say, forget it. Just delete the impossible scores once a week, because no matter how many clever little functions you add, the swf is still open to hackers.
-
Senior Member
Anyway, if you want to try out the sum, here's the modified php file.
In the Flash, use this code:
code:
on (release) {
    // Add up the decimal digits of the score, e.g. "1234" -> 10.
    // sum must start at 0: if it is left undefined, Number(undefined)
    // can produce NaN depending on the player version.
    function findsum(score) {
        var sum = 0;
        var text = String(score);
        for (var i = 0; i < text.length; i++) {
            sum += Number(text.charAt(i));
        }
        return sum;
    }
    scoretable.filename = "scores/demo.sco";
    scoretable.scoresize = 10;
    scoretable.action = "INSERT";
    scoretable.viewtype = "FLASH";
    scoretable.winname = _root.name;
    scoretable.winscore = _root.score;
    // The original passed the bare name winscore, which is undefined in
    // this handler; use the value just stored on scoretable instead.
    scoretable.winsum = findsum(scoretable.winscore);
    scoretable.loadVariables("scores1.php", "POST");
}
-
Please help me!!! Is there any way to prevent the hackers from writing .txt files to my site? Because he/she makes new .txt files in my score folder. The problem is that if I close the world permission to write + execute, my top 10 will not work properly.
How do I fix this??
Thanks a lot
Last edited by donkei; 03-01-2004 at 02:17 AM.
-
Do you always type as if you can't spell anything correctly?
-
Senior Member
Originally posted by donkei
Is there any way to prevent the hackers from writing .txt files to my site? Because he/she makes new .txt files in my score folder.
You could remove the new score file creation part from the php script:
// Create a blank file if it doesn't already exist
if (!file_exists($filename))
{
    $file = fopen($filename, "w");
    fclose($file);
}
-
I've tried to use what you suggested. THANKS a lot : )
Please check it again just in case there is a problem:
http://donkei.com/games/yoe/hard.htm
THANKS
-
It doesn't work.. I've tried to use your .php and Flash action.
I also use loadVariables to hide my .php and random names to make it difficult to search.
Mmm.... what's wrong?
-
Senior Member
Can't say what's wrong without knowing what you did.
-
Senior Member
Headers
Just a thought, not fully thought through though,
How about checking that getenv("HTTP_REFERER") or $HTTP_REFERER is the same as your domain/swf file? I haven't got a php server handy at the moment so the code could be buggy, but something like:
<?php
// Compare the page that sent the POST with the address of the game.
if (!isset($_SERVER['HTTP_REFERER'])
    || $_SERVER['HTTP_REFERER'] != "http://www.mydomain.com/mygame.swf") {
    exit;
}
?>
That should check that the page which called your 'savescores.php' script was from your domain/ip and was the SWF file.
Another idea (if you had a database) would be to load a 'number' from the DB and multiply all scores by this number. Then in your PHP script load the same number from the DB, check that the score is perfectly divisible by this number, and only then use the divided score.
if ($score % $multiplier == 0) {
    $score = $score / $multiplier;
} else {
    exit;
}
Every so often change this number.
These will not solve your problem completely, but will just make it harder/impossible for the lame hackers who want to mess up your scores.
Cheers
Ty
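Here are Ty's two checks, the referer test and the multiplier test, as a save-score handler would apply them together. This is an added example in Python, not Ty's PHP or the thread's savescores.php; the host name www.mydomain.com is taken from Ty's snippet, while the Referer header dict, the multiplier value and the handle_save function are constructed for the example. The check matches the referer's host rather than the exact SWF URL, so it works whether the browser reports the embedding HTML page or the SWF itself as the referer, and the multiplier is read from a function argument where the PHP would read it from the database.

```python
"""Referer and multiplier checks for a high-score POST handler.

Added example, not the thread's PHP. Both checks only raise the bar for
address-bar submissions: the Referer header is supplied by the client and
the multiplier can be read out of the swf, so they reject sloppy requests
rather than prove a score is genuine.
"""
from urllib.parse import urlsplit

# Hypothetical: the host(s) that serve the game's HTML page and SWF.
ALLOWED_HOSTS = {"www.mydomain.com"}


def referer_allowed(headers, allowed_hosts=ALLOWED_HOSTS):
    """True if the Referer header names one of our hosts over http(s).

    headers is a dict of request headers; a missing, malformed or
    foreign Referer is rejected.
    """
    ref = headers.get("Referer", "")
    try:
        parts = urlsplit(ref)
        host = (parts.hostname or "").lower()
    except ValueError:  # e.g. an unbalanced IPv6 bracket in the URL
        return False
    if parts.scheme not in ("http", "https"):
        return False
    return host in allowed_hosts


def unscale_score(raw_score, multiplier):
    """Undo the multiplier the SWF applied before sending the score.

    Returns the real score, or None if the value is not a whole multiple
    (which is what Ty's `$score % $multiplier == 0` test catches).
    """
    if multiplier <= 0 or not str(raw_score).isdigit():
        return None
    scaled = int(raw_score)
    if scaled % multiplier != 0:
        return None
    return scaled // multiplier


def handle_save(headers, form, multiplier):
    """Apply both checks to one request; None means 'do not save'."""
    if not referer_allowed(headers):
        return None
    return unscale_score(form.get("winscore", ""), multiplier)


if __name__ == "__main__":
    # Constructed request: the multiplier 7 stands in for the value the
    # PHP script would load from the database; 8638 is 1234 * 7.
    good = {"Referer": "http://www.mydomain.com/mygame.swf"}
    print(handle_save(good, {"winscore": "8638"}, 7))   # 1234
    print(handle_save(good, {"winscore": "1234"}, 7))   # None: not scaled
    print(handle_save({}, {"winscore": "8638"}, 7))     # None: no referer
```

Rotating the multiplier, as Ty suggests, only helps if the SWF and the script agree on the current value at submission time, so in practice the value has to be fetched by the game at start-up rather than compiled into it.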