Hacking Game Hiscore Tables?

Like tidenburg said, first thing is to make sure it is actually your game that is trying to save highscore. Its way to easy to send something from completely different application. Flash can be used to post data on your php script, decompile original swf, take the score sending function, replace score with whatever number, build new swf and its done.

Another easy hack is to load game swf into new custom swf and change score from there. It can be surely avoided, just not many developers bother to think about it (if this != _level0).

Its also good to have random numbers. If you cant use sessions, you can still have variables inserted into html Query String which can be used as key when encrypting. Not much of course, but hackers need to figure it out so helps again .

Or you can load the encryption data as bitmaps and use pixel values for encryption. I mean strings are easy to figure out, but to understand how the data is retreved from pixels in bitmap, you really need to dig into the matter with some pretty good understanding how Flash works.

You can never completely shut away every possible hacker, but you can surely make their life much more difficult with all the little things. Every step counts toward hacker losing interest and giving up. Someone may program their own special browser with their own special Flash Player just to hack the highscore in your game if they have lots of time, patience and knowledge. But most hackers are simply kids poking around, if they cant break it quickly enough, they will find another game which they can break.

In the end I have found most "fake" highscores use game itself to get scores up. Every game has bugs, some timer might be not reset (good old right-click and play bug), some button becomes visible when you resize the game or there is one bloody enemy being hit over and over again (I bet you have not tested the game under Linux, Flash Players are not exactly same for every OS). For example time based reflex games that count frames and not real time, can be slowed down so they are extremely easy to play. No matter how much you test, someone still finds a weird bug you never expected to happen in your game.

Tonypa I dont know how you protect your games but ive never seen a suspicous score on there (except keyway). (your site has been made the new game site which we all go on in ICT.

webgeek, can you please explain a bit more about what is

Quote:

---

Then to add a little misdirection, go ahead and scatter the score all over as normal integer variables.

---

And

Quote:

---

If it's a good encryption you don't need to worry about them breaking it. Simple as that. Using a real scheme like AES and then you KNOW the encryption is safe and you just need to protect the key. Many of the good obfuscators are capable of hiding strings in code very well.

---

I am not sure i understand how the ecryption can be safe inside a swf, cant someone decompile it it see how it works?
And as for obfuscators hiding strings in code,it is something like 'the secret vars' in Zinc?I mean, once the swf is decompiled isnt easy to find those vars?
And as for PHP not being secure, it would be better to change it for ASP?
(That would be a pleasure, PHP is a very mesy and unorganized language and i am not fanatic lover of all those open source metality like 'lets all work for free and cry for donations' )

This has a lot more potential then make a highscore safe, if instead of send the highscore data you send a byteArray of the whole game

Quote:

---

webgeek, can you please explain a bit more about what is

Quote:

---

Then to add a little misdirection, go ahead and scatter the score all over as normal integer variables.

---

---

You could have one part be in a global variable, one part in the root, one part in another movie clip, etc. Just moving the variable around makes it MUCH harder for hackers to find. If you change it's location regularly, then it's even worse for them.

Quote:

---

am not sure i understand how the ecryption can be safe inside a swf, cant someone decompile it it see how it works?

---

A good encryption scheme isn't made weaker by someone knowing how it was encrypted. RSA, 3DES, AES, etc. are all fully understood and publicly available schemes. The only thing that needs to be protected is the "key" itself.

Quote:

---

And as for obfuscators hiding strings in code,it is something like 'the secret vars' in Zinc?I mean, once the swf is decompiled isnt easy to find those vars?

---

I've not used that ability in Zinc so I can't say. I do know that many of the obfuscators mangle strings so it would be very difficult to re-create it even after decompiling it (if you even could).

Quote:

---

And as for PHP not being secure, it would be better to change it for ASP?

---

PHP itself isn't insecure. The problem is that many PHP developers don't put any thought to security and so create gaping holes in their applications.

Quote:

---

(That would be a pleasure, PHP is a very mesy and unorganized language and i am not fanatic lover of all those open source metality like 'lets all work for free and cry for donations' )

---

I wouldn't call ASP much better unless you are talking about ASP.NET which is quite a bit more organized.

Hi, I just confirmed that hackers were manipulating the data stream, not going directly to my hiscore script. I put in a few checks to see what was going on. Today there were two attempts that I blocked. This really sucks, especially that making a multiplayer game is hard enough as it is. My poor little game is being abused :)

Quote:

---

Originally Posted by tomsamson

sorry to be bummer boy but its very easy to read and edit shared objects files.

---

How are SharedObjects viewed/edited?

The game I'm currently working on uses SharedObjects as it's save tool, are there any steps you can take to limit this?

the last game portal used to watch players

I mean, after the game you send the score, but the flash also send time of the game, the hour of day, so we can see who cheats and erase that score, I know this int so secure, but for that small portal worked

The use to gie prices like playstations

Also, make sure they have gained a highscore before you even let them see an input. Most games let you submit anyway, even when theres no point.

Quote:

---

I do know that many of the obfuscators mangle strings so it would be very difficult to re-create it even after decompiling it (if you even could).

---

What is mangle a string?

Basically the obfuscator "encrypts" the string in the SWF and it gets decrypted as needed on the fly. This is done via some very tricky techniques in the byte code. It's not perfect but it's pretty damn good.

You mean, they hide it inside the junk bytes?

No idea for sure. I've never really looked into it. I just know that if you decompile the SWF the string won't be in plain text.

Can you tell what obfuscators does that?

Not off the top of my head, sorry.

why would anyone want to hack a high score table anyway. I mean low of a life do you need to have to want to get a fake high score in a flash game.... Dummies... hack something effective...

Quote:

---

Dummies... hack something effective...

---

Hack something effective? How about just don't hack anything at all? Until the people that get a kick out of dominating high score boards with fake scores move on, it's up to us to protect ourselves. To that end, it's important that we avoid obvious exploits like SQL injection.

Ok, i have looked at genable actionscript obfuscator and swf encrypt 4 and could not find, in the help files,how to hide the key.Maybe i should look for it in another obfuscator?

Just obfuscate it and they should do it automatically.

Thats all???
Now i am confused

What will prevent thiefs to find the key when they get rid of the obfuscation?