Thread: [F8] Ginkei2 [beta]

  1. #1
    Member
    Join Date
    Aug 2004
    Location
    UK
    Posts
    88

    [F8] Ginkei2 [beta]

    Hey! see what you think of this...

    http://www.robotnic.co.uk/ginkei2/

    the ship follows the mouse, hold left button for rapid fire.

    known issues - occasionally when multiple enemies are on screen the second enemy will lock - you need to ditch the movie to fix it - I'm working on it but it's very intermittent. I would be interested in your feedback...

    thanks
    tiny
    Last edited by tiny_legoman; 07-25-2007 at 08:43 PM.
    http://robotnic.co.uk/
    -----------------------------------------

  2. #2
    Senior Member
    Join Date
    Apr 2005
    Posts
    467
    I think the ships are too big, it feels crowded with only two ships, so I don't want to imagine more. Background ain't too bad but you could maybe add other stuff (clouds,...). Tons of examples of similar jobs are to be found on the net, so get inspired.
    Hope nobody knows I am still on Flash 5
    ______________________________________
    All artists are prepared to suffer for their work
    but why are so few prepared to learn to draw?(Banksy)

  3. #3
    Member
    Join Date
    Aug 2006
    Posts
    56
    Pretty cool. A way to see how many more hits you can take would be nice, though. ...at least, I didn't notice it if there was one.

  4. #4
    Developer
    Join Date
    Apr 2007
    Location
    UK
    Posts
    324
    Nice game. I'm hating the slow movement though. If the ship were controlled with the keys that would make more sense since the keys in my mind would give you constant movement but with the mouse it'd be better if it would follow the mouse's speed as well as direction.

  5. #5
    Senior Member webgeek's Avatar
    Join Date
    Sep 2000
    Posts
    1,356
    The game played fine for me, but quite a bit slower than I like. The framerate felt quite low as well.

    Also, while it looks like you are using XML.send or some such to save your high scores, the data is actually getting passed via URL parameters. Consequently, your high score board is VERY vulnerable to hackers. I posted a fake score to illustrate this.

  6. #6
    Member
    Join Date
    Aug 2004
    Location
    UK
    Posts
    88
    Quote Originally Posted by webgeek
    The game played fine for me, but quite a bit slower than I like. The framerate felt quite low as well.

    Also, while it looks like you are using XML.send or some such to save your high scores, the data is actually getting passed via URL parameters. Consequently, your high score board is VERY vulnerable to hackers. I posted a fake score to illustrate this.
    it was getting late last night! - normally code php for serverside xml parsing, however, I only have IIS based servers spare to host db applications so I went with classic ASP. I tried to get it going but it turns out I only have the DOM object installed on my server, which I'm not familiar with - need to do a bit of reading up. anyway - question - I'm not familiar with the methods you use to see the requests from the movie, would you be able to grab the raw post data from the request if I was sending XML? if there are technical reasons why I can't parse xml server side, do you have any suggestions of methods to protect myself?? If you can grab the raw post data surely you could create a movie that made the same post, I have crossdomain.xml on this server as a legacy from previous applications...

  7. #7
    Member
    Join Date
    Aug 2004
    Location
    UK
    Posts
    88
    cheers guys for the feedback so far, I'm going to make the ships smaller, I was kinda using the shield as a hit indicator, but I think eldiran is right it's not obvious enough, I'll also bump up the frame rate a little, I wanted to avoid using key controls as I don't particularly like key control games, I was kinda inspired by some DS games I've been playing with the stylus (same sort of thing maybe!?). I also thought having the ship move exactly on the mouse simplified it a little, with a lag I felt it posed more of a challenge!?

  8. #8
    Senior Member webgeek's Avatar
    Join Date
    Sep 2000
    Posts
    1,356
    I'm not familiar with the methods you use to see the requests from the movie, would you be able to grab the raw post data from the request if I was sending XML?
    I simply used the Ethereal packet sniffer and told it to capture all TCP traffic on port 80 when I submitted the high score. It captured your post request to the server including the XML you are sending (some little blurb with <score> in it) and all the rest. Sending XML doesn't really do anything in itself to prevent hackers.

    The only thing it does is make it a bit more of a hassle to fake because Flash doesn't send POSTed XML properly, it's supposed to be name/value pairs but Flash doesn't send a name for the XML, it just sends it raw. This means that you can't use an HTML page to fake the post, you'd need to use a script.

    if there are technical reasons why I can't parse xml server side, do you have any suggestions of methods to protect myself??
    Even if you do send XML, you need to protect yourself. The easiest/most effective approach is to use SSL (which prevents sniffing) and obfuscate your SWF (which prevents decompiling). Those two steps will stop pretty much all hackers in their tracks.

    If you can grab the raw post data surely you could create a movie that made the same post, I have crossdomain.xml on this server as a legacy from previous applications...
    If the data is capturable/readable then you can create a new SWF file to fake it. Crossdomain.xml files only affect the SWF, not the server and so would have no bearing on preventing the server from accepting a score. If you run a SWF locally, it doesn't use the crossdomain.xml file anyways.

  9. #9
    Member
    Join Date
    Aug 2004
    Location
    UK
    Posts
    88
    thanks man! very useful, however, SSL isn't really practical. I've been pondering on an alternative, which I'll try and get working this evening, would you mind if I call on your expert hacking skills once again to see if you can break it!? I'll post again when I get it working...

  10. #10
    Senior Member webgeek's Avatar
    Join Date
    Sep 2000
    Posts
    1,356
    I posted some topics on this in my blog:
    Prevent High Score Board Hacks, Ensuring Data Integrity Between a Client and Server and Encrypting Variables in Memory.

    I still suggest you use SSL but if that's not an option (no idea why that would be the case, it's super cheap these days) then the second article covers how to use a cryptographic hash to digitally sign the data itself. This is a good way to ensure they don't change the data itself. There are simpler ways to do it (like a checksum digit), but this is a very secure technique and variations of it are used in many commercial systems.

    would you mind if I call on your expert hacking skills once again to see if you can break it!?
    Expert... being called that depresses me because I know that I have just enough knowledge to realize how vulnerable all our games really are. The real experts cut through any protection we can think of like a hot knife through butter. Anyways, I'll be glad to help in any way I can. Thanks!

  11. #11
    Junior Member
    Join Date
    Jul 2007
    Posts
    10
    Nice game, seems too many animations there, the small dot moving around the ship, that will slow down the game's performance.

  12. #12
    Member
    Join Date
    Aug 2004
    Location
    UK
    Posts
    88
    this should be considerably more secure now!! if you want to try and hack the leaderboard be my guest. It's interesting when you start to look into the security methods it does give you an understanding of how to hack things and that there isn't a great deal that can be done that can't be reversed. I haven't made it hack "proof", but I reckon it's gone from a 5 minute job to maybe a couple of hours...

    Quote Originally Posted by webgeek
    Expert... being called that depresses me because I know that I have just enough knowledge to realize how vulnerable all our games really are.
    stop being coy, I found your blog really useful!!

  13. #13
    Senior Member webgeek's Avatar
    Join Date
    Sep 2000
    Posts
    1,356
    I found your blog really useful
    I'm glad to hear it!
    if you want to try and hack the leaderboard be my guest.
    Done. Took about 30 minutes due to several false starts. Check out the score "Easy", that was hacked. Here is what I did to try and break it:

    1) I played normally and then I packet-sniffed a score submission and saw you added in a checksum. I didn't even bother trying to fake a submission because I figured you would have tested your code properly. For all intents and purposes, this shuts down all of the "url" hacks which are very common and easy. From this point on, you have to attack either the SWF or the server.

    2) I pulled down your SWF file and broke it open with Flasm. Then I made all of your URLs fully-qualified so I could run the SWF in the debug player off my desktop (did this by just skimming the file until I saw you were using ASP and then searching for the .asp files). I also made sure that I had the Flash player security settings set in such a way as to properly load/save the scores remotely and not be blocked even though you don't have a crossdomain.xml file in the root (I checked). Then I set the score and enemy kills arbitrarily high and played the game till I could submit a score. This failed which led me to think you had something in there accounting for either enemies killed or time played.

    3) As a quick attempt, I simply increased the number of lives I had at the beginning and played till I had a nice and high score normally. This submitted properly and worked.

    The next step a real hacker would do is establish the relationship between time played and score/ships destroyed if one exists. This would let them narrow down what it takes to hack the game to the smallest possible time.

    Anyways, to prevent all that I did, you would need to obfuscate your SWF file so Flasm wouldn't be able to give me anything useful. A good decompiler could have been used instead of Flasm, but it's free and very powerful so it's my preference.

    Another trick that would make hacking it MUCH harder would be if the checksum you generated with MD5 included the values of some important variables. Basically, the initial score (0), the initial number of lives (3), the initial number of ships destroyed (0), etc. Both the server and the client know those values so they make a good key. By doing that, you would make it dramatically harder to hack even without obfuscation. The checksum would always fail if someone increases those values from their default. Make sense?

    Anyways, it's significantly harder than before but still pretty easy for anyone used to beating up Flash games. Have fun!
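
Added example (not code from the thread or from webgeek's blog): a server-side check for the idea in posts #10 and #13, where the checksum also covers the game's starting values. It uses HMAC-SHA256 in place of the MD5 checksum mentioned in the thread; the key, field names and sample submission are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed values for illustration; not taken from the game in the thread.
SHARED_KEY = b"example-key-embedded-in-client"
SERVER_INITIAL_STATE = {"score": 0, "lives": 3, "ships_destroyed": 0}


def _canonical(fields: dict, initial_state: dict) -> bytes:
    """Serialize the submission plus starting values unambiguously."""
    return json.dumps([fields, initial_state], sort_keys=True,
                      separators=(",", ":")).encode("utf-8")


def client_sign(fields: dict, client_initial_state: dict) -> str:
    """What the game client computes from the values it actually started with."""
    msg = _canonical(fields, client_initial_state)
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def server_verify(fields: dict, mac_hex: str) -> bool:
    """Recompute the MAC with the server's own starting values and compare."""
    msg = _canonical(fields, SERVER_INITIAL_STATE)
    expected = hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes so odd input cannot raise or leak timing.
    return hmac.compare_digest(expected.encode(), mac_hex.encode())


def demo() -> dict:
    submission = {"name": "player1", "score": 4200, "ships_destroyed": 37}
    defaults = {"score": 0, "lives": 3, "ships_destroyed": 0}
    honest_mac = client_sign(submission, defaults)
    # Same submission, but signed by a client whose starting lives differ.
    altered_mac = client_sign(submission, dict(defaults, lives=99))
    # Score changed after signing while the original MAC is reused.
    edited = dict(submission, score=999999)
    return {
        "honest": server_verify(submission, honest_mac),
        "altered_start": server_verify(submission, altered_mac),
        "edited_in_transit": server_verify(edited, honest_mac),
    }


if __name__ == "__main__":
    print(demo())
```

Because the key ships inside the client, this covers the data on the wire and changed starting values only; it does not cover a client whose own code has been edited.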

  14. #14
    Member
    Join Date
    Aug 2004
    Location
    UK
    Posts
    88
    gimme one more shot - I've been reading up on public and private keys and seeding....

  15. #15
    Senior Member webgeek's Avatar
    Join Date
    Sep 2000
    Posts
    1,356
    Sorry, I don't have time to look at it right now. With that said, the problem wasn't the data going over the wire, your MD5 system works great. The problem was that I edited the SWF itself to let me get a high score. Changing to some public key/private key system will make no difference in that.
