PHP Security Blog Comments

Robin: Flash Game - 10000 of 900 possible points?!?!?

blog-admin@nopiracy.de (Robin) — Thu, 20 Dec 2007 09:22:59 +0000

As the flash can be disassembled, doesn't that effectively remove all possibilities to actually hash/encrypt on the flash side?

Keeping a state of all game actions might be a good idea, as it's harder to change/fake, but still possible I'll guess.

Norbert: Flash Game - 10000 of 900 possible points?!?!?

blog-admin@nopiracy.de (Norbert) — Sun, 16 Dec 2007 17:48:31 +0000

When you create something real like a car there is a constant battle between the designers and the engineers.

Compared to the web, many designers also try to do the engineering and most of them fail miserably. This highscore example looks to me as if someone who can program Flash also tried his basic knowledge in PHP.

Sometimes available programs are just a little adapted to integrate them into the own website - money matters for the CEO.

Another thing you can do beside encrypting the content is to embed a hash code / token in the Flash file and use this to encrypt/decrypt data and to use cookies / user agent for identification. This way you get a constantly changing key which is different for every client. Trying to manipulate the cookie or data will result in illegal data.

sickvicar: Flash Game - 10000 of 900 possible points?!?!?

blog-admin@nopiracy.de (sickvicar) — Sun, 16 Dec 2007 06:14:18 +0000

Instead of crypting the whole message, one might just add a checksum.. perhaps the md5(highscore+other variables+magic passphrase) to make it even slightly harder to send in just any desired highscore?

char0n: Flash Game - 10000 of 900 possible points?!?!?

blog-admin@nopiracy.de (char0n) — Fri, 14 Dec 2007 07:22:01 +0000

Well, right now i am working on some application called banner*r. The server side of application is written in PHP and client side is written in Flash. Comunication between client (flash) and server(php) is going throught XML PRC protocol. This xml rpc protocol is fully crypted. So Flash client send a crypted xml-rpc request, I decrypt it in PHP, and send encrypted response that Flash decrypt for its self. Of course HTTP comunication is transparent..but consist of binary 256bit crypted data. The point is it's gonna be very very difficult for someone to sniff comunication and to 'cheat' it.

Ian P. Christian: Flash Game - 10000 of 900 possible points?!?!?

pookey@pookey.co.uk (Ian P. Christian) — Thu, 13 Dec 2007 11:48:13 +0000

to answer my own answer.. this system doenst' make it that much better - just a hell of a lot harder

I've disassembled a flash movie myself to do this kind of thing, and it's certainly possible to hack even if the flash client is using cryptography the keys used for signing/encrypting the data has to be available to the flash client.

IIRC, the thing I disassembled pased a param to the flash client of a 'game_id', that was used as part fo the encryption process.... I assume that a game_id coudl only be used once. This only made it slightly harder of course, as you could fake a new game, get the ID and use that to submit your crafted response.

A skilled 'hacker' wouldn't have much problem disassembling flash and reverse engineering this kind of thing.

One idea I had would be for the game to keep telling the server it's current state, and the server could employ cheat detection algorithms to detect unlikely events happening in real time - and then stop the game from continuing.

pookey: Flash Game - 10000 of 900 possible points?!?!?

pookey@pookey.co.uk (pookey) — Wed, 12 Dec 2007 17:53:59 +0000

The server hosting the flash game won't send the request - the game will - so it will come from the users browser.

You would need to use cryptography to secure the URL params. There are crypto libraries for flash.

AVARD: Flash Game - 10000 of 900 possible points?!?!?

blog-admin@nopiracy.de (AVARD) — Wed, 12 Dec 2007 16:47:52 +0000

There is database component within flash isn't it? I haven't mess with flash lately, but if I remember correctly, you can connect to a db directly in your flash. no php needed. but again, I'm not sure 100%

fa: Flash Game - 10000 of 900 possible points?!?!?

fa@codeschmie.de (fa) — Wed, 12 Dec 2007 14:15:47 +0000

One way is to "capture" the game as a set of actions performed and save it on the server. You can replay it and verify that the player made legal moves in the game.

Evert: Flash Game - 10000 of 900 possible points?!?!?

evert@rooftopsolutions.nl (Evert) — Wed, 12 Dec 2007 13:57:05 +0000

The only secure way to protect the data, is by having the game-login also on the server and tracking the users' every move..

Curtis: Flash Game - 10000 of 900 possible points?!?!?

blog-admin@nopiracy.de (Curtis) — Wed, 12 Dec 2007 12:14:55 +0000

Checking for the server that sent the data? If it is not sent from the server running the flash file it would not be used. Or does it use the local ip when your running a flash file in a web browser?

I guess it is always possible to get past the protection though, personally I wouldn't trust the highscores on flash games.

Robin: Flash Game - 10000 of 900 possible points?!?!?

blog-admin@nopiracy.de (Robin) — Wed, 12 Dec 2007 09:08:21 +0000

What would be an appropriate way to protect the data? Is it even possible with flash?

Tijuan: Flash Game - 10000 of 900 possible points?!?!?

blog-admin@nopiracy.de (Tijuan) — Wed, 12 Dec 2007 08:37:09 +0000

That's a common mistake from developpers to think that the flash communication with the server is hidden.
I've heard many times that the choice of the flash technology had for purpose this supposed security advantage, wich of course is a total mistake, and probably is misunderstanding of HTTP.

People should play with firefox plugin "livehttpHeaders" (http://livehttpheaders.mozdev.org/) , they might understand that flash requests ARE totally transparent.

Gelangweilt: Flash Game - 10000 of 900 possible points?!?!?

blog-admin@nopiracy.de (Gelangweilt) — Wed, 12 Dec 2007 08:04:40 +0000

Schnarch...

Eine wasserdichte Absicherung dürfte unmöglich sein. Workaround: Verlosung

Alex: Flash Game - 10000 of 900 possible points?!?!?

blog@bitsploit.de (Alex) — Tue, 11 Dec 2007 20:09:37 +0000

Well, the normal way to cheat in Flash games ...

F0rg3: MOPB Exploits taken down

1nj3k0rf0rg3@gmail.com (F0rg3) — Wed, 05 Dec 2007 09:02:56 +0000

I just want to say that this is not going to stop people from learning and doing great things. I would strongly advice Mr Stefan Esser to move his work to the Netherlands for safe keeping and Hosting! I want to learn from Your Work, Its Awesome! Big Up.