Flash games hack, score is 49700?? How to improve flash games security?

Question

I have 2 flash games (written in as3). Both the highscore value being hacked. The normal range of each game score is not more than 5000 (normal users, will only get 2000 - 3000

Answer 1

If I wanted to hack your game I could decompile your game and find out the md5 "secret". Note that I put secret in quote marks, as the fact that it is provided in your flash game binary means that it is not actually a secret.

Its probably not possible to make your scores unhackable, all you can hope to do is make it harder.

Answer 2

It's not really possible to make your score validation secure if it runs entirely on the client side. You have to do at least part of it on the server side for it to be even remotely secure. I see 2 ways of doing this:

• you send periodic score updates to the server and on the server side you check that the score didn't jump "too much" (to be defined in the context of your game). If it "jumped" you can safely assume the player is hacking.

• you send the entire game movement sequence (along with any random spawns or whatever ai events) to the server with the score at the end and verify that the score is actually accurate. This will obviously not work for every game, but for some games it can work. You didn't say anything specific about your game so I'll leave this here.

Answer 3

The cryptographic system you are using is very similar to an HMAC, but yours implementation is less secure. The md5 algorithm is a broken, however your MAC is immune to the prefixing attack to generate hash collisions because the beginning of the your secret. The attacker must be able to control the beggaring of the string in order to create a hash collision.

TamperData is a very useful hacking tool to Modify/Capture/Replay traffic that comes from the browser. So you should prevent against replay attacks by authenticating the current date and time: hmac(secret,date_time.score.username).

The hackers are probably using a SWF Decompiler to find the value of your secret in the SWF file. In order to counter this you should try and bury the secret using a SWF obfuscation such as http://www.amayeta.com/.

None of this is a "silver bullet", this just makes it more difficult for the hacker. A hacker will always be able to modify his or her score because you are trusting the client to tell you the correct score. Even if you made the recommended changes you would still be in violation of CWE-602.

Answer 4

You're ultimately trying to delay the time it takes for people to hack your system, or make it not worth their while. You could try adding a salt to the hash for a bit of extra complexity. This could be sent as a value to the flash game (add it as a parameter to the flash object in the HTML) and include that in the hash verification code. You could send some kind of session id or random number so it's always different. You could even generate two hashes by different methods and check them both.

Of course, don't discount the possibility that people have found a way to hack the actual game functionality. Or that they're just really good players...

Answer 5

What I was thinking was that since the game appear's to require authentication I would assume that there are calls that require a get user name and other info.

Discussing the matter from another developer thir advice was to use Ajax components. Idk.

Most hackers will find a way to get around most security issues the best way is to prevent them from sending anything back to the server other than what is required for the game to function.

Has anyone used random based on the amount of negative memory available? instead of looking for the specific memory location with those softwares.

Why not send multiple bogus values to mem and derive the outcomes based on open memory locations?

Please don't attack me for this suggestion I am a learner like most others.

Answer 6

As you said depending on what is being done to hack this there are different holes to fix. As you are sending the actual information in your message, and "secret" is contained in the code it becomes a much easier target. Some of the things you could do to improve security

• Use a different hash function, MD5 has known flaws it is possible to create messages with the same signature without knowing the content, SHA1, SHA2 offer higher security, this will prevent an attack through a weakness of MD5

• Make the 'secret' unique to each message, ie. send it from the server for each posting, this will prevent people from reusing the same hash over and over again, and make it harder to look at the code and create the hash

• Hash the result multiple times e.g. value = hash(hash(hash(...,salt),salt),salt) this won't help if people are decompiling your program but it will help if they are just trying to recreate the hash by itself.

• Look for software to protect your SWF against decompilation, i don't do much flash so I don't have any reliable links for that