Flash games hack, score is 49700?? How to improve flash games security?

Question

I have 2 flash games (written in as3). Both the highscore value being hacked. The normal range of each game score is not more than 5000 (normal users, will only get 2000 - 3000

Answer 1

If I wanted to hack your game I could decompile your game and find out the md5 "secret". Note that I put secret in quote marks, as the fact that it is provided in your flash game binary means that it is not actually a secret.

Its probably not possible to make your scores unhackable, all you can hope to do is make it harder.

Answer 2

You could to add some sort of RSA (asymmetric) encryption to your Flash apps. You would put the public key in your Flash app, and use the private key on the server side to decrypt the score sent.

This won't necessarily prevent a hacker from hacking your Flash App, but it will make it a bit more of a pain in the butt.

Here is an AS3 library for RSA encryption.

Outside that it'll depend on what server technology you're using (PHP, .Net, or whatever) as to how you implement the RSA on the other side.

It should be noted too that this question has already been answered.

Answer 3

You're ultimately trying to delay the time it takes for people to hack your system, or make it not worth their while. You could try adding a salt to the hash for a bit of extra complexity. This could be sent as a value to the flash game (add it as a parameter to the flash object in the HTML) and include that in the hash verification code. You could send some kind of session id or random number so it's always different. You could even generate two hashes by different methods and check them both.

Of course, don't discount the possibility that people have found a way to hack the actual game functionality. Or that they're just really good players...

Answer 4

Would not simply running the game on the server side prevent score hacking? If the game is being run as a random game then you send the random values to the user's browser there wouldn't be much sense in them attempting to cheat,even de-compiling the flash file wouldn't give them an advantage.

Answer 5

It's not really possible to make your score validation secure if it runs entirely on the client side. You have to do at least part of it on the server side for it to be even remotely secure. I see 2 ways of doing this:

• you send periodic score updates to the server and on the server side you check that the score didn't jump "too much" (to be defined in the context of your game). If it "jumped" you can safely assume the player is hacking.

• you send the entire game movement sequence (along with any random spawns or whatever ai events) to the server with the score at the end and verify that the score is actually accurate. This will obviously not work for every game, but for some games it can work. You didn't say anything specific about your game so I'll leave this here.

Answer 6

By far the easiest method, and hardest to defeat in Flash is to use CheatEngine to simply search for the memory location that stores the score, then change the value to whatever you want. All the server-submit hashing/salting/verification in the world won't fix that because your game thinks it's valid before it packages it up in a nice valid hash for submission.

You can do 'sanity checks' on the scores if they will always fall within predefined values, but even then a determined hacker could simply suss out what the maximum allowed values is and always submit that value.

You could attempt to obfuscate your score values in memory to make them harder to find with CheatEngine, for example storing them as a multiplied value, then in your getters and setters for the score value, include a multiplication/division of the values to get/set the proper score for your views and score submission widgets. Even this is only a stall tactic though.

Unless bogus scores are costing you money, either don't worry about wasting time on the .01% of people who are cheating, or just moderate your score tables manually.

The key thing to consider in preventing cheating is: 'How much does this really matter?' If you're running some kind of high score based competition with a cash prize, then it's a pretty high priority. If you're just miffed that some random person is messing up your high scores table, it's not worth your time to stop them, just check it once a week and drop the bad scores.