[nycphp-talk] Tamperproof URLs and PHP slides posted
Gary Mort
bz-gmort at beezifies.com
Wed Dec 12 13:38:37 EST 2007
Due to the nature of Flash, someone will always be able to reverse
engineer the code.
So how about this (if it doesn't slow things down too much):
When the game loads up, have the Flash program connect to the server and
provide it with some information (how about hashing the IP address,
username, and current score in some manner with a secret key).
So now you have some session information on the user: their username,
their IP address, and a score. In return, the server provides the client
with a new secret key.
Every 2 minutes, connect to the server again and provide the IP address,
username, and current score and a hash with the new key.
When the game is over, connect to the server and post the information a
final time: IP address, username, and current score, the hash, and the
status code (completed).
So now you have a sequence of records:
1.1.1.1 Gary 0 Hash: xxx newkey: abc
1.1.1.1 Gary 1000 Hash: xxx newkey: bcd
1.1.1.1 Gary 50000 Hash: xxx newkey: bcd
1.1.1.1 Gary 500000 Hash: xxx - final score
So you only accept a final score that has a history behind it. To
"repeat" the attack the hacker needs to run a new sequence of inputs.
So at best, for a game you know takes at least 10 minutes, he can only
submit 1 high score every 10 minutes.
Then if someone complains of cheating, you have logs to go through and
see if something jumps out, and how to change your final score
acceptance algorithm to accommodate.
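A server-side sketch of the checkpoint flow described above, added here as an example and not code from the post. It assumes PHP on the server, HMAC-SHA256 as the "hash", an in-memory array standing in for the session database, and the 10-minute minimum game length quoted in the post; the hash only ties each record to the session key, and it is the timed history that stops replayed final scores.

```php
<?php
// Added example, not from the original post. Assumptions: HMAC-SHA256 as
// the "hash", an array standing in for the session/score database, and
// a 10-minute (600 s) minimum game length as quoted in the post.
const MIN_GAME_SECONDS = 600;

function new_key(): string { return bin2hex(random_bytes(16)); }

// Client side: hash of IP address, username and score under the current key.
function client_hash(string $key, string $ip, string $user, int $score): string {
    return hash_hmac('sha256', "$ip|$user|$score", $key);
}

// Game start: record the session and hand the client its first key.
function start_game(array &$db, string $ip, string $user, int $now): string {
    $db[$user] = ['ip' => $ip, 'key' => new_key(), 'score' => 0,
                  'started' => $now, 'log' => []];
    return $db[$user]['key'];
}

// Periodic checkpoint: verify the record, append it to the history, rotate the key.
// Returns the new key, or null (with a log line) if the record is rejected.
function checkpoint(array &$db, string $ip, string $user, int $score, string $hash, int $now): ?string {
    $s = $db[$user] ?? null;
    if ($s === null || $s['ip'] !== $ip) { error_log("$user: no session or IP changed"); return null; }
    if (!hash_equals(client_hash($s['key'], $ip, $user, $score), $hash)) {
        error_log("$user: hash mismatch"); return null;
    }
    if ($score < $s['score']) { error_log("$user: score decreased"); return null; }
    $db[$user]['log'][] = [$now, $score];           // the audit trail for cheating complaints
    $db[$user]['score'] = $score;
    $db[$user]['key']   = new_key();
    return $db[$user]['key'];
}

// Final submission: only accept a score that has a plausible history behind it.
function finish_game(array &$db, string $ip, string $user, int $score, string $hash, int $now): bool {
    if (checkpoint($db, $ip, $user, $score, $hash, $now) === null) return false;
    $s = $db[$user];
    if (count($s['log']) < 2 || $now - $s['started'] < MIN_GAME_SECONDS) {
        error_log("$user: final score without enough history"); return false;
    }
    unset($db[$user]);   // accepted: store $score and $s['log'] as the high-score record
    return true;
}

// Usage: $key = start_game($db, $ip, $user, time());
//        $key = checkpoint($db, $ip, $user, 1000, client_hash($key, $ip, $user, 1000), time());
//        finish_game($db, $ip, $user, 500000, client_hash($key, $ip, $user, 500000), time());
```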