[nycphp-talk] Tamperproof URLs and PHP slides posted

Gary Mort bz-gmort at beezifies.com
Wed Dec 12 13:38:37 EST 2007


Due to the nature of Flash, someone will always be able to reverse 
engineer the code.

So how about this (if it doesn't slow things down too much):
When the game loads up, have the Flash program connect to the server and 
provide it with some information (how about hashing the IP address, 
username, and current score in some manner with a secret key).

So now you have some session information on the user.  Their username, 
their IP address, and a score.  In return, the server provides the client 
with a new secret key.

Every 2 minutes, connect to the server again and provide the IP address, 
username, and current score and a hash with the new key.

When the game is over, connect to the server and post the information a 
final time: IP address, username, and current score, the hash, and the 
status code (completed).

So now you have a sequence of records:
1.1.1.1 Gary 0 Hash: xxx newkey: abc
1.1.1.1 Gary 1000 Hash: xxx newkey: bcd
1.1.1.1 Gary 50000 Hash: xxx newkey: bcd
1.1.1.1 Gary 500000 Hash: xxx - final score

So you only accept a final score that has a history behind it.  To 
"repeat" the attack the hacker needs to run a new sequence of inputs.  
So at best, for a game you know takes at least 10 minutes, he can only 
submit 1 high score every 10 minutes.

Then if someone complains of cheating, you have logs to go through and 
see if something jumps out, and how to change your final score 
acceptance algorithm to accommodate.
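
A server-side sketch of the checkpoint scheme described in the message above, added here as an example and not code from the original post. It assumes HMAC-SHA256 as the hash, a key that rotates on every accepted report, and a 600-second minimum game length; all function names, keys and sample values are constructed.

```php
<?php
// Added example, not from the original post. All names and values are constructed.
const BOOT_KEY = 'key-embedded-in-client';  // assumption: the first report uses a shipped key
const MIN_GAME_SECONDS = 600;               // "a game you know takes at least 10 minutes"

function sign(string $key, string $ip, string $user, int $score, string $status): string {
    // json_encode gives unambiguous field boundaries before hashing
    return hash_hmac('sha256', json_encode([$ip, $user, $score, $status]), $key);
}

function newSession(string $ip, string $user, int $now): array {
    return ['ip' => $ip, 'user' => $user, 'key' => BOOT_KEY, 'score' => 0,
            'start' => $now, 'log' => [], 'done' => false];
}

// Returns the next key for the client, '' when a final score is accepted, null on rejection.
function report(array &$s, int $score, string $status, string $mac, int $now): ?string {
    if ($s['done']
        || !hash_equals(sign($s['key'], $s['ip'], $s['user'], $score, $status), $mac)
        || $score < $s['score']) {
        return null;
    }
    if ($status === 'completed' && $now - $s['start'] < MIN_GAME_SECONDS) {
        return null;                        // no plausible history behind this score
    }
    $s['log'][] = [$now, $s['ip'], $s['user'], $score, $status]; // audit trail
    $s['score'] = $score;
    if ($status === 'completed') {
        $s['done'] = true;
        return '';
    }
    return $s['key'] = bin2hex(random_bytes(16)); // rotate: the old key no longer verifies
}

// Constructed run: two honest checkpoints, a report signed with a stale key,
// a final score submitted too early, then a final score with history behind it.
$t = 1197484717;
$s = newSession('192.0.2.10', 'Gary', $t);
$k1 = report($s, 0, 'playing', sign(BOOT_KEY, '192.0.2.10', 'Gary', 0, 'playing'), $t);
$k2 = report($s, 1000, 'playing', sign($k1, '192.0.2.10', 'Gary', 1000, 'playing'), $t + 120);
$stale = report($s, 500000, 'completed', sign($k1, '192.0.2.10', 'Gary', 500000, 'completed'), $t + 700);
$early = report($s, 500000, 'completed', sign($k2, '192.0.2.10', 'Gary', 500000, 'completed'), $t + 240);
$final = report($s, 500000, 'completed', sign($k2, '192.0.2.10', 'Gary', 500000, 'completed'), $t + 720);
var_dump($stale, $early, $final === '', count($s['log']));
```

The log kept in `$s['log']` is the record sequence the message lists, available for review if a score is disputed.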
