Failed – Safe high score list for Flash games with SWFEncrypt – not safe

Thanks for guycalledseven’s help. AVE Imperator can de-compile SWFEncrypt-ed files. I’m going to say bye bye to ASV.

SWFEncrypt looks very promising. I failed to decompile it with ASV, which is my all-time favorite Flash hacking tool. So here’s my attempt at building a “safe high score list”. Please try to hack it.

The old problem of building a safe high score list for Flash games is that:

  • the user can monitor the values posted to the back end. It’s easy to change the post data and thus change the score
  • if you try to encrypt the score, the encryption method can always be hacked by decompiling the swf file.

Since SWFEncrypt is pretty good (so far no one has said he can decompile it), encrypting the score with an encrypted swf is quite safe. Encrypting the whole Flash game is a bit risky: there’s a high chance that your game won’t run properly after encryption, and the encryption blows up the file size too. To avoid this, the encryption function is written into a small file, which is loaded into the main game at run time.

In this example, the encryption function generates a validation number based on the score. Both the score and the validation code are sent to the back end script (a PHP script). The back end script regenerates the validation code using the same method as in Flash and compares the two numbers. If the numbers don’t match, the score is not valid.

The encryption function is very simple but hard to figure out. There are other good methods like MD5 or SHA1, but I think they are a bit of an overkill (MD5 is not natively supported in Flash, so you need to write the algorithm in ActionScript).
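The check described above, as an added example (not the code from the post's source download): the post does not show its validation function, so HMAC-SHA256 with a key embedded on both sides stands in for it, and the field names `player`, `score` and `validation` are assumptions. It shows what the back-end comparison can and cannot detect.

```php
<?php
// Added example, not the post's code. The post does not show its validation
// function, so HMAC-SHA256 with an embedded key stands in for it (assumption).
const EMBEDDED_KEY = 'constructed-demo-key'; // the same key ships inside the client SWF

// The "same method as in Flash": both sides derive the code from the score.
function validation_code(string $player, int $score): string
{
    return hash_hmac('sha256', $player . '|' . $score, EMBEDDED_KEY);
}

// Back-end check: parse strictly, recompute, compare in constant time.
function accept_score(array $post): bool
{
    $player = $post['player'] ?? '';
    $score  = $post['score'] ?? '';
    $code   = $post['validation'] ?? '';
    if (!is_string($player) || !is_string($score) || !is_string($code)) {
        return false; // array-valued fields such as score[]=1 are rejected
    }
    if ($player === '' || !ctype_digit($score) || strlen($score) > 9) {
        return false; // no signs, decimals, exponents or integer overflow
    }
    return hash_equals(validation_code($player, (int) $score), $code);
}

// Constructed sample requests.
$genuine = ['player' => 'alice', 'score' => '1200',
            'validation' => validation_code('alice', 1200)];

// Post data edited in transit: score changed, original code kept.
$edited = $genuine;
$edited['score'] = '999999';

// Sent by anyone who holds the function and key from the client file.
$recomputed = ['player' => 'alice', 'score' => '999999',
               'validation' => validation_code('alice', 999999)];

$requests = ['genuine' => $genuine, 'edited' => $edited, 'recomputed' => $recomputed];
foreach ($requests as $name => $request) {
    printf("%-10s %s\n", $name, accept_score($request) ? 'accepted' : 'rejected');
}
```

The comparison rejects post data that was edited without recomputing the code, but it accepts any request built with the client's own function, so its strength rests entirely on that function staying hidden inside the SWF.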

Enjoy the >>source<<.

10 responses

  1. I don’t want to break your balls (I’ve sent you an email), but swf is open format. SWF encryptors can’t do much about it, except write code that is harder to read (obfuscate it like hell).

    The only solution I’ve found so far for secure highscores is sending them through https + remoting + encryption + multi fake calls to confuse the faker. With tools like ServiceCapture or Charles you can sniff practically anything.

    So actually… I haven’t found good solution yet. :)

  2. I feel socket can be a good way. xml socket plus https! Sigh, looks like there’s no easy way out. Stupid me…

  3. Hi,
    I saw your code, very nice, but I want fully secured score posting from Flash to PHP (I don’t want to display the HTTP in validation, score, player, etc.). Please help me.


  4. Hi,

    I can’t believe I’ve missed your post. I’ve just run into it.

    We do bypass SWFEncrypt with ASV, only after 3 months. (ASV 5.25 bypassed SWFEncrypt 4.0-4.02, ASV 4.28 bypasses 4.03-4.04).

    I hope you are at least keeping ASV.

    All the best,

  5. Maybe you could do this:

    Load from php file to the encryptor_secure.swf and there will be

    only seeable at the php file, and flash only loads them. Then nobody can’t know how they are encrypted?

    Hope this works 😉

  6. Ye, I found that too.

    What about this:

    So you load encryptor_secure.swf in your game.swf

    And what if you deny access to encryptor_secure.swf? Then nobody can’t see how they are encrypted.

    Tell me what you think 😉
