Failed – Safe high score list for Flash games with SWFEncrypt – not safe
Thursday 24 May 2007 - Filed under Experimental
Thanks to guycalledseven for the help. AVE Imperator can decompile SWFEncrypt-ed files. I’m going to say bye bye to ASV.
SWFEncrypt looks very promising. I failed to decompile it with ASV, which is my all-time favorite Flash hacking tool. So, here’s my attempt at building a “safe high score list”. Please try to hack it.
The old problem of building a safe high score list for Flash games is that:
Since SWFEncrypt is pretty good (so far no one has said he can decompile it), encrypting the score with an encrypted SWF is quite safe. Encrypting the whole Flash game is a bit risky. There’s a high chance that your game won’t run properly after encryption. Besides that, the encryption blows up the file size too. To avoid this, the encryption function is written into a small file that is loaded into the main game at run time.
In this example, the encryption function generates a validation number based on the score. Both the score and the validation code are sent to the back end script (a PHP script). The back end script regenerates the validation code using the same method as in Flash and compares the two numbers. If the numbers don’t match, the score is not valid.
The encryption function is very easy but hard to figure out. There are other good encryption methods like MD5 or SHA1, but I think that’s a bit overkill (MD5 is not natively supported in Flash; you need to write the encryption algorithm in ActionScript).
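The server-side half of the check described above, as an added example that is not the post's own source: it uses HMAC-SHA256 in place of the post's custom function and adds a single-use nonce so a captured score/code pair cannot be resubmitted. `SCORE_KEY`, `issue_nonce()`, `validation_code()` and `verify_score()` are hypothetical names, and the key and submissions are constructed.

```php
<?php
declare(strict_types=1);

// Constructed key for the demo. In the post's design the same secret also
// ships inside the client SWF, so it stays secret only until someone
// decompiles that file.
const SCORE_KEY = 'constructed-demo-key-not-a-real-secret';

// Issue a single-use nonce when a game session starts. $store stands in
// for the PHP session or a database table (assumption for this example).
function issue_nonce(array &$store): string
{
    $nonce = bin2hex(random_bytes(16));
    $store[$nonce] = true;
    return $nonce;
}

// What the client is expected to compute: a keyed MAC over nonce and score.
function validation_code(string $nonce, int $score): string
{
    return hash_hmac('sha256', $nonce . '|' . $score, SCORE_KEY);
}

// Regenerate the code on the server and compare it with the submitted one.
function verify_score(array &$store, string $nonce, string $rawScore, string $code): bool
{
    // Accept only plain non-negative integers of bounded length.
    if (!preg_match('/^\d{1,9}\z/', $rawScore)) {
        return false;
    }
    // Unknown or already used nonce: reject, which blocks replayed requests.
    if (!isset($store[$nonce])) {
        return false;
    }
    unset($store[$nonce]);
    // hash_equals() compares in constant time.
    return hash_equals(validation_code($nonce, (int) $rawScore), $code);
}

// Constructed submissions: a valid one, the same one replayed, an edited score.
$store = [];
$n1 = issue_nonce($store);
$code = validation_code($n1, 1200);
var_dump(verify_score($store, $n1, '1200', $code));
var_dump(verify_score($store, $n1, '1200', $code));
$n2 = issue_nonce($store);
var_dump(verify_score($store, $n2, '999999', validation_code($n2, 1200)));
```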
Enjoy the >>source<<.
2007-05-24 » 5566

24 May 2007 @ 11:43 pm
I don’t want to break your balls (I’ve sent you an email), but SWF is an open format. SWF encryptors can’t do much about it, except write code that is harder to read (obfuscate it like hell).
The only solution I’ve found so far for secure highscores is sending them through https + remoting + encryption + multi fake calls to confuse the faker. With tools like ServiceCapture or Charles you can sniff practically anything.
So actually… I haven’t found a good solution yet.
24 May 2007 @ 11:48 pm
Oops, I forgot to mention XML socket servers. You can have score logic in the server part of the game so it never comes to the client in the SWF.
25 May 2007 @ 10:43 am
I feel socket can be a good way. xml socket plus https! Sigh, looks like there’s no easy way out. Stupid me…
31 May 2007 @ 1:12 pm
Hi,
I saw your code, very nice, but I want fully secured score posting from Flash to PHP (I don’t want to display the HTTP in validation, score, player, etc.). Please help me.
saravana
14 August 2007 @ 4:31 am
Hi,
I can’t believe I’ve missed your post; I’ve just run into it.
We do bypass SWFEncrypt with ASV, only after 3 months. (ASV 5.25 bypassed SWFEncrypt 4.0-4.02, ASV 4.28 bypasses 4.03-4.04).
I hope you are at least keeping ASV.
All the best,
Burak
21 December 2007 @ 12:28 pm
It always says “High score rejected” and I’m not trying to cheat.
12 September 2009 @ 5:08 pm
Maybe you could do this:
Load from php file to the encryptor_secure.swf and there will be
$n1=1987;
$n2=7;
$n3=15;
$n4=3;
only visible in the PHP file, and Flash only loads them. Then nobody can know how they are encrypted?
Hope this works
13 September 2009 @ 1:56 am
@solution man, when you load the numbers from PHP, it’s very easy to get the info on what you are loading.
13 September 2009 @ 2:34 pm
Ye, I found that too.
What about this:
So you load encryptor_secure.swf in your game.swf
And what if you deny access to encryptor_secure.swf? Then nobody can see how they are encrypted.
Tell me what you think