NYCPHP Meetup

NYPHP.org

[nycphp-talk] Tamperproof URLs and PHP slides posted

Nick Galbreath nickg at modp.com
Wed Dec 12 11:04:54 EST 2007


Hi John,
Great question.


Your general idea is sound, but sadly there is no such thing as a "secure
client".  If there were, every game client (unreal, wow, etc), IM client,
dvd player, cable tv box, xbox, iphone, etc would use it.  But these are
routinely cracked.

The only thing they do differently is to make is it 'real hard' to find the
secret key (and other "tricks" but by careful reverse engineering these can
all be broken)


So for your application, you can a do a few things.

1) The dumbest is to make a string like 't' + 'h' + 'i' + 's' ...
2) or even better use ascii numeric values... chr(34) + chr(75) to build a
string
3) and use indirection... make an array of values of numbers , and use these
to build the string
   chr(myarray[i])  (or make myarray be a function).
4) or consider making your secret key be an integer that it is the result of
a computation or iteration
secret = highscore;
for (i = 0; i < 10; i++)  secret *=  2 + Math.cos(5 + math.sin(secret))

This way the secret depends on the score it self.  The "secret" is the
function that both the client and server must implement identically. I just
made that up to give you an idea.

This will prevent the "strings" attacks.

  more advanced stuff for flash is

1) use byte code obfuscators.
2) I know a lot of spy ware has a small shell that loads another file that
is encrypted flash, then decrypts it then runs it.  Or something like that.

I'm not an expert on flash, but I'm sure if you look around on google you
can find off-the-shelf solutions for this.

But remember these are all hacks and a very determined person _could_ fake a
high score.  Hopefully it will be such a pain in the arse, no-one will
bother.


enjoy!

--nickg


On 12/12/07, John Campbell <jcampbell1 at gmail.com> wrote:
>
> Thanks for the presentation.
>
> I have a question that is related, but along different lines.  I have
> a flash game that saves high scores to the server and I want to
> prevent high scores from being forged.
>
> Initially the scores were send as a simple post request, e.g.
> name=john&score=1000.  This is a problem because it is trivial to
> forge the request.  So my solution was to create the post request as
> follows:
>
> name=john&score=1000&checksum= . md5(md5("My secret") . name . score)
>
> on the server side, I can verify the checksum.
>
> This works well enough, but an enterprising hacker can download my swf
> file and run `strings game.swf` to extract "My secret", and then they
> can forge the request. Is there any cryptography method that
> guarantees the request is coming from my code?
>
>
> Thanks,
> John Campbell
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20071212/102c22f5/attachment.html>


More information about the talk mailing list