我说的是一款没有得分上限的动作游戏,也没有办法通过重玩动作等方式来验证服务器上的分数。
我真正需要的是在Flash/PHP中最强的加密,以及一种防止人们调用PHP页面而不是通过我的Flash文件的方法。我在过去尝试了一些简单的方法,对一个分数进行多次调用,完成一个校验和/斐波那契序列等,也用Amayeta SWF加密混淆SWF,但他们最终都被黑客入侵了。
感谢StackOverflow的响应,我现在从Adobe找到了更多的信息- http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps_12.html和https://github.com/mikechambers/as3corelib -我认为我可以使用加密。但我不确定这是否能让我绕过CheatEngine。
我需要知道AS2和AS3的最佳解决方案,如果它们是不同的。
主要的问题似乎是TamperData和LiveHTTP报头,但我知道还有更高级的黑客工具,比如CheatEngine(感谢Mark Webster)
当前回答
你可能问错了问题。你似乎专注于人们通过游戏获得高分的方法,但阻止特定的方法也仅此而已。我没有TamperData的经验,所以我不能说。
你应该问的问题是:“我如何验证提交的分数是有效和真实的?”具体方法取决于游戏。对于非常简单的益智游戏,你可能会发送分数以及特定的开始状态和导致结束状态的移动顺序,然后在服务器端使用相同的移动重新运行游戏。确认陈述的分数与计算的分数相同,只有在两者匹配时才接受分数。
其他回答
在接受的答案中,tqbf提到你可以对分数变量进行内存搜索(“我的分数是666,所以我在内存中寻找666这个数字”)。
这是有办法的。我在这里有一门课:http://divillysausages.com/blog/safenumber_and_safeint
基本上,你有一个对象来存储你的分数。在setter中,它将您传递给它的值与一个随机数(+和-)相乘,而在getter中,您将保存的值除以随机乘数以获得原始值。这很简单,但有助于停止记忆搜索。
另外,看看PushButton引擎背后的一些人的视频,他们谈论了一些对抗黑客的不同方法:http://zaa.tv/2010/12/the-art-of-hacking-flash-games/。他们是这门课背后的灵感。
一种简单的方法是提供高分值的加密散列及其本身的分数。例如,当通过HTTP GET发布结果时: http://example.com/highscores.php?score=500&checksum=0a16df3dc0301a36a34f9065c3ff8095
当计算这个校验和时,应该使用一个共享秘密;这个秘密永远不应该通过网络传输,而应该在PHP后端和flash前端中硬编码。上面的校验和是通过将字符串“secret”前置到分数“500”前,并通过md5sum运行来创建的。
Although this system will prevent a user from posting arbitrary scores, it does not prevent a "replay attack", where a user reposts a previously calculated score and hash combination. In the example above, a score of 500 would always produce the same hash string. Some of this risk can be mitigated by incorporating more information (such as a username, timestamp, or IP address) in the string which is to be hashed. Although this will not prevent the replay of data, it will insure that a set of data is only valid for a single user at a single time.
为了防止任何重放攻击的发生,必须创建某种类型的挑战-响应系统,例如:
The flash game ("the client") performs an HTTP GET of http://example.com/highscores.php with no parameters. This page returns two values: a randomly generated salt value, and a cryptographic hash of that salt value combined with the shared secret. This salt value should be stored in a local database of pending queries, and should have a timestamp associated with it so that it can "expire" after perhaps one minute. The flash game combines the salt value with the shared secret and calculates a hash to verify that this matches the one provided by the server. This step is necessary to prevent tampering with salt values by users, as it verifies that the salt value was actually generated by the server. The flash game combines the salt value with the shared secret, high score value, and any other relevant information (nickname, ip, timestamp), and calculates a hash. It then sends this information back to the PHP backend via HTTP GET or POST, along with the salt value, high score, and other information. The server combines the information received in the same way as on the client, and calculates a hash to verify that this matches the one provided by the client. It then also verifies that the salt value is still valid as listed in the pending query list. If both these conditions are true, it writes the high score to the high score table and returns a signed "success" message to the client. It also removes the salt value from the pending query list.
请记住,如果用户可以访问共享秘密,则上述任何技术的安全性都会受到损害
作为一种替代方法,可以通过强制客户端通过HTTPS与服务器通信,并确保客户端预先配置为只信任由您单独有权访问的特定证书颁发机构签署的证书来避免这种来回。
想要得到你想要的是不可能的。Flash应用程序的内部总是部分可访问的,特别是当你知道如何使用像CheatEngine这样的东西时,这意味着无论你的网站和浏览器<->服务器通信有多安全,它仍然会相对简单地克服。
我喜欢tpqf所说的,但是当作弊被发现时,与其禁用一个帐户,不如实施一个蜜罐,这样每当他们登录时,他们都会看到他们被黑客攻击的分数,并且永远不会怀疑他们已经被标记为喷子。谷歌为“phpBB MOD Troll”,你会看到一个巧妙的方法。
I made kind of workaround... I had a gave where scores incremented ( you always get +1 score ). First, I started to count from random num (let's say 14 ) and when I display the scores, just showed the scores var minus 14. This was so if the crackers are looking for example for 20, they won't find it ( it will be 34 in the memory ). Second, since I know what the next point should be... I used adobe crypto library, to create the hash of what the next point should be. When I have to increment the scores, I check if the hash of the incremented scores is equal to the hash is should be. If the cracker have changed the points in the memory, the hashes are not equal. I perform some server-side verification and when I got different points from game and from the PHP, I know that cheating were involved. Here is snippet ot my code ( I'm using Adobe Crypto libraty MD5 class and random cryptography salt. callPhp() is my server side validation )
private function addPoint(event:Event = null):void{
trace("expectedHash: " + expectedHash + " || new hash: " + MD5.hash( Number(SCORES + POINT).toString() + expectedHashSalt) );
if(expectedHash == MD5.hash( Number(SCORES + POINT).toString() + expectedHashSalt)){
SCORES +=POINT;
callPhp();
expectedHash = MD5.hash( Number(SCORES + POINT).toString() + expectedHashSalt);
} else {
//trace("cheat engine usage");
}
}
使用这种技术+ SWF混淆,我能够阻止饼干。此外,当我将分数发送到服务器端时,我使用自己的小型加密/解密功能。类似这样的代码(服务器端代码不包括在内,但你可以看到算法并用PHP编写):
package {
import bassta.utils.Hash;
public class ScoresEncoder {
private static var ranChars:Array;
private static var charsTable:Hash;
public function ScoresEncoder() {
}
public static function init():void{
ranChars = String("qwertyuiopasdfghjklzxcvbnm").split("")
charsTable = new Hash({
"0": "x",
"1": "f",
"2": "q",
"3": "z",
"4": "a",
"5": "o",
"6": "n",
"7": "p",
"8": "w",
"9": "y"
});
}
public static function encodeScore(_s:Number):String{
var _fin:String = "";
var scores:String = addLeadingZeros(_s);
for(var i:uint = 0; i< scores.length; i++){
//trace( scores.charAt(i) + " - > " + charsTable[ scores.charAt(i) ] );
_fin += charsTable[ scores.charAt(i) ];
}
return _fin;
}
public static function decodeScore(_s:String):String{
var _fin:String = "";
var decoded:String = _s;
for(var i:uint = 0; i< decoded.length; i++){
//trace( decoded.charAt(i) + " - > " + charsTable.getKey( decoded.charAt(i) ) );
_fin += charsTable.getKey( decoded.charAt(i) );
}
return _fin;
}
public static function encodeScoreRand(_s:Number):String{
var _fin:String = "";
_fin += generateRandomChars(10) + encodeScore(_s) + generateRandomChars(3)
return _fin;
}
public static function decodeScoreRand(_s:String):Number{
var decodedString:String = _s;
var decoded:Number;
decodedString = decodedString.substring(10,13);
decodedString = decodeScore(decodedString);
decoded = Number(decodedString);
return decoded;
}
public static function generateRandomChars(_length:Number):String{
var newRandChars:String = "";
for(var i:uint = 0; i< _length; i++){
newRandChars+= ranChars[ Math.ceil( Math.random()*ranChars.length-1 )];
}
return newRandChars;
}
private static function addLeadingZeros(_s:Number):String{
var _fin:String;
if(_s < 10 ){
_fin = "00" + _s.toString();
}
if(_s >= 10 && _s < 99 ) {
_fin = "0" + _s.toString();
}
if(_s >= 100 ) {
_fin = _s.toString();
}
return _fin;
}
}//end
}
然后我把这个变量和其他的假变量一起发送,它就会迷失在其中…对于小型flash游戏来说,这是一项艰巨的任务,但当涉及到奖品时,有些人就会变得贪婪。如果你需要任何帮助,给我写个便条。
欢呼,图标
