How hackable is ActionScript Code - actionscript-3

I'm working on a little networked flash game. I have my own server built in C/Linux and I connect to the server via a flash socket. I'm debating whether to put the heavy load of game logic on the client or on the server. The main concern is someone hacking the code and ruining the game for others.
Even if I put as much logic on the server as I can, if someone can hack the code and figure out my messages that are sent to the server it seems impossible to stop all intrusions.
How should I handle this and how worried should I be about AS3 hackers?

I gave a talk on a conference 2 years ago about protecting flash games. Check out the slides.

Yes, it is pretty easy to decompile a swf and modify it as desired. The risk is fairly low, but if there is some large possible monetary reward, then yes I would be careful.
So, my advice is:
Don't put high risk logic on the client
But do put high cost algorithms on the client.
Edit: I would like to add one more point. If the server is relying on the client to it some state of the game, you can also proxy, inspect, and then modify the requests with a tool like Charles. Someone can use this tool to setup breakpoints on requests, and then modify the results before forwarding them to the server. It is even easier than decompiling and modifying a swf.
The lesson is, you should never rely on having an honest client.

Flash code is incredibly easy to hack. I may be wrong, but I think that when you decompile a swf, it's a full decompile - it gives you the original names of the variables and everything. It's also fairly easy to use tools like Cheat Engine to modify memory while the game is running. Unless you intentionally obfuscate your code and your data structures, I'd recommend putting most computation on the server.

Related

Protecting Flash AS3 code + secure communication with server

I need my Flash client to communicate with a server securely (through binary sockets). For this, I was thinking of embedding a pre-shared key inside the AS3 code and exchanging XORed data through a custom protocol.
I am told that SWF decompilers do a good job at making all embedded code clearly apparent and readable. Does this mean that I can't really hide my key?
If this method is impractical, what other options are there? I have tried as3crypto, only to find that it's full of shortcomings and lacks serious documentation.
You cannot hide your key at all - SWF is totally untrusted, can be easily decompiled. It's pretty difficult to deal with security with SWF's because they run on the client and are not trusted.
It might depend specifically on what you are trying to accomplish with secure communication. For instance, if you are trying to secure a high-score system that is pretty much impossible because the game runs on the client (the SWF) and they can manipulate it to spit out any score they want to the server. Here is a good read on this: What is the best way to stop people hacking the PHP-based highscore table of a Flash game
If you can use the SWF only as a front-end UI and all logic takes place on the back-end, then you can secure your application (using the above highscore example, if the game was not an AS3 game but actually ran on the server itself, it would be a lot easier to secure, because the backend is trusted and cannot be modified or viewed by a user), but if the logic takes place on the SWF then you are pretty much out of luck.

How can I use Flash to remember user data?

I am making a Flash game that stores user's statistics from previous sessions. I would also like to maintain some sort of leader board as well.
After I posted, I realized I was asking the wrong question. I feel that shared objects are the proper solution to this problem rather than using a database. Any further feedback for implementing shared objects is welcome.
Thanks for any feedback.
You can not directly query MySQL database table from Flash game, you must have some server-side technology backing you up for the job.
I would suggest using some PHP or Ruby - or whatever is easily available to you for the job.
Flash is going to be rendered on Client browser (as swf) and won't be in touch with server as it will be served as a static resource by the web browser.
I hope this reply will help you moving towards right direction.
As Dharmavir mentioned, you cannot process MySQL queries through Flash (AS*).
That said, its pretty easy to setup Flash to communicate with remote scripts, as it has the ability to POST/GET data through requests.
There are many tutorials on this.
First, write a simple script to input the data into the DB. I recommend using PHP (I think its the easiest to learn tbh).
If this is your first time performing queries with PHP, I also recommend using Prepared Statements instead of mysql_*.
Once you have your script setup, you can then move onto processing a request from your flash app to your script (which is also pretty easy).
I found a tutorial series on making a chat app with flash and PHP. The tutorial includes making requests to PHP scripts and inputting data to SQL DBs, so it should help you:
http://www.youtube.com/watch?v=XeWKauwFUEQ < This tutorial is split into many different videos. take a look at the suggestions to find the others.

HTML5 copy protection

I am building an online game, similar to a flash online game, but using HTML only. (HTML5)
I would like to prevent people from copying it and putting the game on their site.
With flash, I used to do this by adding the URL check to make sure it was running on my site, but this seems useless if i can only put the check in Javascript.
Is there anything that can prevent someone from simply copying the game?
as a followup..
Can I protect the source at all? (aside from obfuscation with javascript.)
Thanks!
Unfortunately if the game engine is 100% JavaScript, the most practical way to do this would be with obfuscating your code. Here's a link to a site that does just that.
However, by using Ajax which allows your client side script to communicate with your server, you can store the majority of your game's logic and functionality on your server in any type of server-side scripting such as PHP.
Basically your PHP (or some other language) files on your site would get requests from the user's machine to make decisions about logic in the game whenever logic is needed for the game to function, and your server would respond, all through using Ajax. Then someone could only really copy half of your game - that part stored in JavaScript.
The one downside with this method is that it may slow down the user's game drastically due to having to communicate with the server constantly.
Hope this helped and made sense!
No way to do this, it's the nature of the web. Your best bet is obfuscating your code.

Would AJAX, PHP and MySQL make a good socket for a online poker game?

I haven't yet determined what the UI would use (flash, HTML, etc.) but I'm curious if you guys think mysql could make for an acceptable socket for a multiplayer poker game? The reason I'm considering using a DB is because that is the only way I know how to accomplish this and I know nothing about XML sockets or anything like that. Would performance be an issue for dialup and slower mobile connections? Could I potentially run into problems with trying to sync user turns and flops? Should I just bite the bullet and go with a different type of socket? If so, what would you suggest and where would be a good place to start educating myself? Thanks.
To make an inline poker game the technology you will use will certainly be the less important problem. The main problem will be in the way you get all subsystems connected between each others and how you ensure security at all levels (from the humans ensuring physical health of you server to the OS envirronment of your players, with maybe some jurists and gunmens -- and that makes a LoooOOot of levels :-) )
But if you want technical considerations I would personnaly use Zend Framework as a PHP library/framework and PostgreSQL as the database. And a really big part of the application would rather be coded in the database, via pl-pgsql things, than in PHP. PHP would be there to provide some ui in different levels (humans, web services, etc), and some of the security levels checks. Ajax interactions would be made with jQuery. No doubt I would prefer PostgreSQl to MySQL for an application with a lot of data, fine security levels, a lot of replications, and a lot of data checks and automatic updates.
PHP / MySQL isn't as fast as some systems (e.g. as ASP.NET) but in slow connections like dialup/mobile that won't be a problem.
The advantage of PHP from my standpoint (which isn't what everyone needs) is that it is very transparent, i.e. you easily control the HTTP transmission and the response. That may be an advantage for you.

How to prevent ActionScript code decompilaton

Is there a reliable way of preventing my actionscript code (as2 or as3) from being copied (e.g. if there's some IP in it)?
I know there are tools that can decompile flash code so it's easily reverse-engineered and I've also seen a few tools that claim to be able to obfuscate actionscript code in such a way that it's not steal-able, but I wonder how reliable they are...
Do you know? Thanks!
It is by definition imposible to prevent it.
The reason is simple, the code needs to run on the client, so the client needs to be able to read it.
The best you can do is to make so hard (time demanding) to do that it's not profitble.
Flash has a built in feature to protect againt decompiling with a password. I'm not sure exactly how it works, I guess some form of encryption.
You can try and spil sensetive data up and join it at runtime, og encrypt it and get the descryption key from the server.
But in the end there's nothing you can really do. Unless you wan't the users to input the encryption key (password or a file).
There is no build in encryption in Flash but there is a couple of free librarys like crypto lib http://code.google.com/p/as3crypto/.
I've found no reliable and sustainable way to obfuscate the code. If there's a way to obfuscate the code, I'd bet that:
it would affect the performance of your code
it would be just a matter of time before someone makes/finds a decompiler for that obfuscation method
I wouldn't consider a good practice to rely on the security of your client code. Even if the code couldn't be decompiled, the swf is run on the client and communicates with the Internet via a network connection the user has access to. The packets can be sniffed and all the data that's being transfered can be easily analyzed.
I think you should find a way to develop a secure application, even considering that the client knows everything you do. You should try to use server-side constraints and filter all inputs before using them. Also, requesting all the sensitive data from a server-side script, instead of embedding it in your AS code could be a good start.