6/21/2008

Avoiding .sol hacking

Some of you may know (and may use) the famous 'Flash cookies'.
I'm talking about the Shared Object, which a developer uses to store data on users' computers. It can be used to store a highscore, the last level and even password information.
You may think 'Why would somebody hack a .sol file?' Well, never mind, but people were thinking the same about hacking a .swf file.

OK, I'll give an example:
On Kongregate, all game saves are made using Shared Objects.
Games use this method to store a highscore, a level score, the last level reached, the cash the player has and other stuff.
Now, with a simple program called SOL Editor I could easily hack a game's save data and win a badge for it.
Now, if someone else also had this brilliant idea, (s)he would hack it too.
It would be a catastrophe if everybody thought the same thing.

How to solve this?
Well, unlike .swf, you cannot encrypt a .sol object via Flash, but you can use some nasty tricks to obfuscate the .sol object:

1: Using fake data:
Store a variable called 'MONEY' (yes, with caps) in the .sol object and give it a unique value.
Like: 18948
In the .swf, load this value and test whether it is still 18948. If not, someone hacked it! If someone did hack it, just reset the data in it.

2: Using encrypted data:
In case some smart user works out that there's no money in your pinball game, you can use obfuscated data to avoid malicious changes.
Like:

currentl = "adskGrh";

Because the value shown above follows no obvious logic, the user will not know what to do.

3: Using swapped vars:
As the name says, you just need to swap the values of two variables and save them.
Like:

score = 13245;
currLevel = 12;

Swapped in the SharedObject, it would look like this:

score = 12;
currLevel = 13245;

4: Using Japanese chars to crash the editor:
This is my favorite way to do the job, but I must warn you that by doing this you run the risk of losing the saved .sol!
But anyway, it's as simple as 123:
Save the normal data, and when finished, save a random variable named with a Japanese (or other strange-language) character:

貘 = 譞

When the editor tries to load it, it will crash.
But some .sol editors skip these vars.
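
Tricks 1 and 3 combined into one save/load pair, as an added example that is not from the original post. It is written as ActionScript 3 timeline code; the save name `pinballSave`, the functions `saveGame` and `loadGame`, and the starting values are assumptions.

```actionscript
import flash.net.SharedObject;

// Hypothetical names: "pinballSave", DECOY_VALUE, saveGame, loadGame.
const DECOY_VALUE:int = 18948;   // trick 1: the value the game expects in 'MONEY'
var so:SharedObject = SharedObject.getLocal("pinballSave");

function saveGame(score:int, currLevel:int):void {
    so.data.MONEY = DECOY_VALUE;   // decoy field, never used by the game itself
    so.data.score = currLevel;     // trick 3: the two values are stored swapped
    so.data.currLevel = score;
    so.flush();                    // write the .sol to disk now
}

// Returns {score, currLevel}. A missing or edited save yields a fresh game.
function loadGame():Object {
    var d:Object = so.data;
    var fresh:Object = {score: 0, currLevel: 1};

    if (d.MONEY === undefined) {
        return fresh;              // first run: nothing has been saved yet
    }
    // The decoy changed, or a field is no longer an integer: treat as edited.
    if (d.MONEY !== DECOY_VALUE || !(d.score is int) || !(d.currLevel is int)) {
        so.clear();                // reset the save, as described in trick 1
        return fresh;
    }
    // Undo the swap from saveGame().
    return {score: d.currLevel, currLevel: d.score};
}

saveGame(13245, 12);
var state:Object = loadGame();
trace(state.score, state.currLevel);
```

The decoy value and the swap can be read by anyone who decompiles the .swf, so this raises the effort needed to edit a save rather than preventing it.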


Well, that's all for today! You can study more using our favorite tutorial finder!

Bye!

1 comment:

Anonymous said...

Great, but some more info on how to make everything obfuscated? Store everything in a string, which you obfuscate and then reverse maybe? All the other tips are really great! Thanks! :)