09-03-2004, 02:22 PM Encryption
lajkonik86
Heey

I'm looking for a way to encrypt variables sent in Flash.
The variable I would like to encrypt is $score.
This variable would contain something like this: $score = 25700

I send this variable via the post method to my PHP/MySQL highscore list.
Now I can't stop people from seeing the variables I send.
So I need to find a way to let the data be invalid if they change it.

I don't know much about data encryption. Just know that it involves prime numbers.

Hope you can help me
Greetz
Thierry

09-03-2004, 04:56 PM
lajkonik86
That doesn't really help me

The problem is that I'm sending the variables from Flash to a PHP page.
So I need to encrypt my variables before they leave Flash.

.....

09-04-2004, 06:42 AM
Rufo
Don't encrypt the score. Instead, create a checksum that will confirm the validity of the data, then use your PHP script to check the received checksum against the expected one.

Rufo.
__________________
mp3blog.us

09-04-2004, 07:15 AM
spudge
I recommend a download of the good ole' xICE SDK http://www.xice.net/sdkreg.asp

It has simple text encryption examples in JScript/ASP/VB6... It comes highly recommended.

09-04-2004, 06:56 PM
Rufo
Here's an example of how it could be done using a simple checksum.

In your flash file (I think this should work but I haven't done ActionScript in a while):

Code:
function makechecksum(s) {
  var c, t;
  for(c=0;c<s.length;c++) {
    t+=s.subst(c,1)*c;
  }
  return t;
}

In your PHP file:

Code:
function makechecksum($s) {
  $t = 0; // start the running total at zero
  for($c=0;$c<strlen($s);$c++) {
    // $s[$c] is the digit at position $c
    $t+=$s[$c]*$c;
  }
  return $t;
}

Send score and makechecksum(score) to the PHP script, then use PHP to check validity of data:

Code:
if($_GET['scorechecksum'] == makechecksum($_GET['score'])) {
  // good
}
else {
  // bad
}

Rufo.
__________________
mp3blog.us

09-05-2004, 05:06 AM
lajkonik86
whow

that's sort of going too fast for me
can you please explain a bit?

Greets
Thierry

09-05-2004, 08:00 PM
Rufo
When your Flash program sends off the score to the PHP script, make it send off another number too:

I'll assume the score is stored in 'score' - change it to whatever it actually is.

for(c=0;c<score.length;c++) {
  scorecheck+=score.subst(c,1)*c;
}

You now have another number stored in 'scorecheck' - send this to the PHP script along with 'score'.



In your PHP script, check that the score has not been tampered with, by examining the 'scorecheck'.
I've made some assumptions about variable names, etc. - change as applicable.

$score=$_GET['score'];
$scorecheck=$_GET['scorecheck'];

$realscorecheck=0; // start the running total at zero
for($c=0;$c<strlen($score);$c++) {
  $realscorecheck+=$score[$c]*$c;
}

if($scorecheck==$realscorecheck) {
  // 'good' section here, i.e. for when the score has not been tampered with...
}
else {
  // 'bad' section here, i.e. for when the score has been tampered with...
}



I hope this is a little clearer.

Rufo.
__________________
mp3blog.us

09-05-2004, 08:02 PM
Rufo
Quote:
Originally Posted by lajkonik86
I send this variable via the post method to my php

Whoops. Change $_GET to $_POST in my previous reply.
__________________
mp3blog.us

09-06-2004, 05:24 AM
lajkonik86
I'm not sure what you are doing with the subst stuffie.
Could you explain a little more?

Sorry for being so noob
Thanks for your help

09-06-2004, 08:51 AM
Rufo
The substr function is just a method of taking each digit of the score in turn. It is an easy way to create a checksum that is hard enough to not be guessed.
You don't actually need to know how the routine works in order to use it, but here is an explanation anyway.

The for() loop takes each digit of the score in turn, and multiplies it by the digit's position (shown in bold).
Say score contains 25700.

2 x 0 = 0
5 x 1 = 5
7 x 2 = 14
0 x 3 = 0
0 x 4 = 0

It then adds up the results, yielding 19.
Your Flash program then sends off the score, 25700, and the checksum, 19, to the PHP script.

The PHP script receives these values using the POST method, storing them in $score and $scorecheck, respectively:

$score=$_POST['score'];
$scorecheck=$_POST['scorecheck'];

It must now calculate the expected checksum for the score it received.
This is done using the following code, which is basically a translation of the similar looking code in your Flash program:

$realscorecheck=0; // start the running total at zero
for($c=0;$c<strlen($score);$c++) {
  $realscorecheck+=$score[$c]*$c;
}

This takes the score, and carries out the same process of multiplying and adding mentioned earlier.

There are now three variables defined: $score, $scorecheck, and $realscorecheck.

If the score had been tampered with during transit, the $realscorecheck calculated would be different to the one sent by the Flash program.

To see whether the score is genuine, an if() statement is used to check the expected checksum, $realscorecheck, against the received checksum, $scorecheck:

if($scorecheck==$realscorecheck) {

  // the checksums match, so the score is genuine
  // enter the score into the high score table or whatever

}
else {

  // the checksums do not match, indicating that the data has been tampered with
  // display a message to this effect or whatever

}



Rufo.
__________________
mp3blog.us
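
Added example (not part of the thread and not Rufo's code): the position-weighted checksum explained above gives the first digit a weight of 0 and uses no secret, so an altered score can carry a matching checksum. The PHP sketch below runs that checksum next to a keyed HMAC-SHA256 tag on the score from the thread. `SCORE_KEY`, the function names and the altered sample scores are assumptions made for illustration, and a key embedded in the Flash client remains exposed to the decompiling route mentioned later in the thread.

```php
<?php
// Added example: the thread's position-weighted checksum next to a keyed HMAC check.
// SCORE_KEY, the function names and the altered sample scores are constructed for illustration.

const SCORE_KEY = 'replace-with-a-random-secret'; // assumption: the same value is embedded in the client

// The checksum from the post: sum of digit * zero-based position.
function position_checksum(string $score): int {
    $t = 0;
    for ($c = 0; $c < strlen($score); $c++) {
        $t += (int)$score[$c] * $c;
    }
    return $t;
}

// Keyed tag: cannot be recomputed without SCORE_KEY.
function score_tag(string $score): string {
    return hash_hmac('sha256', $score, SCORE_KEY);
}

// Server-side check: digits only, bounded length, constant-time comparison.
function score_is_valid(string $score, string $tag): bool {
    if (!ctype_digit($score) || strlen($score) > 9) {
        return false;
    }
    return hash_equals(score_tag($score), $tag);
}

// Constructed inputs: the score from the thread and two altered values,
// each checked against the checksum and the tag of the genuine score.
$genuine = '25700';
foreach (['25700', '95700', '25070'] as $received) {
    printf(
        "%s  checksum: %s  hmac: %s\n",
        $received,
        position_checksum($received) === position_checksum($genuine) ? 'accepted' : 'rejected',
        score_is_valid($received, score_tag($genuine)) ? 'accepted' : 'rejected'
    );
}
```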

09-07-2004, 05:52 AM
lajkonik86
Thanks, understand it now.

I wasn't able to find anything about Flash encryption at all on the net.
Thanks so much for posting

Greetz
Thierry

09-07-2004, 06:47 AM
andrews_john
Hmmm... how can I see POST vars if I'm just a simple user??? If it was GET then I may see it as a part of the URL... but POST... am I wrong???
__________________
andrews_john
www.softwareforhosting.com

09-07-2004, 10:08 AM nope
lajkonik86
Well, that's what I thought
before people started hacking my score list.

I don't know what ways there are to do it but it seems to be rather easy.
One way which I do know is to let the submit thingie (form/Flash, whatever)
submit while you are offline. The POST variable is then visible as a GET variable.

That's all I know about this.
Greetz
Thierry

09-07-2004, 11:52 AM
Rufo
It could be done by:

1. sniffing the traffic destined for the server, then examining the logs
2. re-routing all the requests to a web server running on your own machine through the HOSTS file, then examining the logs
3. (still affects the checksum method) decompiling the Flash program and reading the source code

Rufo.
__________________
mp3blog.us

09-07-2004, 02:37 PM option 3
lajkonik86
That last option is quite hard, ain't it?

I don't think it's that easy getting the scripts from a .swf file.

Greetz
Thierry

09-07-2004, 06:06 PM
Rufo
Not particularly.

http://www.sothink.com/flashdecompiler/index.htm
__________________
mp3blog.us

09-08-2004, 04:42 AM
lajkonik86
lol
There's absolutely no way to protect yourself from hackers

09-08-2004, 05:43 AM
webwoRRks
There's no way to protect yourself from a serious cracker, but chances are you'll only ever have trouble from what people in the biz call "script kiddies". These are people who use premade tools and well documented flaws to exploit vulnerabilities in your security. Your best bet is to just make sure you keep your software updated, your copyrights updated, and back stuff up regularly. Don't be afraid to report people to the FBI or MET, or whatever country you're in.
__________________
Theres 10 types of people; those who understand binary, and those who don't.
webmaster and webdeveloper resources, http://www.webworrks.com

09-11-2004, 01:35 PM
lajkonik86
Well Rufo, I had some spare time and tried to do the checksum you suggested.
It didn't work immediately... had some little flaws.
This is how the ActionScript should look.

onFrame (1) {
  score = "5237221";
  scorecheck = 0;
  for (c=0; c<length(score); c++) {
    scorecheck+=score.substr(c,1)*c;
  }
}
onFrame (2) {
  trace(scorecheck);
}

Well, at least in a test setting :P
I'm still going to make it a little bit more complicated.
Think I'm going to display the checksum as letters instead of numbers.
That should scare away those script kiddies.

Thanks for the help
Greetz
Thierry
__________________
Know what to Download
http://www.top-download.net