Hashing, good enough?
But there are others that try to protect the score that is transmit back to the server using hashing. They hash the score with a secret key or "Salt". It look safe to many by protecting the data transmission. But they did not protect the Flash itself. It can be easily decompiled to extract the key (shown below) or change the code. Flash code should be obfuscated so that decompiling could not be easily done.
Below is the example of the unsecured Flash game that i came across recently. I had inform their administrator about the possible hacking on their game but they never reply to find out more. So i decided to share some of my finding and show how easy it can be reverse engineered.
Below is function that calls the hashing and submit the user's info and score.
Below shows the "key" or "Salt" that is use for the hashing.
-Update on 19 Jul
After the programmer of the game (that i previously mentioned) tried to secure their code, they were hacked again. This time it looks like an Indonesian hacker, which uses the name "Rank 1 to 10 all cheated" in Bahasa Indonesia, put himself on the top of the score table (with obvious reason).
Looks like the programmer don't understand malay language at all as the name was listed for a few days and was not removed. Time for me to send them a note again.
2 comments:
If you would discover it earlier, I'd include this in the confidence presentation ;)
good blog btw.
Hi Wheelq, thanks for your compliment. What you mean by "confidence presentation"?
Post a Comment