Thread: High Scores - A Dilemma

  1. #1
    Amazingly beautiful user.
    Join Date
    Jul 2005
    Location
    If you knew I'd have to kill you
    Posts
    254

    High Scores - A Dilemma

    I've almost got a complete rewrite of UberTube working (http://ubertube.tevlog.com, for those who missed the original), but am facing a dilemma. Using a simple "add_score.php?name=Bob&score=1023" allows anyone with a packet tracer to hack the scoreboard in five minutes. To solve this, I added a simple encryption system, where the compiled client contained an embedded private key, stored as a constant, used to encode scores. This number was removed from the source code when released.

    Of course, this means that I need to compile the code (or send it to trusted others) for every platform I want to have high scores, and modify it slightly before releasing the code. So, my question is: Can anyone think of a scheme that would stop most script kiddies from hacking the scoreboard, even while they have full access to the full source code? I would like to be able to release ALL of the code this time around, but I still cannot think of a way which does not result in a highly vulnerable scoreboard.
    Programming Your Mom. http://www.dandongs.com/

  2. #2
    Registered User VirtualAce's Avatar
    Join Date
    Aug 2001
    Posts
    9,607
    Save the scoreboard on a central server and password it. The client app will send the password or an accepted ID to the server and allow access to it.

    It could be a simple binary C file and not PHP-based at all. The server would read the high score file and send the appropriate data to the client needing it.

    There is a way to encode passwords into a file without people knowing about it but it is highly dependent on the fact that the file will never change.

    Much like early copy protection schemes generated passwords by jumping around in the exe via a set table of offsets, you could do the same with the passwords. But if you provide the source code for the high score module you will never be able to keep someone from hacking it...much less you probably still won't be able to if you don't let them have it.

    Give out everything except the high score module/reader and you should be ok.
    Last edited by VirtualAce; 12-21-2006 at 01:05 AM.

  3. #3
    Amazingly beautiful user.
    Join Date
    Jul 2005
    Location
    If you knew I'd have to kill you
    Posts
    254
    Thanks for your answer. I already have a high score system from the last version in PHP, so I'll stick with it, and a system similar to what you described. Releasing everything except the high score module was my solution last time, and I'll probably just stick with it, because you're right, it's pretty much impossible to keep it safe and open in this case.
    Programming Your Mom. http://www.dandongs.com/

  4. #4
    Crazy Fool Perspective's Avatar
    Join Date
    Jan 2003
    Location
    Canada
    Posts
    2,640
    I don't think you can release any type of key/password without it being crackable. Just encrypt the data string and remove the key before release like you described.

  5. #5
    Registered User IdioticCreation's Avatar
    Join Date
    Nov 2006
    Location
    Lurking about
    Posts
    229
    Quote Originally Posted by CrazyNorman
    Using a simple "add_score.php?name=Bob&score=1023", allows anyone with a packet tracer to hack the scoreboard in five minutes.
    I had actually tried that a few days ago, just to see if I could. You had added two other variables in your query string. I don't remember them exactly, I think they were session and verification. Is that what you meant by encryption system? It seems to me that it's protected fairly well, but what do I know.

  6. #6
    Amazingly beautiful user.
    Join Date
    Jul 2005
    Location
    If you knew I'd have to kill you
    Posts
    254
    It still has an exploit available I believe, but that's fixed for the next release I push out, and as is, it deters most people.
    Programming Your Mom. http://www.dandongs.com/
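
The kind of check this thread describes, sketched as an added example (it is not CrazyNorman's code or UberTube's actual protocol): the server hands out a one-time session id, the client sends a keyed verification value over session, name and score, and add_score.php verifies both and bounds the score by elapsed time. The key, the field layout, the function names and MAX_POINTS_PER_SECOND are assumptions; once the key ships with the source anyone can compute a valid verification value, so only the one-time session and the server-side bound still constrain submissions.

```php
<?php
// Added illustration. The key, the "session|name|score" layout and the rate limit are assumptions.
const SCORE_KEY = 'constructed-demo-key';   // stands in for the constant embedded in the compiled client
const MAX_POINTS_PER_SECOND = 50;           // hypothetical bound taken from the game's rules

$sessions = [];   // session id => start time; stands in for a server-side table

// Issued by the server when a game starts.
function start_session(array &$sessions, int $now): string {
    $id = bin2hex(random_bytes(16));
    $sessions[$id] = $now;
    return $id;
}

// What the client computes before calling add_score.php.
function sign_score(string $session, string $name, int $score): string {
    return hash_hmac('sha256', "$session|$name|$score", SCORE_KEY);
}

// What add_score.php would do with the four query-string values.
function add_score(array &$sessions, string $session, string $name, int $score,
                   string $verification, int $now): string {
    if (!isset($sessions[$session])) {
        return 'rejected: unknown or already used session';
    }
    // Constant-time comparison of the expected and supplied values.
    if (!hash_equals(sign_score($session, $name, $score), $verification)) {
        return 'rejected: bad verification';
    }
    $started = $sessions[$session];
    unset($sessions[$session]);   // one submission per session, so a captured request cannot be resent
    if ($score < 0 || $score > ($now - $started) * MAX_POINTS_PER_SECOND) {
        return 'rejected: implausible score';
    }
    return 'accepted';
}

$t0  = 1000;                                 // constructed timestamps, in seconds
$sid = start_session($sessions, $t0);
$tag = sign_score($sid, 'Bob', 1023);

echo add_score($sessions, $sid, 'Bob', 999999, $tag, $t0 + 60), "\n"; // score edited in transit
echo add_score($sessions, $sid, 'Bob', 1023, $tag, $t0 + 60), "\n";   // the genuine submission
echo add_score($sessions, $sid, 'Bob', 1023, $tag, $t0 + 61), "\n";   // the same request sent again
```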
