Flash game hacking

I usually organise tournaments on my site (flash based) and this time I have added a tournament in which users have to complete a jigsaw puzzle and the one who completes it in the least time wins some prize. As the jigsaw puzzle always produces random location, it is difficult for them to hack. They can't even directly download the game as it can't be downloaded using flash saver etc. But I want to know if they can make a program which completes the jigsaw puzzle automatically.

Please tell me. Even time can't be hacked as I use time also tick on my server side s开发者_如何学运维o I match the time submitted by the game and the time stored in my server.

So how does the flash app tell the server that the puzzle has been solved? Using TamperData an attacker can intercept/modify/replay this request, even if it is over HTTPS. If you try and embed a secret it can be obtained by decompiling the flash app or even debugging flash while your app is running and finding the secret in memory.

Normally I would say what you are trying to do is impossible. But lets have fun with this meta security puzzle. Its a jigsaw puzzle right? So that means there is only 1 solution to this puzzle. So you can use some crypto to solve this problem the solution is very similar to a Message Authentication Code, but this is a bit different.

When the puzzle starts the flash app will request the puzzle pieces. Assign a random number to each puzzle piece along with a random location which is transmitted to the flash side. When it is solved you concatenate each number based on where the pieces are in the puzzle. So on the flash side always concatenate the numbers from left to right and then down. When the flash client gets the puzzle the numbers will be out of order, the only way they will be in the correct order is if the puzzle has been solved. When its solved then take a hash of the concatenated numbers. Ideally you should use sha256, although md5 would work because the attacker doesn't know the hash value so collisions don't come into play

The server knows when the puzzle started because the flash side requested the numbers corresponding to the puzzle pieces. The server knows when the puzzle completed because flash side transmitted the solution hash. The server knows what the solution hash is ahead of time because it assigns the numbers. This is a lot like a mac but the difference is that the secret is the order in which the puzzle pieces are in.

Yes, it can be hacked. First off, don't trust your protection from 'flash saver' too much. A determined adversary will be able to retrieve the code - after all, the code is on the user's computer, it cant run otherwise.

Second, 'random location' doesn't necessarily mean much. If there's any kind of unique ID on the pieces, or if the randomization is done on the client side, it's easy to put them into their rightful places. You have to at a minimum randomize the shapes of the cuts. And even then, it wouldn't be too hard to write a fast solver, given the original image.

Oh, and this all assumes your server's doing more verification than just being told when the user's done. You need to ensure that they actually did solve the image - but I'm far from convinced that this is an AI-hard problem; it seems that even if your flash code was uncrackable, if the set of images is small, it would be simple enough to figure out the proper orientation and position of each piece.

Sorry comment option was not there actually i have used xml file to describe the location of puzzle(each). and for time it is hidden and using tampered daya he can only see random no. which is u can say like s.no of mysql. Its like verify time and gametime each with different strings so my question is if some can use my xm file to detect the location of puzzle and create an application to fit each piece of puzzle in right place in just a clikc

imho the only way to avoid cheats in client-server games is making client side just a GUI and confirm every user action on server. if so ideal client-side app shouldn't even know how to answer a user (until server sends something like 'play animation 5 in direction 7 on tile 21-17')

Packet editing, they could use something like wireshark to capture packets, if the time is written in their browser, they will get a packet that tells them the time used and they could use a proxy to do a man in the middle attack, where they edit the packet saying u have used less time, or just creating a simple UDP packet sender in Python. and even tho u don't install the game, they are still running it, they can just download the flash game by finding the swf in HTML source code. a link to the page that stores this game.