当前位置: 文江博客话题详情

防止向记分板提交欺诈性内容

发布于 2024-07-15 10:22:27 字数 727 浏览 3 评论 0原文

我正在开发 Flash 游戏的后端,我需要保护进入记分板的数据。

该游戏将在许多网站上以横幅广告形式托管,用户将在广告中玩游戏,然后点击进入主网站以保存其详细信息。

目前我正在思考这个

  1. 用户玩游戏并点击提交他们的分数
  2. 在后台,横幅将分数和原始域发送到主站点上的脚本。
  3. 该脚本检查域是否是托管广告的有效域之一。
  4. 如果一切正常,脚本会创建此分数和域的哈希值,并将其与分数一起存储在数据库中。
  5. 该脚本将哈希值返回给 Flash,Flash 将其拼凑到打开主记分板的 getURL 的查询字符串中。
  6. 记分板页面检查引用以确保它是有效域之一。
  7. 如果是,则检查数据库中的哈希值,如果它是有效令牌,
  8. 则用户填写其详细信息,并根据哈希值更新记录

上次我检查 FLash 时没有发送引用信息,这有点麻烦进入我的计划。 那么,这种 Flash/数据库交互是否已经建立了模式?

在步骤 4 中我应该使用哪种哈希/校验和? 这种操作的正确名称是什么,是哈希、校验和还是其他什么?

我知道,作为一种客户端技术,Flash 实际上永远不会那么安全,但在我看来,类似上述的事情与破解此类应用程序一样困难。

更新:我的主要目标是让人们更难找到将分数添加到数据库的脚本的 URL,并简单地向其发送虚假分数。

谢谢, 格雷格

原文

I'm working on the backend for a Flash game and I need to secure the data going into the scoreboard.

The game is going to be hosted on many sites in a banner ad, the user will play the game in the advert then click through to the main site to save their details.

At the moment I am thinking along the lines of this

  1. User plays the game and clicks to submit their score
  2. In the background, the banner sends the score and the originating domain to a script on the main site.
  3. The script check the domain is one of the valid domains the ad is being hosted on.
  4. If everything is right, the script creates a hash of this score and domain and stores it in the database along side the score.
  5. The script returns the hash to Flash which cobbles it onto the querystring of a getURL which opens the main scoreboard
  6. The scoreboard page checks the referer to make sure it is one of the valid domains.
  7. If it is it then checks the database for the hash to if it's a valid token
  8. the user then fills in their details and the record is updated based on the hash

Last time I checked FLash doesn't send referer info, which kinda throws a spanner into my plan. So, is there an already established pattern for this kind of Flash/Database interaction?

What sort of Hashing/Checksuming should I use in step 4? What is the correct name for this kind of operation, is it a hash, a checksum or something else?

I understand that being a clientside technology, Flash will never actually be THAT secure, but in my mind, something like the above is about as dificult as you're going to make it to hack this kind of application.

UPDATE: My main objective is to make it harder for people to find the URL of the script that adds the score to the database and simply spam it with fake scores.

Thanks,
Greg

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

遥远的她 2024-07-22 10:22:27

本质上,您不想验证分数是否来自合法客户端,您想验证客户端是否确实玩过游戏以获得分数。 从本质上讲,你所能期望的最好的结果就是人们被要求创建一个人工智能来玩游戏。

您可以尝试以下几项操作:

  • 将输入记录到游戏中并将其与分数一起发送。 然后服务器可以验证分数是否对应于可能的游戏。 您还可以通过这种方式检测重复提交。
  • 应用速率限制来阻止客户以明显不人道的速度提交分数。 根据实际可能达到的分数应用允许分数的上限,并根据每秒操作数等设置下限。
  • 使用之前的输入来部分播种伪随机数生成器(假设您使用一个)。 这使得客户不太可能稍微改变提交并仍然获得有效的游戏/得分组合。

Essentially you don't want to verify the score is coming from a legit client, you want to verify the client actually played the game to achieve the score. Essentially the best you can hope for is people being required to create an AI to play the game.

Here are a couple things you can try:

  • Log the inputs into the game and send those along with the score. The server can then validate that the score corresponds to a possible game. You can also detect duplicate submissions this way.
  • Apply rate limiting to stop clients from submitting scores at an obviously inhuman pace. Apply upper limits on the allowable scores based on what is actually possible to achieve and lower limits on things like actions per second.
  • Use previous inputs to partially seed the pseudo random number generator (assuming you use one). This makes it less likely that clients can alter a submission slightly and still get a valid game/score combo.
回复 原文
分开我的手 2024-07-22 10:22:27

我之前在游戏行业工作过,也做过类似的事情。 据我所知,没有人费心去破解分数提交部分。

完成的方式是:

  1. 生成一个随机数作为盐(来自闪存)
  2. 基于盐(来自闪存)使用数学运算对分数进行编码
  3. 添加校验和以确保分数上没有回火(来自闪存)
  4. 将分数和任何所需数据发送到分数提交页面
  5. 在服务器上,使用校验和验证分数是否未经过修改
  6. 如果分数有效,则将其插入数据库,否则,拒绝它
  7. 如果需要,您可以记录违反校验和的分数提交者的 IP 地址(也许是三个错误校验和的策略,你就出局了)并添加一个脚本来禁止他们在 1 小时内访问服务器,但这可能不是必需的,除非有人想要破解你的代码太糟糕了。

笔记 :
散列/校验和是使用自定义函数进行的。 不需要非常安全的东西。 它是通过对盐和分数的计算而得出的。 一些简单的数学运算,如求和、乘法和减法。

编辑:校验和的简单算法/数学

假设您的用户得分为5885
您生成一个随机数作为 134789 的盐(恒定长度,用 0 填充)

cryptedScore = Score * Salt (您应该在这里使用更复杂的东西,但这只是一个例子)

在我们的示例中,加密分数将是: 793233265

现在对于校验和,假设您想要一个值253 作为校验和。
您将加密分数的所有数字相加 7+9+3+2+3+3+2+6+5 = 40

现在,您计算该分数的校验和值
253 - (加密分数总和 % 253

现在,我们有以下数字:
盐 = 134789
加密分数 = 793233265
校验和 = 40

您向服务器发出请求,发送 134789793233265040 作为分数。

在分数服务器上,您可以将 793233265 除以 134789,得到 5885 并使用与之前相同的函数验证校验和。

如果校验和失败,则数字已被篡改。

你可能最终会得到更安全的东西,但它应该可以解决问题。

I have previously worked in the game industry, and did something along these lines. To my knowledge, no one ever bothered cracking the score submitting part.

The way it was done was :

  1. Generate a random number as a salt (from flash)
  2. Encode the score using math operations, based on the salt (from flash)
  3. Add a checksum to make sure there was no tempering on the score (from flash)
  4. Send the score and any required data to the score submitting page
  5. On the server, validate that the score has not been tempered using the checksum
  6. If the score is valid, then insert it into the database, else, reject it
  7. If you want, you might log ip adresses of the submitters of scores violating the checksums (maybe a policy of three bad checksums, you're out) and add a script to ban them from accessing the server for 1h, but this will probably not be required unless someone wants to crack your code that bad.

Note :
The hashing / checksuming was made using a custom function. Did not need something very secure. It was made using a computation on the salt and the score. Some simple math operations like sums, multiplications and subtractions.

Edit: a simple algorithm / maths for the checksum

Lets say your user has a score of 5885.
You generate a random number as a salt of 134789 (constant length, pad with 0)

cryptedScore = Score * Salt (you should use something a bit more complex here, but it is just an exemple)

In our example, the crypted score would be : 793233265

Now for the checksum, lets say you want to have a value of 253 as a checksum.
You add all the numbers of your crypted score 7+9+3+2+3+3+2+6+5 = 40

Now, you calculate the value of your checksum for this score
253 - (Sum of crypted score numbers % 253)

Now, we have the following numbers:
the salt = 134789
the crypted score = 793233265
the checksum = 40

You make a request to the server, sending 134789793233265040 as a score.

On score server, you can divide 793233265 by 134789 giving 5885 and validate the checksum using the same function as before.

If the checksum fails, then numbers have been tampered.

you could probably end up with something much more secure, but it should do the trick.

回复 原文
~没有更多了~

关于作者

誰認得朕

暂无简介

0 文章
0 评论
22 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

yangzhenyu123

文章 0 评论 0

lvzun

文章 0 评论 0

执笔绘流年

文章 0 评论 0

芯好空

文章 0 评论 0

始于初秋

文章 0 评论 0

谁与争疯

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文