So I’ve been trying to come up with a way to stop people from using hacked versions of an swf application, either by creating a new one, by decompiling, hacking and recompiling the whole thing or simply by stealing the swf and hosting it somewhere else.
This would only be useful for interactive applications, such as games with high-score tables or multiplayer games.
Yesterday I figured out something that could work but has some flaws. Here’s what I got:
The original flash file is hosted on domain A.
The user made it to the high-scores and the score is ready to be submitted.
The client makes an HTTP request to the scores server and the server returns a link for an swf file containing a private key for a symmetric encryption algorithm.
After this, the client loads the swf file and tries to retrieve the key. The loaded swf file would only allow swfs from domain A, meaning that if you can access the private key, your client has not been compromised.
After getting the key, the client is ready to communicate with the server and the server may trust any information sent by the client.
This method holds if the following conditions are met:
1- The client is not running a hacked version of flash player. This could completely rape the domain security system.
2- The application is Cheat Engine-proof.
3- The hacker cannot read the key from the loaded byte stream.
The third condition seems to be the easiest one to break, since it would be easy to just get the loaded bytes, decompress the file and get the key. It would be hard but it's obviously possible.
If anyone knows a way to deal with this issue, either by suggesting a completely different method or by adding something to this one, it would be appreciated.
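A server-side sketch of the scheme described above, added here as an example and not code from the original post. It assumes an HMAC-SHA256 tag in place of the unspecified symmetric algorithm, and the names `ScoreServer`, `sign` and `demo` and all sample values are hypothetical; it shows which submissions a one-time key lets the server reject and why condition 3 is the one the whole scheme rests on.

```python
import hashlib, hmac, json, secrets, time

def sign(key, sid, player, score):
    # HMAC-SHA256 stands in for the post's unspecified symmetric algorithm (assumption).
    msg = json.dumps([sid, player, score]).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class ScoreServer:
    """Hypothetical scores server: one short-lived key per submission."""
    def __init__(self, ttl=30):
        self.ttl = ttl
        self.sessions = {}  # session id -> (key, expiry time)

    def issue_key(self, now=None):
        # In the post, this key would travel inside the SWF the client loads.
        now = time.time() if now is None else now
        sid, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.sessions[sid] = (key, now + self.ttl)
        return sid, key

    def submit(self, sid, player, score, tag, now=None):
        now = time.time() if now is None else now
        entry = self.sessions.pop(sid, None)  # single use, so a replay fails
        if entry is None:
            return "rejected: unknown or reused session"
        key, expiry = entry
        if now > expiry:
            return "rejected: key expired"
        if not hmac.compare_digest(tag, sign(key, sid, player, score)):
            return "rejected: bad MAC"
        return "accepted"

def demo():
    """Constructed submissions showing what the server check does and does not prove."""
    server, out = ScoreServer(), {}
    sid, key = server.issue_key(now=0)
    tag = sign(key, sid, "alice", 1200)
    out["honest"] = server.submit(sid, "alice", 1200, tag, now=5)
    out["replay"] = server.submit(sid, "alice", 1200, tag, now=6)
    sid, key = server.issue_key(now=10)
    out["tampered"] = server.submit(sid, "alice", 999999, sign(key, sid, "alice", 1200), now=11)
    sid, key = server.issue_key(now=20)
    out["late"] = server.submit(sid, "alice", 1200, sign(key, sid, "alice", 1200), now=100)
    # Condition 3: the tag proves possession of the key, not an unmodified client.
    sid, key = server.issue_key(now=200)
    out["key_holder"] = server.submit(sid, "alice", 999999, sign(key, sid, "alice", 999999), now=201)
    return out

if __name__ == "__main__":
    print(demo())
```

The last case is accepted because the server can only verify that the sender held the key, so the scheme is exactly as strong as the secrecy of the bytes delivered to the client.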