A cryptographical conundrum

Started by Calin Leafshade, Sat 15/01/2011 09:58:50


Calin Leafshade

Let's assume I wanted to send something secret over the internet via a plugin (not the TCP/IP plugin, but a custom one).

Obviously the plugin can hash this secret password perfectly fine, but the game exe stores strings as plain text, so all anyone would need to do is just open the exe in a text editor and they have the secret code.

Any ideas how I could prevent this?

EDIT: I should note that this password is not user generated, it is a hash or something to identify the game from which the request comes.

SSH

#1
Store the key encrypted in the game and then decrypt at runtime? Any secret key that you give to the user in any form will ultimately be hackable (which is why DRM will always be hackable). All you can do is make it harder than just loading in a text editor.

If what you're trying to achieve is proof that highscores are real, what you should send is a log of the whole game that allows it to be recreated and show that the game was won. The effort involved in faking this is the same as actually winning the game (or buying off someone who has) and you can always then check for duplicates. This is why when I get 500000+ on Bejewelled Blitz I always post the video replay :)
12
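A sketch of the replay-log check SSH describes, as an added example that is not part of the original thread: the server re-simulates the submitted move log, trusts only the score it computes itself, and refuses replays it has already seen. The toy game rules and the names `simulate` and `ScoreBoard` are hypothetical, invented for illustration.

```python
import hashlib
import json
import random

MOVES = {"L": -1, "R": 1, "S": 0}    # constructed toy rule set, not from AGS

def simulate(seed, moves):
    """Replay a move log deterministically; return the score, or None if illegal."""
    rng = random.Random(seed)        # same seed -> same item sequence on every run
    pos, score = 2, 0                # player starts in the middle of 5 lanes
    for m in moves:
        if m not in MOVES:
            return None              # unknown input: reject the whole log
        pos += MOVES[m]
        if not 0 <= pos <= 4:
            return None              # walked off the board
        if rng.randrange(5) == pos:  # an item dropped into the player's lane
            score += 10
    return score

class ScoreBoard:
    """Server side: never stores a score it has not recomputed itself."""

    def __init__(self):
        self.seen = set()            # digests of replays already accepted
        self.scores = []

    def submit(self, player, seed, moves, claimed):
        actual = simulate(seed, moves)
        if actual is None:
            return "rejected: illegal replay"
        if actual != claimed:
            return "rejected: score mismatch"
        digest = hashlib.sha256(json.dumps([seed, moves]).encode()).hexdigest()
        if digest in self.seen:
            return "rejected: duplicate replay"
        self.seen.add(digest)
        self.scores.append((actual, player))
        return "accepted"
```

No secret is embedded in the client here, so there is nothing in the exe to extract; the check rests entirely on the server being able to rerun the game logic.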

Calin Leafshade

The problem with storing the key encrypted is that the plugin could simply be added to a blank AGS game and you could feed it the encrypted key.

Having an encrypted key that can be decrypted by anyone with the plugin dll is not really a step forward.

SSH

Make the plugin pull out various variables from the game like total number of characters, guis, sprites, etc. that would make it harder to fake.
12

Wyz

#4
All ciphers can be broken.
That said, it really depends on what you're trying to achieve. If you want to store something locally but not enable the user to gain access to this information, well, that is going to be a challenge. If you want to do communication without eavesdropping, there exist protocols for that. If you also want to prohibit the user from seeing the data sent, well, again that will be challenging. But now we're talking about hax; most users wouldn't even try to crack it, unless there's some money in it.

If you want to send high-scores, I'd go for an SSL connection. Although the user can still crack this, it will not be easy. It also protects user data from eavesdropping to some extent.

If you want to store game data so that a user cannot interfere with it in any way, you could store it server side and again use an SSL connection. It would mean users are unable to play offline though.
Life is like an adventure without the pixel hunts.

Atelier

Quote from: Wyz on Sat 15/01/2011 13:01:53
All ciphers can be broken.

Break this:

Code: ags

MD2: dd68ffc1371dc5e84ff799a0ba6522e8
MD4: ed09b3d9afdc400fcd4c7bbce0f8ae23
MD5: 54407ff89e2610ddff53c9469fc9d65b
CRC 8, ccitt, 16, 32 : 

CRYPT (form: $ MD5? $ SALT $ CRYPT):
$1$0x982skG$5F/cqq3X2bnGqtPvuj8890
      (form: SALT[2] CRYPT[11]):
psQA5EqHYQgxA

SHA1: 1b4a7078613eb121b5cd0a6e30f93eb4ba055250
RIPEMD-160: 
  66e131b2f07a9325956f3658a0c4c4bb766ed6df


But as we're all aware my codes aren't reliable.

Calin Leafshade

Wait... I think I've got it!

Spoiler
Atelier can kiss my... what's this last word?   Asp?
[close]

Atelier


Wyz

Quote from: Atelier on Mon 07/02/2011 17:54:56
Quote from: Wyz on Sat 15/01/2011 13:01:53
All ciphers can be broken.

Break this:

Code: ags

MD2: dd68ffc1371dc5e84ff799a0ba6522e8
MD4: ed09b3d9afdc400fcd4c7bbce0f8ae23
MD5: 54407ff89e2610ddff53c9469fc9d65b
CRC 8, ccitt, 16, 32 : 

CRYPT (form: $ MD5? $ SALT $ CRYPT):
$1$0x982skG$5F/cqq3X2bnGqtPvuj8890
      (form: SALT[2] CRYPT[11]):
psQA5EqHYQgxA

SHA1: 1b4a7078613eb121b5cd0a6e30f93eb4ba055250
RIPEMD-160: 
  66e131b2f07a9325956f3658a0c4c4bb766ed6df


But as we're all aware my codes aren't reliable.

Way
Life is like an adventure without the pixel hunts.
