gumshoe2029's Forum Posts

  • I am not sure this is possible, nor do I know of any already existing plugins for it.

  • You can get cheap servers in the cloud from places like Amazon Web Services. Their cheapest servers run around 5 USD/month, and when you first sign up, you can get a free server for a year.

  • I used JSON for our game. You can use PHP JSON to create JSON strings and ship those to your client via AJAX.

  • You can use an instance variable with context ids. Then you can just do a "Pick by instance variable" on that given object and select all of the objects associated with a given context id.

  • You use the drag and drop behavior for objects, and when A is over position 2, on mouse release you can set A.x and A.y to position 2. Vice versa for B.

  • The FileChooser should be your tool of choice. I am not sure how it works on mobile though.

  • I am going to throw out there what I did so far, since I just got swamped with work for my primary project.

    capx to test:

    https://drive.google.com/open?id=0B-xiq ... 0VPbHA5WHM

    the unminified c2runtime.js is here:

    https://drive.google.com/open?id=0B-xiq ... DFXekRQYjg

    The key encode function is here:

    (function() {
        function c() {}
        var l = null,
            g = cc.prototype;
        g.Ya = function(c) {
            this.aa = c;
            this.b = c.b
        };
        g.Ya.prototype.Z = function() {};
        g.Ga = function(c) {
            this.type = c;
            this.b = c.b
        };
        var n = g.Ga.prototype;
        n.Z = function() {};
        n.Zd = function() {};
        g.e = new function() {};
        g.Qa = new function() {};
        c.prototype.jm = function(c, b, a, g) {
            b = t.encode(b);
            for (var l = 0, l = 0; l < a; l++) b = b.charAt(Math.floor(Math.random() * (b.length - 1))) + b;
            for (l = 0; l < g; l++) b += b.charAt(Math.floor(Math.random() * (b.length - 1)));
            c.ca(b)
        };
        c.prototype.fm = function(c, b) {
            null === l &&
                (l = new SHA1);
            c.ca(l.hash(b))
        };
        g.ga = new c;
        var t = {
            vc: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
            encode: function(c) {
                var b = "",
                    a, g, l, d, e, k, f = 0;
                for (c = t.lm(c); f < c.length;) a = c.charCodeAt(f++), g = c.charCodeAt(f++), l = c.charCodeAt(f++), d = a >> 2, a = (a & 3) << 4 | g >> 4, e = (g & 15) << 2 | l >> 6, k = l & 63, isNaN(g) ? e = k = 64 : isNaN(l) && (k = 64), b = b + this.vc.charAt(d) + this.vc.charAt(a) + this.vc.charAt(e) + this.vc.charAt(k);
                return b
            },
            decode: function(c) {
                var b = "",
                    a, g, l, d, e, k = 0;
                for (c = c.replace(/[^A-Za-z0-9\+\/\=]/g, ""); k <
                    c.length;) a = this.vc.indexOf(c.charAt(k++)), g = this.vc.indexOf(c.charAt(k++)), d = this.vc.indexOf(c.charAt(k++)), e = this.vc.indexOf(c.charAt(k++)), a = a << 2 | g >> 4, g = (g & 15) << 4 | d >> 2, l = (d & 3) << 6 | e, b += String.fromCharCode(a), 64 != d && (b += String.fromCharCode(g)), 64 != e && (b += String.fromCharCode(l));
                return b = t.km(b)
            },
            lm: function(c) {
                c = c.replace(/\r\n/g, "\n");
                for (var b = "", a = 0; a < c.length; a++) {
                    var g = c.charCodeAt(a);
                    128 > g ? b += String.fromCharCode(g) : (127 < g && 2048 > g ? b += String.fromCharCode(g >> 6 | 192) : (b += String.fromCharCode(g >>
                        12 | 224), b += String.fromCharCode(g >> 6 & 63 | 128)), b += String.fromCharCode(g & 63 | 128))
                }
                return b
            },
            km: function(c) {
                for (var b = "", a = 0, g = 0, l = 0, d = 0; a < c.length;) g = c.charCodeAt(a), 128 > g ? (b += String.fromCharCode(g), a++) : 191 < g && 224 > g ? (l = c.charCodeAt(a + 1), b += String.fromCharCode((g & 31) << 6 | l & 63), a += 2) : (l = c.charCodeAt(a + 1), d = c.charCodeAt(a + 2), b += String.fromCharCode((g & 15) << 12 | (l & 63) << 6 | d & 63), a += 3);
                return b
            }
        }
    })();
    
    The basic encoding scheme seems to be looping through the initial input length and choosing pseudorandom characters from this set:
    ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
    
    I pulled the encode function straight out of the JS, but the length varies and I am not versed enough in JS (or really I don't have the right tools in hand) to trace the input variables back to the HTML.
    
    The key function to trace back out is:

    c.prototype.jm = function(c, b, a, g)

    Trace c, b, a and g back out to the HTML inputs; from there you can just fabricate inputs and retrace the steps back down to the encode function.
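As an added illustration (my own code, not the poster's capx or the c2runtime.js dump above), here is a readable reimplementation of what the minified jm() does: base64-encode the payload, then prepend and append a run of characters drawn from the string itself, plus the inverse operation. The names padEncode/padDecode and the sample payload are my own. The point for anyone relying on such a scheme is that the two padding lengths are parameters sitting in public client code, not a secret, so the output carries no integrity and a server cannot treat it as evidence that the payload was not altered before encoding.

```javascript
// Added example (not code from the forum post or the c2runtime.js dump).
// padEncode mirrors the minified jm(): base64 the payload (t.lm + t.encode in
// the dump, Buffer here), then prepend `lead` and append `trail` characters
// picked pseudorandomly from the string as it grows.
function padEncode(payload, lead, trail) {
  let b = Buffer.from(payload, 'utf8').toString('base64');
  for (let i = 0; i < lead; i++) {
    b = b.charAt(Math.floor(Math.random() * (b.length - 1))) + b;
  }
  for (let i = 0; i < trail; i++) {
    b += b.charAt(Math.floor(Math.random() * (b.length - 1)));
  }
  return b;
}

// The padding carries no secret: whoever knows the two lengths (they are
// arguments in the client code) drops them and base64-decodes the rest.
function padDecode(encoded, lead, trail) {
  const core = encoded.slice(lead, encoded.length - trail);
  return Buffer.from(core, 'base64').toString('utf8');
}

// Round trip on a constructed payload: the transform is fully reversible,
// which is exactly why it cannot serve as an integrity check on the server.
function roundTripHolds() {
  const original = JSON.stringify({ score: 1200, player: 'p2' }); // constructed
  const wire = padEncode(original, 5, 3);
  return padDecode(wire, 5, 3) === original;
}
```

Run it with Node; roundTripHolds() returns true regardless of which characters the pseudorandom padding picked, because only the lengths matter for decoding.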
  • Hey all,

    Courtesy of malinga91's post regarding non-repudiation of scores, I have decided to test this out.

    Toby created a basic AJAX client that will make requests back to his server and it is secured using only API keys.

    We are opening this up to anyone who wants to try and crack Toby's security on this test project.

    The compiled, hosted, minified project is here:

    http://tobyr.wtfgamesgroup.com/securitychallenge/

    It is the HTML5 export from Construct2, and just makes a secured request back to one of Toby's API servers.

    The goal is to submit false data to his server and have the server accept it.

    Anyone is welcome to try, please post any successes you have in this thread.

  • gumshoe2029 I chose 96 kbps when importing sound into the game

    Yea, that should not be too bad then... You can try enabling gzip on your web server; that will automatically compress all outgoing files, which will shorten your load time.

  • BTW: It might be easier to talk on Discord or Skype, so PM me after you read it

    Yea, let's discuss on PM, then post a project definition, then we can post results, etc.

  • Then I want to do what you are doing also, but how?

    First, learn PHP. That is the easiest server language that I know of (Google's new Go is supposedly easier, but I haven't learned it yet).

    Then build your game logic inside of PHP and then build your API to communicate with your game client. Then build your client on top of all of that.

    How can you export your game via C2 so that there is a server side (with all the data, logic, code) and a dumb client side (with the art and audio)? How were you able to do this? Also, is it scalable? In other words, if your game is hosted on Amazon and 10,000 people want to pay and purchase it, does it require any manual involvement on your part for selling/distributing the authentic client to the verified buyer, or can they click and download the client on their device without any additional involvement by you?

    You have an API. And it is far more scalable than purely publishing an HTML5 game. PHP is the easiest server-side language to learn. Start simple and stupid, just build a simple API and play with it. Only then can you begin expanding it out.

    http://stackoverflow.com/questions/5298 ... p-and-ajax

    http://blog.teamtreehouse.com/beginners ... t-with-php

    From there, you make AJAX (using the AJAX object in C2) calls to your API, like: http://yourdomain/doStuff.php?param0=stuff&param1=moreStuff

    As you have pointed out, this is important but unfortunately very difficult (at least it appears to be so, to me). Thanks for your continued help on this.

    The central data source is the most sticky issue, but a basic database will suffice for most of your needs. PHP and MySQL play nicely together.

    They even have this bundled for Windows: https://bitnami.com/stack/wamp/installer will install PHP/MySQL and Apache Webserver on your computer.

    W - Windows

    A - Apache (webserver)

    M - MySQL

    P - PHP

  • No there is no library of keys.

    You build it on the fly as you generate keys.

    No, he can't. The same API key will not work for a different score value.

    You are assuming you know the value of the score ahead of time.

    Guess the algorithm? That's close to impossible.

    Hardly, there is an entire avenue of science dedicated to exactly this. It is called cryptanalysis. I have dabbled in it, but I am not an expert in this field, sadly. But when your algorithm is as simple as SHA256(score + salt), it is very easy to guess.

    We can make a test for fun if you want. I can make a simple service with an API secured with an API key and you may take your time to "crack it" (send false data). I'll provide you the JS code so you could try to figure out the algorithm. It will be possible (obviously) as the answer will be in the JS code, I'm just curious how long it would take for a developer to "break it".

    I actually do want to do this. It would be instructive for both of us. Let me know when your API is active. You're not allowed to have any server-side checks though, since that is what the OP was about. This needs to be a pure JS solution. You don't need to provide me with any code, just send me the URLs/API. I want you to minify it too, just for fun. :-p

    We can even keep the discussion and results in this thread.

  • I think you don't fully understand what mechanics are behind the API key trick. There is no such thing as a temporary API key that lasts for a minute or even a second. That would not be secure at all. The API key is unique for every call.

    Even better then! But regardless, you still have to have a library of keys to match it against. And ultimately, these kinds of things are not secure (granted, even servers are not fully secure, even with layers upon layers of proxying/IPS/firewalls), but they are more secure than a permanent API key. The user can still retrieve the key from the source, and use it to submit a false score, prior to your program submitting the score. Breakpoints are a wonderful thing sometimes.

    It's not always a variable; you can make a complex trick to confuse the source. But even if there's a pure variable, it's not just about changing the value. You must know how to generate a proper API key because it is validated on the server side. So you must understand the key generation algorithm first.

    Yes, I am aware. But any half-clever user will be able to guess at your algorithm after a few tries, even if they cannot reverse engineer it out of your code. If there is one thing that I have learned, it is never underestimate the cleverness of determined players. Just look at the modding community for Skyrim. That game has not been supported by Bethesda for years, yet determined players are releasing patches and mods for it almost continuously.

  • I don't think it is possible with C2 to create such a game.

    It is. I have my development client running right now, and it works. Unless our server is down, then it just displays the background image and nothing else. Because our game client is worthless without the server application behind it, because all of the game logic is on the server. The client simply displays information and submits change requests.

    I have to laugh some at all the people who think they can secure their HTML games without a server.

    This post asks more or less the same question, and I have the same answer there.

    Minifying helps, but it will not guarantee that your game will not be pirated.

  • gumshoe2029 exactly.

    Just to make it more clear, I'd split it to three simple levels of security here.

    1. No SSL, No API KEY

    Any kid who fetches the URL is able to send fake data.

    2. No SSL, with API KEY

    You need a solid JS knowledge and have a lot of patience to - let's call it - decrypt the minified JS code and understand the API KEY generation algorithm (which by the way might be way more complex than standard sha1(salt+data)) in order to send fake data. So 99.9% of kids are already filtered here.

    3. SSL

    The right way for securing the data transfer.

    Kind of...

    You have to think of security from a domain perspective, not an application perspective. In security there are five domains: confidentiality, integrity, availability, accountability and assurance of services.

    A. SSL

    Protects data from being accessed by anyone except you and your customer. (Except maybe the NSA who has internet trunk access and possibly SSL zero day vulnerabilities in hand). SSL falls under the confidentiality section.

    B. API Key (HTTP sessions and cookies fall under this category also)

    Ensures that the person who owns the account is actually the one who is talking to your server. (A form of authentication) API keys fall under the accountability section.

    ---------------------------------------------------------------------------------

    So when you start combining things:

    1. SSL + No API Key

    You have a secure connection between you and each of your players, but you have no way to know which player is asking for which information in any given request.

    2. No SSL + API Key

    Assuming that your API key is very temporary (like a lifetime of only a minute or less) and regenerated frequently, you are likely to know which of your players is asking for information from your server at any given time, but without using SSL anyone who can get close to either your server or your user's local network can simply scrape the API key from the wire and submit as theirs.

    3. SSL and API keys

    The data between you and each of your players is secure and cannot be snooped, and you know which player is asking for information.

    --------------------------------------------

    However, none of this addresses the problem that the OP has, which is legit players who have both SSL and API keys submitting false data. All of the above only prevent OTHER players or hackers from pretending to be that player.

    Like Ashley said, in raw JavaScript there is no way to prevent that, because your registered users have all of the SSL certificates and API keys necessary to submit data to your server, there is nothing stopping them from simply changing the data and submitting it to your server.

    I know I probably sound like a broken record constantly saying, "You have to have a server side application," but it is not wrong. That is the ONLY way you can keep players from submitting false data (that I have found thus far).

    For example, our API call: https://www.ravenheart.ca/dev0engine?op=moveFleet&fid={fleet_id}&pid={to_planet_id}&oid={to_orbital_id}

    Let's say player 2, who is the owner of fleet #3 on planet ID 22 and in orbital 0 wants to move his fleet. All of this information is stored on our databases (which cannot be tampered with by anyone except my developers and the server).

    If he submits a call like:

    https://www.ravenheart.ca/dev0engine?op ... d=68&oid=2

    The call will reply with an error, because I run all of the data through a series of checks on the server to ensure that the player actually owns the fleet, that the fleet exists, that the planet and orbital exist, etc. If any one of these checks fails, the user gets an error message and nothing changes on the server. They get the reply:

    {"2041":["Error: This fleet does not exist","You do not have this fleet in this planet's orbitals."]}

    JS Minifying helps, but it does not take a lot of skill to see the debugger output all of the variables and simply identify which one is being submitted to your AJAX API and simply changing the value of that variable in the source at execution time.
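To make the server-side checks in the moveFleet example concrete, here is an added example of my own (not the Ravenheart engine's code, which the post describes but does not publish). The fleet and planet records, the database shape, the helper names and the error strings are constructed for illustration. The design point it demonstrates is the one the post makes: the client only requests an action, the acting player's identity comes from whatever the server authenticated (session, cookie or API key), never from a request parameter, and every claim in the request is checked against server-held state before anything changes.

```javascript
// Added example, not the Ravenheart engine's own code. All data and error
// strings below are constructed for illustration.

// Server-held state: who owns which fleet, and how many orbitals each planet has.
function makeDb() {
  return {
    fleets: { 3: { owner: 2, planet: 22, orbital: 0 } },
    planets: { 22: { orbitals: 3 }, 68: { orbitals: 3 } },
  };
}

// Parse a query shaped like the post's API call (?op=moveFleet&fid=..&pid=..&oid=..).
// Returns null for anything that is not a plain non-negative integer, so a
// malformed or tampered parameter never reaches the game logic.
function parseMoveParams(query) {
  const p = new URLSearchParams(query);
  if (p.get('op') !== 'moveFleet') return null;
  const ints = ['fid', 'pid', 'oid'].map((k) => {
    const v = p.get(k);
    return v !== null && /^\d+$/.test(v) ? Number(v) : NaN;
  });
  if (ints.some(Number.isNaN)) return null;
  const [fid, pid, oid] = ints;
  return { fid, pid, oid };
}

// sessionPlayerId is what the server established when it authenticated the
// request; the client cannot choose it. Every other claim is validated
// against the database, and nothing is mutated unless all checks pass.
function moveFleet(db, sessionPlayerId, query) {
  const params = parseMoveParams(query);
  if (!params) return { ok: false, errors: ['Error: malformed request'] };
  const { fid, pid, oid } = params;
  const errors = [];

  const fleet = db.fleets[fid];
  if (!fleet) {
    errors.push('Error: This fleet does not exist');
  } else if (fleet.owner !== sessionPlayerId) {
    errors.push('Error: You do not own this fleet');
  }

  const planet = db.planets[pid];
  if (!planet) {
    errors.push('Error: This planet does not exist');
  } else if (oid >= planet.orbitals) {
    errors.push('Error: This orbital does not exist');
  }

  if (errors.length) return { ok: false, errors }; // nothing changes on the server
  fleet.planet = pid;
  fleet.orbital = oid;
  return { ok: true, errors: [] };
}
```

Because the server recomputes the outcome from its own records, a legitimate player who edits the fid, pid or oid values in the debugger gets the error list back and the fleet stays where it was; the only thing the client can influence is which legal action it asks for.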