Toby R's Forum Posts

  • Version 1.3 available now.

    v1.3 update (2017-01-09)

    • GetTimerTimeLeft(tag) expression added: Return the remaining time before timer triggers (in milliseconds)
    • Fixed a bug when timer condition was checked before the particular timer tag was started

  • Try Construct 3

    Develop games in your browser. Powerful, performant & highly capable.

    Try Now Construct 3 users don't see these ads

  • Thank you guys! Glad you found it useful .

    I just updated plugin to v1.2. Added encryption expressions.

    v1.2 update (2017-01-05)

    • Hashing/encoding functions added: Base64, MD5, SHA1, SHA256, SHA512, Super64

  • If you want to keep it a bit more elegant you can use the "If is true" condition from TR_System plugin.

    You can do advanced logical operations there.

  • Just for the record: The request sends an email, password and API key token (like a user registration call). Once you manage to make a fake call (try to register another user) you shall see a server response like this one:

    Please post a call URL and the screen shot once you manage to break the security.

    This is basically a test of C2 (JS) trick-security without using SSL.

    Good Luck!

  • You build it on the fly as you generate keys.

    Uhm... no you don't. There is simply an API key generated on the fly for this specific call. How can a one API key with a lifetime of milliseconds be called a library?

    You are assuming you know the value of the score ahead of time.

    No you don't. I'm not sure what you meant here exactly but there are no assumptions.

    And when your algorithm is as simple as SHA256(score + salt), it is very easy to guess.

    In such a trivial example it might be, but the point is to make it more complex.

    You're not allowed to have any server-side checks though, since that is what the OP was about. This needs to be a pure JS solution.

    Uhm.. what? The point with API key is to validate it on the server side. The OP even provided a sample of PHP script. So it is all about to make a server check and authorise the request or not.

    You don't need to provide me with any code, just send me the URLs/API. I want you to minify it too, just for fun. :-p

    What you want me to minify if you don't want any code? If I'll provide you just a sample URL and and API URL, you will depend purely on luck. The point is to crack it, not to guess it as I am sure you will not guess it.

    So the test would be as following:

    • I will prepare a minified JS code which will make an AJAX call to my server API. This call will make some action on the server - let's say - create an account. So there will be an email and password send over from JS to the server secured in my way without using SSL.
    • Your goal will be to send another request to the server to create new user. So you will have to figure out my security (algorithm) trick and based on it create a request which will cheat my server and allow you to create a new account.

    So the overall test would show how much a non SSL request, covered with hashing tricks is secure. I will send you an HTML5 app which sends the request (like if you had my game locally) and the rest you have to deal yourself. Is that ok for you?

    BTW: It might be easier to talk on Discord or Skype, so PM me after you read it

  • Professional C2 debug tool — Now for sale in the Scirra Store!

    https://www.scirra.com/store/construct2 ... -tool-3121

    What is it about?

    "Debugging is the process of finding and resolving of defects that prevent correct operation of computer software or a system." - Wikipedia

    There are tons of posts, articles and even books about the importance of good debugging tool. Such tool allows you to make your app faster, make it better and more secure.

    MM_Debugger is a tool for developers who think seriously about game development. It has a lot of features that allow you to implement watchers for each section of the project and assertions which immediately alert you about the unexpected behavior in your app workflow.

    Features

    • Enable/Disable debugging (logs, assertions, stack trace) by toggling one property of the plugin,
    • Implement assertions and say "farewell" to unexpected bugs,
    • Assertion report provides detailed information about the place in event sheet of the issue including event sheet name, group name and event number,
    • Implemet Stack Trace logs and save detailed bug reports in files or send them to your server via AJAX,
    • Implement distinct logs for development process and for reports on production,
    • Use multi-tag log system and decide which section of your app you want to debug at the moment by simple tag filtering,
    • Use Spotlight System to override tag filters for quick debug look-ups,
    • Create unit tests to be sure your code is bulletproof

    Use this topic to leave comments, ask questions and talk about Professional C2 debug tool

  • Added a direct c2addon download link as I received PM's that some people have problems with downloading it via Plugin Manager.

  • Various general actions, conditions and expressions. A kind of extension to the native C2 System.

    [Download this plugin with Armaldio's Plugin Manager] - just two clicks.

    or download TR_System.c2addon directly

    FEATURES

    • Non dt affected Timers
    • Convertions between decimal, binary and hexadecimal numeral systems
    • Timestamp (both in seconds and milliseconds format)
    • Date with custom format (ex. "yy-mm-dd hh-ii-ss.u") and timezone offset
    • In-condition and in-action comments (if you need a standalone comment plugin, check

      rexrainbow rex_comment plugin)

    Open logical condition (equivalent of clean if statement from programming languages)

    On Timestamp condition - allows to set an action for a particular time in future

    Get current group name

    Hashing functions: Base64, MD5, SHA1, SHA256, SHA512, Super64 (if you need more/different hashing functions or simply a stand alone dedicated plugin, check CB Hash plugin by Kyatric

    Get screen aspect ratio, screen width, screen height (not the canvas, but screen)

    Is in set (equivalent to in_array from programming

    ... and more

    v1.5 update (2017-02-09)

    • Is value in set (Value, {item1, item2, item...}) condition added: Is true when Value is equal to at least one of elements in set.

    v1.4 update (2017-01-11)

    • ScreenWidth expression added: Return the width of currently set screen resolution.
    • ScreenHeight expression added: Return the height of currently set screen resolution.
    • GetScreenRatio expression added: Return the (string) aspect ratio of the screen (ex. "16:9") or 0 (integer) if could not detect.
    • IsScreenRatio expression added: Check if screen aspect ratio is equal to "WidthRatio":"HeightRatio". Return 1 if true and 0 if false.
    • GCD expression added: Return the Greatest Common Divisor for a and b parameters or 0 if wasn't found.
    • Is screen aspect ratio(Width ratio, Height ratio) condition added: True when screen aspect ratio is equal to "Width ratio":"Height ratio".

    v1.3 update (2017-01-09)

    • GetTimerTimeLeft(tag) expression added: Return the remaining time before timer triggers (in milliseconds)
    • Fixed a bug when timer condition was checked before the particular timer tag was started

    v1.2 update (2017-01-05)

    • Hashing/encoding functions added: Base64, MD5, SHA1, SHA256, SHA512, Super64

    v1.1 update (2017-01-02)

    • Comment action fix

    Full ACE table: http://tobyr.wtfgamesgroup.com/c2-plugins/tr_system-construct-2-common-additional-aces/

  • But regardless, you still have to have a library of keys to match it against.

    No there is no library of keys.

    The user can still retrieve the key from the source, and use it to submit a false score, prior to your program submitting the score.

    No he can't. The same API key will not work for different score value.

    But any half-clever user will be able to guess at your algorithm after a few tries, even if they cannot reverse engineer it out of your code.

    Guess the algorithm? That's close to impossible.

    We can make a test for fun if you want. I can make a simple service with API secured with API key and you may take your time to "crack it" (send false data). I'll provide you the JS code so you could try to figure out the algorithm. It will be possible (obviously) as the answer will be in the JS code, I'm just curious how long would it takefor a developer to "break it".

  • Assuming that your API key is very temporary (like a lifetime of only a minute or less) and regenerated frequently, you are likely to know which of your players is asking for information from your server at any given time, but without using SSL anyone who can get close to either your server or your user's local network can simply scrape the API key from the wire and submit as theirs.

    I think you don't fully understand what mechanics is behind the API key trick. There is no such thing as temproary API key that lasts for a minute or even a second. That would not be secure at all. The API key is unique for every call.

    JS Minifying helps, but it does not take a lot of skill to see the debugger output all of the variables and simply identify which one is being submitted to your AJAX API and simply changing the value of that variable in the source at execution time.

    It's not always a variable, you can make a complex trick to confuse the source. But even if there's a pure variable, it's not just about to change the value. You must know how to generate a proper API key because it is validated on the server side. So you must understand the key generation algorithm first.

  • gumshoe2029 exactly.

    Just to make it more clear, I'd split it to three simple levels of security here.

    1. No SSL, No API KEY

    Any kid who fetch the URL, is able to send fake data.

    2. No SSL, with API KEY

    You need a solid JS knowledge and have a lot of patience to - let's call it - decrypt the minified JS code and understand the API KEY generation algorythm (which by the way might be way more complex than standard sha1(salt+data)) in order to send fake data. So 99.9% of kids are already filtered here.

    3. SSL

    The right way for securing the data transfer.

  • > But SSL certificates are not free

    >

    They are now:

    https://letsencrypt.org/

    Oh... I'll take a look on that - thanks for sharing!

    The problem with all of these schemes is that the protections can simply be removed on the client side.

    What do you mean? Yes you can edit client side code and remove all hashing and encoding but it would lose the functionality then because backend expects to receive hashed/encoded data. So the only way to cheat is to dive into client side JS, read and understand the algorythm of how the security is generated and then the "hacky" is able to generate false requests. But if you use salted hashing + salted encoding + JS minifying, then you really make their life harder.

  • As I wrote in the tutorial [quote:291i6235]... after all if security is a serious point in your project you obviously would like to use SSL.

    SSL is the proper way to secure your data. But SSL certificates are not free and if you can't afford it for now or simply security is not that crucial in your case, then adding this kind of hash token is better than nothing as

    [quote:291i6235]Digging in minified JS to crack it is much harder then

    This protects you from low-skilled hackers who sniffed the data. So all the kids who just installed some sniffer... and from those who are not familiar with JS or lazy enough to dig in minified JS to find the algorythm to reproduce the token.

    I personally use it in several apps where security is not my big concern and it works pretty well.

    Up to that, I have figured out another non-ssl security trick for sending data which contains not only the hashing API key but also the encryption. I called this method a Super64encode (/decode) as it is based on Base64 algorythm but salted with two keys. I will be releasing it to public soon with TR_System plugin which is an extention to the native System. Not sure if I'll remember to post it here, but you may want to follow me on Twitter or just check my blog from time to time. I should post it within two weeks or so.

  • So your friend suggested you to send SQL to the database with JavaScript instead of PHP?

    PHP is a server side language, HTML5 JS is on client side. So if it was possible (but it's not) to send data to the database server directly with JS, then imagine how insecure would it be. You would have to log in to the database and what goes after, store credentials on client side.

    So in short words you must have a bridge (like PHP) in order to send data to the database from the browser.

  • Hey blackhornet, I'm not sure you're aware of that and I thought you might want to know.

    There is a problem with Thai language. They have some kind of "half letters" and when GYFM filters the input to remove duplicates it changes Thai letters and the sprite font can't be used properly. I'm not sure how Thai letters work and if you'd be interested in investigating that (I belive it would take some time), but I think the quick workaround would be to give an option for automated filtering (duplicates removal) or manual. So we could just paste the letters we use and export them without filtering.

    I think other Asian languages with "combined characters" might have the same issue.