Toby R's Recent Forum Activity

  • Added a direct c2addon download link as I received PM's that some people have problems with downloading it via Plugin Manager.

  • Various general actions, conditions and expressions. A kind of extension to the native C2 System.

    [Download this plugin with Armaldio's Plugin Manager] - just two clicks.

    or download TR_System.c2addon directly

    FEATURES

    • Non dt affected Timers
    • Convertions between decimal, binary and hexadecimal numeral systems
    • Timestamp (both in seconds and milliseconds format)
    • Date with custom format (ex. "yy-mm-dd hh-ii-ss.u") and timezone offset
    • In-condition and in-action comments (if you need a standalone comment plugin, check

      rexrainbow rex_comment plugin)

    Open logical condition (equivalent of clean if statement from programming languages)

    On Timestamp condition - allows to set an action for a particular time in future

    Get current group name

    Hashing functions: Base64, MD5, SHA1, SHA256, SHA512, Super64 (if you need more/different hashing functions or simply a stand alone dedicated plugin, check CB Hash plugin by Kyatric

    Get screen aspect ratio, screen width, screen height (not the canvas, but screen)

    Is in set (equivalent to in_array from programming

    ... and more

    v1.5 update (2017-02-09)

    • Is value in set (Value, {item1, item2, item...}) condition added: Is true when Value is equal to at least one of elements in set.

    v1.4 update (2017-01-11)

    • ScreenWidth expression added: Return the width of currently set screen resolution.
    • ScreenHeight expression added: Return the height of currently set screen resolution.
    • GetScreenRatio expression added: Return the (string) aspect ratio of the screen (ex. "16:9") or 0 (integer) if could not detect.
    • IsScreenRatio expression added: Check if screen aspect ratio is equal to "WidthRatio":"HeightRatio". Return 1 if true and 0 if false.
    • GCD expression added: Return the Greatest Common Divisor for a and b parameters or 0 if wasn't found.
    • Is screen aspect ratio(Width ratio, Height ratio) condition added: True when screen aspect ratio is equal to "Width ratio":"Height ratio".

    v1.3 update (2017-01-09)

    • GetTimerTimeLeft(tag) expression added: Return the remaining time before timer triggers (in milliseconds)
    • Fixed a bug when timer condition was checked before the particular timer tag was started

    v1.2 update (2017-01-05)

    • Hashing/encoding functions added: Base64, MD5, SHA1, SHA256, SHA512, Super64

    v1.1 update (2017-01-02)

    • Comment action fix

    Full ACE table: http://tobyr.wtfgamesgroup.com/c2-plugins/tr_system-construct-2-common-additional-aces/

  • But regardless, you still have to have a library of keys to match it against.

    No there is no library of keys.

    The user can still retrieve the key from the source, and use it to submit a false score, prior to your program submitting the score.

    No he can't. The same API key will not work for different score value.

    But any half-clever user will be able to guess at your algorithm after a few tries, even if they cannot reverse engineer it out of your code.

    Guess the algorithm? That's close to impossible.

    We can make a test for fun if you want. I can make a simple service with API secured with API key and you may take your time to "crack it" (send false data). I'll provide you the JS code so you could try to figure out the algorithm. It will be possible (obviously) as the answer will be in the JS code, I'm just curious how long would it takefor a developer to "break it".

  • Assuming that your API key is very temporary (like a lifetime of only a minute or less) and regenerated frequently, you are likely to know which of your players is asking for information from your server at any given time, but without using SSL anyone who can get close to either your server or your user's local network can simply scrape the API key from the wire and submit as theirs.

    I think you don't fully understand what mechanics is behind the API key trick. There is no such thing as temproary API key that lasts for a minute or even a second. That would not be secure at all. The API key is unique for every call.

    JS Minifying helps, but it does not take a lot of skill to see the debugger output all of the variables and simply identify which one is being submitted to your AJAX API and simply changing the value of that variable in the source at execution time.

    It's not always a variable, you can make a complex trick to confuse the source. But even if there's a pure variable, it's not just about to change the value. You must know how to generate a proper API key because it is validated on the server side. So you must understand the key generation algorithm first.

  • gumshoe2029 exactly.

    Just to make it more clear, I'd split it to three simple levels of security here.

    1. No SSL, No API KEY

    Any kid who fetch the URL, is able to send fake data.

    2. No SSL, with API KEY

    You need a solid JS knowledge and have a lot of patience to - let's call it - decrypt the minified JS code and understand the API KEY generation algorythm (which by the way might be way more complex than standard sha1(salt+data)) in order to send fake data. So 99.9% of kids are already filtered here.

    3. SSL

    The right way for securing the data transfer.

  • Try Construct 3

    Develop games in your browser. Powerful, performant & highly capable.

    Try Now Construct 3 users don't see these ads
  • > But SSL certificates are not free

    >

    They are now:

    https://letsencrypt.org/

    Oh... I'll take a look on that - thanks for sharing!

    The problem with all of these schemes is that the protections can simply be removed on the client side.

    What do you mean? Yes you can edit client side code and remove all hashing and encoding but it would lose the functionality then because backend expects to receive hashed/encoded data. So the only way to cheat is to dive into client side JS, read and understand the algorythm of how the security is generated and then the "hacky" is able to generate false requests. But if you use salted hashing + salted encoding + JS minifying, then you really make their life harder.

  • As I wrote in the tutorial [quote:291i6235]... after all if security is a serious point in your project you obviously would like to use SSL.

    SSL is the proper way to secure your data. But SSL certificates are not free and if you can't afford it for now or simply security is not that crucial in your case, then adding this kind of hash token is better than nothing as

    [quote:291i6235]Digging in minified JS to crack it is much harder then

    This protects you from low-skilled hackers who sniffed the data. So all the kids who just installed some sniffer... and from those who are not familiar with JS or lazy enough to dig in minified JS to find the algorythm to reproduce the token.

    I personally use it in several apps where security is not my big concern and it works pretty well.

    Up to that, I have figured out another non-ssl security trick for sending data which contains not only the hashing API key but also the encryption. I called this method a Super64encode (/decode) as it is based on Base64 algorythm but salted with two keys. I will be releasing it to public soon with TR_System plugin which is an extention to the native System. Not sure if I'll remember to post it here, but you may want to follow me on Twitter or just check my blog from time to time. I should post it within two weeks or so.

  • So your friend suggested you to send SQL to the database with JavaScript instead of PHP?

    PHP is a server side language, HTML5 JS is on client side. So if it was possible (but it's not) to send data to the database server directly with JS, then imagine how insecure would it be. You would have to log in to the database and what goes after, store credentials on client side.

    So in short words you must have a bridge (like PHP) in order to send data to the database from the browser.

  • Hey blackhornet, I'm not sure you're aware of that and I thought you might want to know.

    There is a problem with Thai language. They have some kind of "half letters" and when GYFM filters the input to remove duplicates it changes Thai letters and the sprite font can't be used properly. I'm not sure how Thai letters work and if you'd be interested in investigating that (I belive it would take some time), but I think the quick workaround would be to give an option for automated filtering (duplicates removal) or manual. So we could just paste the letters we use and export them without filtering.

    I think other Asian languages with "combined characters" might have the same issue.

  • Thanks cjbruce! Glad you like it

  • Hi there. Just sent you a PM.

  • Thank you mallorcaredes!

Toby R's avatar

Toby R

Member since 23 Mar, 2015

Twitter
Toby R has 18 followers

Connect with Toby R

Trophy Case

  • 9-Year Club
  • Forum Contributor Made 100 posts in the forums
  • Forum Patron Made 500 posts in the forums
  • Forum Hero Made 1,000 posts in the forums
  • Popular Game One of your games has over 1,000 players
  • x6
    Coach One of your tutorials has over 1,000 readers
  • Email Verified

Progress

15/44
How to earn trophies