Score List Hacking: Lessons Learned by Cheating Your Way to Number One, Part 1 of 2
Most score lists are so easy to manipulate that bragging about it simply highlights the hacker's lack of skill. This two-part series of articles is not meant to promote score list hacking; instead, the purpose of this series is to address the dangers created by insecure score lists. As you will learn, an honest player's pride is not the only thing that can be harmed when a programmer fails to secure a game.
The Internet has many uses, one of which is gaming. As a result, hundreds or perhaps even thousands of online games have popped up. These free games are often simple time-wasters that can provide a player with several minutes of amusement. But some programmers who understand human nature include a score list with their games. Now, instead of a simple game, you have a competitive challenge that keeps people coming back for more.
Unfortunately, such games have properties that can make them a target for hackers:
- Flash games and Java games actually reside on the player's computer. The web browser downloads the game file to local cache, from which the game file is executed. For a hacker, this means that he or she owns the code. In other words, all the hacker has to do is locate the game file and decompile it to find out how it works (or doesn't work, in some cases).
- Because the game is played on the local system, the program has to provide some sort of channel to upload the player's score. This is almost always accomplished in plain text, using HTTP requests that look and operate much like a web-based form. As a result, a hacker can set up a program to monitor all HTTP traffic, from which he can draw important information. Some of these tools also allow the attacker to change posted score values on the fly, giving him the power to post manipulated information.
These types of attacks are not new. Online game programmers know that people try to intercept and alter the scoring data; therefore, the code often includes some sort of encryption algorithm to provide protection. In theory, this feature should keep score list hackers from causing problems. However, because the game files reside on the local system, all the attacker has to do is decompile the game file, locate the obfuscation routine, and reverse-engineer it. While this requirement increases the difficulty of the "hack" a bit, games that rely on this type of protection will eventually fall prey to a hacker.
To fight back against this problem, online game coders also use other forms of validation, such as HTTP referrer checks, IP/browser monitoring, and more. Unfortunately, these techniques often fail; in fact, of the 50+ games tested for this article, only two were unbreakable. We'll spend some time in the rest of this article analyzing several of these examples and demonstrating why their protections failed.
More importantly, a dangerous side-effect of a hackable score list can lead to more than just damaged pride: If an attacker can post his own score, he can post other forms of data as well. Fortunately, most score list hackers seem to think only about becoming number one, but they could post pretty much anything—code, secret messages, illegal or sensitive data, and more.