The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
Users can hack arcade scores
This was brought to my attention on my forum: A member discovered this video on how to hack the arcade scores: http://www.youtube.com/watch?v=ySkTfDjoF9k
They tested it out on another forum and have confirmed that it works. The video was created on August 5th. Any hope for a fix?
Comments
#12
He needs to step back and rethink the system. I'd suggest a PHP proxy. Although, that would mean all the games would be unusable. Darn $_GET function.
#13
Well, games can be converted; I think getting rid of cheaters is the most important thing for now.
#14
This is widely known and nobody has been able to come up with a solution other than saying 'use v32 games'. Unfortunately, if you have several hundred games, chances are there are many v2 games amongst them, as these are easier to convert, and these are the ones prone to being tampered with.
I have caught a couple of members this past month only because they logged really short times against the games. I strongly suspect other players are being more coy, playing a full game (so the time looks normal) and tampering with the data to get scores just above the current high score, and these are next to impossible to prove. This really needs to be seriously addressed as it makes the whole scoring system completely pointless. Did you get a response from Mr Z regarding the info you sent him, Stifmeister?
#15
There's a simple solution: recompile games to send multiple variables to be checked server side.
For instance: sending time played and the score, then adding the two together, then hashing it, then checking all 3 of those variables server side to see if they have been altered or not.
#16
Quote:
Quote:
#17
Latest v2.6.7+ also has something implemented to make the use of this "tamper data" more difficult, as the arcade also checks the time the game needs to submit the score.
-> This only works for all secured v32/v33 games! (those with the yellow "!" in the AdminCP Gamelist) So it is much more difficult, as you need to be VERY quick using tamper-data or the session times out.
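A sketch of the server-side check proposed in #15 combined with the submission-time check described in #17, added here as an illustration; it is not the arcade's code and does not come from any poster in this thread. It uses an HMAC over the submitted fields rather than a hash of score plus time, and `ScoreGate`, its method names and the 10-second slack are assumptions.

```php
<?php
// Added example; ScoreGate and its methods are hypothetical names.
final class ScoreGate
{
    private $plays = [];  // stand-in for a database table of open plays
    private $slack;       // seconds allowed for loading the game and posting the score
    private $maxPlay;     // seconds before an open play expires

    public function __construct(int $slack = 10, int $maxPlay = 3600)
    {
        $this->slack = $slack;
        $this->maxPlay = $maxPlay;
    }

    // Game load: issue a one-time play id and a per-play key, remember the start time.
    public function startPlay(int $userId, int $now): array
    {
        $id = bin2hex(random_bytes(16));
        $key = bin2hex(random_bytes(32));
        $this->plays[$id] = ['user' => $userId, 'key' => $key, 'start' => $now];
        return ['id' => $id, 'key' => $key];
    }

    // Value the recompiled game sends along with score and time played.
    public static function sign(string $key, string $id, int $score, int $played): string
    {
        return hash_hmac('sha256', $id . '|' . $score . '|' . $played, $key);
    }

    // Returns 'ok' or the reason the submission is rejected.
    public function submit(int $userId, string $id, int $score, int $played, string $mac, int $now): string
    {
        $p = $this->plays[$id] ?? null;
        if ($p === null || $p['user'] !== $userId) return 'unknown-play';
        unset($this->plays[$id]); // each play id is accepted once
        if (!hash_equals(self::sign($p['key'], $id, $score, $played), $mac)) return 'bad-mac';
        $elapsed = $now - $p['start']; // measured by the server, not reported by the client
        if ($elapsed > $this->maxPlay) return 'expired';
        if ($played < 0 || $played > $elapsed) return 'impossible-time';
        if ($elapsed - $played > $this->slack) return 'unaccounted-time';
        return 'ok';
    }
}
// Constructed demo values: user 7, Unix-style timestamps.
$gate = new ScoreGate();
$a = $gate->startPlay(7, 1000);
$mac = ScoreGate::sign($a['key'], $a['id'], 4200, 95);
echo $gate->submit(7, $a['id'], 4200, 95, $mac, 1100), "\n";   // untouched submission
echo $gate->submit(7, $a['id'], 999999, 95, $mac, 1101), "\n"; // edited score sent again on the same play id
```

Because the per-play key is delivered to the game client, the MAC only catches values edited in transit; the one-time play id and the server-measured elapsed time are the checks that do not rely on anything the client holds.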
#18
This is something I have been wondering about for some time.
Is it not so that as long as the $FIXIE variable in the beginning of arcade.php is set to 1 (as it seems to be as default) this whole v32 security thing is pretty much ignored? Which makes it just as simple to cheat on v32 games as the old games? That's how I understand it anyway. Please correct me if I am wrong. I also understand that there's probably a reason for this variable being there in the first place. Even though I haven't experienced any problem myself when having it set to zero (only on a test board with no traffic) /SK
#19
Quote:
What about the info Stifmeister sent you about a new way to cheat that his members found?
#20
Quote:
I'll try to get more info on how exactly it works; I know the program but I haven't tested it myself yet.
#21
Good morning all,
I know I don't post much on the site. Work, kids, and running my own site and home business will do that, lol. Yes, when I read this article it became a concern for me as well. The only thing we can do is monitor the time logged on a specific game for the high-scoring player. I announced that game cheating IS being monitored, and that if cheating is discovered the person caught will be permanently banned from the site. This seems to work as I have not had any cheating since. Now it is to be also noted that the game Ghost Rider does glitch a high-score that is not the fault of the player. That has happened on my site once.