
Securely provide a unique secret code to winner of flash game?

Here's what I want to do: when a player wins a game (coded in Flash/ActionScript), they are given a personalized secret key, which they can email to me in exchange for a prize. I can then validate the key on my end using a private algorithm.

I need to design it so that it is practically impossible for hackers to generate a valid prize key without winning the game. Is this even possible?

I assume that any SWF file is basically vulnerable to decompilation, but I don't know exactly how vulnerable they are. Perhaps any algorithm for generating a valid key will be accessible to hackers?

I have at my disposal all the methods in ActionScript 3, as well as a PHP/MySQL server, and I control the server where the game will be hosted.

Ben asked Feb 15 '11 15:02


2 Answers

What you really want to do is to securely determine the winner of the game.

That's hard, but, depending on the game, you can try to:

  • continuously validate the state of the game with the server (doors opened, rooms entered, coordinates on the map, etc), especially with regard to the timing (how long it should take to move between coordinates);

  • determine whether the game will be won or lost in advance (e.g., scratch cards);

  • ask the winner questions about the game ("what colour was the cow?").

aaz answered Nov 15 '22 20:11


Disclaimer: I don't work with Flash.

When starting the game I would obtain a unique token from the server. After they win the game I would generate a code using that unique token and display that to the user. Then you can validate the unique code against tokens from the server.

Another thing you could do is incrementally "build" the unique code as they play the game. If they don't play it through they will at the very least have to backtrack through the entire game to generate a code.

I would say most games are vulnerable in some form to decompiling; the goal is to minimize loss. If you're giving away high value prizes then of course you will be targeted by unscrupulous people.

Josh K answered Nov 15 '22 21:11
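The server-issued token scheme from the second answer, combined with the timing check from the first, as an added PHP sketch that is not code from either answerer. The function names, the `MIN_PLAY_SECONDS` value, the code derivation and the in-memory `$store` (standing in for a MySQL table) are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: shortest plausible time to finish the game, in seconds.
const MIN_PLAY_SECONDS = 120;

// The derivation the game client would run on a win. It ships inside the
// SWF, so treat it as public: it names a session, it is not a secret.
function deriveCode(string $token): string
{
    return strtoupper(substr(hash('sha256', 'win:' . $token), 0, 16));
}

// Called when a game starts. The server records what it issued and when.
function issueToken(array &$store, int $now): string
{
    $token = bin2hex(random_bytes(16)); // unguessable, one per game started
    $store[deriveCode($token)] = ['issued_at' => $now, 'redeemed' => false];
    return $token;
}

// Called when a player e-mails a code. Returns the decision as a string.
function redeemCode(array &$store, string $code, int $now): string
{
    $code = strtoupper(trim($code));
    if (!isset($store[$code])) {
        return 'unknown code';          // never issued by this server
    }
    if ($store[$code]['redeemed']) {
        return 'already redeemed';      // at most one prize per token
    }
    if ($now - $store[$code]['issued_at'] < MIN_PLAY_SECONDS) {
        return 'finished too quickly';  // implausible for a real play-through
    }
    $store[$code]['redeemed'] = true;
    return 'valid';
}

// Constructed demo: the timestamps and the bogus code are sample values.
$store = [];
$t0    = 1000;
$code  = deriveCode(issueToken($store, $t0));
echo redeemCode($store, 'ABCDEF0123456789', $t0 + 300), "\n";
echo redeemCode($store, $code, $t0 + 10), "\n";
echo redeemCode($store, $code, $t0 + 300), "\n";
echo redeemCode($store, $code, $t0 + 400), "\n";
```

The checks rest on server-side state rather than on the client's algorithm staying hidden: they cap redemptions at one per issued token and reject implausibly fast finishes, which limits loss but does not by itself prove the game was won.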