Anybody know what URL the stats API posts its parameters to?
I don't see anything at all happening in Tamper Data; does the API open a socket connection instead of firing off normal one-off HTTP requests? If so, what URL and port, and what's the format of the request?
Good question?
It is, evidently. Such an intelligently posed and difficult question that some "1337 h4x0r" was intimidated into reducing my karma out of spite. Ah well, I suppose we don't have intelligent and skilled individuals around here, just a bunch of one-trick-ponies posting what amounts to glorified GameShark codes. The Google cloaking of forum pages conceals the fact that this is a community seriously lacking in respect for knowledge for knowledge's sake (a principle greatly respected in real hacking circles). I don't know why you bother to protect your secret information when frankly you don't have any.
As a game developer, I initially thought that any Kongregate game should be fundamentally insecure as the names of variables are embedded in the source code. Can't you just bypass all this trouble with memory editing, or even with Tamper Data, and spoof a server request directly using the variable name? But when you actually try it out and packet sniff stats requests, you find that they don't appear to send HTTP/HTTPS at all. My guess is that they're sending it along the same connection as Jabber chat.
Seeing the total lack of competence here (the only one among you with the modicum of skill to exploit this previously was the KBH guy, and even he's a failure as his program seems indefinitely broken) I feel much better about the security of scores if you employ this combination of techniques altogether:
- obfuscation of score
- mochi encryption of source
- memory randomization (a method like Mochi Digits employs)
- encrypt score submissions, send them to a third party server (your own)
- use the Kong server API to bounce it to their backend after validating the submission and rejecting fake scores
The Achilles' heel of this technique is direct spoofing of requests, bypassing all of the above, but if this community is any indication then nobody is good enough to do that. "Hacking" is limited to barely competent muddling with memory addresses and decompiled variables.
Since this community has nothing at all to offer in the way of unique information or talented contributors, I won't be back. Enjoy your hormonal high school antics, and continue to wallow in mediocrity.
Quote from: "Dudeness" I won't be backk bye Flash .sol locations
No one dropped your karma till now. That post, other than being tl;dr, was probably the most worthless thing you could post. Why? Because you will be back. Why? Because you are a completely narcissistic asshole. Why? Because you are, now quit asking me you sleech.
Anyway, back to the task at hand. WTF are you asking? If you can't manage to see the AJAX requests bouncing around like mad, then you have no skills whatsoever. I mean, c'mon, the Kong API is JavaScript! Have you even taken a look at the API code? It's available online for free ON KONGREGATE'S WEBSITE!!! Look under developer tools you prick. Not to brag, but I did have a hand in developing the newest incarnation of the Konduit API for MMO games. Some of the enhancements are being added to the AS libraries, specifically involving additional checksums and IP traces. Well, I best get moving on. You should take the time to read my tutorial on the basics. Have fun!
http://forum.kongregatehack.com/viewtopic.php?p=31044#p31044
~TIM
I'm just wondering if this guy (crapness Dudeness) even knows what he's talking about...