
Prevent Cheating With Send Score Flash+php


LifeToTake
04-06-2006, 04:36 PM
Hi ^_^ I am currently developing a game system for my website and found out how easy it is to reverse engineer a flash game back into .fla format with all its action script still there. I am curious as to how to prevent people from using a modified version of my game to cheat on my site when I release it.

Also note that I am not using load variable for my php file I am using sendAndLoad(); with method post.

ninjakannon
04-06-2006, 05:11 PM
There is a way to stop people from getting your code using a decompiler.

To do this you need an obfuscator, you can buy a good one at http://www.amayeta.com/.

There are other ways to stop people even getting your files in the first place, have a look at http://www.flashkit.com/board/showthread.php?p=3590754#post3590754 for a little help, even if you don't actually use this.

You could also have a look at the attachment: a file that can only be played properly on your website, not another website or a user's home computer.

Hope this helps =)

LifeToTake
04-06-2006, 05:17 PM
Holy cow thanks a million! I already secured the file from people downloading but it ends up in the temporary files so they could just search for it :/ The attached file helps out a lot.

I was wondering... what is the method that is used from loadMovie()? O_o....

Khain
04-06-2006, 06:52 PM
Also, how can you prevent people from using programs like ArtMoney to cheat in your games (since ArtMoney now has a Flash listener)?

LifeToTake
04-06-2006, 06:54 PM
Umm... name your variables funny names or long random things instead of something obvious O_o that is what I did... My score var is PzSfwadsiOHSAEOIGFGhsaiohfoiH ROFL

Khain
04-06-2006, 06:57 PM
Hehe well I don't know if that will stop ArtMoney. In that program you search for values. Say you have 547 pts. The user will search for 547 and ArtMoney will find all the addresses containing 547. The user can then filter when the score changes, narrowing his results until finally he has one single address which is the score value. Then he can change that value with ArtMoney and then submit a ridiculous score.

LifeToTake
04-07-2006, 06:25 AM
hmm.... Interesting that must suck for programmers :/

ninjakannon
04-07-2006, 07:20 AM
I've never heard of 'ArtMoney' before... but I don't like the sound of it =(

Just to make life hard for people with ArtMoney (and such programs) you can always complicate things. Use an array to hold the score; each digit is held as a separate value, so the score 547 would be something like var PzSfwadsiOHSAEOIGFGhsaiohfoiH = array("0", "0", "5", "4", "7"); or something, then update the array with splice. You could also use numbers that add together to get the score, so you would have two score values: 291 and 256, for example. When a user gets points just add on to one variable randomly and create a textbox dynamically to display both numbers added together in.

This kind of thing only makes it harder for people trying to get into your code, unfortunately you can never fully protect your swf files.

keyone.it
04-07-2006, 08:27 AM
Well, I don't know how cheating programs behave, but you should try filtering incoming requests for your score script in PHP.

In PHP the $_SERVER variable is an array containing useful data, such as the remote IP address, the referrer (the webpage that took the user to the script, which *should* in our case give the Flash file URL, but I haven't tested it).

If what I said above is true, you can choke the script if the request is not coming from the Flash file on your server, and output a string that tells the lamer to go cheat somewhere else...

Give me a minute and I'll check it out..

keyone.it
04-07-2006, 09:10 AM
Ok, I've made a few tests and found out that:

1) The PHP script retrieves an empty referer when Flash uses the sendAndLoad() method;
2) The PHP script retrieves a referer equal to the Flash URL when Flash uses the send() method;
3) Checking the remote headers, when Flash is fired from within a browser (either directly or embedded in an HTML document), the PHP script received the browser headers, while if fired from test player (within the Flash authoring environment) the PHP script receives the Flash player headers. I wasn't able to get the connection working from the standalone player.


In conclusion: it might be possible to build a dispatcher by mixing together conditionals on the referer and on the remote headers, but I don't know how easy it may be to fake the headers (I think they can be customized with ActionScript).
So probably my idea is impossible to make.

Too bad..


p.s.
Well you could actually use the send() method, targeting a hidden frame in your page. And print a response that will display another flash movie that will send the response back to the first one via localConnection. Or you could do it with JavaScript and the ExternalInterface API. But all these solutions require great compatibility and support, which the Flash player does NOT have.
If you access such type of content on non-standard systems, it will simply not work.

But this is Flash..

LifeToTake
04-07-2006, 12:14 PM
Here is the most security you can get with php.... It took me days to finally figure I can't add anything else for security :/ I rewrote this to load in the source that ninjakannon posted (which I modified to get a var from the linked loader file ^_^) . If you want to just load your swf file on the page without a loader change
if (!$gamefile || !$username || $final_ref || !$udata['id'] || $udata['id'] == "0"){

to

if (!$gamefile || !$username || $final_ref != $siteref || !$udata['id'] || $udata['id'] == "0"){

this will pretty much stop people from directly downloading the file but if the person can play the file directly from the site in any way if they are using IE they can just go search for it in their temp folders :/ this is why I needed a loader


<?php
// $udata is expected to be filled in by the site's login code before this runs.
// Host part of the referer; empty when the client sends none.
$referer = isset($_SERVER['HTTP_REFERER']) ? parse_url($_SERVER['HTTP_REFERER']) : array();
$refcheck = isset($referer['host']) ? $referer['host'] : "";
$final_ref = str_replace("www.", "", $refcheck);
$siteref = "127.0.0.1"; // Do not add http:// or www.

$method = $_SERVER['REQUEST_METHOD'];
// basename() drops any directory part, so "../" cannot reach files outside flashfiles/
$gamefile = isset($_GET['gamefile']) ? basename($_GET['gamefile']) : "";
$username = isset($udata['username']) ? $udata['username'] : "";
// The udata is making sure user is logged in :/
if (!$gamefile || !$username || $final_ref || !$udata['id'] || $udata['id'] == "0"){
    header("location: index.php");
    die;
}
// Missing file: redirect instead of sending Flash headers with an empty body
if (!is_file("flashfiles/$gamefile")) {
    header("location: index.php");
    die;
}

//$sql = "INSERT INTO `z_method` (`method`) VALUES ('$final_ref');";
//mysql_query("$sql");


header("Content-type: application/x-shockwave-flash");
header("Expires: Wed, 11 Nov 1998 11:11:11 GMT");
// One header line: a second header("Cache-Control: ...") call would replace the first
header("Cache-Control: no-cache, must-revalidate");
$file=fopen("flashfiles/$gamefile","rb");
// ^^^^^^^^^^^^
$source=fread($file,filesize("flashfiles/$gamefile"));
fclose($file);
print $source;
?>

keyone.it
04-07-2006, 12:27 PM
why did you choose fopen/fread over readfile?
readfile will read the file stream in binary mode automatically :).

I will check the code as soon as I have time, thanks for sharing!

;)

LifeToTake
04-07-2006, 12:33 PM
I favor fopen(); because I already memorized it xD I mostly stick with the php I remember off hand and if I don't know a code then I just go to php.net and look up what I need or daydreamgraphics.com ^_^ I've been doing php for 3 years I only know a small portion of all the commands and functions ... probably because I am self taught T_T (I just learned by modifying scripts and stuff just like I am learning flash right now ^^;) O_o oddly I figured out how functions worked without even messing with them a couple of days ago it just clicked in my head one morning when I woke up how they worked.

keyone.it
04-07-2006, 12:54 PM
I gave it a shot and your code doesn't appear to work either.

When the PHP script is called by Flash with a sendAndLoad() function, no referer is specified.. so the user gets blocked.

LifeToTake
04-07-2006, 01:01 PM
If you're loading it in flash leave the
|| $final_ref ||
Note: Some php version might not support this :/ so you might just need to delete $final_ref ||


as it is. As stated by you earlier there is no referer xD and to get the link I recommend something like this in your flash code for misc reasons.


var aVars = [[g, ""]];
game_filename = aVars[0][0];

_root.loadMovie("file.php?gamefile="+game_filename+".swf");


The embedded flash loader would be linked like filename.swf?g=X

keyone.it
04-07-2006, 01:08 PM
What I see happening on my server is that I get no referer if a new page is not being physically loaded. Which is partially understandable. It is weird though that there is no way to retrieve the URL of the calling document.

Obviously you shouldn't be able to read the document path if it's not under the same sandbox, but at least within it...

LifeToTake
04-07-2006, 01:14 PM
Ohh yeah that reminds me O-o your flash files need to be in a folder called flashfiles/ ROFL I think you might have noticed that tho XD... hmmm :/ sorta odd. You did take out the user data stuff right (IE: username and all the $udata[])? X_x .... lol I originally set this up as a file to hide the real location of the swf files and prevent direct downloading which the || $final_ref helps prevent that. hmmm If you can't get this to work Imma go back to the drawing board and make it up to the latest php standards.

keyone.it
04-07-2006, 01:18 PM
Thanks I don't need help on the PHP side, but I've never heard of the "flashfiles/" directory... what about that? I have to place them in /var/www/html/flashfiles/?

LifeToTake
04-07-2006, 01:21 PM
flashfiles folder should be in the same folder as the php file. You can easily change it xD


$file=fopen("flashfiles/$gamefile","rb");
// ^^^^^^^^^^^^
$source=fread($file,filesize("flashfiles/$gamefile"));



I plan to make a full security system for php and flash that submit score when I finish the site that I am working on which I plan to include every possible safety feature possible and then release it to a few communities.

keyone.it
04-07-2006, 01:28 PM
you are getting confused between the script I'm talking about in THIS thread and the script I posted in another thread.

The whole part that loads the Flash movie via PHP is not what I am looking at.
What I'm trying to do is to prevent a Flash movie that is loaded outside of my website from communicating with my PHP script.

That's the part I'm figuring now. My problem is that I can't manage to get a consistent datum I can build a conditional on, because sendAndLoad() commands don't produce any referer or other reference...

keyone.it
04-07-2006, 02:14 PM
Well, I've been looking around until now and I've found no solution on that front.


I'm sorry, I really can't think of a solution to your problem... I think you will have to deal with cheaters for now.. I will look further into it though..

Cheers

LifeToTake
04-07-2006, 04:20 PM
hmm As far as I can tell there is not a way to stop the loading of a page with flash. But I figure if you can prevent them from ever getting the flash file then cheating will not be an issue.

I have actually achieved that and I thank you and everyone else for the help ^_^.

Musicman
04-07-2006, 06:58 PM
Hi,

comment on referer - some browsers send a referer (possibly pointing at the embedding html page) - even with sendandload. Internet exploder definitely does not.
comment on php delivering the movie non-cachable: it stops people from poking around in their cache files, but you can still get the swf right from the server and analyze it.
comment on obfuscation: it does not stop dedicated people (just those who only know how to click "decompile" in their favorite tool) from reverse engineering your movie, and it does not stop people from watching the dataflow between the movie and the server.

Here is yet another attempt at the cheat problem (http://www.fontimages.org.uk/flash/hiscore/) - every one copy of the game movie is different, so reverse engineering gets rather pointless. I developed this one when decompiling games with ASV was quite popular

Musicman

keyone.it
04-08-2006, 09:58 AM
Musicman, I've read that if you want to deliver Flash (as any other ActiveX) on Internet Explorer for Windows, you MUST NEVER use nocache, because the browser will fail to show the content (because it is mandatory that the browser saves a local copy of the medium prior to execution).

So in any case (being IE for Win by far the most popular configuration) it is not possible to prevent the Flash movie from saving itself on the client.....



What do you mean by "every one copy of the game movie is different"?

Musicman
04-08-2006, 01:04 PM
Hi,

consider data transmission from the aspect of crypt technology:
- you could have simple transfer (sendandload), or you could have simple transfer of crypted data. In that case the key and algorithm are obviously to be found in the movie. This approach is useful for sending confidential data - crypt with the recipient's public key
- you could have some challenge/response system: the swf talks to the server and gets a crypt key. Then it crypts the data and sends to the server in a second connection. There can be a time limit between receiving the key and sending the message back. Of course the algorithm is in the swf, so reverse engineering the swf still results in a cheat engine
In my experiment there is a key and a time limit, too. But rather than sending an actual key and implementing the algorithm in the swf, the server combines the key and the generic crypt algorithm into a specific algo and implants that one into the swf before delivery. If hackers decide to reverse engineer the swf, they had better do it fast - before the matching crypt key on the server expires

IE caching: I believe this toy works with IE ... at least it did when I made it. Also I believe that loadmovie should be able to load a non-cachable movie on all systems.

Musicman
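
The server side of the challenge/response variant Musicman describes above (key handed out first, score posted in a second connection, time limit in between), as an added example that is not code from this thread or from his hiscore demo. The HMAC construction, the 120-second limit, the function names and the in-memory $store (a stand-in for a session or database row) are assumptions.

```php
<?php
const KEY_TTL = 120; // seconds a key stays valid (assumed value)

// First connection: hand the movie a fresh random key and remember when.
function issue_challenge(array &$store, string $user, int $now): string {
    $key = bin2hex(random_bytes(16));
    $store[$user] = ['key' => $key, 'issued' => $now];
    return $key;
}

// What the movie would compute over its score before posting it.
function sign_score(string $key, string $user, int $score): string {
    return hash_hmac('sha256', $user . '|' . $score, $key);
}

// Second connection: check key age and MAC, and burn the key either way.
function verify_submission(array &$store, string $user, int $score,
                           string $mac, int $now): string {
    if (!isset($store[$user])) {
        return 'no-challenge';
    }
    $entry = $store[$user];
    unset($store[$user]); // single use: a repeated post finds no key
    if ($now - $entry['issued'] > KEY_TTL) {
        return 'expired';
    }
    $expected = sign_score($entry['key'], $user, $score);
    return hash_equals($expected, $mac) ? 'accepted' : 'bad-mac';
}

// Constructed walk-through with a fixed clock instead of time().
$store = [];
$t0 = 1000;
$cases = [
    // label                      => [score signed, score posted, seconds later]
    'honest submission'           => [547, 547, 30],
    'score changed after signing' => [547, 999999, 30],
    'posted after the time limit' => [547, 547, 500],
];
foreach ($cases as $label => [$signed, $posted, $delay]) {
    $key = issue_challenge($store, 'player1', $t0);
    $mac = sign_score($key, 'player1', $signed);
    $first = verify_submission($store, 'player1', $posted, $mac, $t0 + $delay);
    $again = verify_submission($store, 'player1', $posted, $mac, $t0 + $delay);
    echo "$label: $first, repeated post: $again\n";
}
```

This only covers replayed, late and altered posts; a score changed in memory before the movie signs it still verifies, and the signing routine is in the swf for anyone who decompiles it, which is the limit Musicman points out.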