A Flash Developer Resource Site


Thread: [disc] Flash Game Protection

  1. #21
    Senior Member
    Join Date
    Mar 2002
    Posts
    249

    Re: Re: Re: [disc] Flash Game Protection

    Originally posted by jtnw
    The only thing that'd make a difference is adding the useless code. Comments don't exist in swfs, neither does formatting.

    jtnw
    doh! you're right about the comments and formatting. however, changing variable names can be pretty effective. for example, if you start with,

    profit = revenue - costs;

    and change that to,

    $T66Y$ = $NNNNNNN00c$ - a;

    ya gotta admit that the second statement is a lot harder to understand!

  2. #22
    jtnw's Avatar
    Join Date
    May 2002
    Posts
    1,328
    Yes the Obfuscated code is much harder to understand, but the problem with that is unless you do it by hand, it's not very reliable. What I mean by that is trying to access variables or functions dynamically may fail. (ie with a string and eval() )

    jtnw

  3. #23
    Senior Member youmex's Avatar
    Join Date
    Apr 2004
    Location
    Dortmund, Germany
    Posts
    176
    Kirill M.

    Yes, I saw your script does this

    But what I meant was the combination as a whole, for example also the "call home" function. If the thief is only prevented from playing the game at his first try he will surely go to one of these boards named in this forum and have the swf cracked or do so by himself.

    By having a time delay and a call home function you know at least who uses your game. With your script you won't, if you don't see it via searching in Google, if at all. And that's the point I think is most important. Not only preventing people from stealing your game, but also knowing who they are!
    Be a worm and catch fruits in a parallax scenario:

    http://www.nibbly.com/flug.html

  4. #24
    Senior Member
    Join Date
    Mar 2002
    Posts
    249
    Originally posted by jtnw
    Yes the Obfuscated code is much harder to understand, but the problem with that is unless you do it by hand, it's not very reliable. What I mean by that is trying to access variables or functions dynamically may fail. (ie with a string and eval() )

    jtnw
    so, what's your point? these techniques are not worth doing? if so, I'd respectfully disagree. anything that makes it harder for your code to be understood and used is a step forward. obviously you would only use the techniques that allowed your code to run properly!

  5. #25
    Senior Member youmex's Avatar
    Join Date
    Apr 2004
    Location
    Dortmund, Germany
    Posts
    176
    I tried another approach which does not try to fool decompilers but goes another way.

    How about this:

    Define all the functions in a separate file. Encode the file with an MD5-key. The SWF loads the encoded txt, decodes it and then defines the functions.

    This does of course not prevent a thief from stealing pictures and things like this (I guess there is no real way to prevent this), but I think this gives a lot of extra security.

    It can be increased by having time-based encoding and decoding files supplied by the server. This means an MD5 key in conjunction with a time/date stamp is only valid during a short period of time. MD5 key and files can be preprocessed, so no strong server is needed.

    I plan to start the development of this system in the next few days, since I think it is very promising. Has anyone done this before?

  6. #26
    Hype over content... Squize's Avatar
    Join Date
    Apr 2001
    Location
    Lost forever in a happy crowd...
    Posts
    5,928
    Writing a var name obfuscator isn't too tricky at all, with FLASM and something like Screenweaver you could knock something out in no time ( There is actually something like that which uses FLASM but it's not the most flexible thing in the world... link escapes me atm but it is linked to from the FLASM site ).

    I still can't see the point though, but I know I'm in the minority with that.

    Squize.

  7. #27
    jtnw's Avatar
    Join Date
    May 2002
    Posts
    1,328
    XcVbSdRw, I suggest you only obfuscate your important functions that you don't want other people to see, not the whole file. The reason why you shouldn't use auto-obfuscators is it causes variable confusion, ie:
    code:
    //before
    obj1 = {x:5};
    trace(this["obj"+1].x);

    code:
    //after
    -1 = {7:5};
    trace(this["obj"+1].7);
    //Object "obj1" doesn't exist!!

    For this reason, I'd suggest only doing obfuscation by hand.

    youmex, since ActionScript has to be compiled, this wouldn't work unless you somehow scripted the routine at byte-code level, but even then I don't know if it's possible.

    jtnw
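Added example, not part of the original thread or any poster's code: a sketch in JavaScript (standing in for ActionScript 1, which shares the bracket-lookup behaviour) of the failure jtnw describes and of renaming with hand-picked exclusions. The sample source, the rename table and all function names are constructed for illustration.

```javascript
// Constructed sample. ActionScript 1 timeline variables are properties of
// `this`; that is spelled out here so the snippet also runs as JavaScript.
const SOURCE = `
this.obj1 = {x: 5};
this.revenue = 120; this.costs = 20;
this.profit = this.revenue - this.costs;
return this["obj" + 1].x + this.profit;
`;
// Hypothetical rename table, as an automatic obfuscator might generate it.
const MAP = new Map([["obj1", "a"], ["revenue", "b"], ["costs", "c"], ["profit", "d"]]);

// One token = a string literal, an identifier, or any single other character.
const TOKEN = /"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[A-Za-z_$][\w$]*|[\s\S]/g;

// Rename identifiers per `map`; string literals and names in `keep` stay as-is.
function rename(src, map, keep = []) {
  return src.replace(TOKEN, (tok) =>
    map.has(tok) && !keep.includes(tok) ? map.get(tok) : tok);
}

// List bracket lookups with a computed key, and eval() calls: the renamer
// cannot tell which variable names these will resolve to at run time.
function findDynamicLookups(src) {
  const constantKey = /^\s*(?:\d+|"[^"]*"|'[^']*')\s*$/;
  const hits = [];
  for (const m of src.matchAll(/\[([^\]\n]+)\]|\beval\s*\(/g)) {
    if (m[1] === undefined || !constantKey.test(m[1])) hits.push(m[0]);
  }
  return hits;
}

// Run a snippet with a fresh object as `this`; return its value or the error.
function run(src) {
  try {
    return new Function(src).call({});
  } catch (e) {
    return `${e.name}: ${e.message}`;
  }
}

console.log("original    :", run(SOURCE));
console.log("rename all  :", run(rename(SOURCE, MAP)));
console.log("needs review:", findDynamicLookups(SOURCE));
console.log("keep obj1   :", run(rename(SOURCE, MAP, ["obj1"])));
```

Renaming everything leaves the string `"obj"` untouched while the variable it points at has become `a`, so the lookup fails; keeping `obj1` out of the rename restores the original result.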

  8. #28
    Senior Member youmex's Avatar
    Join Date
    Apr 2004
    Location
    Dortmund, Germany
    Posts
    176
    @Squize

    Well, for variable renaming I would suggest something like ASO. It does a good job as long as Flash 5 is used.

    The approach I take is to decode the functions at runtime. Which means until the functions are loaded into memory and decoded they do not exist. After that they only exist in memory, not in the SWF. Therefore it takes a lot more effort to see what actually is done, since ASV only shows the function calls, not the functions themselves (since they do not exist at that moment).

    @jtnw
    I think I found a way to work around, but I'll have to do some more tests. That's why I asked if anybody did anything which might be similar to this.

  9. #29
    Hype over content... Squize's Avatar
    Join Date
    Apr 2001
    Location
    Lost forever in a happy crowd...
    Posts
    5,928
    Yeah I've played with ASO ( And did a little front-end for it with screenweaver ) but like jtnw has highlighted, it screws up with dynamic vars.
    The best way as I figure it would be to code something using FLASM & sW and let the user select which vars to mess around with ( And then save that as a pref file so you wouldn't have to go through the painful experience every time ).

    As to your other idea, I agree with jtnw that I can't see how it would work. Perhaps having the server decrypt and create a swf at run-time and then have the game load that and call the functions within that may work. You would only need to put something like the score function in it, or scroller code etc. for the game to fail.

    Squize.

  10. #30
    Senior Member
    Join Date
    Mar 2002
    Posts
    249
    Originally posted by jtnw
    XcVbSdRw, I suggest you only obfuscate your important functions that you don't want other people to see, not the whole file. The reason why you shouldn't use auto-obfuscators is it causes variable confusion
    although I did include automated obfuscators as one of my suggestions, what I'm suggesting here, INSTEAD OF USING AN AUTOMATED OBFUSCATOR, is that you change your variable names from your normal, intuitive standards into something weird and non-intuitive. for example, if you have a variable name "Revenue" (because it contains a value that represents, what else, revenue!), you would change it to something obscure like XXCBNQ. now, if you replace all instances of "Revenue" with "XXCBNQ" in your AS, you have made your code a little harder to understand. and, you have NOT, as far as I can see, affected how it runs regardless of whether you are using eval or any other legitimate function!

    to be even sneakier you might want to change your code so that a variable named "Revenue" became "SalesLost" so your naming convention appears to contain intelligence but really does not.

    is this secure and guaranteed to protect your code? absolutely not! but, will it slow down a would-be thief and potentially cause him to steal something easier to decode? very possibly!

    bottom line, there is so much Flash out there, both open source and not, that a would-be thief can easily find what they want fairly easily. if you take just a few extra steps as described in this thread, you can probably keep your code relatively safe.

  11. #31
    jtnw's Avatar
    Join Date
    May 2002
    Posts
    1,328
    XcVbSdRw, that's what I meant by this quote:
    Originally posted by jtnw
    For this reason, I'd suggest only doing obfuscation by hand.
    I agree completely that this should be done if you want to slow down thieves, but it can take a while to do by hand which is why I suggested only doing it to important functions.

    jtnw

  12. #32
    Cubed Member Soccr743's Avatar
    Join Date
    Mar 2004
    Location
    Maryland
    Posts
    163
    Originally posted by youmex
    I tried another approach which does not try to fool decompilers but goes another way.

    How about this:

    Define all the functions in a separate file. Encode the file with an MD5-key. The SWF loads the encoded txt, decodes it and then defines the functions.

    This does of course not prevent a thief from stealing pictures and things like this (I guess there is no real way to prevent this), but I think this gives a lot of extra security.

    It can be increased by having time-based encoding and decoding files supplied by the server. This means an MD5 key in conjunction with a time/date stamp is only valid during a short period of time. MD5 key and files can be preprocessed, so no strong server is needed.

    I plan to start the development of this system in the next few days, since I think it is very promising. Has anyone done this before?

    Well this could definitely not work because an MD5 encryption is what is known as a hash function, or one way encryption, so it can not be decrypted.

    I don't think that flash could load an encrypted file and just say it is actionscript even after decrypting it in flash.

    I have thought about this before and it seems to me that the only way you could achieve that is if you got the encrypted text file, decrypted it in flash, and then using a server side script uploaded it and save it as an AS document depending on the day and year and minute and hour and second and millisecond so that it would be nearly impossible for anybody to get this. Also that the name would change...

    Then it would get the new textfile with the file name that it sent to the php and load in the text file with a possible name of Functions503200484955832 file with the numbers being the month day year hour minute second millisecond...

    Then once it loaded it it would tell the php script to delete that file so that it can no longer be accessed...

    I think that could work but I have not worked with AS files before....


    EDIT: I am going to try and make an example that I could turn into a component if this can work out... I will try and get it out by next weekend if all goes well and not too much homework...

    -----Soccr743-----
    Last edited by Soccr743; 05-03-2004 at 09:01 PM.

  13. #33
    jtnw's Avatar
    Join Date
    May 2002
    Posts
    1,328
    Like I said before, ActionScript needs to be compiled. The only way I see this to be possible is to either use a custom built flash player, or run an exe on the client's machine that 'injects' bytecode into the swf for execution, but surely this would be considered a virus. Also, you're handing the code on a plate to people with packet sniffers.

    jtnw

  14. #34
    Cubed Member Soccr743's Avatar
    Join Date
    Mar 2004
    Location
    Maryland
    Posts
    163
    Now even if they did they could not access the as file in time to view it because it would be only a matter of less than a second to call the php to load the text document, decrypt it, print the output, and then delete it...

    They can't call it up that fast, can they? Because I have never tried to use a packet sniffer...

  15. #35
    jtnw's Avatar
    Join Date
    May 2002
    Posts
    1,328
    Well, at some point, the actual data is going to be sent to the client machine, so the packet sniffer will intercept it with no need to access anything on the server. Also, this is just all basic knowledge I have, I don't have any real knowledge of backend. It'd be great if someone could give a better explanation.

    As of now, I'm learning about the structure of swfs and byte code, so if I get any ideas, I'll be sure to share them. Now, back to reading a 200 page macromedia document...

    jtnw
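Added example, not part of the original thread or any poster's code: a design-review sketch in JavaScript (Node.js) of youmex's time-limited MD5 key, showing Soccr743's point that the digest itself cannot be decoded and jtnw's point that whatever the client can decode is disclosed to anyone holding the same bytes. The cipher (AES-128-CTR), the embedded secret, the 60-second window and all names are assumptions; the thread specifies none of them.

```javascript
const nodeCrypto = require("node:crypto");

// Constructed stand-in for the "important functions" file from the thread.
const FUNCTIONS_SRC = "function addScore(n) { score += n * 10; }";
const WINDOW_MS = 60 * 1000; // assumed validity period of one key

const md5 = (data) => nodeCrypto.createHash("md5").update(data).digest();

// Time-limited key: MD5 over a shared secret and the current time window.
function windowKey(secret, nowMs) {
  return md5(`${secret}:${Math.floor(nowMs / WINDOW_MS)}`);
}

// Server side: encrypt with AES-128-CTR (assumed cipher), keyed by the digest.
function encode(source, key) {
  const iv = nodeCrypto.randomBytes(16);
  const c = nodeCrypto.createCipheriv("aes-128-ctr", key, iv);
  return { iv, body: Buffer.concat([c.update(source, "utf8"), c.final()]) };
}

// Client side: the same key turns the transfer back into source text.
function decode(msg, key) {
  const d = nodeCrypto.createDecipheriv("aes-128-ctr", key, msg.iv);
  return Buffer.concat([d.update(msg.body), d.final()]).toString("utf8");
}

function demo(nowMs = 1083600000000) { // constructed timestamp
  const secret = "embedded-in-the-swf"; // constructed; ships inside the client
  const wire = encode(FUNCTIONS_SRC, windowKey(secret, nowMs));
  const copy = { iv: Buffer.from(wire.iv), body: Buffer.from(wire.body) };
  return {
    // A digest is always 16 bytes: it can key a cipher, not hold the file.
    digestBytes: md5(FUNCTIONS_SRC).length,
    // The player, 5 s later and still inside the window, gets the source.
    player: decode(wire, windowKey(secret, nowMs + 5000)),
    // A copy of the same transfer plus the same client yields the same text.
    observer: decode(copy, windowKey(secret, nowMs + 5000)),
    // Two windows later the key differs: this limits reuse, not disclosure.
    expired: decode(wire, windowKey(secret, nowMs + 2 * WINDOW_MS)),
  };
}

console.log(demo());
```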

  16. #36
    Senior Member youmex's Avatar
    Join Date
    Apr 2004
    Location
    Dortmund, Germany
    Posts
    176
    I tried a few things and one of the most promising things is to use a combination of flash and javascript. Since the eval() function in javascript is much more powerful than the subset of eval used in flash, it can, as opposed to flash, dynamically generate code, i.e. via a string supplied by flash.

    Does anyone have an idea how many users have activated javascript? If it's below 95% I think this approach might be useless. Otherwise it seems to be what I was looking for, although I always try to avoid using javascript for compatibility reasons

    A packet sniffer can record every single bit transferred between a server and client. A useful tool is also a transparent proxy if you want to manipulate data transferred. What makes things more complicated is using SSL as far as I know.
    Last edited by youmex; 05-04-2004 at 03:40 AM.

  17. #37
    Senior Member tonypa's Avatar
    Join Date
    Jul 2001
    Location
    Estonia
    Posts
    8,227
    Originally posted by youmex
    Does anyone have an idea how many users have activated javascript? If it's below 95% I think this approach might be useless. Otherwise it seems to be what I was looking for, although I always try to avoid using javascript for compatibility reasons
    Not only have some users javascript turned off, but it works differently on different browsers. I'm sure you could build the system for WIN IE>5 users, but I doubt you can make it work for all players.

    I think jtnw has a point, you can't dynamically load actionscript into a running swf file. AS files are used only while developing the movie in Flash, but once the swf is compiled, all the code is placed inside the swf.

    However, you can dynamically load other swf files and use code in those, like Squize said

    Originally posted by Squize
    As to your other idea, I agree with jtnw that I can't see how it would work. Perhaps having the server decrypt and create a swf at run-time and then have the game load that and call the functions within that may work. You would only need to put something like the score function in it, or scroller code etc. for the game to fail.
    Like with every security thread so far, I think the problems we face are getting mixed up, so please point out the problem you are fixing:
    *taking swf and placing it on other site illegally
    *linking to the game swf from other site, wasting your bandwidth
    *stealing the actionscript from your game
    *changing variables (score) inside the game real time

  18. #38
    Senior Member youmex's Avatar
    Join Date
    Apr 2004
    Location
    Dortmund, Germany
    Posts
    176
    ok, things seem to get mixed up

    The thing I plan is:

    a) have an encrypted set of important functions on the server
    b) decrypt them with a dynamically generated key in flash
    c) use the decrypted data and convert them to functions in javascript
    d) use flash to call these functions and push/pop parameters to/from them

    And this is easily possible using the power of JavaScript's eval() function with which you can dynamically generate code out of strings.

    What these functions are used for is secondary to me at this point. I guess this system can be used for all points of protection which tonypa named. Although protection of your actionscript is limited.

  19. #39
    Hype over content... Squize's Avatar
    Join Date
    Apr 2001
    Location
    Lost forever in a happy crowd...
    Posts
    5,928
    I think Tonypa's point is that threads like these always seem to blur into all-encompassing protection, but it shouldn't and can't be thought of that way.

    There are so many inherent weaknesses in Flash ( I'm working on a protection scheme atm and it's just frightening how easy it is to hack Flash, without even thinking about ASV and the like ) that each approach ( Again as Tonypa listed ) should be treated separately.

    As to javascript, why not just get a server side script to do it for you ? You only need one person to try your game with JS turned off and you've lost them forever. If it was performed on the server you would have no compatibility issues etc. Plus Flash talking to JS can't be the quickest thing in the world, so I guess you mean just get the functions dynamically created once when the game first runs.

    Squize.

  20. #40
    Junior Member
    Join Date
    Apr 2003
    Posts
    28
    Take a look at www.as-protect.com - this site may help you
    Ilya Shlyakhovoy
    www.as-protect.com
