hm... wierd.. anyway... maybe you can share the method via pm?
tnx
Printable View
hm... wierd.. anyway... maybe you can share the method via pm?
tnx
I would also like to add a note here and direct you to MediaProtect.org, a service designed to help you protect your flash work. You register your games there (called artifacts on that site) and each time you do a release you register that as well. This creates an index of flash files for you. Then, when people want to know who made a flash file they can search that site and you will always come up as the author.
Additionally, when our web crawler finds your game on the web it will let you know. All searches, both crawler and web form based, are able to find flash files based on similarity as well as exact matches. So if somebody decompiles your .swf and removes protection you try to put in the file it will still get found and you will still be notified when that game is used on other sites.
Go to http://mediaprotect.org to learn more and register to take advantage of this great new service.
-Lee
Has anyone tested "SWF Protect" right now? It seems to be very promising
http://www.softpedia.com/get/Interne...-Protect.shtml
Has anybody found a good way to protect Action Skript yet? Flash Encrypt seems to be not effective since there are several tools out there which can delete the junk bytes and even restore the original variable names. Also, ASO Lite just renames local variables etc. but not global ones and others parts of Flash, so that it's only a limited protection. Any tool I missed? :(
There is also secureSWF from http://www.kindisoft.net/
But I believe they all (SWF Protect, SWF Encrypt, secureSWF) do basically same thing.
Thanks, didn't heart of secureSWF before. secureSWF Lite does so, but only partially as ASO Lite does. Unfortunately there's no test version of the Personal or Professional Edition to see it's full potential before buying :(
I agree, inserting junk bytes and doing other tricks isn't very helpful. I found tools which just strip them out. And if I found them very fast others will also, so I don't think this is a helpful protection. And for other tricks which work right now, I guess at the next release versions from Burak the protection is no more up to date.
So, I am "just" in need of an Obfuscator / Renamer of local and global Variables, aswell as function names etc. Code pollution and junk byte tricks are not needed. Does anybody know of a tool like this?
I tried the SWF Encrypt from www.amayeta.com and it worked!
I couldn't decompile the .swf with SWF Decompiler 2005...
I heard someone talking about URL checking and stuff...
It would be nice if we started a knowledgebase about how to protect your .swf and make it more difficult to crackers to steal your code... from url checking to encrypting programs...
Yes, you are right. SWF Encrypt works, as long as you don't use tools. There are tools out there which can strip the junk bytes from the protected SWF. After doing this you can see the code again, at least in ASV. Haven't tried it in SWF Decompiler yet.
I also don't think URL check really does the job. You can just edit the code in ASV or other tools. I think the only way to make it really complicated for an attacker is to rename varibales, identifiers etc. All which can give a hint what this function does or is intended to do. This way you can still see the code, but it's really hard to understand. That way you can get rid of all script kiddies and 95% of all attackers. The 5% who understand what they are doing are at least so good, that they could have written the code by there own. ;)
What tools are you talking about?Quote:
Originally Posted by jebrael
I have a question about .exe files
I work with educational games and I'll sell my games to schools...
It'll be played offline...
Is it possible to run the .swf inside some application created with C++ or something like that?
I wanted to develop my games with Flash and then get a programmer to "publish" my .swf game inside a secure .exe and create an installer with serial checking...
Is that possible?
There are commercial applications for that or you could use screenweaver which has been released as open source:Quote:
Originally Posted by Vector Media
http://osflash.org/doku.php?id=screenweaver
So you get nice exe file from your swf (plus it has more options).
As for installer, there are several free options, use google to find which you like best.
Well, there is no secure use or capsulation of SWF files. Even if you use projectors there are several tools out there to extract the SWF from them.
We use here SWFKIT ( www.swfkit.com ), a very cool tool including handling of serial numbers etc. and a superb support
There are also several other tools like Zinc, one from Northcode, Jugglor etc. Just have a look at the projectors forum here at Flashkit.
However, there is now secure way to run SWF files. Only a nearly secure way of installation. In this way we use SWFKIT to produce EXE-files, then the Nullsoft-Installer with LZMA compression and after that another exe-Compressior like cexe or mew. UPX is the most common one. You can also produce installation skripts, that first the serial numbers is verified and then the real exe is decrypted. Depends on what you want.
Hope that helps a bit.
If I publish my game generating an .exe with Zinc... is it possible to extract actionscript with decompilers as easy as any .swf ??
If I put my .swf inside a Director file? Is it possible to use SWF Decompilers?
what is better: SWFKit, Zinc or Screenweaver?
Yes, it is possible to extract ActionScript from an Exe, not in every case, but it can be done. Mostly the extension tools extract the SWF to a temporary directory. If the attacker finds this directory he has also access to your SWF.
If you put your SWF in a Director file this is up to now pretty safe, but the speed decreases. All traditional SWF decompilers fail at this. I don't know of any tool which can extract or decompile a SWF in a Director file. Maybe someone else does?
It depends an what you are looking for and which features you need, how much file size matters etc. For our needs, SWFKIT does the job best, but it doesn't mean it's also the best tool for you. I guess you have to test your favorites and make test-builds.
Security for all should be nearly the same.
I think that the common problem of all game developers, that they tried to protect simple (tetris like) games. In case when the game engine is simple, no matter which protection is used - they can be decompiled/ cracked/ disabled if the game thief have enough qualification to do it.
But lets say you are going to protect some really big project. For example you've made RPG game. In this case, the AS code is really huge and complicated, so if you use even simple Obfuscator to protect your code, it will take a big amount of time to attacker to understand it in order to remove your protection when you made simple URL location check.
Then, this is a simple appearence. Now let's say all game quests, maps and other useful data is separated from flash engine and located in DB. Each time user finish some map, game engine goes to DB in order to load new map, each time user comes up to quest game engine goes to DB to load texts, images other staff.
In this case, simple decompiling isn't enough. The attacker must to play all the game in order to get all data pieces and then he must simulate server side logic by writing his own script and build his own DB and make other things :) It isn't so simple :).
Now, when SWF will be copied in other place, it will go to our server to load data and we can make server check where request comes from.
Now, the more important question for protection is how hard it can be cracked. I can realize that any protection can be removed, it's only the matter of time. But the paradox that there is no need to make perfect lock for your SWF. You can ask why? The answer is simple. Every piece of code you write, will be obsolete sometime. Any piece of software developed now will be obsolete tomorrow. The only improtant thing is the life cycle of your code.
Let me give you example. In the gaming world, the game when it comes out to market lives 2 or 3 month, when it's popular and brings money (traffic).
If it is not cracked during this period of time - you 're lucky and made your job good. Then, there can be two options for some dirty AD agencies or companies that copies flash games and use them illegally on theirs web site to increase traffic.
One way for them to steal it and run it as is on the site. Other way to develop there own copy of the same software. That what was happened to beJeweled game for example.
I totally agree. And that's the reason why I think that for our bigger projects a Obfuscator is enough of protection. ;)
If you calculate a lot of collisions and physiques it's damn hard to understand if you don't get a hint by the name of the variable. Therefore it takes a lot of time to rebuild the code. If this takes long enough I am pleased. So, the only thing that is missing is a strong Obfuscator :(
I hope ASO Standard will do the job when it's out soon.
When a swf talks to a DB, the data have to be passed through a php or asp program for the swf will be able to read the variables, and this php file ends up in the cache too, and can easily be found tooQuote:
Originally Posted by The Helmsman
I was talking about this before,about how to hide this php, but nobody seems to understand me
------------
I dont understand the point on big projects, the thief doesnt have to understand to whole code to make the game work, all he haves to do is to throuw out the junk bites and find the url check
Besides, its more realistic not to think on big projects, who needs a big team
-----------
Flash inside director doesnt works fine with classes, and i think flash 8 files will need a Xtra to run inside director
----------
Now what?Now nothing.I just want one more line.
nobody is protected!
all big companies have their software cracked someday!
anything public can be hacked by an expert!
all you gotta do is to make it difficult to "normal people" decompile and/or steal your project.
and I still think we should create a knowledgebase for "protecting" flash stuff.
No need to hide this php.
It don't need to be protected.
The first time you come to some PHP file contains Flash game, we're opening session and write session number in cookie on client side.
Then any time i need to load something from DB, first thing my Flash engine does is read client side cookie to get session number and then pass it with request to DB through some other php file wich checks the session id and then, if it's ok goes to DB in order to get requested data.
So, every time user plays the game, game engine uses session id stored in cookies as an identifier that the Flash played on the right side.
Let me see if i get it
The php only outputs if the request cames with the rigth cokie
But, AFTER he outputs, he still can be found in cache, doenst it?
Yes, the cookie can be found in cash, but the trick is - if attacker copy this cookie it will be useless next time he want to play game.
This cookie represents session number the server opens when user gets connected to the website. Next time he wants to use the same cookie the server will give him a error, cause it wasn't be found in his current sessions opened.
Thats is the trick. The session number is a unique key, valid only during session server has. In case when session will be closed by a timeout or customer will close his browser, the session number stored in coockie will be expired. So each time you opens the flash engine outside from the website, he will be unable to get server data, cause the server will never validate his session number opposite to the sessions he currently holds. That's all.
Not talking about the cookie, talking about the php who outputs the data for the swf to make a game
1.The php receives the cookie
2.The php outputs the data
3.Swf reads the data and make the game
4.The php with the data is in cache
5.The thief reads the data in cache and put the same data in another file
6.the thief makes his own swf read the same data in this another file
You're right - so, a game thief now needs to play whole game, complete all quests and simulate all situation in order to get data comes from server.
After this he must analyze every piece of data he got, and organize it in sequences and save in his DB.
Next thing must be done is write php script similar that we have on our webserver, in order to transfer data he has on his DB to Flash w/o session check.
After all he must analize AS code inside stolen Flash engine in order to understand which format he must use in order that php script he wrote will return data same format Flash engine awaits to get.
And last thing he must do - is to change address of the webserver Flash goes to get data to the new one he have.
Looks hard... isn't it? It's a really time consuming procedure to do all of above and be sure that thief didn't miss something, cause any part of data missed will lead to situation when the customer stuck somewhere in the game.
Besides this, the code in Flash as i said before is obfuscated and not so user friendly to thief as it appearse inside Flash :)
That's why i think it's a good enough to use this kind of protection for a big projects. You can be sure that all the time when other's will try to simulate something you did you'll be 10 steps forward and making your money ;)
The Helmsman...
I like your strategy!
Could you post some working example with this PHP stuff?
Or, is there any good tutorial around about this?
We have good programmers here at Flashkit (not including myself at all)...
We should create a secure/protected application in flash with opensource .fla so anyone could learn how to protect a game and if the experts wanted to help improving the code/security it would be nice!
What do you people think? :grouphug:
I don't have any working example of this applied to Flash games, but i can make one. All i described here was only on the level of idea, how the Flash games can be protected. I've came to this when we discussed the problem with some of my friends here in the gaming company where i'm working now.
But, anyway it is a working conception - we use such appearence in some other projects required such type of authentication. So, the last thing to do is to write some code to make it working with flash games. ;)
He can make his swf look for the same data from a txtQuote:
Originally Posted by The Helmsman
Never underestimated your enemies.If there is a way, he will do it.Quote:
Originally Posted by The Helmsman
I think a better solution is make those data came from a XmlSockets or from a director file.
IF those things dont let the data to be seem in cache.
Hi, sorry to jump in without reading the entire thread, but I was wondering if the new F8 security measures would address any of the "file protection" issues we've had to deal with?
I recently read the MM Security whitepaper, and it SOUNDS like there can be protections put in place now that the PLAYER itself will respect. (But I got a little lost--it's a long document)
Anyone looked into this?
Can you give a link to this doc, please?Quote:
Originally Posted by Ray Beez
good newz!
an article about protecting AS code!
http://www.kirupa.com/reviews/swf_encrypt_review.htm
I've tried SWF Encrypt myself and when I tried to extract the code with SWF Decompiler 2005... it crashed!!
that's good!
news?Quote:
Originally Posted by Vector Media
This thread is going backward or what?
And it took me only 15 minutes to find program that removes junk code inserted by SWF Encrypt. You should realise that all the actionscript is still in the swf even after "encryption" or else the Flash player couldnt play the movie. It adds extra code which makes decompiler think code is incorrect and ignore it, but that piece of extra code can also be removed.Quote:
Originally Posted by Vector Media
Which prgm you've found to remove this junky code? Flasm?Quote:
Originally Posted by tonypa
A tutorial about 'how to steal games beyond junk bite code' would be welcome, too.
For the thief should be one step MORE, not less. :devil: :devil:
yea, what program?Quote:
Originally Posted by The Helmsman
Flasm didn't work for me.
You can't get the original clean code, just a messy useless code.
I doubt he is going to say it, atleast on a public forum.
For obvious reasons.
Hi,
Can somebody tell me, how to stop people playing in direct SWF files not in HTML or PHP.
I know that's possible, i've seen that before, i think it was in StarRunner by tonypa
Is there a tutorial for a code. I'm not good at AS ;)
You cant.
Read the whole thread before ask next time.
Remember, this is not 100% secure, but it stops people without knowledge of Flash:Quote:
Originally Posted by Krika
Read about "Appended on a query string in HTML tags" here:
http://www.macromedia.com/cfusion/kn...53#querystring
*add variable in the end of sfw tag (both in embed and object tags)
movie.swf?myvar=hello
*in the swf file add this code to check if variable is set
if(myvar!="hello"){
_root.gotoAndStop("end");
}
thx, i'll try this. i just thought maybe there are some script what can check the last letters in URL. If SWF then unload etc. etc.
And i know everything is hackable, i just need some kind of protection, so noobs can't hack that.
Anyway, thanks again, i'll try this myvar tutorial :)
what is this program tony?Quote:
And it took me only 15 minutes to find program that removes junk code inserted by SWF Encrypt. You should realise that all the actionscript is still in the swf even after "encryption" or else the Flash player couldnt play the movie.