Stop being curious 3 post guy :) Anyway, it won't matter much even though tony won't tell, 'cause someone on the net will come up with it anyway.Quote:
Originally Posted by dai_of
Printable View
Stop being curious 3 post guy :) Anyway, it won't matter much even though tony won't tell, 'cause someone on the net will come up with it anyway.Quote:
Originally Posted by dai_of
here is some easy flash code to help keep stuff protected
Article & code is linked here:
http://www.flashtreasures.com/Forum/viewtopic.php?t=2
The key is to make a couple small movies and burry them in your game. Then add the simple code. Its not 100% but you can make it a real pain in the butt for people to decomple and use your stuff.
Just the old,well know urlCheck inside a lot of movieClips
To anyone who has read the whole threads urlcheck in nothing new(and nothing usefull too)
So why post a help who has already been told to everyone before?
Your post sounds more like a spam
The new trick is to burry it and have it goto frame 1, so it makes it harder to disable. But again its just a simple trick, for people who are looking for easier ways to protect their work.Quote:
Originally Posted by Incrue
fact is there is no real way to protect the game against decompiling it, I coded a thing in C that makes it invisible and the script exists on EVERY SINGLE MOVIECLIP, it checks for a script in the _root (one) directly and if it's not there, it makes it invisible, that script is a URL check, it makes leechers have a rough life.
too bad it took me around 2 hours to write a script in C that reverse engineers it :(
Still, it's only a small minority of hackers who're willing to go beyond using a decompiler to steal something.
Inglor, what happens if you run the swf through an obfuscator before/after using your C program?
Let's say I don't want my work to appear on a certain website.
Using mpalma's code, I get:
// URL Checker
checkIt = this._url;
checkIt =checkIt.substring(0,29);
// Enforcer
if (checkIt = "(website we want to block content for)") {
//insert code to unload movie here;
}
I know that it'd probably be good to stick a getURL function in there to open up a page which states that the flash has been stolen, but I have no clue how to program it to unload the movie (...or if there's a better way, could someone point that out to me?)
I also saw this code on the first page:
hyperText = _url.substr(0, _url.indexOf(":"));
if (hyperText == "http") {
slash = _url.indexOf("//");
webSite = _url.substr(slash+2, _url.indexOf("/", slash+2)-slash-2);
webSite = webSite.toLowerCase();
if (webSite.indexOf("www.website.com") != -1) {
webSite = webSite.substr(webSite.indexOf("www.website.com")+ 4, webSite.length);
}
if (webSite.indexOf("(website I want to block)") != -1) {
stop();
myMessage = "Copyright Infringement! This movie has be disabled. "+"The following web address has been logged and the authorities will be notified: \n\n "+_url;
}
}
Where would I stick that? Could I slap it on a movie clip and hide it somewhere inside?
New code protection Idea!
Use really bad coding to really confuse the hell out of anyone trying to rip your stuff.
:D
hehe
Yup. That's what they call "obfuscation". ;-)Quote:
Originally Posted by mpalma
Thor: (I know his message is old) To disable a game once you've figured out it's not on a permitted site, use this: _level0.unloadMovie()
heh, thanks much
Actually, I'm not too sure if this has been brought up by anyone yet, but I did discover that you can decompile some Flash with a Mac and Flash MX alone. I discovered this as part accident and part curiosity. I kinda wanted to see under the hood of how a particular Flash worked (I wasn't planning on ripping someone off or anything, I was just curious.) So when I fired up the Mac, I double clicked on the swf to just look at it and try and figure it out by looking. Instead, it opened up in MX completely and it half-decompiled it. I can't see the code, but I can modify the graphics and things if I wanted to. So I closed everything up and moved to PC. It was really strange but I think you might want to be a little careful of this. (And if anyone knows the answer, why did Flash do this on a Mac and not on my PC? It was really weird! )
~Kamui.EXE
Ok, I've thought about this a lot, but I just can't see how it can work. What if the hacker FIRST visits the 'entrance' page where the cookie will be created and then goes about his/her usually hacking activities? That way the hacker has a valid session number and can go about.Quote:
Originally Posted by The Helmsman
Create a flash movie which acts as a preloader for your real game.
that movie could be decompiled, but the name of the movie it loads is not in it and the person would have no way to find it
Here's the trick
to do it, you would need to use a url rewriting capability on your server.
Let's say the loader flash file is located at "http://www.games.com/x/y/asd/game1.swf" (or something that could not be easily guessed)...
now let's say the page for this file is in:
http://www.games.com/x/y/asd/game1.html
you give that page a new (fake, rewritten) address like http://www.games.com/games/game1.html
(everyone will only see the fake address and won't even know that its fake)
viewing the source for that page would only reveal 'game1.swf' with no real info. on where it is on the server
so... here's the big thing
inside the flash movie, you will use the _url property to find out where the flash file is located. This property will give you the real address on the server from where the movie came -- you send that value to a php page which returns to you the name and location of the real game file...but only if the address you sent it is "http://www.games.com/x/y/asd/" (or wherever the real file may be.
So now, in order to find out what you called the game file, a person would have to find out where you really placed the loader swf file
which i don't think is possible if you rewrite the url
tell me what you think
please excuse the double post...
...my finger is faster than my browser
Can decompilers steal class files?
Is there any way to protect .as files?
class files and .as files only exist while developing . When creating swf they are all compiled into swf like normal actionscript code.Quote:
Originally Posted by 691175002
sure the files are imported and then the code gets merged into the swf´s other code but just to clear things up,class files are restored by most decompilers
As far as I see there is still a big interest in this thread. Therefore I decided to explain my idea a little bit better and give people here some direction on how to protect SWF files from copying to another websites and execution them offline. I don’t pretender to teach anyone here, cause there are plenty coders all around which code better then me :)Quote:
Originally Posted by PattyvD
On picture no.1 we can see typical SWF protection of our days:
http://ss55.shared.server-system.net.../tmp/pic_1.gif
Now let’s describe all elements. First of all the content on client and on server is almost identical. Then the first request for game.html on web server brings back html file itself + all associated content including (css, js, swf and other files) to client’s cache. After all elements of page will be downloaded the game swf file will executes some request for URL before playing and if validation will be successful the game will start playing. The third request is not actual request but I put it here to illustrate further ideas.
As we can see, the thin place here is URL check itself, cause all content game needs to play located inside SWF and if the user can find a way on how to fake validation or remove URL check the game can be executed anywhere w/o any restrictions. Obviously today it can be done easily using tools like SWF Decompiler or ASV or FLASM.
Now let’s see picture no.2:
http://ss55.shared.server-system.net.../tmp/pic_2.gif
Here we have almost the same situation except one thing. Not all content the game needs to play located inside SWF file. Therefore, the file still can be executed locally but the user needs internet connection to play and the game file executed on other server must refer to the original server for game content in order to play. Still not perfect but looks better. Here we prevent game to run locally and make SWF decompiling tools obsolete.
Now let’s mix both ways, see picture no.3:
http://ss55.shared.server-system.net.../tmp/pic_3.gif
Here we’ve added some check based on the session id of the original ASP or PHP file that holds our game (SWF file). Her I want to stay a little bit to make things clear. Lets suppose we have 3 files on server:
1. landing.php
2. getData.php
3. game.swf
First of all after the user makes request for the landing.php file our server performs php processing in order to create html content which will be passed to client. During this processing the html file client gets contains some session ID which is unique and defines client. Then when the game was loaded the SWF file makes further request to server for game data using session ID as a key to tell server that the game is played from the original page and not from the other website. Then the getData.php file when processed on server to provide game data check ID it got from flash opposite to ID server has for this client. And in case when they identical (which means the flash file runs on appropriate page on original webserver) it return game data.
Somebody can say that it will work to completely protect game from running locally, but there is still some security breach when thief executes file on another webserver.
You are right. The thin place here is ID we pass to game as a key. We’ve said it is session ID, then the attacker can make fake landing.php page which will go to our server to get a key and then pass it to Flash. It is possible, but we go further. What will be if we use some key which can’t be faked? For example we can add some logic to our server when the key will contain the client’s IP and game level and in case when there are several requests from the same IP for other game levels we’ll block IP because it can’t be client (assuming that playey can’t be on level 1 and level 99 in the same time).
There are many other tricks can be found in order to make thief life harder as hell. Finally I want to post some small game as an illustration for all of above. Your can compile it as stand along game as well as protected one which can be run on server simply by changing #include directive. I hope it will help to understand better the main idea.
The game can be found here:
http://ss55.shared.server-system.net.../tmp/pic_4.gif
And all sources here
My idea is to go to this MM site and tell Adobe you want something to protect your SWF from bad guys in Flash 9. If you don't know it by now, this is their "wish list" site where we tell them what we'd like in the next Flash.
weblogs.macromedia.com/flashteam/ archives/2005/09/its_that_time_a.cfm
It can be begginning of the end for the SWF format as an open format. There are plenty amount of tools that can create SWF files on server dynamically upon request, some of them open source some of them is Macromedia property but it is possible because SWF is an open format. When you ask to implement mechanisms to protect AS inside SWF files its means it will never be open anymore. Think about it.Quote:
Originally Posted by strodgers
Actually, I was thinking more along the line of an optional protection, meaning, you hit a command button and it protects it, and somehow keep swf open format, KoolMoves will still have their SWF. It would be like these products that are made to help you protect your work while not necessarily violating MM's open source policy.
I don't mean to take SWF "off the market" just keep the code and hard work safe.
I really can't see how it would risk SWF not being open source, it would be YOUR swf code that is not open, if you choose it.
But the .fla files is open format!Quote:
Originally Posted by The Helmsman
I am sure even if there is protection for .swf will be released there will be ammount of .fla sources tutorials. But still there will be problem with hacking. I think it is problem of the all digital information.
But the authors want to have a feedback for their work. And some people have feedback for do ungood things.
I don't know if there should be publishing system. Some people like the digital stuff is free.
I don't know php or any other web language so I can't much help with protection. I think it is possible to make that your game made from several/many .swf and other next file load other next file. This way game appear mostly on hackers sites not on flash directory sites cuz they use one file games generaly.
The protection will work if some functions make with the server. Flash send something and get back something but process of work with data that flash sended is hidden. That mean hacker should write similar functions for the game work correct. For example flash ask the level. On server side there is simple arrays but it sends flash separate objects with _x,_y and other separate properties.
for example
monster
[[1,0,0,0,0,0]
[0,0,0,0,0,0]
[0,0,0,2,0,0]
[0,0,0,0,0,0]]
color
[[9,0,0,0,0,0]
[0,0,0,0,0,0]
[0,0,0,5,0,0]
[0,0,0,0,0,0]]
but the flash get like monster1,_x,_y,color,monster2,_x,_y,color
That could be hard to easely recreate that kind of levels.
That exactly what i do in my example. All game data stored on server and protected using current session id.Quote:
Originally Posted by rubilon
When game starts, Flash asks server for data to specific level and send some key to authenticate proper request. If key provided is the same server calculates on request, we got level data, otherwise we don't.
Its difficult enough to hack because hacker actually have two choices:
- First one to write his own script to provide game w/ data and to modify original Flash to go and get this data.
- Second choice to get valid key for authentication, modify Flash to go with this key to original site to get data.
Both ways requires a lot of work to be done and in most cases the attacker will quit because none of this give 100% guarantee that a hacked game will be same as a original one.
i would recommend that everyone downloads a swf decompiler before they try to make a security patch for thier games so then they know how they work.
go to the website:www.gotoandplay.it
It has info on how to make your game undecompliable
Good joke. Everything made in flash can be de-complied. Either way, I can't find the article (and neither can a google search for "how to make your game un decompileable site:gotoandplay.it").Quote:
Originally Posted by dnsi
Why don't you post a link?
yeah but what if you renamed fish.swf to something like 22%0EMBED0%22.swf?Quote:
Originally Posted by UnknownGuy
A smart person would still at least check all the .swf files. I did find the article in the end, however it says nothing about how to really protect a file, just how decrypters work and other such stuff. Its only good recommendation is to have a critical portion of the code server-side in another language.Quote:
Originally Posted by spxmgb
How does Flash react to loading of file types which it supports, yet have the extension changed?
You can rename extensions as you like, Flash still loads them fine.Quote:
Originally Posted by Ray Beez
Well there you go! Real hard to get your files hacked if no one knows your SWFs are really named 23667bnda&88.tmp ! (Sure it MIGHT be figured out, based on the creation date, but I think script kiddies would assume the swf just didn't get cached).
Embed your movie on a php page, rather than an html one, then when the link is given out, just add "?57372363" or any other random number combo to the end of it to prevent it from being cached.
eg: www.google.com/game.php?472381
Why does this work? It's a built it function in php which isn't meant to be used to not cache pages, but it works well.
... and then watch your bandwidth usage go up tenfold! ;-)
When you have 1000GB transfer, and the file is .5MB to 4MB in size, it barely makes a dent, even with 400+ viewers.
two things:
1.: the file will normally still be in the user´s cache each time it gets loaded. The only difference will be that the file gets re-loaded each time the user visits the page.
2.: A well visited game can easily lead to several million plays a month,not just a few hundred. So it won´t make one happy to have raised traffic amount just because files aren´t cached.
Next up its annoying for your audience to have to re-load content everytime they visit your site even in cases where your content hasn´t changed.
You should think about security measures which are as few annoying for the end user as possible.
I was thinking small time. ;)
haha,ok :)
You're not explaining it correctly. The way PHP uses querystrings actually has nothing to do with it. The query string part just makes the url unique, so that page won't get cached. You can even add a querystring to a html page to prevent caching of that page too.Quote:
Why does this work? It's a built it function in php which isn't meant to be used to not cache pages, but it works well.
PHP just takes the part after ? and turns it into variables, but that really has nothing to do with it here.
Oooh, aaah, what an amazing amount of viewers, lol. When I release a new game, my sit gets up to 30 000 unique visitors daily (who each check out more than 1 game), and I don't even consider my games to be that popular or anything. So client-side caching helps in keeping the bandwidth down a little.Quote:
When you have 1000GB transfer, and the file is .5MB to 4MB in size, it barely makes a dent, even with 400+ viewers.
I agree, but like I said, small time. ;) Most of the stuff I make, just makes its rounds through my friends then some of their friends, ect. Not #1 position on newgrounds with 100,000+ views.
For large side...SwiftEncrypt + deviding the move up into pieces with random files names AND a random extension (not .swf - but flash still reads it fine). Now that would be enough to make 99% of flash pirates give up and look elsewhere. For example the site Peroni is an example of an almost 100% secure site. Maybe contacting them to their solution?
The random extension wouldn't help one bit. View source and you got the full filename.
I personally want my games to be freely distributable (at the moment), so I don't worry about it that much. If I ever need security, I'd use a domain check and then a swf encryption tool like you also suggested.