-
Senior Member
I do find that most people who complain about their stuff being stolen haven't even implemented the basic _url security check. All you can expect really.
That is very true in my case
I'm working on it right now. Perhaps it will be too little, too late.
-
well yes. In my case, it went: create a simple game, implement & test high score table, add copy protection, finish game.. in that order. This was my first game with a hiscore table, and it's hard to test that for security without making the game public to an extent. I was more concerned about people decompiling the flash and breaking the hi-scores.
Then in the few hours between the score table and the copy protection, it ended up on minijuegos. It was even a deliberately awful version of the game that was left on my site overnight to discourage exactly that.
I'm not surprised that it happened as much as I am surprised at the speed it happened. Likewise, I'm not annoyed that they would copy the game. It's made to be played after all. I'm annoyed that when the game IS finished, the 1000's of punters who played the crappy half-finished version won't bother looking at the final one.
From what I've gathered, the only way to really protect a swf file is by storing all the critical game variables outside the swf, and initialising the game with loadvars. That raises a whole bunch of other issues, of course.
btw murraymint, if you have the time and you're after something maybe a little challenging, take a look at my game www.evilbastard.org/slight/cc2b.html and see if you can add a high-score the back way.
Last edited by slight; 09-13-2004 at 11:41 AM.
-
oh my.
Now I can't browse to my own site. Google "Captain Crastin" and you get 3 pages... it even has its own subdomain at freeonlinegames.com
And which version do they all have? The ****ty broken one that minijuegos grabbed, of course.
This has certainly been an interesting introduction to releasing flash games for me.
-
Unregistered User
just a thought,
but is there not some way to implement some sort of RSA security type thing, and have portions of the game loaded dynamically from your website. sort of like a dongle.
dean
ps.
google "trampoline trickz". those mofos!
Last edited by dnalogic; 09-13-2004 at 12:54 PM.
-
n00b
-
Untitled-1.fla
Originally posted by murraymint
Trust me, the link does work.
minijuegos have not done anything special with sylvaniah, they have just recorded the hit using php and then redirected to the official site.
...
I expect Strille and Lux must have built security in and this is why the owner of minijuegos has simply linked to the official site, rather than taking the actual swf.
We haven't really built in that much security to talk about. We check the _url, that's all. The game does consist of over 20 files, so it's not just to grab the main .swf and hope everything will run ok. Also, it's possible Lux asked them to link to the site and not the swf.
-
===========
Originally posted by slight
oh my.
Now I can't browse to my own site. Google "Captain Crastin" and you get 3 pages... it even has its own subdomain at freeonlinegames.com
And which version do they all have? The ****ty broken one that minijuegos grabbed, of course.
This has certainly been an interesting introduction to releasing flash games for me.
Similar thing happened to me too. Since then I always display my website's url, version number and 'Date created or updated' note somewhere.
-
Feeling adventurous?
finally secure?
Murraymint!
http://www.aleksanderstrand.com/secure/
i say no more...
ok, just a little bit. I think I have bypassed all the workarounds you have used for my other so-called-secure swf's. Even the one you PMed me.
I challenge you all to try to host the swf on another site or anything, you're allowed to decompile it too! If you find a solution, post a link to where you have hosted it, and PM me the solution. (I don't want it to be public, though, if it's an easy solution to it, you can post it here if you like)
Note: there are some methods I know are working, but I won't list them here, it's up to you to find out.
(ps: kendude you're not allowed to participate :P )
But I won't be surprised if murraymint posts a post:
Originally posted by murraymint one post ahead
It was again easy to beat your file.
Nothing is bullet proof 4
-
Hype over content...
"you're allowed to decompile it too!"
I must admit I was expecting some sort of asv screwing code in there with that statement.
Can't face trying to rebuild the fla, but just looking at the code, I'm guessing by altering the actual redir string along with the arg that's passed to the verify function it's going to be pretty much hacked.
Failing that, commenting out both the call to the verify function and the enterFrame should do it as well.
Like I said, I've not rebuilt the fla as I don't have the tools to do it and really can't face copying the as into Flash, but I reckon the above should pretty much kill the protection.
Sorry.
Squize.
-
Well, I fancied a quick challenge.
http://g4mes.net/hack_swf.php
I just changed the url check to check my domain, I could have also removed the other checks, but as I had already figured out what your additional checks were doing I just duplicated them on my server.
At the end of the day, you'll never get flash 100% secured. But the domain check works pretty well I think, and should stop the majority of sites from stealing the game, although once someone makes the effort to crack your file, then everyone will just take a copy of that version.
(This was my first play with Flasm, it's quite neat, brings back memories of actually coding in assembler... and one of these days I really must learn to code in flash... )
Vex / G4MES.net - "JBJ Sisters: Snow Adventure" - Now available for Nokia Series 40, 60 and MIDP-2 phones.
-
Yes we can
squize is right, it's pretty easy to get around that (http://www.geocities.com/ugur112/index.swf), i couldn't be bothered to redo the check part so i removed it, i think you should better have a combination of these:
-have an url check (as you have)
-load extra files like map data, graphics etc from your host, again each containing an url check
-have asv screwing code in there
-have a few lines of code as crypted string which are run by using eval after using the key for unscrambling them (and you get the key from one of the downloaded files).
each of those is pretty easy to get around but a combination of all (though still passable) should make it a bit trickier and not worthwhile for ones just placing games on their sites.
-
alternative coder
I guess there is your answer t1ger.
Don't be disheartened though, what the other guys have done here is show you it is pretty much impossible to stop someone hacking your file if they want to, but hey, that's true of any program/software.
The point is that most webmasters will not go to these lengths to steal a game, so as long as you have some sort of protection you should be fine.
If someone does steal your file and they don't reply to your emails, get on to their webhost. Most webhosts will take action on your behalf rather than risk possible legal action etc.
Keep plugging away with the protection ideas.
p.s good to see you back Squize. You got your net connection sorted then?
-
Feeling adventurous?
ok, i forgot to say don't recompile. If you don't recompile, it's pretty hard to bypass. But it's a bit hard to implement though, and what we need is an easy way to protect against not-decompiling rippers, such as minijuegos.com.
I think this should work for most cases when not decompiling and rebuilding the swf:
code:
function verify(address) {
    rand = random(666);
    createEmptyMovieClip("urlcheck"+rand, 1);
    stop();
    //We check where urlcheck was created from, so no one can fiddle with _root._url
    domain = _root["urlcheck"+rand]._url.substr(7, address.length);
    //by changing != to == we force allowScriptAccess="sameDomain" to be in the html page.
    if (domain == address) {
        nextFrame();
    } else {
        getURL("http://"+address);
    }
}
verify("www.aleksanderstrand.com");
Murraymint: please test the previous methods on this, as I think it shouldn't work.
(there could be typos and errors, as I'm at school atm)
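Added example, not part of the original post: the verify() above compares a fixed-length slice of _url taken after the seven characters of "http://", so its result depends on the scheme and on what follows the expected name. The JavaScript below puts that slice comparison next to a check that parses the URL and matches the whole hostname; the function names, game.swf and the example.test hosts are constructed for illustration.

```javascript
// Added example: the slice-based check from the post, ported to JavaScript,
// next to a check that parses the URL and compares the host exactly.

// Port of the posted logic: take address.length characters after "http://".
function sliceCheck(swfUrl, address) {
  return swfUrl.slice(7, 7 + address.length) === address;
}

// Parse the URL, then compare the whole hostname against an allow-list.
function hostCheck(swfUrl, allowedHosts) {
  let parsed;
  try {
    parsed = new URL(swfUrl);
  } catch (e) {
    return false; // not a parseable absolute URL
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return false; // file:, data: and similar never count as "on my site"
  }
  return allowedHosts.includes(parsed.hostname.toLowerCase());
}

// Constructed sample URLs (the example.test hosts and game.swf are placeholders).
const ALLOWED = ["www.aleksanderstrand.com"];
const SAMPLES = [
  "http://www.aleksanderstrand.com/secure/game.swf",
  "https://www.aleksanderstrand.com/secure/game.swf",
  "http://www.aleksanderstrand.com.example.test/game.swf",
  "http://mirror.example.test/www.aleksanderstrand.com/game.swf",
  "file:///C:/games/game.swf",
];

// Run both checks over every sample so the differences show side by side.
function compareChecks() {
  return SAMPLES.map((url) => ({
    url,
    slice: sliceCheck(url, ALLOWED[0]),
    host: hostCheck(url, ALLOWED),
  }));
}

console.table(compareChecks());
```

The two checks agree on the first, fourth and fifth samples and disagree on the https copy of the real site and on the longer hostname that starts with the expected name.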
-
Originally posted by yellowman
I was a little bored so had a go on that one, hope you don't mind... The ones with 80675 and 200000 are mine if you want to remove them.
Nice try though
/klas
I'd really like to know how you did that klas, so that I'm not wasting time putting in the wrong kind of protection. Sent you a PM anyway. The scoretable security has been improved somewhat now. (So has the rest of the game. Go look! Go! Go!)
Cpt. Crastin
-
·»¤«·
maybe i missed it, but how do you do an URL check from within Flash? I'm using MX, is it only possible in MX'04?
>flashl!ght<
All the normal names were taken.
Ron Paul was right.
-
_root._url
it returns the url of the flash file, not the page that loaded it though.
-
·»¤«·
interesting.
well if anyone wants to know my PHP script which will make things more difficult, i'd be happy to share via PM.
>flashl!ght<
All the normal names were taken.
Ron Paul was right.
-
n00b
Originally posted by slight
I'd really like to know how you did that klas, so that I'm not wasting time putting in the wrong kind of protection. Sent you a PM anyway. The scoretable security has been improved somewhat now. (So has the rest of the game. Go look! Go! Go!)
Cpt. Crastin
Ok, one way to do it, the easiest I think.. get Microsoft's Web Application Stress Tool (http://www.microsoft.com/downloads/d...DisplayLang=en).
Start it, set it to record, a browser window will pop up, go to the site.
It will then record every http request the browser makes. In your case it would look something like this when the highscore loads:
GET /slight/cc11gp53n.php?NAME0=fetching+scores%2E%2E... and so on...
and when submitting a score:
GET /slight/cc11gp53n.php?action=new&newname=Yello...
But there are of course other ways as well... decompiling is another easy way. I don't think there is or will be a secure highscore table in flash, ever.. So just live with it... Have seen a bunch of threads on the subject, but I don't think anyone has solved it, or have you?
/klas
edit: oh.. and I tried to 'hack' (yeah right..) your highscore table again, didn't notice that much difference from before, except for the filename. test - 200000, if you want to remove it.
Last edited by yellowman; 09-14-2004 at 01:25 PM.
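Added example, not part of the original thread: the recorded requests above show the name and score arriving as plain query parameters, so any check on them has to live on the server. The JavaScript below implements two such checks, a single-use session id issued at game start and a play-time plausibility bound; every name and limit in it is an assumption, not the game's actual script.

```javascript
// Added example: server-side checks for a score-submission endpoint.
// All names and limits are assumptions, not taken from the game in the thread.
const crypto = require("crypto");

const MAX_POINTS_PER_SECOND = 50; // assumed upper bound for this game's scoring
const MAX_SESSION_SECONDS = 3600; // sessions older than this are rejected
const sessions = new Map();       // sessionId -> start time in ms
const scores = [];

// Called when a game starts: the server picks the id and records its own clock.
function startSession(nowMs) {
  const id = crypto.randomBytes(16).toString("hex");
  sessions.set(id, nowMs);
  return id;
}

// Called on score submission: returns { ok, reason } instead of trusting the request.
function submitScore(sessionId, name, score, nowMs) {
  const startedAt = sessions.get(sessionId);
  if (startedAt === undefined) return { ok: false, reason: "unknown or reused session" };
  sessions.delete(sessionId); // single use: a recorded request cannot be sent twice

  const elapsed = (nowMs - startedAt) / 1000;
  if (elapsed <= 0 || elapsed > MAX_SESSION_SECONDS) return { ok: false, reason: "session expired" };
  if (!Number.isInteger(score) || score < 0) return { ok: false, reason: "malformed score" };
  if (score > elapsed * MAX_POINTS_PER_SECOND) return { ok: false, reason: "score too high for play time" };
  if (typeof name !== "string" || !/^[\w .-]{1,16}$/.test(name)) return { ok: false, reason: "malformed name" };

  scores.push({ name, score });
  return { ok: true, reason: "accepted" };
}

// Constructed walk-through: one ordinary game, one repeated request, one inflated score.
function demo() {
  const t0 = 1000000;
  const a = startSession(t0);
  const honest = submitScore(a, "player1", 4200, t0 + 120000); // 120 s of play
  const replay = submitScore(a, "player1", 4200, t0 + 121000); // same session again
  const b = startSession(t0);
  const inflated = submitScore(b, "test", 200000, t0 + 60000); // 60 s of play
  return [honest.reason, replay.reason, inflated.reason];
}

console.log(demo());
```

A client that starts a session, waits, and submits a score inside the bound is still accepted, so these checks limit repeated and inflated submissions rather than proving the score was earned.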
-
·»¤«·
Let me see if I get this right. The main problems include:
1) Deep-Linking to your SWF. This is used to put your hosted SWF on their site, at the expense of your bandwidth, as well as takes advantage of your work for their profit via adverts
2) Framing your page. Taking your HTML page and framing it directly on their site, similar to Deep-linking the SWF but includes your whole page.
3) Stolen & hosted SWF. Downloading your SWF file and hosting it on their servers, so they don't have to worry about countermeasures aimed at compromising problem 1) and 2).
Wow, that's lame. Here's what comes to my mind (I know you guys have been discussing and I'm just jumping in here...)
1) hide the actual SWF through a maze of loadMovies and complex javascript/PHP functions which don't explicitly reveal the SWF name. use referrals to keep the SWF from working if it's not on your site as best as possible
2) use frame busting and page referral scripts
Also, using a password protected system can effectively kill both these
3) again, using some trickery to make finding the actual SWF difficult. _root._url check (preferably hidden, maybe even loaded externally.) basically, using plenty of externally loaded data with relative paths and constant URL / PHP referral checks will require them to do some major work, which hopefully they are not motivated to do.
lastly, i suggest you all put warnings! directly placed IN THE SWF file, explicitly saying that it is copyrighted and ILLEGAL to host elsewhere, or link to for any reason (don't even mention asking for permission). sure they aren't honest in the first place, but now you have legal grounds to screw with them in return. and if you put it behind a password protected system, make it clear in the agreement as well.
PS - anybody know how jibjab loads their movies? i haven't looked close but seem i recall it was weird, maybe useful
>flashl!ght<
All the normal names were taken.
Ron Paul was right.
-
Official Shoe Shiner
hmm, something i put together quickly:
http://members.lycos.co.uk/humanchim.../movieLock.php
try and get that swf (the one which says: ".swf goes here" not the "Authorization failure" one!) either by leeching or downloading the file and uploading to your server.
Feel free to decompile it if you want. In fact if you want the code in it, it's:
PHP Code:
//Protection By HumanChimp
_root.loadVariables("loadScript.php?game=congrats")
_root.onData = function(){
    if(info2=="complete"){
        _root.loadMovie(_root.info1)
    }
}
that's it, all the code in the .SWF
and the first person to get it, gets a: Gmail invite.....
hey, they're going for $1 on ebay...
Last edited by thehumanchimp; 09-14-2004 at 03:21 PM.
Message on a gravestone: I finished before you in the human race.
Using: Flash MX