So minijuegos.com stole my half finished flash

**StenFLASH** · 09-16-2004, 09:14 PM

T1ger, which file are you protecting?

Is it the first swf that shows the "test file" scribble with the "load" box?

Or is it the "test##########.swf" file that the "test file" is supposed to load?

I got a copy of the "test file" but I never noticed it actually load this other "test##########.swf" file. Whats the go?

**T1ger** · 09-17-2004, 01:47 AM

There's only one swf file. Thats test##########.swf. That's the one you got a copy of? If so, please tell me in a pm. You too strille.
But this security check was originally only leech-proof, but i found a way to protect the swf too. Could any of you show me a page where the stolen swf is, or leeched?

**thehumanchimp** · 09-17-2004, 02:30 AM

Strille, can you pm me how you managed to get the file in the first place. Thanks

Ill also try and add a bit more protection to the loaded .swf file.

**thehumanchimp** · 09-17-2004, 02:35 AM

i see T1ger your using my idea of renaming the file everytime it is launched.

I got your pm. I think mine runs basically the same as yours.

**leason** · 09-17-2004, 06:40 AM

I wonder about that file renaming technique.... On my site I have had well over 300 online at any one point and I just wonder what would happen if they went to play a game and between their request for the file, and Apache's actual delivery if the name could be changed by another users request and would then give the second user a 404. I think its a cool technique, and simple too, but I'm not sure how that would do on a high traffic site.

Humanchimp, could you post or PM me the technique you use to mask the swf location? Thanks man.

**T1ger** · 09-17-2004, 08:03 AM

Leason, exactly what I have been thinking, but i dont know. Doesnt apache handle one process at a time? like, when 4 users requests the page, it processes the first one before it moves on to the second and so? If so, it should not be a problem i think.

**leason** · 09-17-2004, 08:10 AM

Im going to test it locally, then give it a shot on my site today :S - Hey, what's the worst thing that could happen....

I still really want to see the code behind the technique you guys were using to mask the src of the object tag. T1ger, either your or Humanchimps would be really appreciated cause you guys got a lot farther than I did. To me, that is the best option.

The other negative to renaming is when you try to actually update the file. You see, I have 200 games with each games location stored in a DB. Updating is not that big a deal cause I just drop the updated .swf file the author sends me into the games directory. If the games get renamed then I have to get in the DB, find the correct name for the game I'm updating, rename the new file so it will replace the one on the server, and all before someone else requests it and PHP renames it again. That option just seems like it could cause as many problems as it solves, even though its a cool idea and not hard to implement.

Another issue to consider with a high traffic site is the additional disk access involved. I wonder how effecient PHP's file interaction methods are and if the additional strain would cause a problem. I'd have to benchmark it.

**murraymint** · 09-17-2004, 10:14 AM

ok guys,

Have been messing around with a few ideas based on the work above.

I like the idea of the dynamic embed, so I quickly set that up in PHP and then thought, if you can't hide the swf file then why not get rid of it by putting the binary into a database,and deleteing the file off the server, so that's what I have done.

The dynamic embed php script now reads the binary of the swf from a database and not from an actual file. Surely this is almost impossible to steal?

With all the checks you can do in php, there should be no way this page can bee leeched at all. You can check the current page, server, requesting uri etc. etc.

I don't have an example yet sorry, but its fairly simple to write binary files to mysql, so I am sure someone else will do it here.

Thoughts on this.

**thehumanchimp** · 09-17-2004, 02:30 PM

murraymint "The dynamic embed php script now reads the binary of the swf from a database and not from an actual file. Surely this is almost impossible to steal?"

Sorry to say, but i reckon using Strille's method to get mine should also be able to get yours!

T1ger: like i said earlier, you seem to be using the same method as me. Do you still want to see my code?

Leason: Ill send you a pm soon. Although I want to add a few more ideas i thought of while at school. [EDIT] Sent! [/EDIT]

[EDIT]

Just reread the paragraph stating:
"The other negative to renaming is when you try to actually update the file. You see, I have 200 games with each games location stored in a DB..."

It shouldn't be too hard to get PHP to do it. You could have a prefix for the file, like how i have it. I have "game name + random number + string (for my convieniance).swf" The random number is the bit which gets changed.

All you would have to do, is type in the game prefix, and the location of the new file, and the script could easily delete the old entry, remebering the random number, and rename the new version to the old version in a split second

[/EDIT]

**Hasufel** · 09-18-2004, 01:06 AM

Nice thread !
We should maybe use more stuff like that:

Code:

function d(a) {
z = a;
y = undefined;
}
d("y");
set(z, "why ?");

**>flashl!ght<** · 09-18-2004, 01:10 AM

you mean make code thats as confusing as Kerry's policies? I think thats a great idea if you can do it, but I personally need very descriptive words/names when making my code. I would like to know if there's a good obfuscater out there? Seems like it wouldn't be too hard to make.

**Frag** · 09-18-2004, 10:01 AM

Originally posted by Hasufel
Nice thread !
We should maybe use more stuff like that:

Code:

function d(a) { z = a; y = undefined; } d("y"); set(z, "why ?");

**Squize** · 09-18-2004, 10:22 AM

"I would like to know if there's a good obfuscater out there? Seems like it wouldn't be too hard to make."

I was going to make a FLASM based one, but with 2.4k's excellent global find / replace you don't really need one. Just changing the important var / function names is more than enough to make even your own code look alien to you.

The weak point as ever though is the getURL command, and that's were you put the decompiler screwing byte-code in to make it as unreadable as possible.
Even that can be broken if the person looking knows byte-code, but if they do and they've taken that much time and effort then they deserve the crack.

Squize.

**>flashl!ght<** · 09-18-2004, 12:10 PM

Frag
I think he was just saying make it unreadable, so hackers don't know what's what. However that means making it unreadable to yourself; I know I wouldnt survive!

Squize
1) 2.4k's find and replace? Meaning there is a feature in MX 2004 that let's you find and replace code on a global scale? Will it allow you to strip out line breaks as well?(Of course you would need to be in the habit of using ; or this will screw your code.) I am using MX, not '04, and I don't think there is a global find & replace, but I might be wrong.

I don't know much about obfuscaters, but my basic request would be:
:: give all variables/functions/objects/ect. random names
:: strip out *all* uneeded formatting
:: change all common numbers to variables(with random name of course), and create those variables as _global
:: move any code that does not need to be where it is
:: remove/jumble all previous commenting
Plus maybe...
:: add TONS of random commenting, even things like
this/*sfdgsdfhgfjhfj*/.onRollOver/*dfkghds*/=function(){
:: add plenty of extra code that never gets executed

After that, it should be well-nigh unrecoverable. You may be able to reverse some of the stuff with the proper programming, but some of it wouldn't be nearly as simple to fix as it is to screw.

As for getURL, with a little algorithm you could make the getURL website string get split into individual letters-sub strings(with random names of course), which get chaotically distributed on random places that come BEFORE the call, then the actual call looks something like this:
getURL(sdgf+opiyutr+asfdut+ireuty+ect.,"_blank");
on the one hand they could figure it out the old fashioned way by searching for all those strings and combining, but you could make it one step harder by actually defining the variable names as a combination of letters, so that those strings names never actually appear anywhere but in the getURL
_global["s"+"p"+"l"+"i"+"t"+"V"+"a"+"r"] = 25;
trace(splitVar);

Just brainstorming.... but you know most people would not want to try and get around this. I sure as heck wouldn't.

**yellowman** · 09-18-2004, 12:14 PM

"I would like to know if there's a good obfuscater out there? Seems like it wouldn't be too hard to make."

http://www.as-protect.com/protect.php

Haven´t tried it, so I don´t know if it´s any good or what it does. Maybe someone wants to try it...

/klas

**>flashl!ght<** · 09-18-2004, 12:24 PM

Thanks, I'll check it out.

[EDIT] I don't have ASV...

**thehumanchimp** · 09-18-2004, 05:20 PM

Right, I have a little test. This is purely to test if i can confuse the user's cache. Can people try and "steal" the .swf file here: http://members.lycos.co.uk/humanchimp/cache/test.html
(the one which says "Loaded") by grabbing it from their cache, NOT by any other means, i only care about the cache. (You may use other programs, like Proxies, to surpress any headers, or anything else, But you can only get the file from the cache.)

Now if all goes to plan, when you check your cache you should only have a .swf with text saying: "Autherization Failure". There are no headers to tell it to not cache it, or anything like that used, and there is no script to check whether it is run on your machine or off the server. They are 2 different swf files.

If you do have the "Loaded" swf in your cache, can you tell me which browser you used to test it. Thanks.

**strille** · 09-18-2004, 10:29 PM

thehumanchimp, I managed to grab the "loaded" movie from the cache the first time I tried, but can't seem to repeat it. Must have been a freak accident that I grabbed it before the php file was loaded into the flash movie. It's a good idea, and seems to work fine.

Does saving the website (and thus test.swf) using a website spider like SurfOffline count?

**thehumanchimp** · 09-19-2004, 04:21 AM

hey Strille, thats strange, oh well - ill see if i can recreate that, and sort it out. and to answer your second question, no - it doesnt count

murraymint, check your pm.

Seeing as it seems to work most of the time, i'll add it to my movieLock version and see if you can grab the newer version.

**Squize** · 09-19-2004, 09:51 AM

flashl!ght formating and comments aren't stored in a swf, so you don't even have to worry about it ( With regards decompiling ).
There is a FLASM based ( http://home.byu.net/jtb64/Swob.htm ) obfuscater but it's more trouble than it's worth imho ( I do just stick with the global find / replace, which is 2.4k only I'm afraid ).

As to the getURL thing, we pretty much do that anyway, and then drop some false byte-code around it which messes up asv.

I don't know of anyone whose got as-protect to work, both pred and I have tried with no joy, which is a real pity. I think the only real way is to get your hands dirty with byte-code yourself.

Squize.

Thread: So minijuegos.com stole my half finished flash

Thread Tools

Display

[link]

Posting Permissions