-protecting your games-

[tomsamson]

hey there,
every few days-weeks i get pms on the same topic,which is how can a game be well protected.
some are asking on how to avoid decompiling,others on how to avoid thieves using the game on their site.
so it thought it´d be good to have a sticky and sum possible solutions up here.
if you have something to add,please write in the headline if its regarding decompiling or regarding abusage on other websites.

now to get this rolling:

-regarding decompiling:
i won´t name any decompilers as basically which one you use doesn´t matter a lot,most share the same functionality.
generally its always possible to get all your media assets out of your swf file.
on the code side its also always possible to get the code out of an swf file (in one way or the other). some decompilers bring it back in human readable form (the way you see it in the as panel in flash),others return the bytecode which needs a bit more understanding to be able to read it.
there are tools which are meant to help to protect the code of a swf file,they basically obfuscate the code so decompilers crash or can´t read the file.those are normally additions and changes in the code which are ignored by the flash player but not the decompilers,so that they don´t know how to handle those.
those ways of preventing are not ideal though,as once you add such obfuscation,a decompiler developer creates a new version of his app which gets around that crash reason.
better obfuscation is the kind which actually changes all variable and function names so that those don´t make sense to the human reader even if he gets the code.
both of these tool types/tool features are summed up under the common word obfuscator.
most used obfuscators are
aso (
http://www.genable.com/aso/
)
and flashincrypt (
http://www.flashincrypt.com
)
normally you just load a swf in such a tool and it obfuscates the swf in automatically.
there´s also flasm (http://flasm.sourceforge.net/ ) with which you can change the code on byte code level for yourself (which needs some more work though and should only be done once your product is completely finished).
to protect your content against theft,next to using obfuscators i´d suggest splitting your game up into several files
that makes it more painful for thefts to recreate all files.
(and to even understand the structure).


-on abusage of your games on other sites:
one possible solution:
you could load files across servers,meaning you have your game (for example) on server a and some xml files on server b.
if you attempt to load files like xml files from another server,flash will look on the server b if it features a crossdomain.xml which grants server a to load from it. if that isn´t the case,it won´t load on.


-general:
if you want to protect your swfs,that´s a good thing but keep in mind that there´s no 100% protection and therefore you should keep security related data outside of your swf,all we sum up here just makes the life way harder for thieves.

okies,
hope that´s a good start,would be cool if you add something to this so we get a good core base of solutions =)

[rsnail]

Add the following javascript to your html to break frames or iframes.

<SCRIPT language="JavaScript">
<!--
if (parent.frames.length > 0) {
parent.location.href = location.href;
}
// -->
</SCRIPT>

rsnail

[jebrael]

It's better in include the JavaScript directly in the FLA/SWF.

[Incrue]

I sayd it in another topic,i mean, when comming to the thief catch the swf in cache, i have this weir idea, not sure if it will work,If it dont work, this words should have be deleted

The swf sends and loads variables to a php
Flash send:varcontent=1
The php receives and echo another variables to send them to flash,ex:
enemies=4;lives=3;leprechaun="iwanttoeatu";sizeofs quare=45
Them swf receives those variables
And,only when the swf knows he has received those variables,he goes send and load another variables to the SAMEphp
He sends: varcontent=2
The php receives,and,if varcontent=2, echos another variables to flash:
enemies=0;lives=0;leprechaun="",sizeofsquare=0
Flash will not do anything with those new variables, he already has put the old variables inside other variables and that will be the ones he will use to run the game
And in the end, the thief will not find the php who send the variables in cache, and if he tries to run those php, the php will output the wrong content...
obs:when i talked about variables, those are the variables essential for the game to run properly, without them it will not work rigth...

Thanks to Razormedia,this is the way to make flash look for new content, rather them look for things in cache:
http://www.flashkit.com/board/showth...hlight=caching

And, thanks to Tiger, this is about how to make a php dont stay in cache
http://www.flashkit.com/board/showth...hlight=caching

[Skribble_Style]

This isnt my code, I just copied it from a thread I once saw here. Its a way to check if a game is being played on a certain website or not. If the website specified is the website that the swf is on, then it loads the game, if its not on the specified website, then it displays a msg displaying a copyright notice.

Just replace all of the "www.website.com" strings with the website of your choice. Note: You only need to put in the domain, not the exact URL.

Hope this helps out everyone.

Code:

hyperText = _url.substr(0, _url.indexOf(":"));
if (hyperText == "http") {
	slash = _url.indexOf("//");
	webSite = _url.substr(slash+2, _url.indexOf("/", slash+2)-slash-2);
	webSite = webSite.toLowerCase();
	if (webSite.indexOf("www.website.com") != -1) {
		webSite = webSite.substr(webSite.indexOf("www.website.com")+4, webSite.length);
	}
	if (webSite.indexOf("www.website.com") != -1) {
		//load the game
	} else {
		stop();
		myMessage = "Copyright Infringement! This movie has be disabled. "+"The following web address has been logged and the authorities will be notified: \n\n "+_url;
	}
}

[Incrue]

You can also put your swf inside a director file
But lots of people doenst have the director plugin, and you may loose some performance
But if you just want to show a beta version to very few people and not yet release the final version of the game to the whole public, this may help

[dnalogic]

what about..

have a lot of variables that are XORed on the url name or something. or a session variable or server time and IP.

eg..

var x=XOR(_root._url , "abcdefghikjshfksjdhfjkdshsdfsdfdsfsdfsdf");

that sort of thing.
in order to get the correct value of x for the game to work, you would have to go through all the variables and work out the result of the function XOR on "skdhgahdhsadhasdhasd" or whatever encoedd value it was. obviously that is crackable, but if you had one of those functions at every point when a variable was called (in places where it wouldnt slow the game down), then it would be quite a lot of effort to unravel it.

bottom line is that.. ive made games that havent had any protection .. google "trampoline trickz" for example. or games that have had a little bit of protection - "half pipe" (cant remember what it was called exactly), and the ones with a little bit of protection (even though its not 100%) havent been stolen, and the other ones have been stolen in hundreds of different places.
nothing is 100%, but if it requires enough effort then people wont steal it. I suppose if you can make a game that requires so much effort to decode that the person doing it might aswell rewrite it from scratch, then its as theft proof as its going to get. right?

[Incrue]

You know what; when i look to miniclip.com it was a good surprise to see that the second most view game was runescape (java) and that at a lot of time, robotrage was the first one(director)
To me, this is a evidence that people who like to play games dont care about wich plugin runs your game
So, that story "only 70% have the director plugin", when comes to games, it is not the whole story...when they make those numbers they arent looking only for those who like to play games

[jesserules]

Here is something one could do, if their .swf is put in an iframe on another site:
have a .htm page to load the .swf, in a different directory from the .swf, and have the .swf try to load a .txt file that is in the same directory as the .htm file, and if it can't it will redirect the user.
this way to use an iframe the thief will have to load the .htm file into the iframe, not the .swf.
on the .htm page it could say that if it is not played on a certain website it's stolen.

[Flow Motion]

Check out http://flo.neodelight.com/securemedia - it's an advanced open source solution against hotlinking of swf (or other) files... I think it's really safe, as it's based on cryptography and works with session like keys for each user... check it out...

[Zirclesoft]

but isnt it that it is possible to change your SWF file into
another diferent projector file...(if you would look at miniclips.com)

their flash works have a different projector...

so wouldnt it be safe from decompilers?

[Flow Motion]

Can you tell me the name of one of these special projectors games ? I've never seen one, yet, but I'm eager to find out what they did...

[Zirclesoft]

umm its in the tutorials link here....

i think its the one with the "projector link"

[fantasio]

hi there!

well i used flashincrypts follower SWF Encrypt 3.0 now for some projects
and i have to say, that it works fine against decompilers.
the only drawback is the bug hunting... especially in complex swf files their can be some awkward behaviour, so you have to make sure that you test thouroughly after the encryption.

for bandwidth stealing and hotlinking, well their are lots of possibilities
so thanks for the link to the new stuff, Flow Motion.

also i just tend to relax and try to get some peace of mind, knowing that everything can be stolen

[inamm]

hey tomsanson...thanks so much dude for the tips! THEY EXTREMELY HELPED ME!

[paperclip]

Well, i wrote something like this on stickpage about 5 months back. It includes i think two ways you haven't mentioned yet but then again you might have anyway. Hree is the link: Link to tutorial

[JamesonH]

I think everyone has very clever ways of protecting your games, but like tomsamson said, "there´s no 100% protection" against Flash Pirates.

I've been dealing with this problem and have listened to friends gripe about this problem for many years now. We finally got fed up and decided to build a free tool called MochiBot (http://www.mochibot.com) that tracks how many times your game is played and what websites your game ends up on. We've had a lot of people use it in their games and other Flash content with great success. Miniclip.com is also using MochiBot in some of their games.

We'll be adding a lot more features to help you better understand where your games end up and who's playing them.

I hope that MochiBot helps put your mind at ease when launching a new game.

[hI-Q]

Stealing flash games/flash movies has almost nothing at all to do with the flash file itself but the HTML surrounding it. All you need to do is encrypt it! Most browsers and softwares won't be able to detect it. Let me give you an example,

Lets say that your movie is called fish.swf. normally the html surrounding it is "<EMBED src="fish.swf" quality=high bgcolor=#CCCC99 WIDTH="550" HEIGHT="400" NAME="s_6" ALIGN="" TYPE="application/x-shockwave-flash" PLUGINSPAGE="http://www.macromedia.com/go/getflashplayer"></EMBED>

All you do now is select and copy that code and put it through the html encryptor at http://www.designerwiz.com/ad-framer...cryptHTML1.htm
and you should and up with something like this "<script>
<!--
document.write(unescape("%3CEMBED%20src%3D%22fish. swf%22%20quality%3Dhigh%20bgcolor%3D%23CCCC99%20WI DTH%3D%22550%22%20HEIGHT%3D%22400%22%20NAME%3D%22s _6%22%20ALIGN%3D%22%22%20TYPE%3D%22application/x-shockwave-flash%22%20PLUGINSPAGE%3D%22http%3A//www.macromedia.com/go/getflashplayer%22%3E%3C/EMBED%3E"));
//-->
</script>


I hope this was useful

hI-Q

[UnknownGuy]

The hacker can still looks in his cache to find the .swf and go on from there. Even in the 'encryped' code, you can still pretty easily see fish.swf, or even if its some weird name, .swf.

<!--
document.write(unescape("%3CEMBED%20src%3D%22fish.swf%22%20quality%3Dhigh%20bgcolor%3D%23CCCC99%20WIDTH %3D%22550%22%20HEIGHT%3D%22400%22%20NAME%3D%22s_6% 22%20ALIGN%3D%22%22%20TYPE%3D%22application/x-shockwave-flash%22%20PLUGINSPAGE%3D%22http%3A//www.macromedia.com/go/getflashplayer%22%3E%3C/EMBED%3E"));
//-->
</script>

It is not that hard do work around.

[Zirclesoft]

i dont get it....

why would anybody go through all that trouble stealing flash?

can any1 tell me the possible things that flash stealers wanna do?

i mean...its just a flash game...