-
Senior Member
Yes, the cookie can be found in cash, but the trick is - if attacker copy this cookie it will be useless next time he want to play game.
This cookie represents session number the server opens when user gets connected to the website. Next time he wants to use the same cookie the server will give him a error, cause it wasn't be found in his current sessions opened.
Thats is the trick. The session number is a unique key, valid only during session server has. In case when session will be closed by a timeout or customer will close his browser, the session number stored in coockie will be expired. So each time you opens the flash engine outside from the website, he will be unable to get server data, cause the server will never validate his session number opposite to the sessions he currently holds. That's all.
-
Custom User Title
Not talking about the cookie, talking about the php who outputs the data for the swf to make a game
1.The php receives the cookie
2.The php outputs the data
3.Swf reads the data and make the game
4.The php with the data is in cache
5.The thief reads the data in cache and put the same data in another file
6.the thief makes his own swf read the same data in this another file
-
Senior Member
You're right - so, a game thief now needs to play whole game, complete all quests and simulate all situation in order to get data comes from server.
After this he must analyze every piece of data he got, and organize it in sequences and save in his DB.
Next thing must be done is write php script similar that we have on our webserver, in order to transfer data he has on his DB to Flash w/o session check.
After all he must analize AS code inside stolen Flash engine in order to understand which format he must use in order that php script he wrote will return data same format Flash engine awaits to get.
And last thing he must do - is to change address of the webserver Flash goes to get data to the new one he have.
Looks hard... isn't it? It's a really time consuming procedure to do all of above and be sure that thief didn't miss something, cause any part of data missed will lead to situation when the customer stuck somewhere in the game.
Besides this, the code in Flash as i said before is obfuscated and not so user friendly to thief as it appearse inside Flash
That's why i think it's a good enough to use this kind of protection for a big projects. You can be sure that all the time when other's will try to simulate something you did you'll be 10 steps forward and making your money
Last edited by The Helmsman; 08-31-2005 at 05:48 AM.
-
Senior Member
The Helmsman...
I like your strategy!
Could you post some working example with this PHP stuff?
Or, is there any good tutorial around about this?
We have good programmers here at Flashkit (not including myself at all)...
We should create a secure/protected application in flash with opensource .fla so anyone could learn how to protect a game and if the experts wanted to help improving the code/security it would be nice!
What do you people think?
-
Senior Member
I don't have any working example of this applied to Flash games, but i can make one. All i described here was only on the level of idea, how the Flash games can be protected. I've came to this when we discussed the problem with some of my friends here in the gaming company where i'm working now.
But, anyway it is a working conception - we use such appearence in some other projects required such type of authentication. So, the last thing to do is to write some code to make it working with flash games.
-
Custom User Title
Originally Posted by The Helmsman
Next thing must be done is write php script similar that we have on our webserver, in order to transfer data he has on his DB to Flash w/o session check.
He can make his swf look for the same data from a txt
Originally Posted by The Helmsman
Looks hard... isn't it? It's a really time consuming procedure to do
Never underestimated your enemies.If there is a way, he will do it.
I think a better solution is make those data came from a XmlSockets or from a director file.
IF those things dont let the data to be seem in cache.
Last edited by Incrue; 08-31-2005 at 09:08 AM.
-
Senior Member
Hi, sorry to jump in without reading the entire thread, but I was wondering if the new F8 security measures would address any of the "file protection" issues we've had to deal with?
I recently read the MM Security whitepaper, and it SOUNDS like there can be protections put in place now that the PLAYER itself will respect. (But I got a little lost--it's a long document)
Anyone looked into this?
-
Senior Member
Originally Posted by Ray Beez
I recently read the MM Security whitepaper, and it SOUNDS like there can be protections put in place now that the PLAYER itself will respect. (But I got a little lost--it's a long document)
Can you give a link to this doc, please?
-
Senior Member
good newz!
an article about protecting AS code!
http://www.kirupa.com/reviews/swf_encrypt_review.htm
I've tried SWF Encrypt myself and when I tried to extract the code with SWF Decompiler 2005... it crashed!!
that's good!
-
Custom User Title
Originally Posted by Vector Media
news?
This thread is going backward or what?
-
Senior Member
Originally Posted by Vector Media
I've tried SWF Encrypt myself and when I tried to extract the code with SWF Decompiler 2005... it crashed!!
And it took me only 15 minutes to find program that removes junk code inserted by SWF Encrypt. You should realise that all the actionscript is still in the swf even after "encryption" or else the Flash player couldnt play the movie. It adds extra code which makes decompiler think code is incorrect and ignore it, but that piece of extra code can also be removed.
-
Senior Member
Originally Posted by tonypa
And it took me only 15 minutes to find program that removes junk code inserted by SWF Encrypt.
Which prgm you've found to remove this junky code? Flasm?
-
Custom User Title
A tutorial about 'how to steal games beyond junk bite code' would be welcome, too.
For the thief should be one step MORE, not less.
Last edited by Incrue; 09-27-2005 at 04:38 AM.
-
Senior Member
Originally Posted by The Helmsman
Which prgm you've found to remove this junky code? Flasm?
yea, what program?
Flasm didn't work for me.
You can't get the original clean code, just a messy useless code.
-
Senior Member
I doubt he is going to say it, atleast on a public forum.
For obvious reasons.
-
Hi,
Can somebody tell me, how to stop people playing in direct SWF files not in HTML or PHP.
I know that's possible, i've seen that before, i think it was in StarRunner by tonypa
Is there a tutorial for a code. I'm not good at AS
-
Custom User Title
You cant.
Read the whole thread before ask next time.
-
Senior Member
Originally Posted by Krika
Can somebody tell me, how to stop people playing in direct SWF files not in HTML or PHP.
I know that's possible, i've seen that before, i think it was in StarRunner by tonypa
Remember, this is not 100% secure, but it stops people without knowledge of Flash:
Read about "Appended on a query string in HTML tags" here:
http://www.macromedia.com/cfusion/kn...53#querystring
*add variable in the end of sfw tag (both in embed and object tags)
movie.swf?myvar=hello
*in the swf file add this code to check if variable is set
if(myvar!="hello"){
_root.gotoAndStop("end");
}
-
thx, i'll try this. i just thought maybe there are some script what can check the last letters in URL. If SWF then unload etc. etc.
And i know everything is hackable, i just need some kind of protection, so noobs can't hack that.
Anyway, thanks again, i'll try this myvar tutorial
-
And it took me only 15 minutes to find program that removes junk code inserted by SWF Encrypt. You should realise that all the actionscript is still in the swf even after "encryption" or else the Flash player couldnt play the movie.
what is this program tony?
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
Click Here to Expand Forum to Full Width
|