-protecting your games-

[adit_ya_sharma]

what is this program tony?

Stop being curious 3 post guy Anyway, it won't matter much even though tony won't tell, 'cause someone on the net will come up with it anyway.

[mpalma]

here is some easy flash code to help keep stuff protected

Article & code is linked here:
http://www.flashtreasures.com/Forum/viewtopic.php?t=2

The key is to make a couple small movies and burry them in your game. Then add the simple code. Its not 100% but you can make it a real pain in the butt for people to decomple and use your stuff.

[Incrue]

Just the old,well know urlCheck inside a lot of movieClips
To anyone who has read the whole threads urlcheck in nothing new(and nothing usefull too)
So why post a help who has already been told to everyone before?
Your post sounds more like a spam

[mpalma]

Just the old,well know urlCheck inside a lot of movieClips
To anyone who has read the whole threads urlcheck in nothing new(and nothing usefull too)
So why post a help who has already been told to everyone before?
Your post sounds more like a spam

The new trick is to burry it and have it goto frame 1, so it makes it harder to disable. But again its just a simple trick, for people who are looking for easier ways to protect their work.

[Inglor]

fact is there is no real way to protect the game against decompiling it, I coded a thing in C that makes it invisible and the script exists on EVERY SINGLE MOVIECLIP, it checks for a script in the _root (one) directly and if it's not there, it makes it invisible, that script is a URL check, it makes leechers have a rough life.

too bad it took me around 2 hours to write a script in C that reverse engineers it

[VENGEANCE MX]

Still, it's only a small minority of hackers who're willing to go beyond using a decompiler to steal something.

Inglor, what happens if you run the swf through an obfuscator before/after using your C program?

[Thor the Clod]

Let's say I don't want my work to appear on a certain website.

Using mpalma's code, I get:

// URL Checker
checkIt = this._url;
checkIt =checkIt.substring(0,29);
// Enforcer
if (checkIt = "(website we want to block content for)") {
//insert code to unload movie here;
}

I know that it'd probably be good to stick a getURL function in there to open up a page which states that the flash has been stolen, but I have no clue how to program it to unload the movie (...or if there's a better way, could someone point that out to me?)

I also saw this code on the first page:

hyperText = _url.substr(0, _url.indexOf(":"));
if (hyperText == "http") {
slash = _url.indexOf("//");
webSite = _url.substr(slash+2, _url.indexOf("/", slash+2)-slash-2);
webSite = webSite.toLowerCase();
if (webSite.indexOf("www.website.com") != -1) {
webSite = webSite.substr(webSite.indexOf("www.website.com")+ 4, webSite.length);
}
if (webSite.indexOf("(website I want to block)") != -1) {
stop();
myMessage = "Copyright Infringement! This movie has be disabled. "+"The following web address has been logged and the authorities will be notified: \n\n "+_url;
}
}

Where would I stick that? Could I slap it on a movie clip and hide it somewhere inside?

[mpalma]

New code protection Idea!

Use really bad coding to really confuse the hell out of anyone trying to rip your stuff.


hehe

[Ray Beez]

New code protection Idea!
Use really bad coding to really confuse the hell out of anyone trying to rip your stuff.

Yup. That's what they call "obfuscation". ;-)


Thor: (I know his message is old) To disable a game once you've figured out it's not on a permitted site, use this: _level0.unloadMovie()

[Thor the Clod]

heh, thanks much

[KamuiEXE]

Actually, I'm not too sure if this has been brought up by anyone yet, but I did discover that you can decompile some Flash with a Mac and Flash MX alone. I discovered this as part accident and part curiosity. I kinda wanted to see under the hood of how a particular Flash worked (I wasn't planning on ripping someone off or anything, I was just curious.) So when I fired up the Mac, I double clicked on the swf to just look at it and try and figure it out by looking. Instead, it opened up in MX completely and it half-decompiled it. I can't see the code, but I can modify the graphics and things if I wanted to. So I closed everything up and moved to PC. It was really strange but I think you might want to be a little careful of this. (And if anyone knows the answer, why did Flash do this on a Mac and not on my PC? It was really weird! )

~Kamui.EXE

[PattyvD]

Yes, the cookie can be found in cash, but the trick is - if attacker copy this cookie it will be useless next time he want to play game.

This cookie represents session number the server opens when user gets connected to the website. Next time he wants to use the same cookie the server will give him a error, cause it wasn't be found in his current sessions opened.

Thats is the trick. The session number is a unique key, valid only during session server has. In case when session will be closed by a timeout or customer will close his browser, the session number stored in coockie will be expired. So each time you opens the flash engine outside from the website, he will be unable to get server data, cause the server will never validate his session number opposite to the sessions he currently holds. That's all.

Ok, I've thought about this a lot, but I just can't see how it can work. What if the hacker FIRST visits the 'entrance' page where the cookie will be created and then goes about his/her usually hacking activities? That way the hacker has a valid session number and can go about.

[ozmic66]

Create a flash movie which acts as a preloader for your real game.
that movie could be decompiled, but the name of the movie it loads is not in it and the person would have no way to find it

Here's the trick
to do it, you would need to use a url rewriting capability on your server.

Let's say the loader flash file is located at "http://www.games.com/x/y/asd/game1.swf" (or something that could not be easily guessed)...

now let's say the page for this file is in:
http://www.games.com/x/y/asd/game1.html

you give that page a new (fake, rewritten) address like http://www.games.com/games/game1.html
(everyone will only see the fake address and won't even know that its fake)

viewing the source for that page would only reveal 'game1.swf' with no real info. on where it is on the server

so... here's the big thing
inside the flash movie, you will use the _url property to find out where the flash file is located. This property will give you the real address on the server from where the movie came -- you send that value to a php page which returns to you the name and location of the real game file...but only if the address you sent it is "http://www.games.com/x/y/asd/" (or wherever the real file may be.

So now, in order to find out what you called the game file, a person would have to find out where you really placed the loader swf file
which i don't think is possible if you rewrite the url

tell me what you think

[ozmic66]

please excuse the double post...
...my finger is faster than my browser

[691175002]

Can decompilers steal class files?
Is there any way to protect .as files?

[tonypa]

Can decompilers steal class files?
Is there any way to protect .as files?

class files and .as files only exist while developing . When creating swf they are all compiled into swf like normal actionscript code.

[tomsamson]

sure the files are imported and then the code gets merged into the swf´s other code but just to clear things up,class files are restored by most decompilers

[The Helmsman]

Ok, I've thought about this a lot, but I just can't see how it can work. What if the hacker FIRST visits the 'entrance' page where the cookie will be created and then goes about his/her usually hacking activities? That way the hacker has a valid session number and can go about.

As far as I see there is still a big interest in this thread. Therefore I decided to explain my idea a little bit better and give people here some direction on how to protect SWF files from copying to another websites and execution them offline. I don’t pretender to teach anyone here, cause there are plenty coders all around which code better then me

On picture no.1 we can see typical SWF protection of our days:

Now let’s describe all elements. First of all the content on client and on server is almost identical. Then the first request for game.html on web server brings back html file itself + all associated content including (css, js, swf and other files) to client’s cache. After all elements of page will be downloaded the game swf file will executes some request for URL before playing and if validation will be successful the game will start playing. The third request is not actual request but I put it here to illustrate further ideas.

As we can see, the thin place here is URL check itself, cause all content game needs to play located inside SWF and if the user can find a way on how to fake validation or remove URL check the game can be executed anywhere w/o any restrictions. Obviously today it can be done easily using tools like SWF Decompiler or ASV or FLASM.

Now let’s see picture no.2:

Here we have almost the same situation except one thing. Not all content the game needs to play located inside SWF file. Therefore, the file still can be executed locally but the user needs internet connection to play and the game file executed on other server must refer to the original server for game content in order to play. Still not perfect but looks better. Here we prevent game to run locally and make SWF decompiling tools obsolete.

Now let’s mix both ways, see picture no.3:

Here we’ve added some check based on the session id of the original ASP or PHP file that holds our game (SWF file). Her I want to stay a little bit to make things clear. Lets suppose we have 3 files on server:
1. landing.php
2. getData.php
3. game.swf
First of all after the user makes request for the landing.php file our server performs php processing in order to create html content which will be passed to client. During this processing the html file client gets contains some session ID which is unique and defines client. Then when the game was loaded the SWF file makes further request to server for game data using session ID as a key to tell server that the game is played from the original page and not from the other website. Then the getData.php file when processed on server to provide game data check ID it got from flash opposite to ID server has for this client. And in case when they identical (which means the flash file runs on appropriate page on original webserver) it return game data.

Somebody can say that it will work to completely protect game from running locally, but there is still some security breach when thief executes file on another webserver.
You are right. The thin place here is ID we pass to game as a key. We’ve said it is session ID, then the attacker can make fake landing.php page which will go to our server to get a key and then pass it to Flash. It is possible, but we go further. What will be if we use some key which can’t be faked? For example we can add some logic to our server when the key will contain the client’s IP and game level and in case when there are several requests from the same IP for other game levels we’ll block IP because it can’t be client (assuming that playey can’t be on level 1 and level 99 in the same time).

There are many other tricks can be found in order to make thief life harder as hell. Finally I want to post some small game as an illustration for all of above. Your can compile it as stand along game as well as protected one which can be run on server simply by changing #include directive. I hope it will help to understand better the main idea.
The game can be found here:



And all sources here

[strodgers]

My idea is to go to this MM site and tell Adobe you want something to protect your SWF from bad guys in Flash 9. If you don't know it by now, this is their "wish list" site where we tell them what we'd like in the next Flash.
weblogs.macromedia.com/flashteam/ archives/2005/09/its_that_time_a.cfm

[The Helmsman]

My idea is to go to this MM site and tell Adobe you want something to protect your SWF from bad guys in Flash 9. If you don't know it by now, this is their "wish list" site where we tell them what we'd like in the next Flash.
weblogs.macromedia.com/flashteam/ archives/2005/09/its_that_time_a.cfm

It can be begginning of the end for the SWF format as an open format. There are plenty amount of tools that can create SWF files on server dynamically upon request, some of them open source some of them is Macromedia property but it is possible because SWF is an open format. When you ask to implement mechanisms to protect AS inside SWF files its means it will never be open anymore. Think about it.