Hi ^_^ I am currently developing a game system for my website and found out how easy it is to reverde engineer a flash game back into .fla format with all it's action script still there. I am curios as to how to prevent people from using a modified version of my game to cheat on my site when I release it.
Also note that I am not using load variable for my php file I am using sendAndLoad(); with method post.
Last edited by LifeToTake; 04-06-2006 at 03:42 PM.
Holy cow thanks a million! I already secured the file from people downloading but it ends up in the temporary files so they could just search for it :/ The attached file helps out a lot.
I was wondering... what is the method that is used from loadMovie()? O_o....
Last edited by LifeToTake; 04-06-2006 at 04:42 PM.
Reason: Adding question T_T
Umm... name your variables funny names or long random things instead of something obvios O_o that is what I did... My score var is PzSfwadsiOHSAEOIGFGhsaiohfoiH ROFL
Hehe well I don't know if that will stop ArtMoney. In that program you search for values. Say you have 547 pts. The user will search for 547 and ArtMoney will find all the addresses containing 547. The user can then filter when the score changes, narrowing his results until finally he has one single address which is the score value. Then he can change that value with ArtMoney and then submit a ridiculous score.
I've never heard of 'ARtMoney' before... but I don't like the sound of it =(
Just to make life hard for people with ArtMoney (and such programs) you can always complicate things. Use an array to hold the score; each digit is held as a separate value, so the score 547 would be something like
Code:
var PzSfwadsiOHSAEOIGFGhsaiohfoiH = array("0", "0", "5", "4", "7");
or something, then update the array with splice. You could also use numbers that add together to get the score, so you would have two score values: 291 and 256, for example. When a user gets points just add on to one variable randomly and create a textbox dynamicaly to display both numbers added to gether in.
This kind of thing only makes it harder for people trying to get into your code, unfortunatly you can never fully protect your swf files.
Well, I don't know how cheating programs behave, but you should try filtering incoming requests for your score script in PHP.
In PHP the $_SERVER variable is an array containing useful data, such as the remote IP address, the referrer (the webpage that took the user to the script, which *should* in our case give the Flash file URL, but I haven't tested it).
If what I said above is true, you can choke the script if the request is not coming from the Flash file on your server, and output a string that tells the lamer to go cheat somewhere else...
Give me a minute and I'll check it out..
Altruism does not exist. Sustainability must be made profitable.
1) The PHP script retrieves an empty referer when Flash uses the sendAndLoad() method;
2) The PHP script retrieves a referer equal to the Flash URL when Flash uses the send() method;
3) Checking the remote headers, when Flash is fired from within a browser (either directly or embedded in an HTML document), the PHP script recieved the browser headers, while if fired from test player (within the Flash authoring environment) the PHP script recieves the Flash player headers. I wasn't able to get the connection working from the standalone player.
In conclusion: it might be possible to build a dispatcher by mixing together conditionals on the referer and on the remote headers, but I don't know how easy it may be to fake the headers (I think they can be customized with ActionScript).
So probably my idea is impossible to make.
Too bad..
p.s.
Well you could actually use the send() method, targetting a hidden frame in your page. And print a response that will display another flash movie that will send the response back to the first one via localConnection. Or you could do it with JavaScript and the ExternalInterface API. But all these solutions require great compatibility and support, which the Flash player does NOT have.
If you access such type of content on non-standard systems, it will simply not work.
But this is Flash..
Altruism does not exist. Sustainability must be made profitable.
Here is the most security you can get with php.... It took me days to finally figure I can't add anything else for security :/ I rewrote this to load in the source that ninjakannon posted (which I modified to get a var from the linked loader file ^_^) . If you want to just load your swf file on the page with out a loader change
this will pretty much stop people from directly downloading the file but if the person can play the file directly from the site in any way if they are using IE they can just got search for it in their temp folders :/ this is why I needed a loader
Code:
<?php
$referer=parse_url($_SERVER[HTTP_REFERER]);
$refcheck = $referer['host'];
$final_ref = str_replace("www.", "", $refcheck);
$siteref = "127.0.0.1"; // Do not add http:// or www.
$method = $_SERVER['REQUEST_METHOD'];
$gamefile = $_GET['gamefile'];
$username = $udata['username'];
// The udata is making sure user is logged in :/
if (!$gamefile || !$username || $final_ref || !$udata[id] || $udata[id] == "0"){
header("location: index.php");
die;
}
//$sql = "INSERT INTO `z_method` (`method`) VALUES ('$final_ref');";
//mysql_query("$sql");
Header ("Content-type: application/x-shockwave-flash");
Header( "Expires: Wed, 11 Nov 1998 11:11:11 GMT");
Header( "Cache-Control: no-cache");
Header( "Cache-Control: must-revalidate");
$file=fopen("flashfiles/$gamefile","rb");
// ^^^^^^^^^^^^
$source=fread($file,filesize("flashfiles/$gamefile"));
fclose($file);
print $source;
?>
I favor fopen(); because I already memorized it xD I mostly stick with the php I remember off hand and if I don't know a code then I just go to php.net and look up what I need or daydreamgraphics.com ^_^ I been doing php for 3 years I only know a small portion of all the commands and functions ... probly because I am self taught T_T (I just learned by modifying scripts and stuff just like I am learning flash right now ^^ O_o oddly I figured out how functions worked with out even messing with them a couple of days ago it just clicked in my head one morning when I woke up how they worked.
What I see happening on my server is that I get no referer if a new page is not being phisically loaded. Which is partially understandable. It is weird though that there is no way to retrieve the URL of the calling document.
Obviously you shouldn't be able to read the document path if it's not under the same sandbox, but at least within it...
Altruism does not exist. Sustainability must be made profitable.
Ohh yeah that reminds me O-o your flash files need to be in a folder called flashfiles/ ROFL I think you might have noticed that tho XD... hmmm :/ sorta odd. You did take out the user data stuff right (IE: username and all the $udata[])? X_x .... lol I originally set this up as a file to hide the real location of the swf files and prevent direct downloading which the || $finalref helps prevent that. hmmm If you can't get this to work Imma go back to the drawing board and make it up to the latest php standards.
Thanks I don't need help on the PHP side, but I've never heard of the "flashfiles/" directory... what about that? I have to place them in /var/www/html/flashfiles/?
Altruism does not exist. Sustainability must be made profitable.
I plan to make a full security system for php and flash that submit score when I finish the site that I am working on which I plan to include every possible safety feature possible and then release it to a few communities.
Last edited by LifeToTake; 04-07-2006 at 12:23 PM.
you are getting confused between the script I'm talking about in THIS thread and the script I posted in another thread.
The whole part that loads the Flash movie via PHP is not what I am looking at.
What I'm trying to do is to prevent a Flash movie that is loaded outside of my website to communicate with my PHP script.
That's the part I'm figuring now. My problem is that I can't manage to get a consistent datum I can build a conditional on, because sendAndLoad() commands don't produce any referer or other reference...
Altruism does not exist. Sustainability must be made profitable.
Reply With Quote
.
