Solved

What is the best way to ensure that my flash game doesn't get stolen? Would having it load into another flash clip prevent this?

Posted on 2008-10-30
25
468 Views
Last Modified: 2013-11-11
What is the best way to ensure that my flash game doesn't get stolen? Would having it load into another flash clip prevent this?

And also, does loading 1 flash clip into another cause the loaded flash clip to have the same FPS as the loading flash clip?
0
Comment
Question by:davideo7
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 11
  • 7
  • 5
  • +2
25 Comments
 
LVL 4

Expert Comment

by:MattKenefick
ID: 22846047
I've done very deep extensive research and it's impossible to prevent.

I've try nesting in anonymous clips from sources that don't identify as flash, clearing and disallowing all cache, obscuring everything, and so on. I've exhausted the possibilities and there is always a way to get it. Wireshark, cURL POSTs, Firebug, there's always something.

Unfortunately, the only thing you can try to do is encrypt it, but there are programs that will decrypt it.

Sorry.
0
 
LVL 34

Accepted Solution

by:
Aneesh Chopra earned 325 total points
ID: 22847371
with due respect, I disagree with MatKenefick comments,
it is possible to protect your actionscript code,

restrict your game to run through your domain only, using following code:

if(_url.indexOf("http://www.mydomain.com") == -1)
{
  // add action to stop execution of SWF
}

next step is to use SWFencrypt to encrypt your SWF, ( http://www.amayeta.com/software/swfencrypt/ )

this encryption tool is on top since last 2 years, not a single SWF decompiler managed to crack its encryption..

most of the corporate flash websites are using its encryption services now a days,
for example:
http://www.flashden.net/
http://www.afcomponents.com/

you can try downloading SWFs from these websites and try decompiling to ensure the code security..

-------------------
Aneesh Chopra
-------------------
0
 
LVL 4

Assisted Solution

by:MattKenefick
MattKenefick earned 125 total points
ID: 22850461
Everything at FlashDen is decompilable so I'm not sure what you're talking about @aneeshchopra.
And trust me, it cannot be protected. For it to be visible on the clients machine, it has to be on their computer and readable...

How come someone can't download his swf, decompile it, remove that line, and then recompile it?

And if he was afraid of it *appearing* on someone elses site, which is the only thing your code will HELP (not solve) with... they could just iframe it which makes it pointless. Trust me, I'm 100% right on this issue. I've spent months and months on this particular topic.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 34

Assisted Solution

by:Aneesh Chopra
Aneesh Chopra earned 325 total points
ID: 22850581
Ok, I agree that my pointer to Flashden.net is not correct,
but I still assure that actionscript code encrypted using SWFEncrypt can be decompiled..

all flashcomponents at http://www.afcomponents.com/ are encrypted using SWFEncrypt,

for a test, anyone can download the following SWF and let me know if it can be decompiled
http://www.aneeshchopra.com/work/pageflip2/
0
 
LVL 34

Expert Comment

by:Aneesh Chopra
ID: 22850589
correction:
but I still assure that actionscript code encrypted using SWFEncrypt CANNOT be decompiled..
0
 
LVL 4

Expert Comment

by:MattKenefick
ID: 22850734
"Can open most obfuscated/protected SWFs. Alhough this is not an 'official' feature, ASV bypasses many obfuscations. (Broken obfuscations disappear quite quickly). For your own protected/obfuscated SWF files, we provide support case by case basis. "
0
 
LVL 4

Expert Comment

by:MattKenefick
ID: 22850758
Point is, any of these "encryption"s are nothing more than a temporary fix. It's the same reason why DVDs and Software can't help but be pirated. They spend thousands in anti-piracy software, then in 2 days... it's been torn apart and located in torrents.

If Adobe can't protect their CSx Suite, what makes you think you can protect your SWF?
0
 

Author Comment

by:davideo7
ID: 22850809
Not sure if you guys are familiar with newgrounds but they recommend 'SWF Protect'
http://www.swfprotect.net/

0
 
LVL 4

Expert Comment

by:MattKenefick
ID: 22851612
Honestly though,

What are you protecting that hasn't already been made?
What ground-breaking revolutionary SWF did you create that no one else should have?

I realized this a while ago that there's nothing I can make that others can't. If you make something good enough, and people use it, you'll be known for it. You might as well just take an active step in the community to help others learn than keep it all for yourself.


Buy some encryption software, it may protect it for a week or from a fair group of people, but it's never gonna be fool-proof. It'll get cracked sooner or later just like everything else.
0
 

Author Comment

by:davideo7
ID: 22851794
Well actually I'm working on developing a flash game site which will have a small membership fee which will contain christian flash games exclusive to the site.  And I've already got many churches and about 500+ pre-registered members so it's very important that these games don't get stolen and placed on other sites since they are suppose to be exclusive to mybiblegames.com
0
 
LVL 4

Expert Comment

by:MattKenefick
ID: 22851881
What makes you think someone would want to steal them?

If anyone wants something bad enough, they can get it. Anything you do is only a deterrent.
0
 

Author Comment

by:davideo7
ID: 22851962
I think someone would want to steal them to put them up on other sites, it happens all the time.  There are tons of sites that will try and steal flash games and put them on their own site.
0
 
LVL 4

Expert Comment

by:MattKenefick
ID: 22851996
ok.. well.. if they do the code below.. it'll be on their site but actually showing your site and there's absolutely nothing possible you can do about that.

As noble as the efforts may be, it is futile.
<iframe src="http://mybiblegames.com/game1.swf" width="550" height="400" frameborder="0"></iframe>

Open in new window

0
 

Author Comment

by:davideo7
ID: 22852320
How would they know what the URL of the game is though?  I have a flash clip which is responsible for loading the url's and the flash loader doesn't know that the url's are that it's loading until it uses PHP to connect to the database to find out what that URL is.  Also, the games on the website can only be played if the user is logged in.
0
 
LVL 34

Expert Comment

by:Aneesh Chopra
ID: 22852428
MatKenefick comment:
"If Adobe can't protect their CSx Suite, what makes you think you can protect your SWF? "

Adobe actually does not want to make his software protection so strong that it can't be broken..
Even most of the big companies uses this approach..
reason is: 90% of users who actually made Flash what it is today are developers who dont have money to buy it. But they contribute in many ways in the development and improvement of such big softwares.

secondly,
here author is asking for the available solution to protect his work, so I suggested the best available option
till date, atleast SWFEncrypt's encrypted SWF can't be decompile at least till today.



0
 
LVL 4

Expert Comment

by:MattKenefick
ID: 22852440
If you have something as simple as FireFox's Firebug or Safari's activity monitor, you can see every file loaded.

So even if you load your game into a container like..

container.swf ->loads -> game.swf

They'll see both of them and can just click game.swf to download it


There's really no avoiding it, I'm telling you. I spent months going over every possibility.
0
 

Author Comment

by:davideo7
ID: 22852553
Than perhaps I could make some of the important code to the game load into it dynamically from a database using PHP.  So if they did download the flash game, it wouldn't contain all the necessary code because the .swf file wouldn't actually contain all the code needed, it would have to load it from a database and using PHP I can detect where that .swf file is requesting that code and if it's not on my domain, it would not send the missing code into the .swf file.

Would that work?
0
 
LVL 4

Expert Comment

by:MattKenefick
ID: 22852584
You can't dynamically compile code into the SWF file.
How would you prevent them from accessing http://www.mybiblegames.com/codefile.php?

Short answer: No.
0
 

Author Comment

by:davideo7
ID: 22852607
Sure you can.  Some of the variables would be empty until they load information from a database.  Maybe I missed something somewhere when I studied PHP but you can't actually steal a PHP file from a server because it gets ran on the server, not the users machine.
0
 
LVL 4

Expert Comment

by:MattKenefick
ID: 22852760
They wouldn't need to TAKE your PHP. They could just link to it. Your Flash file will be doing the same thing.

If they IFRAME your SWF, it works just asif it were on your site.. cause technically it IS on your site. The way you'd bypass that is to include FlashVars in your Javascript embedding... but then they could just add them on the end of the URL to the swf like game.swf?var1=this&var2=something.

As much as you want to protect it, you're fighting a losing battle and I am no longer going to participate in this thread because I know it cannot be done but you do not want to accept it.
0
 

Author Comment

by:davideo7
ID: 22852864
Well you got 2 problems there.

1. The PHP wouldn't send the variable data if the flash file wasn't on the domain name.
2. If they iframed the swf file, they would have to be logged in to play the game anyway.  All the games on my site aren't going to play unless the user is logged in.

Additionally, how are they going to find the url of the swf file?  That information would be sent to the flash loader from a database using PHP.
0
 
LVL 34

Expert Comment

by:Aneesh Chopra
ID: 22852950
MattKenefick,
you are really misleading the author,
I simply said that SWFEncrypt can protect SWF actionscript code and I assure it 100% that noone till date can decompile and reuse encrypted code..

I have given a link to the protected SWF also and this SWF is coded to run through my server only,
http://www.aneeshchopra.com/work/pageflip2/advancedPageFlip.swf

I challenge that if you can steal code from it or make it run from any other server, I will eat up my words.

if you can't break it then I request, please dont say that SWF code can't be protected.


0
 
LVL 4

Assisted Solution

by:MattKenefick
MattKenefick earned 125 total points
ID: 22853163
/*

    swfdecrypt: arc_'s unpacker for the commercial SWF Encrypt 4.0 Flash protection program
      (http://www.amayeta.com/software/swfencrypt/)

    The fun thing is their "protector" doesn't actually *encrypt* anything (not that that would be
    possible with ActionScript in the first place). Merely two obfuscation tricks are used:
    - An .swf file consists of a series of tags: blocks that can contain shapes, sounds, movies... and
      code. the first obfuscation trick moves the code of a code tag into a new tag just before
      it; this new tag gets a type number (253) that doesn't correspond to an existing type, thereby
      making decompilers ignore it. The original code tag is kept but filled with junk code.
      The only useful things in this garbage are the constants declaration and a jump instruction
      to the 253 tag.
      This trick is used with little variation on pretty much all tags that contain code.
    - A second obfuscation trick just places the code to be hidden in an instruction with an
      invalid opcode (0xFC) in the middle of the junk code.
    - For some code tags a different technique is used: a bit of junk code followed by the old
      jump-into-middle-of-instruction trick to confuse decompilers. Just removing this code (first
      0x2A bytes) fixes it.

   


General working procedure:

- iterate over tags
  - when we encounter a tag containing code:
    - if it contains special meta information (f.e. DefineButton2), copy it over
    - make sure the code starts with 9B 07 00 01 02 00 00 00
    - scan the tag for a constants definition where the constant names only have readable names.
      if found, copy it over
    - follow the backward branch at the end of the 253 tag preceding the tag to get to
      the actual code
  - if the tag code on the other hand starts with
      96 03 00 00 09 00 96 05 00 07 02 00 00 00 3C 96
      03 00 00 09 00 88 09 00 03 00 20 00 01 01 00 02
      00 1C 9D 02 00 03 00
    it's the splice jump trick. just drop the first 0x2A bytes from the code.
    (this code contains a constants declaration with some junk entries. one might think
    that the "real" constants declaration will be appended to this, and that therefore
    the constants references in the code need to be adjusted when the junk constants
    are dropped. luckily, a constants declaration *replaces* any previous ones, so there's
    no problem.)


    tags that contain code are:
    - 12: DoAction         -> contains just raw code
    - 26: PlaceObject2     -> skip a whole lot of structures that may or may not be there depending on flags
    - 34: DefineButton2    -> cond blocks start at tag_data + 3 + word ptr [tag_data+3].
    - 39: DefineSprite     -> skip four bytes and read tags until End tag is encountered
    - 59: DoInitAction     -> skip first two bytes (sprite ID)

    - 253: move the code over to the code tag that follows and drop this one


    may contain code but are apparently not used:
    too old:
      - 7:  DefineButton

      too new:
    - 70: PlaceObject3
    - 72: DoABC
    - 82: DoABCDefine


    When there are multiple code blocks in one tag (for example multiple conditions on DefineButton2),
    the code is arranged as follows in the 253 tag:

  enter2_cond1:
    <code cond1>
    jmp ret1_cond1
  enter1_cond1:
    jmp enter2_cond1

  enter_cond2:
    <code cond2>
    jmp ret_cond2        -> return to junk code
    jmp enter_cond2      <- junk code jumps here
  ret1_cond1:
    jmp ret2_cond1       -> return to junk code
    jmp enter1_cond1     <- junk code jumps here

*/
0
 
LVL 37

Assisted Solution

by:CyanBlue
CyanBlue earned 50 total points
ID: 22853230
I honestly do not understand why people are so obsessed with the encryption...  
There are people who uses decompiler to see what's in there, and there are people who creates encryption software to prevent that... and that's like a merry-go-round which never ends because people are keep creating better software...

I see SWFEncrypt works pretty well, and there is going to be somebody who will create something that will break that software, and SWFEncrypt people will find a way to stop that happening...
There is so much you can do to prevent a thief by adding multiple locks and electric devices, but you cannot simply prevent the theft 100%...  But adding multiple protection does give you a peace of mind...  Nothing more than that, nothing less than that...  That's how I see it...

If there was a way to really stop it, M$ should have done it long time ago...  I do agree that you get more user base by not shooting those people who steal, but that would never happen if M$ knows how to block them...

My 2 cents on this whole issue is that you've got to use the tool that's available in the market because that will give you some protection for now, but do not forget that there always will be somebody who will break that protection...  So, make sure you always keep an eye on the trend...

Oh, my piece of advice...  Throw in something visible that tells where it should be...  I mean things like watermark or your company logo and stuff into the location where it cannot be hidden...  Lots of people put their company name and sort at the bottom of the screen with nice background...  Well...  You can simply hide that by reducing the iframe size, and you don't have that anymore...  

CyanBlue
0
 
LVL 2

Expert Comment

by:Anniyan
ID: 23002270
yes its not encryption... its just obfuscation.. just like .NET code...
may be aneesh is right... has anyone broken that work  done by SWF encrypt ?
0

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Introduction This article is primarily concerned with ActionScript 3 and generally specific to AVM2.  Most suggestions would apply to ActionScript 2 as well, and I've noted those tips that differ between AS2 and AS3. With the advent of ActionS…
The last time I worked with Flash and Socket connections was in AS1. A recent project required flash connecting to a Socket, and sending receiving information - we figured it would be easy enough - we all know about the socket policy documents and c…
The goal of the tutorial is to teach the user how to how to load their YouTube profile onto Flash Media Live Encoder.
The goal of the tutorial is to teach the user how to use the auto adjust feature and what the different options do. When your video is not working right you can choose the auto adjust feature to help choose your settings.
Suggested Courses

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question