Solved

What is the best way to ensure that my flash game doesn't get stolen? Would having it load into another flash clip prevent this?

Posted on 2008-10-30
25
462 Views
Last Modified: 2013-11-11
What is the best way to ensure that my flash game doesn't get stolen? Would having it load into another flash clip prevent this?

And also, does loading 1 flash clip into another cause the loaded flash clip to have the same FPS as the loading flash clip?
0
Comment
Question by:davideo7
  • 11
  • 7
  • 5
  • +2
25 Comments
 
LVL 4

Expert Comment

by:MattKenefick
Comment Utility
I've done very deep extensive research and it's impossible to prevent.

I've try nesting in anonymous clips from sources that don't identify as flash, clearing and disallowing all cache, obscuring everything, and so on. I've exhausted the possibilities and there is always a way to get it. Wireshark, cURL POSTs, Firebug, there's always something.

Unfortunately, the only thing you can try to do is encrypt it, but there are programs that will decrypt it.

Sorry.
0
 
LVL 34

Accepted Solution

by:
Aneesh Chopra earned 325 total points
Comment Utility
with due respect, I disagree with MatKenefick comments,
it is possible to protect your actionscript code,

restrict your game to run through your domain only, using following code:

if(_url.indexOf("http://www.mydomain.com") == -1)
{
  // add action to stop execution of SWF
}

next step is to use SWFencrypt to encrypt your SWF, ( http://www.amayeta.com/software/swfencrypt/ )

this encryption tool is on top since last 2 years, not a single SWF decompiler managed to crack its encryption..

most of the corporate flash websites are using its encryption services now a days,
for example:
http://www.flashden.net/
http://www.afcomponents.com/

you can try downloading SWFs from these websites and try decompiling to ensure the code security..

-------------------
Aneesh Chopra
-------------------
0
 
LVL 4

Assisted Solution

by:MattKenefick
MattKenefick earned 125 total points
Comment Utility
Everything at FlashDen is decompilable so I'm not sure what you're talking about @aneeshchopra.
And trust me, it cannot be protected. For it to be visible on the clients machine, it has to be on their computer and readable...

How come someone can't download his swf, decompile it, remove that line, and then recompile it?

And if he was afraid of it *appearing* on someone elses site, which is the only thing your code will HELP (not solve) with... they could just iframe it which makes it pointless. Trust me, I'm 100% right on this issue. I've spent months and months on this particular topic.
0
 
LVL 34

Assisted Solution

by:Aneesh Chopra
Aneesh Chopra earned 325 total points
Comment Utility
Ok, I agree that my pointer to Flashden.net is not correct,
but I still assure that actionscript code encrypted using SWFEncrypt can be decompiled..

all flashcomponents at http://www.afcomponents.com/ are encrypted using SWFEncrypt,

for a test, anyone can download the following SWF and let me know if it can be decompiled
http://www.aneeshchopra.com/work/pageflip2/
0
 
LVL 34

Expert Comment

by:Aneesh Chopra
Comment Utility
correction:
but I still assure that actionscript code encrypted using SWFEncrypt CANNOT be decompiled..
0
 
LVL 4

Expert Comment

by:MattKenefick
Comment Utility
"Can open most obfuscated/protected SWFs. Alhough this is not an 'official' feature, ASV bypasses many obfuscations. (Broken obfuscations disappear quite quickly). For your own protected/obfuscated SWF files, we provide support case by case basis. "
0
 
LVL 4

Expert Comment

by:MattKenefick
Comment Utility
Point is, any of these "encryption"s are nothing more than a temporary fix. It's the same reason why DVDs and Software can't help but be pirated. They spend thousands in anti-piracy software, then in 2 days... it's been torn apart and located in torrents.

If Adobe can't protect their CSx Suite, what makes you think you can protect your SWF?
0
 

Author Comment

by:davideo7
Comment Utility
Not sure if you guys are familiar with newgrounds but they recommend 'SWF Protect'
http://www.swfprotect.net/

0
 
LVL 4

Expert Comment

by:MattKenefick
Comment Utility
Honestly though,

What are you protecting that hasn't already been made?
What ground-breaking revolutionary SWF did you create that no one else should have?

I realized this a while ago that there's nothing I can make that others can't. If you make something good enough, and people use it, you'll be known for it. You might as well just take an active step in the community to help others learn than keep it all for yourself.


Buy some encryption software, it may protect it for a week or from a fair group of people, but it's never gonna be fool-proof. It'll get cracked sooner or later just like everything else.
0
 

Author Comment

by:davideo7
Comment Utility
Well actually I'm working on developing a flash game site which will have a small membership fee which will contain christian flash games exclusive to the site.  And I've already got many churches and about 500+ pre-registered members so it's very important that these games don't get stolen and placed on other sites since they are suppose to be exclusive to mybiblegames.com
0
 
LVL 4

Expert Comment

by:MattKenefick
Comment Utility
What makes you think someone would want to steal them?

If anyone wants something bad enough, they can get it. Anything you do is only a deterrent.
0
 

Author Comment

by:davideo7
Comment Utility
I think someone would want to steal them to put them up on other sites, it happens all the time.  There are tons of sites that will try and steal flash games and put them on their own site.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 4

Expert Comment

by:MattKenefick
Comment Utility
ok.. well.. if they do the code below.. it'll be on their site but actually showing your site and there's absolutely nothing possible you can do about that.

As noble as the efforts may be, it is futile.
<iframe src="http://mybiblegames.com/game1.swf" width="550" height="400" frameborder="0"></iframe>

Open in new window

0
 

Author Comment

by:davideo7
Comment Utility
How would they know what the URL of the game is though?  I have a flash clip which is responsible for loading the url's and the flash loader doesn't know that the url's are that it's loading until it uses PHP to connect to the database to find out what that URL is.  Also, the games on the website can only be played if the user is logged in.
0
 
LVL 34

Expert Comment

by:Aneesh Chopra
Comment Utility
MatKenefick comment:
"If Adobe can't protect their CSx Suite, what makes you think you can protect your SWF? "

Adobe actually does not want to make his software protection so strong that it can't be broken..
Even most of the big companies uses this approach..
reason is: 90% of users who actually made Flash what it is today are developers who dont have money to buy it. But they contribute in many ways in the development and improvement of such big softwares.

secondly,
here author is asking for the available solution to protect his work, so I suggested the best available option
till date, atleast SWFEncrypt's encrypted SWF can't be decompile at least till today.



0
 
LVL 4

Expert Comment

by:MattKenefick
Comment Utility
If you have something as simple as FireFox's Firebug or Safari's activity monitor, you can see every file loaded.

So even if you load your game into a container like..

container.swf ->loads -> game.swf

They'll see both of them and can just click game.swf to download it


There's really no avoiding it, I'm telling you. I spent months going over every possibility.
0
 

Author Comment

by:davideo7
Comment Utility
Than perhaps I could make some of the important code to the game load into it dynamically from a database using PHP.  So if they did download the flash game, it wouldn't contain all the necessary code because the .swf file wouldn't actually contain all the code needed, it would have to load it from a database and using PHP I can detect where that .swf file is requesting that code and if it's not on my domain, it would not send the missing code into the .swf file.

Would that work?
0
 
LVL 4

Expert Comment

by:MattKenefick
Comment Utility
You can't dynamically compile code into the SWF file.
How would you prevent them from accessing http://www.mybiblegames.com/codefile.php?

Short answer: No.
0
 

Author Comment

by:davideo7
Comment Utility
Sure you can.  Some of the variables would be empty until they load information from a database.  Maybe I missed something somewhere when I studied PHP but you can't actually steal a PHP file from a server because it gets ran on the server, not the users machine.
0
 
LVL 4

Expert Comment

by:MattKenefick
Comment Utility
They wouldn't need to TAKE your PHP. They could just link to it. Your Flash file will be doing the same thing.

If they IFRAME your SWF, it works just asif it were on your site.. cause technically it IS on your site. The way you'd bypass that is to include FlashVars in your Javascript embedding... but then they could just add them on the end of the URL to the swf like game.swf?var1=this&var2=something.

As much as you want to protect it, you're fighting a losing battle and I am no longer going to participate in this thread because I know it cannot be done but you do not want to accept it.
0
 

Author Comment

by:davideo7
Comment Utility
Well you got 2 problems there.

1. The PHP wouldn't send the variable data if the flash file wasn't on the domain name.
2. If they iframed the swf file, they would have to be logged in to play the game anyway.  All the games on my site aren't going to play unless the user is logged in.

Additionally, how are they going to find the url of the swf file?  That information would be sent to the flash loader from a database using PHP.
0
 
LVL 34

Expert Comment

by:Aneesh Chopra
Comment Utility
MattKenefick,
you are really misleading the author,
I simply said that SWFEncrypt can protect SWF actionscript code and I assure it 100% that noone till date can decompile and reuse encrypted code..

I have given a link to the protected SWF also and this SWF is coded to run through my server only,
http://www.aneeshchopra.com/work/pageflip2/advancedPageFlip.swf

I challenge that if you can steal code from it or make it run from any other server, I will eat up my words.

if you can't break it then I request, please dont say that SWF code can't be protected.


0
 
LVL 4

Assisted Solution

by:MattKenefick
MattKenefick earned 125 total points
Comment Utility
/*

    swfdecrypt: arc_'s unpacker for the commercial SWF Encrypt 4.0 Flash protection program
      (http://www.amayeta.com/software/swfencrypt/)

    The fun thing is their "protector" doesn't actually *encrypt* anything (not that that would be
    possible with ActionScript in the first place). Merely two obfuscation tricks are used:
    - An .swf file consists of a series of tags: blocks that can contain shapes, sounds, movies... and
      code. the first obfuscation trick moves the code of a code tag into a new tag just before
      it; this new tag gets a type number (253) that doesn't correspond to an existing type, thereby
      making decompilers ignore it. The original code tag is kept but filled with junk code.
      The only useful things in this garbage are the constants declaration and a jump instruction
      to the 253 tag.
      This trick is used with little variation on pretty much all tags that contain code.
    - A second obfuscation trick just places the code to be hidden in an instruction with an
      invalid opcode (0xFC) in the middle of the junk code.
    - For some code tags a different technique is used: a bit of junk code followed by the old
      jump-into-middle-of-instruction trick to confuse decompilers. Just removing this code (first
      0x2A bytes) fixes it.

   


General working procedure:

- iterate over tags
  - when we encounter a tag containing code:
    - if it contains special meta information (f.e. DefineButton2), copy it over
    - make sure the code starts with 9B 07 00 01 02 00 00 00
    - scan the tag for a constants definition where the constant names only have readable names.
      if found, copy it over
    - follow the backward branch at the end of the 253 tag preceding the tag to get to
      the actual code
  - if the tag code on the other hand starts with
      96 03 00 00 09 00 96 05 00 07 02 00 00 00 3C 96
      03 00 00 09 00 88 09 00 03 00 20 00 01 01 00 02
      00 1C 9D 02 00 03 00
    it's the splice jump trick. just drop the first 0x2A bytes from the code.
    (this code contains a constants declaration with some junk entries. one might think
    that the "real" constants declaration will be appended to this, and that therefore
    the constants references in the code need to be adjusted when the junk constants
    are dropped. luckily, a constants declaration *replaces* any previous ones, so there's
    no problem.)


    tags that contain code are:
    - 12: DoAction         -> contains just raw code
    - 26: PlaceObject2     -> skip a whole lot of structures that may or may not be there depending on flags
    - 34: DefineButton2    -> cond blocks start at tag_data + 3 + word ptr [tag_data+3].
    - 39: DefineSprite     -> skip four bytes and read tags until End tag is encountered
    - 59: DoInitAction     -> skip first two bytes (sprite ID)

    - 253: move the code over to the code tag that follows and drop this one


    may contain code but are apparently not used:
    too old:
      - 7:  DefineButton

      too new:
    - 70: PlaceObject3
    - 72: DoABC
    - 82: DoABCDefine


    When there are multiple code blocks in one tag (for example multiple conditions on DefineButton2),
    the code is arranged as follows in the 253 tag:

  enter2_cond1:
    <code cond1>
    jmp ret1_cond1
  enter1_cond1:
    jmp enter2_cond1

  enter_cond2:
    <code cond2>
    jmp ret_cond2        -> return to junk code
    jmp enter_cond2      <- junk code jumps here
  ret1_cond1:
    jmp ret2_cond1       -> return to junk code
    jmp enter1_cond1     <- junk code jumps here

*/
0
 
LVL 37

Assisted Solution

by:CyanBlue
CyanBlue earned 50 total points
Comment Utility
I honestly do not understand why people are so obsessed with the encryption...  
There are people who uses decompiler to see what's in there, and there are people who creates encryption software to prevent that... and that's like a merry-go-round which never ends because people are keep creating better software...

I see SWFEncrypt works pretty well, and there is going to be somebody who will create something that will break that software, and SWFEncrypt people will find a way to stop that happening...
There is so much you can do to prevent a thief by adding multiple locks and electric devices, but you cannot simply prevent the theft 100%...  But adding multiple protection does give you a peace of mind...  Nothing more than that, nothing less than that...  That's how I see it...

If there was a way to really stop it, M$ should have done it long time ago...  I do agree that you get more user base by not shooting those people who steal, but that would never happen if M$ knows how to block them...

My 2 cents on this whole issue is that you've got to use the tool that's available in the market because that will give you some protection for now, but do not forget that there always will be somebody who will break that protection...  So, make sure you always keep an eye on the trend...

Oh, my piece of advice...  Throw in something visible that tells where it should be...  I mean things like watermark or your company logo and stuff into the location where it cannot be hidden...  Lots of people put their company name and sort at the bottom of the screen with nice background...  Well...  You can simply hide that by reducing the iframe size, and you don't have that anymore...  

CyanBlue
0
 
LVL 2

Expert Comment

by:Anniyan
Comment Utility
yes its not encryption... its just obfuscation.. just like .NET code...
may be aneesh is right... has anyone broken that work  done by SWF encrypt ?
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

This is intended to introduce all collision detection principles in flash, their strengths, weaknesses and workarounds. The main method for Collision Detection in flash is using hitTestObject. But unless you'll be pushing rectangular shapes without …
I come across a lot of question about how to access things in the document class from a movieclip, or accessing something from a movieclip in the document class. It took me a while to figure this out but once I did it makes life so much easier. …
The goal of the tutorial is to teach the user how to how to record live broadcast.
The goal of the tutorial is to teach the user how to set there setting in Adobe Flash Media Live Encoder and YouTube for optimal video and audio quality.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now