I am building an online game, similar to a flash online game, but using HTML only. (HTML5)
I would like to prevent people from copying it and putting the game on their site.
With flash, I used to do this by adding the URL check to make sure it was running on my site, but this seems useless if i can only put the check in Javascript.
Is there anything that can prevent someone from simply copying the game?
as a followup..
Can I protect the source at all? (aside from obfuscation with javascript.)
Thanks!
Unfortunately if the game engine is 100% JavaScript, the most practical way to do this would be with obfuscating your code. Here's a link to a site that does just that.
However, by using Ajax which allows your client side script to communicate with your server, you can store the majority of your game's logic and functionality on your server in any type of server-side scripting such as PHP.
Basically your PHP (or some other language) files on your site would get requests from the user's machine to make decisions about logic in the game whenever logic is needed for the game to function, and your server would respond, all through using Ajax. Then someone could only really copy half of your game - that part stored in JavaScript.
The one downside with this method is that it may slow down the user's game drastically due to having to communicate with the server constantly.
Hope this helped and made sense!
No way to do this, it's the nature of the web. Your best bet is obfuscating your code.
Related
I need my Flash client to communicate with a server securely (through binary sockets). For this, I was thinking of embedding a pre-shared key inside the AS3 code and exchanging XORed data through a custom protocol.
I am told that SWF decompilers do a good job at making all embedded code clearly apparent and readable. Does this mean that I can't really hide my key?
If this method is impractical, what other options are there? I have tried as3crypto, only to find that it's full of shortcomings and lacks serious documentation.
You cannot hide your key at all - SWF is totally untrusted, can be easily decompiled. It's pretty difficult to deal with security with SWF's because they run on the client and are not trusted.
It might depend specifically on what you are trying to accomplish with secure communication. For instance, if you are trying to secure a high-score system that is pretty much impossible because the game runs on the client (the SWF) and they can manipulate it to spit out any score they want to the server. Here is a good read on this: What is the best way to stop people hacking the PHP-based highscore table of a Flash game
If you can use the SWF only as a front-end UI and all logic takes place on the back-end, then you can secure your application (using the above highscore example, if the game was not an AS3 game but actually ran on the server itself, it would be a lot easier to secure, because the backend is trusted and cannot be modified or viewed by a user), but if the logic takes place on the SWF then you are pretty much out of luck.
I am making a Flash game that stores user's statistics from previous sessions. I would also like to maintain some sort of leader board as well.
After I posted, I realized I was asking the wrong question. I feel that shared objects are the proper solution to this problem rather than using a database. Any further feedback for implementing shared objects is welcome.
Thanks for any feedback.
You can not directly query MySQL database table from Flash game, you must have some server-side technology backing you up for the job.
I would suggest using some PHP or Ruby - or whatever is easily available to you for the job.
Flash is going to be rendered on Client browser (as swf) and won't be in touch with server as it will be served as a static resource by the web browser.
I hope this reply will help you moving towards right direction.
As Dharmavir mentioned, you cannot process MySQL queries through Flash (AS*).
That said, its pretty easy to setup Flash to communicate with remote scripts, as it has the ability to POST/GET data through requests.
There are many tutorials on this.
First, write a simple script to input the data into the DB. I recommend using PHP (I think its the easiest to learn tbh).
If this is your first time performing queries with PHP, I also recommend using Prepared Statements instead of mysql_*.
Once you have your script setup, you can then move onto processing a request from your flash app to your script (which is also pretty easy).
I found a tutorial series on making a chat app with flash and PHP. The tutorial includes making requests to PHP scripts and inputting data to SQL DBs, so it should help you:
http://www.youtube.com/watch?v=XeWKauwFUEQ < This tutorial is split into many different videos. take a look at the suggestions to find the others.
I'm working on a little networked flash game. I have my own server built in C/Linux and I connect to the server via a flash socket. I'm debating whether to put the heavy load of game logic on the client or on the server. The main concern is someone hacking the code and ruining the game for others.
Even if I put as much logic on the server as I can, if someone can hack the code and figure out my messages that are sent to the server it seems impossible to stop all intrusions.
How should I handle this and how worried should I be about AS3 hackers?
I gave a talk on a conference 2 years ago about protecting flash games. Check out the slides.
Yes, it is pretty easy to decompile a swf and modify it as desired. The risk is fairly low, but if there is some large possible monetary reward, then yes I would be careful.
So, my advice is:
Don't put high risk logic on the client
But do put high cost algorithms on the client.
Edit: I would like to add one more point. If the server is relying on the client to it some state of the game, you can also proxy, inspect, and then modify the requests with a tool like Charles. Someone can use this tool to setup breakpoints on requests, and then modify the results before forwarding them to the server. It is even easier than decompiling and modifying a swf.
The lesson is, you should never rely on having an honest client.
Flash code is incredibly easy to hack. I may be wrong, but I think that when you decompile a swf, it's a full decompile - it gives you the original names of the variables and everything. It's also fairly easy to use tools like Cheat Engine to modify memory while the game is running. Unless you intentionally obfuscate your code and your data structures, I'd recommend putting most computation on the server.
I'm looking for a way to allow a user to upload a large file (~1gb) to my unix server using a web page and browser.
There are a lot of examples that illustrate how to do this with a traditional post request, however this doesn't seem like a good idea when the file is this large.
I'm looking for recommendations on the best approach.
Bonus points if the method includes a way of providing progress information to the user.
For now security is not a major concern, as most users who will be using the service can be trusted. We can also assume that the connection between client and host will not be interrupted (or if it is they have to start over).
We can also assume the user is running a browser of supporting most modern features (JavaScript, Flash, etc)
edit
No language requirements. Just looking for the best solution.
There are several ways to handle this,
1. Flash Uploader
Theres plenty of flash uploaders to improve the users GUI so that they can examine the process and the process factors such as time left, KB Done etc.
This is very good if you understand how to improve Flash source code for later developments.
2. Ajax
Theres a few ways using Ajax and PHP (although PHP Does not support it) you can use Perl module to accomplish the same thing http://pecl.php.net/package/uploadprogress, This is only if you wish to show percentage information etc.
3 Basic Javascript.
This method would be just the regular form, but with some ajax styling so when the form is submitted you can show a basic loader saying please wait while you send us the file...
If your using asp, you can take a look at: http://neatupload.codeplex.com/
Hope theres some good information to get you on your way.
Regards
Not sure about your language requirements, but you can look e.g. into
http://pypi.python.org/pypi/gp.fileupload/
Supports progress information also, btw.
I have used the dojo FileUploader widget to reliably upload audio files greater than a gigabyte with a progress bar. Though you said security was not an issue, I'd like to say that I got HTTPS uploads w/cookie based authentication hooked up flawlessly.
See: http://www.sitepen.com/blog/2008/09/02/the-dojo-toolkit-multi-file-uploader/ and
http://api.dojotoolkit.org/jsdoc/1.3/dojox.form.FileUploader
Is there a reliable way of preventing my actionscript code (as2 or as3) from being copied (e.g. if there's some IP in it)?
I know there are tools that can decompile flash code so it's easily reverse-engineered and I've also seen a few tools that claim to be able to obfuscate actionscript code in such a way that it's not steal-able, but I wonder how reliable they are...
Do you know? Thanks!
It is by definition imposible to prevent it.
The reason is simple, the code needs to run on the client, so the client needs to be able to read it.
The best you can do is to make so hard (time demanding) to do that it's not profitble.
Flash has a built in feature to protect againt decompiling with a password. I'm not sure exactly how it works, I guess some form of encryption.
You can try and spil sensetive data up and join it at runtime, og encrypt it and get the descryption key from the server.
But in the end there's nothing you can really do. Unless you wan't the users to input the encryption key (password or a file).
There is no build in encryption in Flash but there is a couple of free librarys like crypto lib http://code.google.com/p/as3crypto/.
I've found no reliable and sustainable way to obfuscate the code. If there's a way to obfuscate the code, I'd bet that:
it would affect the performance of your code
it would be just a matter of time before someone makes/finds a decompiler for that obfuscation method
I wouldn't consider a good practice to rely on the security of your client code. Even if the code couldn't be decompiled, the swf is run on the client and communicates with the Internet via a network connection the user has access to. The packets can be sniffed and all the data that's being transfered can be easily analyzed.
I think you should find a way to develop a secure application, even considering that the client knows everything you do. You should try to use server-side constraints and filter all inputs before using them. Also, requesting all the sensitive data from a server-side script, instead of embedding it in your AS code could be a good start.