[casual_games] Current advice on SWF encryption?

Austin Haas austin at pettomato.com
Sun Mar 8 20:47:50 EDT 2009



I haven't used any commercial swf tools, so I can't comment on any specifically, but I have written a swf decompiler and obfuscator, so I am somewhat familiar with the issues. The only game that I have released independently (i.e., not work-for-hire) also used Mochi Media's protection system, which comes free with using their ad system.

The best I can offer is some notes:

In my experience, if you put a Flash game online, several dozen sites will immediately cherry-pick it and put it on their site. I did the site-locking thing, but made the game revert to a demo mode when used off of one of my sites. To my knowledge, everyone who has stolen the game has been content enough with the demo mode. I think there are so many Flash games out there that most sites will just take whatever they can get easily. But, maybe some people have been foiled by the Mochi system as well; I don't know. If you've created the next Bejeweled, then you might have more to worry about. But, in that case, your first mistake was using Flash.

Even if your swf could be fully encrypted, pirate sites will work around it by placing an ad on a layer above your game while your game's ad is hidden underneath, or at least, just before your game starts. However, ads on pages pay a lot more than in-game ads these days, so many sites are more than willing to let your ads run in the game, so long as they have new content on their site.

I think the best protection systems are probably the ones that work like the Mochi system. They encrypt the swf and then use a second host swf to decrypt it on the fly. Of course, someone can decompile the host swf, figure out the encryption method, etc., but that's a lot more work than just using an off-the-shelf tool to replace a string (e.g., your url to the ad server) in the string table.

Methods that call back to a server can also help. For instance, your game could call back to the server when it loads to see if it's being played on an allowed domain. Circumventing that might require the pirate to recode portions of the game or try to mirror the functionality on their server, which could be a major pain.

The word "encrypt" is often abused by swf protection vendors. Most often they are selling obfuscators. Some are designed to prevent disassembly of the swf into source code, but that isn't necessarily going to do anything to prevent the much simpler task of changing a url in the swf string table.

I'm guessing that you either want a tool that can do the full swf encryption with the separate host decrypter, or you want something that can encrypt the strings (I believe I've seen that advertised) and then also do the obfuscation features that make it a hassle to recompile from source (e.g., replacing all identifiers with names that the Adobe compiler doesn't like).

I hope that helps some.

-austin

--
Austin Haas
Pet Tomato, Inc.
http://pettomato.com

On Mon Mar 09 08:56 , Matthew Ford wrote:

> Thanks Austin, those are good questions.

>

> 1. This is my chief concern: I want to avoid someone from stealing my game,

> pulling out my imbedded ads, perhaps putting in their own, and hosting it or

> posting it on some other game portal.

>

> 2. I'm only mildly concerned about my source code being used for any other

> purpose-- I don't write very good code yet. :)

>

> 3. I'm not concerned about multiplayer cheating.

>

> 4. I'm not concerned about exposure of any trade secrets in the source.

>

> True enough, nothing can be fully protected. I just hope to become a tougher

> target than seems worth the effort to crack.

>

> Thanks for any help!

>

> * * *

> Matthew Ford - matthew at fordfam dot com - http://www.fordfam.com/matthew

>

>

> -----Original Message-----

> From: casual_games-bounces at igda.org [mailto:casual_games-bounces at igda.org]

> On Behalf Of Austin Haas

> Sent: Monday, 9 March 2009 12:14 AM

> To: IGDA Casual Games SIG Mailing List

> Subject: Re: [casual_games] Current advice on SWF encryption?

>

>

> It might help if you said what your goals were. For instance,

>

> 1. Are you trying to keep someone from stealing your game and hosting it on

> their site?

> 2. Do you want to prevent someone from using your source code?

> 3. Do you want to prevent people from cheating in a multiplayer game?

> 4. Are you trying to protect some secret embedded in the source code?

>

> Those problems may have different solutions.

>

> FWIW, you can never fully protect an online playable swf from

> decompilation/dissassembly.

>

> -austin

>

> --

> Austin Haas

> Pet Tomato, Inc.

> http://pettomato.com

>

> On Sun Mar 08 17:13 , Matthew Ford wrote:

> > *crickets*

> >

> >

> >

> > Sorry to repeat my question but there must be somebody who has a bit of

> > advice to give on SWF decryption? There are many packages to choose from

> and

> > I can't tell which ones are good, so any testimonials from hands-on

> > experience would be helpful. Again, apologies for the repeat, but this

> list

> > is my best resource for this kind of question.

> >

> >

> >

> > From: Matthew Ford [mailto:matthew at fordfam.com]

> > Sent: Friday, 6 March 2009 3:48 PM

> > To: (casual_games at igda.org)

> > Subject: Current advice on SWF encryption?

> >

> >

> >

> > Hello all-been on the list for years and I think this may be my 4th post

> as

> > I am mostly an absorber of advice, not an emitter yet. I am an indie

> > developer, ex-game-industry designer and producer. See more at

> > http://www.digitalcream.com.au/blog/ , http://twitter.com/MatthewMFord,

> etc.

> >

> >

> >

> > I am very soon going to be opening up private alpha testing of my Flash

> > game, Taboo Snaps, and it's time to look at SWF encryption. I had heard on

> > this list that www.amayeta.com was good but elsewhere I read that it has

> > been cracked. So I'd appreciate any advice on the current best encryption

> > software and advice for keeping it hard to crack.

> >

> >

> >

> > I am currently sitelocking the game (swf checks it own loaderInfo.url and

> > dies if it's not my home domain) but eventually I will want the swf to be

> > spread far and wide-it has imbedded ads and will revert to a demo mode if

> > not on a blessed domain. So though sitelocking is some protection, of

> course

> > if it is decrypted that sitelock can be taken out.

> >

> >

> >

> > I also have the game load XML files from my home domain and do sitelocking

> > for that with my crossdomain.xml, but again, it can be got around once

> > decrypted.

> >

> >

> >

> > Please catch me up on the latest greatest advice on encryption software

> and

> > techniques, and of course let me know if any of the above is nonsensical!

> >

> >

> >

> > Kind regards,

> >

> > Matthew Ford

> >

> > Matthew at fordfam dot com

> >

> > http://www.digitalcream.com.au/blog/

> >

> > http://twitter.com/DCgames

> >

> > http://twitter.com/MatthewMFord

> >

> > http://www.fordfam.com/matthew

> >

>

> > _______________________________________________

> > Casual_Games mailing list

> > Casual_Games at igda.org

> > http://www.igda.org/casual-subscribe

> > Archive: http://www.igda.org/casual-subscribe

> > Archive Search:

> http://www.google.com/coop/cse?cx=010373383720242846960%3Az3tdwggxil8

> > List FAQ:

> http://www.igda.org/wiki/index.php/Casual_Games_SIG/Casual_Games_List_FAQ

>

>

> _______________________________________________

> Casual_Games mailing list

> Casual_Games at igda.org

> http://www.igda.org/casual-subscribe

> Archive: http://www.igda.org/casual-subscribe

> Archive Search:

> http://www.google.com/coop/cse?cx=010373383720242846960%3Az3tdwggxil8

> List FAQ:

> http://www.igda.org/wiki/index.php/Casual_Games_SIG/Casual_Games_List_FAQ

> No virus found in this incoming message.

> Checked by AVG - www.avg.com

> Version: 8.0.237 / Virus Database: 270.11.3/1974 - Release Date: 03/06/09

> 19:17:00

>

> _______________________________________________

> Casual_Games mailing list

> Casual_Games at igda.org

> http://www.igda.org/casual-subscribe

> Archive: http://www.igda.org/casual-subscribe

> Archive Search: http://www.google.com/coop/cse?cx=010373383720242846960%3Az3tdwggxil8

> List FAQ: http://www.igda.org/wiki/index.php/Casual_Games_SIG/Casual_Games_List_FAQ

>




More information about the Casual_Games mailing list