[casual_games] Current advice on SWF encryption?

Matthew Ford matthew at fordfam.com
Wed Mar 11 19:29:34 EDT 2009

Previous message: [casual_games] Current advice on SWF encryption?
Next message: [casual_games] Current advice on SWF encryption?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Thanks very much for your help, Austin!

If anyone else has more advice, please let me know as I am about to take the
plunge...

* * *
Matthew Ford - matthew at fordfam dot com - http://www.fordfam.com/matthew

-----Original Message-----
From: casual_games-bounces at igda.org [mailto:casual_games-bounces at igda.org]
On Behalf Of Austin Haas
Sent: Monday, 9 March 2009 10:48 AM
To: IGDA Casual Games SIG Mailing List
Subject: Re: [casual_games] Current advice on SWF encryption?

I haven't used any commercial swf tools, so I can't comment on any
specifically, but I have written a swf decompiler and obfuscator, so I am
somewhat familiar with the issues. The only game that I have released
independently (i.e., not work-for-hire) also used Mochi Media's protection
system, which comes free with using their ad system.

The best I can offer is some notes:

In my experience, if you put a Flash game online, several dozen sites will
immediately cherry-pick it and put it on their site. I did the site-locking
thing, but made the game revert to a demo mode when used off of one of my
sites. To my knowledge, everyone who has stolen the game has been content
enough with the demo mode. I think there are so many Flash games out there
that most sites will just take whatever they can get easily. But, maybe some
people have been foiled by the Mochi system as well; I don't know. If you've
created the next Bejeweled, then you might have more to worry about. But, in
that case, your first mistake was using Flash.

Even if your swf could be fully encrypted, pirate sites will work around it
by placing an ad on a layer above your game while your game's ad is hidden
underneath, or at least, just before your game starts. However, ads on pages
pay a lot more than in-game ads these days, so many sites are more than
willing to let your ads run in the game, so long as they have new content on
their site.

I think the best protection systems are probably the ones that work like the
Mochi system. They encrypt the swf and then use a second host swf to decrypt
it on the fly. Of course, someone can decompile the host swf, figure out the
encryption method, etc., but that's a lot more work than just using an
off-the-shelf tool to replace a string (e.g., your url to the ad server) in
the string table.

Methods that call back to a server can also help. For instance, your game
could call back to the server when it loads to see if it's being played on
an allowed domain. Circumventing that might require the pirate to recode
portions of the game or try to mirror the functionality on their server,
which could be a major pain.

The word "encrypt" is often abused by swf protection vendors. Most often
they are selling obfuscators. Some are designed to prevent disassembly of
the swf into source code, but that isn't necessarily going to do anything to
prevent the much simpler task of changing a url in the swf string table.

I'm guessing that you either want a tool that can do the full swf encryption
with the separate host decrypter, or you want something that can encrypt the
strings (I believe I've seen that advertised) and then also do the
obfuscation features that make it a hassle to recompile from source (e.g.,
replacing all identifiers with names that the Adobe compiler doesn't like).

I hope that helps some.

-austin

--
Austin Haas
Pet Tomato, Inc.
http://pettomato.com

On Mon Mar 09 08:56 , Matthew Ford wrote:

> Thanks Austin, those are good questions.

>

> 1. This is my chief concern: I want to avoid someone from stealing my

game,

> pulling out my imbedded ads, perhaps putting in their own, and hosting it

or

> posting it on some other game portal.

>

> 2. I'm only mildly concerned about my source code being used for any other

> purpose-- I don't write very good code yet. :)

>

> 3. I'm not concerned about multiplayer cheating.

>

> 4. I'm not concerned about exposure of any trade secrets in the source.

>

> True enough, nothing can be fully protected. I just hope to become a

tougher

> target than seems worth the effort to crack.

>

> Thanks for any help!

>

> * * *

> Matthew Ford - matthew at fordfam dot com - http://www.fordfam.com/matthew

>

>

> -----Original Message-----

> From: casual_games-bounces at igda.org [mailto:casual_games-bounces at igda.org]

> On Behalf Of Austin Haas

> Sent: Monday, 9 March 2009 12:14 AM

> To: IGDA Casual Games SIG Mailing List

> Subject: Re: [casual_games] Current advice on SWF encryption?

>

>

> It might help if you said what your goals were. For instance,

>

> 1. Are you trying to keep someone from stealing your game and hosting it

on

> their site?

> 2. Do you want to prevent someone from using your source code?

> 3. Do you want to prevent people from cheating in a multiplayer game?

> 4. Are you trying to protect some secret embedded in the source code?

>

> Those problems may have different solutions.

>

> FWIW, you can never fully protect an online playable swf from

> decompilation/dissassembly.

>

> -austin

>

> --

> Austin Haas

> Pet Tomato, Inc.

> http://pettomato.com

>

> On Sun Mar 08 17:13 , Matthew Ford wrote:

> > *crickets*

> >

> >

> >

> > Sorry to repeat my question but there must be somebody who has a bit of

> > advice to give on SWF decryption? There are many packages to choose from

> and

> > I can't tell which ones are good, so any testimonials from hands-on

> > experience would be helpful. Again, apologies for the repeat, but this

> list

> > is my best resource for this kind of question.

> >

> >

> >

> > From: Matthew Ford [mailto:matthew at fordfam.com]

> > Sent: Friday, 6 March 2009 3:48 PM

> > To: (casual_games at igda.org)

> > Subject: Current advice on SWF encryption?

> >

> >

> >

> > Hello all-been on the list for years and I think this may be my 4th post

> as

> > I am mostly an absorber of advice, not an emitter yet. I am an indie

> > developer, ex-game-industry designer and producer. See more at

> > http://www.digitalcream.com.au/blog/ , http://twitter.com/MatthewMFord,

> etc.

> >

> >

> >

> > I am very soon going to be opening up private alpha testing of my Flash

> > game, Taboo Snaps, and it's time to look at SWF encryption. I had heard

on

> > this list that www.amayeta.com was good but elsewhere I read that it has

> > been cracked. So I'd appreciate any advice on the current best

encryption

> > software and advice for keeping it hard to crack.

> >

> >

> >

> > I am currently sitelocking the game (swf checks it own loaderInfo.url

and

> > dies if it's not my home domain) but eventually I will want the swf to

be

> > spread far and wide-it has imbedded ads and will revert to a demo mode

if

> > not on a blessed domain. So though sitelocking is some protection, of

> course

> > if it is decrypted that sitelock can be taken out.

> >

> >

> >

> > I also have the game load XML files from my home domain and do

sitelocking

> > for that with my crossdomain.xml, but again, it can be got around once

> > decrypted.

> >

> >

> >

> > Please catch me up on the latest greatest advice on encryption software

> and

> > techniques, and of course let me know if any of the above is

nonsensical!

> >

> >

> >

> > Kind regards,

> >

> > Matthew Ford

> >

> > Matthew at fordfam dot com

> >

> > http://www.digitalcream.com.au/blog/

> >

> > http://twitter.com/DCgames

> >

> > http://twitter.com/MatthewMFord

> >

> > http://www.fordfam.com/matthew

> >

>

> > _______________________________________________

> > Casual_Games mailing list

> > Casual_Games at igda.org

> > http://www.igda.org/casual-subscribe

> > Archive: http://www.igda.org/casual-subscribe

> > Archive Search:

> http://www.google.com/coop/cse?cx=010373383720242846960%3Az3tdwggxil8

> > List FAQ:

> http://www.igda.org/wiki/index.php/Casual_Games_SIG/Casual_Games_List_FAQ

>

>

> _______________________________________________

> Casual_Games mailing list

> Casual_Games at igda.org

> http://www.igda.org/casual-subscribe

> Archive: http://www.igda.org/casual-subscribe

> Archive Search:

> http://www.google.com/coop/cse?cx=010373383720242846960%3Az3tdwggxil8

> List FAQ:

> http://www.igda.org/wiki/index.php/Casual_Games_SIG/Casual_Games_List_FAQ

> No virus found in this incoming message.

> Checked by AVG - www.avg.com

> Version: 8.0.237 / Virus Database: 270.11.3/1974 - Release Date: 03/06/09

> 19:17:00

>

> _______________________________________________

> Casual_Games mailing list

> Casual_Games at igda.org

> http://www.igda.org/casual-subscribe

> Archive: http://www.igda.org/casual-subscribe

> Archive Search:

http://www.google.com/coop/cse?cx=010373383720242846960%3Az3tdwggxil8

> List FAQ:

http://www.igda.org/wiki/index.php/Casual_Games_SIG/Casual_Games_List_FAQ

>

_______________________________________________
Casual_Games mailing list
Casual_Games at igda.org
http://www.igda.org/casual-subscribe
Archive: http://www.igda.org/casual-subscribe
Archive Search:
http://www.google.com/coop/cse?cx=010373383720242846960%3Az3tdwggxil8
List FAQ:
http://www.igda.org/wiki/index.php/Casual_Games_SIG/Casual_Games_List_FAQ
No virus found in this incoming message.
Checked by AVG - www.avg.com
Version: 8.0.237 / Virus Database: 270.11.3/1974 - Release Date: 03/08/09
17:17:00

Previous message: [casual_games] Current advice on SWF encryption?
Next message: [casual_games] Current advice on SWF encryption?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Casual_Games mailing list