I got it too, not so hard (used Tamper Data - Firefox plugin)
Also, I'd like to point out a security vulnerability in your PHP code:
$content = file_get_contents("pathToRealSwf/$data");
You're not escaping or validating in any way the data coming from the user
(through HTTP GET), so you're open to many exploits.
Just a simple example, a user could view the source to every PHP file on the
server that he can guess or find the path.
As an example, the file itself:
http://jimbo.us/Games/jumpPeg/path.php?data=../path.php
Open it in your browser and view source.
I'd suggest you fix it or take it down right away (now that I made it
public).
Feel free to contact me if you need details on how to fix it.
Wagner
On 7/23/07, Rákos Attila <[EMAIL PROTECTED]> wrote:
http://www.tengerstudio.com/public/jumppeg2/
That was not harder than previous ones :) I think you are going on a
wrong way - hiding the real games source URL and preventing the user
from downloading is simply impossible. If I use some kind of a traffic
monitoring stuff everything is visible (personally I use Fiddler - not
for cracking Flash games :) just for debugging my applications).
Attila
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
From: Jim Berkey <[EMAIL PROTECTED]>
To: Flashcoders mailing list <[email protected]>
Date: Monday, July 23, 2007, 1:50:09 PM
Subject: [Flashcoders] swf obfuscation - new challenge
--====----====----====----====----====----====----====----====----====----===--
Okay, another brick in the wall to keep you from grabbing a swf (the old
joyluckclub.com peg game from flashkit again - my version 4, I upgraded
flash 5 as1 to flash 8, as2
http://jimbo.us/Games/jumpPeg/index.html
In the interest of transparency, here is what I've put together so far:
The goal is to have the best protection possible, while maintaining:
(1) - zero code obfuscation
(2) - technically easy enough for a n00b++ to implement
(3) - Sharing/knowing the technique does not make it weaker
To this end, since so many of you last grabbed the game so quickly, I've
added some noise to the Herring, and I think I nailed shut the door that
Eric Priou showed us (executing the php script directly from the browser
address bar). Hopefully the number of folks that can grab the game is
reduced??
Here is how it's done:
Container swf (game.swf) holds a Red Herring faux game to keep the --n00bs
busy, and a script loaded via smoke and mirrors - logo.gif is actually
logo.swf - suffix changed after compiling - Flashplayer obviously doesn't
use the dot-three suffix to determine what a file holds. None of this is
necessary for the system to work, but is easy, fun and does no harm.
The code in logo.gif checks to see that it is being loaded onto a trusted
url, and if so loads the real swf via a php script that conceals the
directory location of the real swf, and prevents caching. Here is the php
file that does this:
<?php
$data = $_GET['data'];
header("Expires: Thu, 01 Jan 1970 00:00:00 GMT, -1 ");
header("Cache-Control: no-cache, no-store, must-revalidate");
header("Pragma: no-cache");
$content = file_get_contents("pathToRealSwf/$data");
echo$content;
?>
The only change you make to the php file is to change the 'pathToRealSwf/'
to your own relative or absolute path to the directory holding the real swf.
I eliminated a line in the script that typed the data as a shockwave/flash
file, and removed the dot three suffix from 'rainbow.swf' - the actual
file. So now, when one runs the php script from the browser window, the
browser doesn't know what it is opening, and just shows the bytecode.
If anyone wants the system so far, write me offlist and I will send the
source files for your examination. I'll also post the system online once all
the doors are closed that can be closed. It's probably premature to do this
yet, there are probably more doors to close, and more bricks to add to the
wall, but as we go along, anyone is welcome to what I've done so far. If you
have a suggestion for making the system stronger, I'd appreciate the help.
So grab this version of the game, and let me know what other doors might
be closed?
Thanks for kicking at my wall,
jimbo
_______________________________________________
[email protected]
To change your subscription options or search the archive:
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
Brought to you by Fig Leaf Software
Premier Authorized Adobe Consulting and Training
http://www.figleaf.com
http://training.figleaf.com
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
_______________________________________________
[email protected]
To change your subscription options or search the archive:
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
Brought to you by Fig Leaf Software
Premier Authorized Adobe Consulting and Training
http://www.figleaf.com
http://training.figleaf.com
_______________________________________________
[email protected]
To change your subscription options or search the archive:
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
Brought to you by Fig Leaf Software
Premier Authorized Adobe Consulting and Training
http://www.figleaf.com
http://training.figleaf.com
