Thank you Rákos,
I see now how one can get the data from Fiddler, I got it quite easily
without knowing or seeing the location of the file online, just saving the
response was enough.
Of course, now with Amaral's input on the php file, it is easily readable,
so the location can be easily found.
more work, . . . I must move outside another box somehow.
Thanks,
jimbo
----- Original Message -----
From: "Rákos Attila" <[EMAIL PROTECTED]>
To: "Jim Berkey" <flashcoders@chattyfig.figleaf.com>
Sent: Monday, July 23, 2007 9:49 AM
Subject: Re: [Flashcoders] swf obfuscation - new challenge
http://www.tengerstudio.com/public/jumppeg2/
That was not harder than previous ones :) I think you are going on a
wrong way - hiding the real games source URL and preventing the user
from downloading is simply impossible. If I use some kind of a traffic
monitoring stuff everything is visible (personally I use Fiddler - not
for cracking Flash games :) just for debugging my applications).
Attila
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
From: Jim Berkey <[EMAIL PROTECTED]>
To: Flashcoders mailing list <flashcoders@chattyfig.figleaf.com>
Date: Monday, July 23, 2007, 1:50:09 PM
Subject: [Flashcoders] swf obfuscation - new challenge
--====----====----====----====----====----====----====----====----====----===--
Okay, another brick in the wall to keep you from grabbing a swf (the old
joyluckclub.com peg game from flashkit again - my version 4, I upgraded
flash 5 as1 to flash 8, as2
http://jimbo.us/Games/jumpPeg/index.html
In the interest of transparency, here is what I've put together so far:
The goal is to have the best protection possible, while maintaining:
(1) - zero code obfuscation
(2) - technically easy enough for a n00b++ to implement
(3) - Sharing/knowing the technique does not make it weaker
To this end, since so many of you last grabbed the game so quickly, I've
added some noise to the Herring, and I think I nailed shut the door that
Eric Priou showed us (executing the php script directly from the browser
address bar). Hopefully the number of folks that can grab the game is
reduced??
Here is how it's done:
Container swf (game.swf) holds a Red Herring faux game to keep the --n00bs
busy, and a script loaded via smoke and mirrors - logo.gif is actually
logo.swf - suffix changed after compiling - Flashplayer obviously doesn't
use the dot-three suffix to determine what a file holds. None of this is
necessary for the system to work, but is easy, fun and does no harm.
The code in logo.gif checks to see that it is being loaded onto a trusted
url, and if so loads the real swf via a php script that conceals the
directory location of the real swf, and prevents caching. Here is the php
file that does this:
<?php
$data = $_GET['data'];
header("Expires: Thu, 01 Jan 1970 00:00:00 GMT, -1 ");
header("Cache-Control: no-cache, no-store, must-revalidate");
header("Pragma: no-cache");
$content = file_get_contents("pathToRealSwf/$data");
echo$content;
?>
The only change you make to the php file is to change the 'pathToRealSwf/'
to your own relative or absolute path to the directory holding the real
swf. I eliminated a line in the script that typed the data as a
shockwave/flash file, and removed the dot three suffix from
'rainbow.swf' - the actual file. So now, when one runs the php script from
the browser window, the browser doesn't know what it is opening, and just
shows the bytecode.
If anyone wants the system so far, write me offlist and I will send the
source files for your examination. I'll also post the system online once
all the doors are closed that can be closed. It's probably premature to do
this yet, there are probably more doors to close, and more bricks to add
to the wall, but as we go along, anyone is welcome to what I've done so
far. If you have a suggestion for making the system stronger, I'd
appreciate the help.
So grab this version of the game, and let me know what other doors might
be closed?
Thanks for kicking at my wall,
jimbo
_______________________________________________
Flashcoders@chattyfig.figleaf.com
To change your subscription options or search the archive:
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
Brought to you by Fig Leaf Software
Premier Authorized Adobe Consulting and Training
http://www.figleaf.com
http://training.figleaf.com
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
_______________________________________________
Flashcoders@chattyfig.figleaf.com
To change your subscription options or search the archive:
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
Brought to you by Fig Leaf Software
Premier Authorized Adobe Consulting and Training
http://www.figleaf.com
http://training.figleaf.com
_______________________________________________
Flashcoders@chattyfig.figleaf.com
To change your subscription options or search the archive:
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
Brought to you by Fig Leaf Software
Premier Authorized Adobe Consulting and Training
http://www.figleaf.com
http://training.figleaf.com
