Re: [Flashcoders] swf obfuscation - new challenge
I got it too, not so hard (used Tamper Data - Firefox plugin).

Also, I'd like to point out a security vulnerability in your PHP code:

    $content = file_get_contents("pathToRealSwf/$data");

You're not escaping or validating in any way the data coming from the user (through HTTP GET), so you're open to many exploits. Just a simple example, a user could view the source to every PHP file on the server that he can guess or find the path. As an example, the file itself:

http://jimbo.us/Games/jumpPeg/path.php?data=../path.php

Open it in your browser and view source.

I'd suggest you fix it or take it down right away (now that I made it public). Feel free to contact me if you need details on how to fix it.

Wagner

On 7/23/07, Rákos Attila [EMAIL PROTECTED] wrote:

http://www.tengerstudio.com/public/jumppeg2/

That was not harder than previous ones :) I think you are going the wrong way - hiding the real game's source URL and preventing the user from downloading is simply impossible. If I use some kind of traffic monitoring stuff everything is visible (personally I use Fiddler - not for cracking Flash games :) just for debugging my applications).

Attila

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
From: Jim Berkey [EMAIL PROTECTED]
To: Flashcoders mailing list flashcoders@chattyfig.figleaf.com
Date: Monday, July 23, 2007, 1:50:09 PM
Subject: [Flashcoders] swf obfuscation - new challenge
--===--

Okay, another brick in the wall to keep you from grabbing a swf (the old joyluckclub.com peg game from flashkit again - my version 4, I upgraded flash 5 as1 to flash 8, as2)

http://jimbo.us/Games/jumpPeg/index.html

In the interest of transparency, here is what I've put together so far:

The goal is to have the best protection possible, while maintaining:
(1) - zero code obfuscation
(2) - technically easy enough for a n00b++ to implement
(3) - Sharing/knowing the technique does not make it weaker

To this end, since so many of you last grabbed the game so quickly, I've added some noise to the Herring, and I think I nailed shut the door that Eric Priou showed us (executing the php script directly from the browser address bar). Hopefully the number of folks that can grab the game is reduced??

Here is how it's done:

Container swf (game.swf) holds a Red Herring faux game to keep the --n00bs busy, and a script loaded via smoke and mirrors - logo.gif is actually logo.swf - suffix changed after compiling - Flashplayer obviously doesn't use the dot-three suffix to determine what a file holds. None of this is necessary for the system to work, but is easy, fun and does no harm.

The code in logo.gif checks to see that it is being loaded onto a trusted url, and if so loads the real swf via a php script that conceals the directory location of the real swf, and prevents caching. Here is the php file that does this:

    <?php
    $data = $_GET['data'];
    header("Expires: Thu, 01 Jan 1970 00:00:00 GMT", -1);
    header("Cache-Control: no-cache, no-store, must-revalidate");
    header("Pragma: no-cache");
    $content = file_get_contents("pathToRealSwf/$data");
    echo $content;
    ?>

The only change you make to the php file is to change the 'pathToRealSwf/' to your own relative or absolute path to the directory holding the real swf. I eliminated a line in the script that typed the data as a shockwave/flash file, and removed the dot three suffix from 'rainbow.swf' - the actual file. So now, when one runs the php script from the browser window, the browser doesn't know what it is opening, and just shows the bytecode.

If anyone wants the system so far, write me offlist and I will send the source files for your examination. I'll also post the system online once all the doors are closed that can be closed. It's probably premature to do this yet, there are probably more doors to close, and more bricks to add to the wall, but as we go along, anyone is welcome to what I've done so far. If you have a suggestion for making the system stronger, I'd appreciate the help.

So grab this version of the game, and let me know what other doors might be closed?

Thanks for kicking at my wall,
jimbo

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

___
Flashcoders@chattyfig.figleaf.com
To change your subscription options or search the archive:
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders

Brought to you by Fig Leaf Software
Premier Authorized Adobe Consulting and Training
http://www.figleaf.com
http://training.figleaf.com
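
A hardened form of the loader script quoted above, as an added example that is not part of the thread and is not Jim's or Wagner's code. It closes only the file disclosure Wagner reports: the `data` parameter must match an allowlist and the resolved path must stay inside the SWF directory. `SWF_DIR`, `ALLOWED` and `resolveAsset` are names assumed here for illustration.

```php
<?php
declare(strict_types=1);

// Assumptions for illustration: SWF_DIR stands in for the post's
// 'pathToRealSwf/' placeholder; ALLOWED lists the one file the post names.
const SWF_DIR = __DIR__ . '/pathToRealSwf';
const ALLOWED = ['rainbow'];

// Return the absolute path of a servable file, or null to refuse.
function resolveAsset(string $name, string $baseDir, array $allowed): ?string
{
    // 1. Allowlist: "../path.php" and any other unknown name stop here.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // 2. Defence in depth: canonicalise (resolves ".." and symlinks) and
    //    require the result to stay inside the base directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// A query such as data[]=x arrives as an array, so check the type first.
$data = $_GET['data'] ?? '';
$path = is_string($data) ? resolveAsset($data, SWF_DIR, ALLOWED) : null;
if ($path === null) {
    http_response_code(404);   // same answer for "missing" and "refused"
    exit;
}

// Same no-cache headers as the original script.
header('Expires: Thu, 01 Jan 1970 00:00:00 GMT');
header('Cache-Control: no-cache, no-store, must-revalidate');
header('Pragma: no-cache');
readfile($path);
```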
Re: [Flashcoders] swf obfuscation - new challenge
Thank you Rákos, I see now how one can get the data from Fiddler, I got it quite easily without knowing or seeing the location of the file online, just saving the response was enough. Of course, now with Amaral's input on the php file, it is easily readable, so the location can be easily found. more work, . . . I must move outside another box somehow.

Thanks,
jimbo
Re: [Flashcoders] swf obfuscation - new challenge
Danny Kodicek wrote:

> The only method I can think of that might do what you're looking for is to have some of the actual code work on the server. So for example you'd do something that has a fundamental effect in the game, but you make its code run on your server instead of on the client and just return the result (not that different from making a multiplayer game with server-side scripting and a dumb client).

That's a good idea. It would have to be something with a real effect on the game, though, not just some authorization token which could easily be replaced or commented out.

And then we're getting away from the real point of this sort of effort -- clients often want to keep their methods or innovations secret. You can't hide, say, a GUI component by backending part of it.
RE: [Flashcoders] swf obfuscation - new challenge
The only method I can think of that might do what you're looking for is to have some of the actual code work on the server. So for example you'd do something that has a fundamental effect in the game, but you make its code run on your server instead of on the client and just return the result (not that different from making a multiplayer game with server-side scripting and a dumb client).