«
»

Protecting your SWF

Discussion

I've tried to research and come up with my own solutions to this age old problem. But so far my attempts have been pretty fruitless. How do you protect your published swf's from people abusing the fact that you've made them available publically?


Problem one - your work can be downloaded/disassembled, revealing information you may not want to be revealed. For instance, say you are coding an online multiplayer game. Typically, you don't want people to cheat, artificially push their name up leaderboards, etcetera. Anyone determined enough can find out how you are pushing data to the server, your score for instance.

How do people go about securing their swf's to avoid things being seen by prying eyes? Can you even avoid a dynamically loaded swf being cached or saved by certain utilities?

Problem two - hotlinking your work. Say you produce a game and it becomes popular. Some unscrupulous person hotlinks your file and your bandwidth goes way up. As far as I know, the Apache rewrite rule doesn't help as it does with preventing hotlinking images. Since the swf file is embedded, the http referer ends up being blank (at least on my server anyway), so the rewrite rule isn't invoked.

This entry was posted on Wednesday, October 13th, 2004 at 9:36 pm and is filed under Discussion. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

12 Responses to “Protecting your SWF”

  1. Richard Leggett Says:
    October 13th, 2004 at 11:52 pm

    Such a frustrating area, even though Flash obfuscators rid the usuals from stealing your code (if only because even though they can still reverse engineer the code, it's far too much effort to get it back into a workable state to extend it), but at the end of the day, the "elite" hackers are still going to sniff the HTTP traffic, reverse engineer the encryption you are using and make sure they get the best score on your highscore board :p Had these links in my bookmarks from a little while ago that may be worth looking into:

    http://www.genable.com/aso/
    http://www.debreuil.com/vs/

    There's also lots of speak of keeping the SWF's encrypted and/or stored as binary in a DB, then dynamically un-encrypting by the server whilst preventing clientside caching by the browser, but this stops preloaders working in most situations.

    A while back you could even use the following code to thwart ASV:

    void(user)< =user2>"part1,stop ASV!" || 0 (!1 && !0);
    user = "part2,stop ASV!";

    I doubt that works nowdays! Love to hear other ideas :)

  2. James Says:
    October 14th, 2004 at 9:09 pm

    I heard about this other SWF scrambler recently, it's not out yet, but it looks like it could work pretty well: http://swfguard.com (plus their website's really slick - can you tell the whole site is entirely flash? these guys know their stuff) They have signups for a free beta test.

  3. Ash Says:
    October 15th, 2004 at 2:34 pm

    I also found this site, but I have been unable to test it (I don't own ASV). http://www.as-protect.com/

  4. eyezberg Says:
    October 19th, 2004 at 6:01 pm

    Could encryption help..?
    http://www.richinternet.de/blog/index.cfm?entry=8C8B659E-0858-D8EC-61DECA2DFF048623
    Joe

  5. JEAN Says:
    October 25th, 2004 at 1:13 pm

    Cool

  6. eyezberg Says:
    November 6th, 2004 at 9:55 pm

    Yo, new protection is out: http://www.flashincrypt.com/index.htm
    And it's only $30 ...

  7. Mark Says:
    November 7th, 2004 at 9:55 am

    You can stop hotlinkers with Apache mod_rewrite explained here.
    Have you thought of storing your valuable data (scores, usernames etc) in a nice MySQL table and encrypting it? If they choose to hack the database login, download the encrypted data and unencrypt it then they obviously need to get out more!

  8. john Says:
    February 1st, 2007 at 7:19 am

    For hotlinking, check this url: http://www.namepros.com/code/106681-protect-your-flash-files-hotlinking-specially.html

  9. Ammar Mardawi Says:
    December 22nd, 2007 at 2:50 pm

    To protect your SWF files from decompilers try out secureSWF from the following link:
    http://www.kindisoft.com/secureSWF/

  10. mavdes Says:
    June 23rd, 2008 at 11:13 am

    i did solve the problem in other way
    check it
    and try to take my swf map file :) if u can or any other can :)

    http://elfekr.net/map

  11. JPags Says:
    June 25th, 2008 at 4:05 pm

    That was too easy. Any HTTP sniffer will give you the address of the files, and then I just got the files from my Web site cache.

    Your SWF is not even scrambled, I can decompile it with SWF decompiler

    You need to be much better than that to stop someone who realy wants you stuff. :twisted:

    John

  12. Roy Says:
    January 6th, 2010 at 9:09 am

    The most important thing is action script... I think the only way to protect it is encryption… There are lots of swf protectors… I am using SWF Protect from dcomsoft ( http://www.dcomsoft.com/ ). Looks good for me… And may be this is what you are loking for…

Leave a Reply