Theft and Antitheft

Picture this: You find a Web site that has dozens of cool Web games. You are browsing through the game list when suddenly you see … one of yours! Sound unlikely? It's not in fact, this has happened to me several times.

You have worked very hard to create something you are proud of. You should spend a little extra time taking steps to help prevent its being stolen. Listed below are the three major vulnerabilities of your SWF files and what you can do to eliminate them.

Vulnerability: Downloading the SWF

Someone can download your SWF file or copy it from his browser's cache to his own hard drive. He can then play the game on his own computer or upload it to his own server for other people to play. This is the most common SWF theft problem.

Deterrent(s)

There is nothing you can do to prevent someone from taking the SWF file. But you can do several things to help prevent this game from working properly when downloaded.

_url

This is a property that has been in Flash since version 4 and has never gotten much attention. I'd now like to give it the attention it deserves. This little guy can help you in a tremendous way: It returns the absolute path to the SWF itself. For instance, if the SWF file is being run from the location http://www.electrotank.com/minigolf.swf, then the _url property returns http://www.electrotank.com/minigolf.swf as a string. For example:

 myURL=_url;  

This line of code sets a variable whose value is the absolute path to the SWF file. Now let's see how this is going to help you protect your game.

 1   myURL=_url;  2   okDomain="www.electrotank.com" 3   if (myURL.indexOf(okDomain) != -1) { 4      _root.gotoAndStop("game screen") 5   } else { 6      _root.gotoAndStop("warning message"); 7   } 

Line 2 above sets a string called okDomain, whose value is a single domain that is allowed access to the file. Then, on line 3, the indexOf string method is used to see if the allowable domain is part of myURL. If it's being run from the correct server, the game goes to the frame labeled game screen; otherwise it goes to the frame labeled warning message. If someone (illegally) downloads a SWF file that has this sort of script in it, he will not be able to view the content properly. Mission accomplished!

Multiple Files

Structuring your game to use multiple files is a natural sort of theft protection. This good coding practice makes it easier for you replace your content, and harder for someone to take it. For instance, let's say you have a jigsaw puzzle that loads in images dynamically. A thief can easily read the HTML in your Web page to find the name of your SWF file, but how will this person know the names of your image files? In Entry 3 below, I'll list one way for a person to find out these filenames, but the fact that there are multiple files provides a level of protection that will deter most nefarious types.

Vulnerability: Embedding the SWF through HTML

A person can write an HTML page that embeds your SWF file even though it's on another server. When visited, this HTML file loads the SWF, and viewers of the page will think the content belongs to the owner of this site.

Deterrent

Sadly, there is not a good solution to prevent this. Technically, your files are not being stolen. One common technique people use to circumvent this problem is to rename their files frequently. This can be a hassle, but it works. If Web sites are pointing to your games and you rename your file(s), those Web pages will no longer show your file. The administrator of that Web site will have to look through your HTML again to find the new name. If you find a Web site that consistently updates its own pages every time you rename your files, you may want to try contacting the owner's ISP (Internet service provider information on this is listed later in this appendix).

Vulnerability: Expose the ActionScript

A hacker can download your SWF files and open them with software designed to read ActionScript. With this software, your code is exposed, as are the names of files that you may be loading in. This can be a huge issue if you have trade secrets or just plain don't want to give away your code. Also, an advanced hacker can use a program that will allow him or her to edit binary files, such as a SWF. That means the hacker can remove the protections you had in your file, such as the _url property protection, and then resave it.

Deterrent

There is nothing that you can do to keep a serious villain from reading the ActionScript in your file. But there is something that will make you smile and the evil-doer grimace: obfuscation. To obfuscate something means to make it confusing or hard to understand. An obfuscator is an application that will take your file, read through every bit of code, and replace the code names with gibberish. The ActionScript still works it just uses oddly named variables and other references. Here is an example of a function that has been obfuscated.

 1   function F_]}•êaTÖ (ÈŒüm_P, Á_Qîî, F, O1/4C_,         mù__, Fü_O, Fü__) { 2        var eval ("ÈX_"); 3        var eval ("_O"); 4        var eval ("_m"); 5        var eval ("_§"); 6        var eval ("På"); 7        var eval ("..._"); 8        var eval ("P"); 9        var eval ("m"); 10       var eval ("b_]_P"); 11       var eval ("È") = new Array (); 12       eval ("b_]_P") = 0.0174532925199433; 13       eval ("På") = Math.sin(eval ("Á_Qîî") * eval ("b_]_P")); 14       eval ("..._") = Math.cos(eval ("Á_Qîî") * eval ("b_]_P")); 15       eval ("È")[0] = new Array (); 16       eval ("È")[1] = new Array (); 17       eval ("È")[2] = new Array (); 18       eval ("È")[3] = new Array (); 19       var W = 0; 20       while (W < 4) { 21           eval ("_O") = eval ("ÈŒüm_P")[W][0]; 22           eval ("_§") = eval ("ÈŒüm_P")[W][2]; 23           eval ("_m") = (-eval ("ÈŒüm_P")[W][2]) * eval ("På"); 24           eval ("_§") = eval ("_§") * eval ("..._"); 25           eval ("ÈX_") = F / (eval ("_§") + F); 26           eval ("È")[W][0] = eval ("O1/4C_") + (eval ("ÈX_") *               eval ("_O")); 27           eval ("È")[W][1] = eval ("mù__") - (eval ("ÈX_") *              eval ("_m")); 28           W++; 29       } 30       eval ("F_]fgôü_H")("ôü_H0", eval ("È")[0][0], eval          ("È")[0][1], eval ("È")[1][0], eval ("È")[1][1]); 31       eval ("F_]fgôü_H")("ôü_H1", eval ("È")[1][0], eval          ("È")[1][1], eval ("È")[2][0], eval ("È")[2][1]); 32     eval ("F_]fgôü_H")("ôü_H2", eval ("È")[2][0], eval        ("È")[2][1], eval ("È")[3][0], eval ("È")[3][1]); 33     eval ("F_]fgôü_H")("ôü_H3", eval ("È")[3][0], eval        ("È")[3][1], eval ("È")[0][0], eval ("È")[0][1]); 34     eval ("F_]fgôü_H")("é__PPÑôü_H", eval ("O1/4C_") - eval        ("Fü_O"), 35 eval ("mù__"), eval ("O1/4C_") + eval        ("Fü_O"), eval ("mù__")); 35     this.eval ("Úü____")._x = eval ("O1/4C_"); 36     this.eval ("Úü____")._y = eval ("mù__"); 37     this.eval ("Úü____")._xscale = 40; 38     this.eval ("Úü____")._yscale = 40 * eval ("På"); 39  } 

Can you understand what the function above was designed to do? Probably not, and that's the point! Not only is it almost impossible to understand, but if you pasted this into the Actions panel and tried to create a SWF, Flash would give you an error. There is an amazing obfuscator created by Robin Debreuil specifically for Flash, available at www.debreuil.com/vs/. At the time this book was written this obfuscator only worked with Flash 5, but a Flash MX version was in the works. So chances are that a Flash MX version is at the above URL waiting to obfuscate something for you.

The battle of software theft has been around for a long time and may never go away. If security is an important issue to you, I recommend that you stay informed about the latest developments in security holes and enhancements. A good way to do this is to subscribe to popular Flash mailing lists, or to frequent message boards (see Appendix E for recommendations). If you keep up-to-date on these issues, you'll be safe from most casual hackers.