Gaming Your Way

May contain nuts.

SICO

As regular readers will know, we've been done over with a hacked version of "Law of the West". Instead of just bitching about it, we've decided to be pro-active.

This is going to take a number of forms, one of which is SICO, or "Source In, Crap Out".
We looked at what encryption and obfuscator software there is out there, and came across irrFuscator. It looks pretty cool, and at 69 euros isn't going to break the bank, but it also looked like it was something we could do ourselves without too much effort.
Where SICO fails compared to irrFuscator is that, from what I can tell, irrFuscator takes the whole project and messes it up, so public functions ( And therefore getters / setters ) get screwed with too, whereas our project just takes one file and so has to leave anything which could be called from a different class alone.
Also it converts strings, but it looks costly. Looking at the example on their page, "end" gets converted to irrcrpt(23, "uzd."). That kinda looks like a static class is added to the project with a method called irrcrpt, which takes the first value as the "key", and I guess it's just a simple XOR with the string value.
Fine for scrambling a filename, but I think it would be too harsh [ In performance terms ] to do that to every string in the game, so it's easy enough to just add a method in like that by hand for your filenames / passwords / cheat codes etc.

( In case this reads like I'm just bashing irrFuscator, I'm really not. It's better than SICO, I'm just pointing out the differences ).

So what can our baby do ? Here's the loader class we use for it:

package Classes {  
    import flash.events.Event;
    import flash.net.URLLoader;
    import flash.net.URLLoaderDataFormat;
    import flash.net.URLRequest;
    
    public class IO {

//---------------------------------------------------------------------------------------
// Properties
//---------------------------------------------------------------------------------------
        private var loader:URLLoader;
        private var callBack:Function;
        
//---------------------------------------------------------------------------------------
//Constructor
//---------------------------------------------------------------------------------------
        public function IO(){
/*
Null constructor, we don't need to do anything here
*/

        }

//---------------------------------------------------------------------------------------
// Public
//---------------------------------------------------------------------------------------
        public function toString():String {
            return "IO";
        }        

//---------------------------------------------------------------------------------------
        public function loadScript(filename:String,callBackArg:Function):void{
            callBack=callBackArg;
            
            loader = new URLLoader();
            loader.dataFormat=URLLoaderDataFormat.TEXT;
            loader.addEventListener(Event.COMPLETE, xmlLoaded);

            var request:URLRequest = new URLRequest(filename);
            loader.load(request);
        }

//---------------------------------------------------------------------------------------
// Private
//---------------------------------------------------------------------------------------
        private function xmlLoaded(eventArg:Event):void{
            var source:String=eventArg.target.data;
            callBack(source);
        }

//---------------------------------------------------------------------------------------
    }
}

And here's what it looks like after being run through SICO:

package Classes {  
    import flash.events.Event;
    import flash.net.URLLoader;
    import flash.net.URLLoaderDataFormat;
    import flash.net.URLRequest;
    
    public class IO {

        private var _V64K0q:URLLoader;
        private var _87qjufb1lsM:Function;
        
        public function IO(){
        }

        public function toString():String {
            return "IO";
        }        

        public function loadScript(M85u8En4i:String,_87qjufb1lsMArg:Function):void{
            _87qjufb1lsM=_87qjufb1lsMArg;
            
            _V64K0q = new URLLoader();
            _V64K0q.dataFormat=URLLoaderDataFormat.TEXT;
            _V64K0q.addEventListener(Event.COMPLETE, _v1zr6rD62q);

            var kDu541CN2C5:URLRequest = new URLRequest(M85u8En4i);
            _V64K0q.load(kDu541CN2C5);
        }

        private function _v1zr6rD62q(_wVl6q:Event):void{
            var n1XScOB03y:String=_wVl6q.target.data;
            _87qjufb1lsM(n1XScOB03y);
        }
    }
}

Pretty mashed up. There are still some quirks to it which need ironing out, and it's not got a list of reserved words or anything that cool, but that code is nasty once run through it.
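
The single-file renaming shown above can be sketched as follows. This Python is an added example, not SICO's source (which this post does not show): the regexes, the `renameable` / `obfuscate` names and the random-name scheme are assumptions, and it assumes every class member carries an explicit access modifier.

```python
import random
import re
import string

ID = r'[A-Za-z_$][\w$]*'
# Comments and string literals are matched first so their contents are never renamed.
TOKEN = re.compile(r"""(?P<comment>//[^\n]*|/\*.*?\*/)|(?P<string>"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*')"""
                   r'|(?P<pre>\bthis\.|\.)?(?<![\w$])(?P<id>' + ID + ')', re.S)
DECL = re.compile(r'(?:\b(public|protected|internal|private)\s+)?(?:(?:static|override|final)\s+)*'
                  r'\b(var|const|function)\s+(?:(?:get|set)\s+)?(' + ID + ')')
PARAMS = re.compile(r'\bfunction\b[^(){}]*\(([^)]*)\)')

def renameable(code):
    """Names only this file can reference: private members, locals, parameters."""
    masked = TOKEN.sub(lambda m: '""' if m.group('string') else m.group(0), code)
    # Assumption: members always carry an access modifier, so a bare var/const is a local.
    names = {n for access, kind, n in DECL.findall(masked)
             if access == 'private' or (not access and kind != 'function')}
    for params in PARAMS.findall(masked):
        names.update(re.findall(r'(?:^|,)\s*(' + ID + ')', params))
    return names

def obfuscate(src, seed=0):
    """Strip comments, rename, and return (new_source, old_name -> new_name)."""
    code = TOKEN.sub(lambda m: '' if m.group('comment') else m.group(0), src)
    taken = {m.group('id') for m in TOKEN.finditer(code) if m.group('id')}
    rng, mapping = random.Random(seed), {}
    for name in sorted(renameable(code)):
        new = name
        while new in taken:  # never collide with a name already in the file
            new = '_' + ''.join(rng.choices(string.ascii_letters + string.digits, k=8))
        taken.add(new)
        mapping[name] = new
    def swap(m):
        name = m.group('id')
        if name is None or m.group('pre') == '.' or name not in mapping:
            return m.group(0)  # strings, obj.property accesses, public names
        return (m.group('pre') or '') + mapping[name]
    return TOKEN.sub(swap, code), mapping

# Constructed sample, cut down from the IO class above.
SAMPLE = '''public class IO {
    private var loader:URLLoader; // holds the request
    public function loadScript(filename:String):void {
        this.loader = new URLLoader();
        loader.load(new URLRequest(filename));
    }
}'''
if __name__ == '__main__':
    print(obfuscate(SAMPLE)[0])
```

Names reached dynamically (`this["loader"]`) or reused as object-literal keys are not handled here and would need a keep list.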

Next we need to actually make some sort of front-end for it, ideally using Air to get to play with that, more possibly with Zinc to make it easier, and then decide what to do with it. It won't ever be for sale, it may be a case of we just give it to friends and let it spread gradually like that, we're not sure yet, but it will be given away. There's no point bitching about hacking, and then coming up with something that makes our stuff safe and screws everyone else.

And that's part 1 ( Or 0.5 ) of our push to try and get the community as a whole being a bit more protected, there is more to come. Olli and I have had some long chats the past couple of days. We both came to the conclusion that yeah, having hacked games floating around sucks, but there are some things which are more acceptable than others.
If LoW had been hacked to use the hi-score component of the system it's been hacked for ( Some "shovelware portal in a box" system ) and everything else had been left intact, then we can swallow that. Just. The game gets spread so the sponsor's happy, we get our credit out so it's not too bad for us, the ad gets seen etc. It's not that bad. It's only when the game is just ripped of everything like that that we get pissy.

Part of this process of stopping it is to actually get involved with the boards that link these games; at the risk of sounding like a politician, it's about education. A lot of sites with hacked games on are run by decent people, just trying to make a couple of quid, and not really knowing about any harm they could be causing 'cause they never ever have any contact with a developer.
Flash games are perceived as such a throw away commodity that the line between IP theft and hosting becomes very blurred. A lot of people who run boards wouldn't dream of hosting mp3's, but see Flash in a totally different light.

We really fucking resent having to spend time on things like this, but if we're in the position of toying with ads and sponsorship as well as the client based work, then we need to protect our IP. Like we all do.

There's more coming,

Squize.

Comments (4) -

  • Jeff Fulton

    7/7/2008 10:14:21 PM |

    This looks pretty good so far. I don't know if you are going to see the comment I wrote in the other thread, so here it is:
    nGFX. Count 8bitrocket in for whatever you may need. I'm a little confused as to what software you WERE using to encrypt / obfuscate and how they were about to remove your stuff. Did they just go in the library and change the logo clips to blanks? Were you guys using AS3 or AS2? Were any files loaded in externally?

    Would gamejacket and or the new Mochi systems have helped - as their file remains on their servers. Or would the little SH*T have just found the version on those servers (especially gamejacket) and have downloaded and ripped through that one. If you are coordinating your effort on Flashkit, let me know. I don't have time to visit that site much anymore, but will if you are amassing an audience and attack plan there.

  • Squize

    7/8/2008 9:55:24 AM |

    Thanks for the post mate.

    I'll have to let Olli reply about what he used to encrypt it and what exactly the script kiddie did.

    I don't think GJ is that secure. To upload a game you have to have code in there as a security check, but it's far from intertwined into the game as a whole, and using something like liveHTTPHeaders ( Which is a God send if you're doing any server side stuff like hi-score tables ) you can find the original swf with no effort at all.
    I know mochi are offering encryption, but then you're tied to their hosting ( Like gameJacket I know ) and if it gets really popular it wouldn't surprise me if decompilers actually started "supporting" it.

    We're not really planning on pushing this through FK just yet, we're more than happy to keep things low profile until we've got some good stuff in place, which we'll always filter out here first.
    From our point of view, it's much easier to say release a workable version of SICO here and let our regular visitors take advantage of that, than post it to FK and have the hail of public bug reports and bitching.

    Thanks for the continued support mate, I will be calling in some code testing favours with you guys :)

  • Panayoti

    7/8/2008 5:04:14 PM |

    Let me know if I can assist at all. I do enough freaky AS3 dark magic stuff that I can put it through some fancy test cases.

  • Jeff Fulton

    7/8/2008 6:13:07 PM |

    Squize, send out a version when you are ready and we'll bang away at it. I know Gamejacket/Mochi aren't too secure, but at least the original file isn't sent out. But anyone can check their cache and pull out the good one to mess with, so we need much stronger protection anyway. The Mochi encryption looks good, and yes, obviously to have to rely on their hosting. I always use SwfEncrypt, but it seems that Olli used that and he was still hacked. That's sad. I like SICO though and it could be promising!
