site lock question

[sandy234]

I use GM and it automatically obfuscates the code. However even after that i can still see the website names in the code.

So is there a proper way to actually sitelock html5 games

[alex_h]

I think this has been asked before and the simple answer is that no there isn't.

 

If you wanted to you could write a very simple algorithm to encode and decode a URL, so that the string that gets hardcoded in your game is not so instantly recognisable.

 

then when you want to use it you run the string through the decoder function first. That way the recognisable url is never visible to a cursory glance at your code.

 

But at the end of the day you are still pissing into the wind since your whole code is available for close inspection, including the decoder algorithm.

 

So you'd just be wasting your time really.

[sbat]

I would add that in portal Flash world coded sitelock is mostly required to comply with primary license condition. Viral Flash games are making money, because people grab them and spread to thousands of hosts. So it is important to prevent such accidental grab of "non-exclusive" game. 

 

As you know even in Flash it does not stop determined cracker - nothing would stop 7k74 and other Chineese portals, for examples. Besides, even in Flash you cannot stop hotlinking (thus many Armor sitelocks are "spreading" quite well). 

 

In HTML5 world this viral spread just don't happen. So I don't even put sitelock code into my games. If big customer takes it by mistake, I'd send them polite mail, they will comply and I might even have a business opportunity with them. Shady portal will crack it anyway.

[sandy234]

i Guess its better not to bother with it. but atleast in flash they have mochi which protects thier code very well. We dont have anything like that in html5 here

[sbat]

i Guess its better not to bother with it. but atleast in flash they have mochi which protects thier code very well. We dont have anything like that in html5 here

 

Mochi? No - it does not even obfuscate the code. It simply loads an SWF from their server (from another small, presumably not even obfuscated SWF), using simple encrypting algrorithm. http://hackabee.blogspot.ru/2010/11/what-is-in-mochicrypt-secret-encryption.html

 

it used to be trivial to decompile. Maybe things changed since 2010, but I highly doubt it. 

 

SecureSWF is better and would put off casual cracker. But determined portal will still be able to find a place with a sitelock instructons just fine (directly in bytecode debugger, without reconstructing full AS3 original code).

[YellowAfterlife]

The primary problem with trying to sitelock the game is that the attacker doesn't even need to understand most of your game. They only need to modify the bit particularly responsible for sitelock. And while in Flash fancy things can be done to obscure the game and make it harder to recompose after modifying, in HTML5 there aren't many ways to go with this.

Moreover, since GameMaker uses pretty strict code generation patterns, with enough knowledge it would be also possible to deobfuscate all built-in function names and resource order. Ultimately down to generating project files from obfuscated JS. It's primarily a matter of time and someone's interest, you could say.

[Phil]

Analytics should help track down unauthorised hosting.

[joannesalfa]

I've seen a service which offers site lock for HTML5 apps https://jscrambler.com/

[Raiper34]

Clay.io has got same service

[Victor]

Analytics should help track down unauthorised hosting.

I was thinking this.

 

Putting no sitelock but an ofuscated analytics and noone would revise the code, but you can track who steal it.

[Paul-Andre]

If you put analytics, the thief would see that there are requests going out to your analytics server.

[Victor]

You can't hide everything.

A clear sitelock URL is easier to find than an external Analytics request.

You can code the game so it doesn't work if the analytics doesn't respond with a HTTP 200 OK. The ofuscating code would do it hard to remove.

 

Anyway, you only can try to do it difficult. If a skilled enough programmer want to crack your game, he'll do.

[SoundsLikeJord]

Has anyone else here used https://jscrambler.com/? It looks like a good candidate but I'm wondering if anyone has experience using their service.

[Silen]

In GameMaker you can encode string with URL using built-in functions.

[Phil]

I have been giving this some more thought, in addition to analytics, which may or may not be detected, you could check the characters of the url string. For example, if your host is http://myhost.com, you could check if character 9 is = y and character 13 is = t. You may also want to check if the url string starts http:// or just www. Just an idea. 

[Vlad]

How to get a domain name of the top level window?

 

When I try to get domain by use window.top.location.hostname, I got security error:

Uncaught SecurityError: Blocked a frame with origin "http://my_game.com" from accessing a frame with origin "http://top_level.com". Protocols, domains, and ports must match.

[qdrj]

 

How to get a domain name of the top level window?

 

When I try to get domain by use window.top.location.hostname, I got security error:

Uncaught SecurityError: Blocked a frame with origin "http://my_game.com" from accessing a frame with origin "http://top_level.com". Protocols, domains, and ports must match.

 

I suppose that you want to restrict loading your game through iFrame? Try this code:

function inIframe () {    try {        return window.self !== window.top;    } catch (e) {        return true;    }}

[Vlad]

thank you for the example of code.

 

But often sponsor add game by use iFrame. And I can't add limitation for iFrames.