Tracking & Protection of your games

[SolarJS]

EDIT:

6 reasons to NOT use JSCRAMBLER (after massive testing):

http://www.html5gamedevs.com/topic/5807-best-way-to-hide-javascript-code/?p=65903

 

And a shocking JScrambler performance test:

 

http://jsperf.com/jscrambler/5

________________________________________________________________________

 

 

I am just curious, how do you guys track where and how often your games are played? 

 

Also, which kind of protection, if any, do you use to protect / obfuscate your code? I wonder if there's a useful solution whithout harming performance too much...

[Stephan]

I am considering to use JScrambler for a part of my code in the next project. I have no idea of the impact of this on the performance but I think it should be ok as long as you leave the game engine itself in its original state. 

[SolarJS]

I thought so too, but it has a noticeable impact on performance. I get constant 60fps on an iPad2 with the original non-minified/non-obfuscated engine. After JScrambler it drops down to 48-50fps and GC is higher

[Stephan]

Thanx for this info, it's very useful indeed.

I intend to obfuscate just a very small essential part of the app that isn't called frequently during the game. I will let you know my findings after I benched it.

[SolarJS]

So, nobody protect his code or is tracking his games?!???

[harrywatson]

Why do you want to hide the code? Who's going to steal it?

One of the best ways to learn is looking at what other people have done.

Don't you want to share your knowledge? Do you think you are so good

that people will take everything from you and then overtake you?

What are you scared of? I'd be delighted if someone looked at my code.

(and surprised).

 

Here's a previous post link that might help you decide how to track your game progress...

 

http://www.html5gamedevs.com/topic/7130-how-many-times-has-my-game-been-played/

 

If you want some further help I will even send you the code.

[SolarJS]

Because I put a lot of effort in it and build my own engine which can run even fast 2,5D arcade games on mobile at 60fps using simple canvas rendering. As far as I see it, it's a one of a kind thing out there. And I want to protect this advantage.

 

Sorry, I must have written it wrong. I meant track your games using tracking modules. Some kind of alternative to Flurry for HTML5. I want to track mainly on servers I do not control.

 

EDIT: Since I answered only your unedited post, here is the follow up:

Your link does not provide an answer I was looking for (see explanation above).

[harrywatson]

Now I've trawled around looking for answers because I'm curious - how to hide code client side.

 

Upshot of my studies is that you can't. You can obfuscate or disable right click, or for security

place an index.html file in each folder and use.. 

<meta http-equiv="refresh" content="0; url=http://escapefan.com/">

That will take anyone trying to look at any of my folders to escape fan.com, where I spend too much time.

Good for security, but it doesn't solve the problem. From what I've been reading it seems you can make it

more difficult.

 

But anyone who is daft enough to look at code knows how to find it.

 

Now when you 'view source' you get a link to the code.....

<script src="http://code.createjs.com/createjs-2013.12.12.min.js"></script>

Correct me if I'm wrong but this is where the browser displays the script you are running

and you just click on it to see it.

 

So.

 

Could there be a way to stop the browser showing that script link using a server side script?

 

YES!    But I don't know what it is. PHP?

            <?phpfunction spamcheck($field){if (eregi("to:",$field) || eregi("cc:",$field)){	return TRUE;}else{	return FALSE;}}if (isset($_REQUEST['email'])){$mailcheck = spamcheck($_REQUEST['email']);if ($mailcheck==TRUE){echo "Invalid input.";}else{	$name = $_REQUEST['name'];	$email = $_REQUEST['email'];	$subject = $_REQUEST['subject'];	$message = $_REQUEST['message'];	mail("an-email@address", "Subject: $subject", 	$message, "From: $email"); 		echo "Thanks. We'll be in touch soon.";}}else{echo "<center style='margin-top: 800px;'><form method='post' action='contact.php'>		<table>	<tr><td>Name:</td><td><input type='text' name='name'></td></tr><tr><td>Email:</td><td><input type='text' name='email'></td></tr><tr><td>Subject:</td><td><input type='text' name='subject'></td></tr><tr><td>Message:</td></tr><tr><td colspan='2'><textarea name='message' rows='15' cols='40'></textarea></td></tr><tr><td><input type='submit' /></td></tr></table></form></center>";}?>

That works beautifully right click and no code where the form is. So it's using PHP to create the html and take it away.

Still not an answer but might help with the question. 

[SolarJS]

Thanks for your help. I know it's not possible to prevent people to look at the script (for example you can simply bypass all javascript protections to hide your scritp by simply installing a proxy).

 

I mainly want to obfuscate and to make it unreadable in order to make the code extremely hard to understand. This is just to keep 99% away. Those who could have written it anyway can't be blocked. It's all a matter of time and knowledge you have to invest to understand it. And this barrier I want to rise

 

I first thought jscrambler would to the job, but it has a noticeable impact on performance, unfortunately...

[harrywatson]

The only other thing I can think of, is to tweak your naming conventions and use your code

comments as a diversion.

//The space ships are created here//so don't write the code here for the space ships - make it in another file//link code snippets small and widevar momo = new dog(); //so momo isn't momo and dog isn't dog the user will see a cat maybedog.x = 0;dog.y = 0;

It would be a lot of work, I know I'd find it difficult to work out.

If I were to do it I would make an encryption on paper ...  Dog (name) will = cat (name)

1 will = 7, hat will = shoe. Then I'd make long helpful looking comments.

Such as; //Remember the dog function 'MUST' be placed in the 'head' section

of your html file...

and of course that would be wrong.

 

Then you could leave your code as clear as day to yourself, but not make sense

initially, to those that read code. No performance lag. Just a thought. =>

 

Call your images folder 'PHPincludes'. etc

[harrywatson]

Also - I haven't tried this - YET.

 

Put a whole lot of dead misnamed links in your html file.

<?php $ head = [null];$ head = ['refresh.content.src'];?><!--So make it up, and lots of it--><script src="gameFile/gallery.js"></script><script src="goofys-revenge/functions.js"></script><script src="Central-file/IMAGES.js"></script>

Hang on I'll just try it.......

yep - the dead links seem to work perfect...

Should slow 'em down heaps, the more unique names the better.

It won't matter if your html file is 5mtrs long, computer/browser will

grab the right link and give the 'right clicker' on the wrong link

a 'no such file on this server' message.

 

Should slow down the 'cruisers' - like me. 

[Ryan]

I'm also wondering this. How much time should you invest in trying to protect your code? At the end of the day, if someone really wants to get it, there will be a way. Also keep in mind that anyone who takes the time to steal your game was never going to by a license from you anyway. Those two types of people don't mix. It doesn't take away from the frustration of having your work stolen though.

 

As mentioned in the thread, I only know of https://jscrambler.com and it's not a cheap option for casual devs.

 

I'll keep on the look out and post here if I find anything.

[Gio]

First of all, if you really want to protect your code, do so server side. It really isn't very difficult, and it's the only safe way.

Having said that, regarding client-side techniques to make it harder for people to look at your code... I'd like to share a trick that we've been using for some time. It's just this script for prompt.js that I made specifically for WADE users, but could obviously be done for any other framework as well.

This is something you'd use in conjunction with other techniques, such as minifying your code and using eval rather than script tags to make it harder to debug (little used technique that actually helps a lot).

So the idea is that you can minify your code, and this will make it less readable. However, all the calls to the underlying framework are still very readable. Our script will scan your code, find all the calls to WADE functions, and replace their names with numbers. This actually has a positive impact on performance.

For example:

wade.loadScene() may be replaced with wade[2]()
wade.fadeOutLayer() may be replaced with wade[7]()

and so on. The things is, the numbers are different for each project, so there is no easy way to link numbers to function names. Of course there is a bit of obfuscated code that internally links numbers to names, but to the best of my knowledge it's never been de-obfuscated yet. And even when it is de-obfuscated, it will take me 10 minutes to change the obfuscation technique in the script. Also, the obfuscation script is open source and users are encouraged to tinker with it and personalize the obfuscation method.

I think the bottom line is: use your own custom obfuscation technique, and get it to a point where it takes you much less effort to change it, than it would take an attacker to figure it out.

[enriqueto]

We use jscrambler and it works alright, haven't noticed any impact on performance as far as I know.

 

Protection is key if you sell non exclusive licenses and don't want to see your game going virally everywhere

[SolarJS]

@harryWatson

Thanks for your effort. Maybe it's a component to add too.

 

@FyreTale

This is not to protect from potentioal customers, but mainly from these ripping sites etc.

 

@Gio

I think I will follow this road too.

 

@RavalMatic

I saw a strong performance hit, especially on Android stockbrowsers.

 

View also here to 6 reasons against it:

http://www.html5gamedevs.com/topic/5807-best-way-to-hide-javascript-code/?p=65903

 

And a performance real life test:

http://jsperf.com/jscrambler/5

[enriqueto]

it may be, I usually use the option "Source code optimization" instead of "Source code protection" and then "sitelock". That may be the reason why I haven't noticed performance hits.