SolarJS Posted October 23, 2014 Share Posted October 23, 2014 EDIT:6 reasons to NOT use JSCRAMBLER (after massive testing):http://www.html5gamedevs.com/topic/5807-best-way-to-hide-javascript-code/?p=65903 And a shocking JScrambler performance test: http://jsperf.com/jscrambler/5________________________________________________________________________ I am just curious, how do you guys track where and how often your games are played? Also, which kind of protection, if any, do you use to protect / obfuscate your code? I wonder if there's a useful solution whithout harming performance too much... Quote Link to comment Share on other sites More sharing options...
Stephan Posted October 23, 2014 Share Posted October 23, 2014 I am considering to use JScrambler for a part of my code in the next project. I have no idea of the impact of this on the performance but I think it should be ok as long as you leave the game engine itself in its original state. Quote Link to comment Share on other sites More sharing options...
SolarJS Posted October 23, 2014 Author Share Posted October 23, 2014 I thought so too, but it has a noticeable impact on performance. I get constant 60fps on an iPad2 with the original non-minified/non-obfuscated engine. After JScrambler it drops down to 48-50fps and GC is higher Quote Link to comment Share on other sites More sharing options...
Stephan Posted October 23, 2014 Share Posted October 23, 2014 Thanx for this info, it's very useful indeed.I intend to obfuscate just a very small essential part of the app that isn't called frequently during the game. I will let you know my findings after I benched it. Quote Link to comment Share on other sites More sharing options...
SolarJS Posted October 25, 2014 Author Share Posted October 25, 2014 So, nobody protect his code or is tracking his games?!??? Quote Link to comment Share on other sites More sharing options...
harrywatson Posted October 27, 2014 Share Posted October 27, 2014 Why do you want to hide the code? Who's going to steal it?One of the best ways to learn is looking at what other people have done.Don't you want to share your knowledge? Do you think you are so goodthat people will take everything from you and then overtake you?What are you scared of? I'd be delighted if someone looked at my code.(and surprised). Here's a previous post link that might help you decide how to track your game progress... http://www.html5gamedevs.com/topic/7130-how-many-times-has-my-game-been-played/ If you want some further help I will even send you the code. Quote Link to comment Share on other sites More sharing options...
SolarJS Posted October 27, 2014 Author Share Posted October 27, 2014 Because I put a lot of effort in it and build my own engine which can run even fast 2,5D arcade games on mobile at 60fps using simple canvas rendering. As far as I see it, it's a one of a kind thing out there. And I want to protect this advantage. Sorry, I must have written it wrong. I meant track your games using tracking modules. Some kind of alternative to Flurry for HTML5. I want to track mainly on servers I do not control. EDIT: Since I answered only your unedited post, here is the follow up:Your link does not provide an answer I was looking for (see explanation above). harrywatson 1 Quote Link to comment Share on other sites More sharing options...
harrywatson Posted October 30, 2014 Share Posted October 30, 2014 Now I've trawled around looking for answers because I'm curious - how to hide code client side. Upshot of my studies is that you can't. You can obfuscate or disable right click, or for securityplace an index.html file in each folder and use.. <meta http-equiv="refresh" content="0; url=http://escapefan.com/">That will take anyone trying to look at any of my folders to escape fan.com, where I spend too much time.Good for security, but it doesn't solve the problem. From what I've been reading it seems you can make itmore difficult. But anyone who is daft enough to look at code knows how to find it. Now when you 'view source' you get a link to the code.....<script src="http://code.createjs.com/createjs-2013.12.12.min.js"></script>Correct me if I'm wrong but this is where the browser displays the script you are runningand you just click on it to see it. So. Could there be a way to stop the browser showing that script link using a server side script? YES! But I don't know what it is. PHP? <?phpfunction spamcheck($field){if (eregi("to:",$field) || eregi("cc:",$field)){ return TRUE;}else{ return FALSE;}}if (isset($_REQUEST['email'])){$mailcheck = spamcheck($_REQUEST['email']);if ($mailcheck==TRUE){echo "Invalid input.";}else{ $name = $_REQUEST['name']; $email = $_REQUEST['email']; $subject = $_REQUEST['subject']; $message = $_REQUEST['message']; mail("an-email@address", "Subject: $subject", $message, "From: $email"); echo "Thanks. We'll be in touch soon.";}}else{echo "<center style='margin-top: 800px;'><form method='post' action='contact.php'> <table> <tr><td>Name:</td><td><input type='text' name='name'></td></tr><tr><td>Email:</td><td><input type='text' name='email'></td></tr><tr><td>Subject:</td><td><input type='text' name='subject'></td></tr><tr><td>Message:</td></tr><tr><td colspan='2'><textarea name='message' rows='15' cols='40'></textarea></td></tr><tr><td><input type='submit' /></td></tr></table></form></center>";}?>That works beautifully right click and no code where the form is. So it's using PHP to create the html and take it away.Still not an answer but might help with the question. SolarJS 1 Quote Link to comment Share on other sites More sharing options...
SolarJS Posted October 30, 2014 Author Share Posted October 30, 2014 Thanks for your help. I know it's not possible to prevent people to look at the script (for example you can simply bypass all javascript protections to hide your scritp by simply installing a proxy). I mainly want to obfuscate and to make it unreadable in order to make the code extremely hard to understand. This is just to keep 99% away. Those who could have written it anyway can't be blocked. It's all a matter of time and knowledge you have to invest to understand it. And this barrier I want to rise I first thought jscrambler would to the job, but it has a noticeable impact on performance, unfortunately... Quote Link to comment Share on other sites More sharing options...
harrywatson Posted November 1, 2014 Share Posted November 1, 2014 The only other thing I can think of, is to tweak your naming conventions and use your codecomments as a diversion.//The space ships are created here//so don't write the code here for the space ships - make it in another file//link code snippets small and widevar momo = new dog(); //so momo isn't momo and dog isn't dog the user will see a cat maybedog.x = 0;dog.y = 0;It would be a lot of work, I know I'd find it difficult to work out.If I were to do it I would make an encryption on paper ... Dog (name) will = cat (name)1 will = 7, hat will = shoe. Then I'd make long helpful looking comments.Such as; //Remember the dog function 'MUST' be placed in the 'head' sectionof your html file...and of course that would be wrong. Then you could leave your code as clear as day to yourself, but not make senseinitially, to those that read code. No performance lag. Just a thought. => Call your images folder 'PHPincludes'. etc Quote Link to comment Share on other sites More sharing options...
harrywatson Posted November 1, 2014 Share Posted November 1, 2014 Also - I haven't tried this - YET. Put a whole lot of dead misnamed links in your html file.<?php $ head = [null];$ head = ['refresh.content.src'];?><!--So make it up, and lots of it--><script src="gameFile/gallery.js"></script><script src="goofys-revenge/functions.js"></script><script src="Central-file/IMAGES.js"></script>Hang on I'll just try it.......yep - the dead links seem to work perfect...Should slow 'em down heaps, the more unique names the better.It won't matter if your html file is 5mtrs long, computer/browser willgrab the right link and give the 'right clicker' on the wrong linka 'no such file on this server' message. Should slow down the 'cruisers' - like me. Quote Link to comment Share on other sites More sharing options...
Ryan Posted November 6, 2014 Share Posted November 6, 2014 I'm also wondering this. How much time should you invest in trying to protect your code? At the end of the day, if someone really wants to get it, there will be a way. Also keep in mind that anyone who takes the time to steal your game was never going to by a license from you anyway. Those two types of people don't mix. It doesn't take away from the frustration of having your work stolen though. As mentioned in the thread, I only know of https://jscrambler.com and it's not a cheap option for casual devs. I'll keep on the look out and post here if I find anything. Quote Link to comment Share on other sites More sharing options...
Gio Posted November 6, 2014 Share Posted November 6, 2014 First of all, if you really want to protect your code, do so server side. It really isn't very difficult, and it's the only safe way.Having said that, regarding client-side techniques to make it harder for people to look at your code... I'd like to share a trick that we've been using for some time. It's just this script for prompt.js that I made specifically for WADE users, but could obviously be done for any other framework as well.This is something you'd use in conjunction with other techniques, such as minifying your code and using eval rather than script tags to make it harder to debug (little used technique that actually helps a lot).So the idea is that you can minify your code, and this will make it less readable. However, all the calls to the underlying framework are still very readable. Our script will scan your code, find all the calls to WADE functions, and replace their names with numbers. This actually has a positive impact on performance.For example:wade.loadScene() may be replaced with wade[2]()wade.fadeOutLayer() may be replaced with wade[7]()and so on. The things is, the numbers are different for each project, so there is no easy way to link numbers to function names. Of course there is a bit of obfuscated code that internally links numbers to names, but to the best of my knowledge it's never been de-obfuscated yet. And even when it is de-obfuscated, it will take me 10 minutes to change the obfuscation technique in the script. Also, the obfuscation script is open source and users are encouraged to tinker with it and personalize the obfuscation method.I think the bottom line is: use your own custom obfuscation technique, and get it to a point where it takes you much less effort to change it, than it would take an attacker to figure it out. SolarJS 1 Quote Link to comment Share on other sites More sharing options...
enriqueto Posted November 6, 2014 Share Posted November 6, 2014 We use jscrambler and it works alright, haven't noticed any impact on performance as far as I know. Protection is key if you sell non exclusive licenses and don't want to see your game going virally everywhere Quote Link to comment Share on other sites More sharing options...
SolarJS Posted November 6, 2014 Author Share Posted November 6, 2014 @harryWatsonThanks for your effort. Maybe it's a component to add too. @FyreTaleThis is not to protect from potentioal customers, but mainly from these ripping sites etc. @GioI think I will follow this road too. @RavalMaticI saw a strong performance hit, especially on Android stockbrowsers. View also here to 6 reasons against it:http://www.html5gamedevs.com/topic/5807-best-way-to-hide-javascript-code/?p=65903 And a performance real life test:http://jsperf.com/jscrambler/5 Quote Link to comment Share on other sites More sharing options...
enriqueto Posted November 8, 2014 Share Posted November 8, 2014 it may be, I usually use the option "Source code optimization" instead of "Source code protection" and then "sitelock". That may be the reason why I haven't noticed performance hits. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.