0

So my game has around 300+ images and they are all loaded from a subdomain inside a SWF file. Now what they do is they use "inspect element" using the Chrome browser and go to Network and open them in a new tab for the images they want. They can't right-click and "save image as" in the SWF webpage because it's a SWF file browser-based game.

What I wanted to know is if we can block them viewing the files on our website somehow but still allow them to be loaded into the game? I'm not sure if this can be done by only allowing our main domain to get files from the subdomain and not allow people to just visit http://sub.mydomain.com/image.png and save the image.

winhowes
TheGod39
  • If you are in control of that subdomain, a quick and easy way might be to restrict the access to the images based on your (swf) domain. They will be visible when your swf tries to "view" them but will be blocked by the server for any other access. If you are on a *nix server you have to look for "htaccess". This looks promising: http://stackoverflow.com/questions/10236717/htaccess-how-to-prevent-a-file-from-direct-url-access (replace localhost with your domain). Although the image will still end up in the user's cache and can be obtained from there – Philarmon May 02 '16 at 11:11

2 Answers

0

Because of how the internet works it's technically impossible. When someone visits your site, their browser makes a request which gets back an image. So at that point the image is sitting on their computer somewhere and most likely temporarily. So by seeing the image they have "downloaded it".

That being said, you can make things more difficult (security by obscurity) by doing things like:

  1. Requiring a custom user agent (depending on how you get the images for your game though, this might be hard).
  2. Only return the image if a certain header is sent along (a more generalized version of #1).
  3. Create a map of one-time keys to each image. The key must be present in the request (either as a header or query param). Every time an image is requested, the key would change so they couldn't just copy the link into a new tab in their browser.
  4. Use obfuscated JavaScript to create the image using SVGs - no image files to download.
  5. Only return images if the HTTP method is POST or something other than GET. In fairness, this one's a bit weird (though all of these are), so I wouldn't recommend it.
  6. Rename the image file every time it's loaded (similar to the key concept).

At the end of the day though these are just barriers; a determined user can still get the image and almost any user can just screenshot the image. So it probably isn't worth your time.

winhowes
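A sketch of the one-time key map from item 3 of the list above, as an added example that is not part of the original answer. The class name, function names, the 30-second lifetime and the `/image.png` path are assumptions made for illustration.

```python
import secrets
import time

KEY_TTL_SECONDS = 30  # assumed lifetime for a key that is never used


class OneTimeImageKeys:
    """Server-side map of single-use keys to image paths."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._keys = {}  # key -> (image_path, expiry)

    def issue(self, image_path):
        """Called when the game session asks for an image URL."""
        key = secrets.token_urlsafe(32)
        self._keys[key] = (image_path, self._clock() + KEY_TTL_SECONDS)
        return key

    def redeem(self, key, image_path):
        """Consume the key; True only for its first, unexpired, matching use."""
        entry = self._keys.pop(key, None)  # pop: lookup and invalidation together
        if entry is None:
            return False
        bound_path, expiry = entry
        return bound_path == image_path and self._clock() <= expiry


def handle_image_request(store, image_path, key):
    """Return the HTTP status the image endpoint would send."""
    if key is None or not store.redeem(key, image_path):
        return 403
    return 200


def demo():
    store = OneTimeImageKeys()
    key = store.issue("/image.png")
    first = handle_image_request(store, "/image.png", key)    # the game's own load
    replay = handle_image_request(store, "/image.png", key)   # URL copied to a new tab
    no_key = handle_image_request(store, "/image.png", None)  # bare direct visit
    return first, replay, no_key


if __name__ == "__main__":
    print(demo())
```

The key is consumed even when the path does not match, so a guessed or mistyped request cannot be retried with the same key.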
0

One way could be to obfuscate the bytes of images. This means deliberately mixing up the bytes and then have your game SWF load the bytes, refix them and display output.

Since the images are only viewable when your SWF app "fixes" them during runtime, anyone just getting the image file via URL ends up with a corrupt image. Now the only way to fix is to know exactly what your game code is doing to those bytes to make them displayable.

Very Basic Example:
Write a program that given a file's bytes will take 10 bytes & reverse order them, keep next 10 bytes normal (i.e. skip them), reverse order the next 10 and skip next 10, etc. Save the image to server. Now your SWF is programmed to know to reverse-order every 10 bytes (making already reversed back to normal order), skip 10 and so on. It does this after loading said image bytes. Instead of the usual load bytes, decode format and show pixels (which would fail), it should instead load bytes, fix the messed-up bytes, then decode and show pixels.

The opening first 10 bytes of a PNG look like this: 89 50 4E 47 0D 0A 1A 0A 00 00
but if you reverse them they look like 00 00 0A 1A 0A 0D 47 4E 50 89. Now try to open a PNG file with those (reversed) first 10 bytes and every program will tell you this is an invalid image. Content thief is left frustrated.

That alone might help you but some may figure it out if they know PNG bytes. It would be clever to vary which amount of bytes get obfuscated and how often, thus the pattern is not easily obvious.

VC.One
  • That's a cool idea, although the files are harder to maintain :) – Philarmon May 02 '16 at 11:06
  • @Philarmon, Thanks. Hard maintenance how? He can just keep original copies offline (backups) and only put the obfuscated-bytes PNGs on the game server. Anyways I thought he was a Flash coder so could have used AS3 & AIR to target a folder and his code would auto obfuscate each found PNG file, later he could upload all the edited content to game server. By making his own app/tool that he points to a folder and it does its job, he would have a protection system. Just clear the folder and put new ones in there & run the tool whenever needed then upload results to server. – VC.One May 02 '16 at 13:57
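The reverse-10, skip-10 scheme from the answer above, together with the folder tool described in the last comment, as an added example that is not the answerer's code. Python stands in for the AS3/AIR tool mentioned there; the function names are assumptions, and the sample bytes are constructed, not a real image.

```python
from pathlib import Path

PNG_SIGNATURE = bytes.fromhex("89504E470D0A1A0A")
BLOCK = 10


def toggle_blocks(data, block=BLOCK):
    """Reverse every other block of `block` bytes; the blocks between stay as they are.

    Reversal is its own inverse and block boundaries depend only on the length,
    so the same function obfuscates a file and restores it.
    """
    out = bytearray(data)
    for start in range(0, len(out), 2 * block):
        end = min(start + block, len(out))  # a short final block is reversed too
        out[start:end] = out[start:end][::-1]
    return bytes(out)


def looks_like_png(data):
    """The check an image viewer makes first: the 8-byte PNG signature."""
    return data.startswith(PNG_SIGNATURE)


def obfuscate_folder(src_dir, dst_dir):
    """Write an obfuscated copy of every .png in src_dir; originals are untouched."""
    dst = Path(dst_dir)
    dst.mkdir(parents=True, exist_ok=True)
    written = []
    for png in sorted(Path(src_dir).glob("*.png")):
        (dst / png.name).write_bytes(toggle_blocks(png.read_bytes()))
        written.append(png.name)
    return written


def sample_png_bytes():
    """Constructed 45-byte sample: signature, IHDR length and tag, then filler."""
    return PNG_SIGNATURE + bytes.fromhex("0000000D") + b"IHDR" + bytes(range(29))


if __name__ == "__main__":
    original = sample_png_bytes()
    stored = toggle_blocks(original)
    print(stored[:10].hex(" "), looks_like_png(stored))
    print(toggle_blocks(stored) == original)
```

The SWF has to apply the same transform to the loaded bytes before decoding them, with the same block size the tool used.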