Web Deployment: How do you protect your assets?

??????

Diabolical Codemaster
Veteran
Joined
May 11, 2012
Messages
6,464
Reaction score
3,018
First Language
Binary
Primarily Uses
RMMZ
As the title says, I'm wondering how you protect your game assets/files when you deploy your game to a web server?

For example, perhaps you have some strange loading method that is able to hide variables from the global scope. A simple example of this might be hosting your game at mysite.com/realgame, but users have to go to mysite.com/play to play the game, where the /play route uses an iframe to embed the content from the /realgame route.

You could go a step further and then have the embedded /realgame route only accessible from the ip address that your website is located, so that people cant manually load up the /realgame route.

This simple method stops the $gameXXX and $dataXXX variables from being accessible within the global scope, so if someone was playing your game (at the /play route) and opened the console to try 'hack' gold or w.e for their player, the variables just wouldnt be defined in that scope, cause they are in the scope of the iframe element. (of course there are ways to extract such information, but that requires a substantial jump in knowledge compared to typing $gameParty.gainGold() or whatever).

So, what kind of methods do you use? Have you tried the above method? Has it worked well for you? Do you have additional steps to protect files? Tell me your secrets!! <3
 

DoubleX

Just a nameless weakling
Veteran
Joined
Jan 2, 2014
Messages
1,712
Reaction score
869
First Language
Chinese
Primarily Uses
N/A
While probably not feasible in MV and even anywhere yet(at least in the foreseeable future), I've thought of the following setup years before(nothing to do with MV at that time):
1. All the player gets from the server is the already rendered graphics markup(something like a highly compressed and obfuscated HTML), meaning that the client can only actually render that markup into final graphics on the screen
2. All the player feeds to the server is the raw keyboard/mouse inputs(pressed keys, clicked mouse buttons, raw mouse movements, etc), and everything else besides capturing raw inputs will be processed by the server

In theory, 1 can be done by purely server-side rendering, but of course the performance will suffer critically even if both the server and client machines are extremely powerful, because this setup demands the already rendered graphics markup to be sent per frame to ensure players won't get any extra information.
Similarly, 2 can be done by sending raw player inputs to the server per frame, but of course the server will have to process all those inputs within a frame, or player input lag would be too much(nowadays any lag above 10ms can already receive player complaints).

I've come up with this idea originally for an imaginary setup to make games that are nearly impossible to cheat(I had CS:GO in mind back then) under the premise that there's no cheating when there's no unfair information(of course the server security must still be on the highest level or player can just hack it instead), but unfortunately, the performance penalty of this setup is just too severe to be even possible lol
 
Last edited:

Ossra

Formerly Exhydra
Veteran
Joined
Aug 21, 2013
Messages
1,076
Reaction score
845
First Language
English
Primarily Uses
RMMV
I have tinkered around with a few casual obfuscation and anti-cheat methods. One is simply cramming all of the main code into a single file and enclosing that code within an anonymous function so as to seal away direct access to game constants ($gameVariables, etc). Then I used Google Closure to compress everything into an unreadable mess.

Within that mess I have also placed a small, obfuscated piece of code that will check to see what the current URL the game is being played at. Whenever the game is being played locally (via NWJS or phone app) or the URL does not match, a timer is set for roughly five minutes. Once that timer is reached, one of the game constants is set to null. This will continue until the game crashes. Since the error is actually caused by the lack of access to a variable, property, or so on that was stored in the constant, the error message that is displayed will reveal nothing about the sabotaging code which caused the error in the first place. I also sprinkle in several un-obfuscated and partially obfuscated pieces of code that do similar time sabotaging to waste the time of anyone attempting to strip out the protections. Basically I attempt to make it more trouble than it is worth to snag the game.

But really, an experienced and/or determined person will slip through those simple protections rather quickly. I wanted to protect against the low-effort people that grabbed up a game to shove out onto a phone app or another web site.
 

??????

Diabolical Codemaster
Veteran
Joined
May 11, 2012
Messages
6,464
Reaction score
3,018
First Language
Binary
Primarily Uses
RMMZ
Yea the performance hit of such a setup would certainly be pretty high, but i'm sure the large companies can do such things. I mean, look at the game streaming services available that use server based machines with multiple high end graphics card setups to provide a full virtual gaming machine to the end user. Like, if you had that as the backend, it wouldn't be as much of an issue, but lets face it, that's just not viable for a small time developer at all.

With my suggestion it would at least stop the newbs for a little while. Its not perfect by any means, but if there was some ways that could assist, then perhaps we could come up with a fair method for giving a little boost in security.

For example, if your graphical and audio files are encrypted in some good way, then its only really the code that needs protecting. Maybe there would be some way to write a web assembly module that is able to handle the loading of files without exposing the file routes etc to the users client directly, probably not, but there has to be something that people can be doing to protect their assets at least a little.

edit:
@Ossra that is at least something!! Every little thing helps really. And there might be a combination of techniques that just makes it not worth the hassle for most people who want to try. how would that help with plugins though? are those able to also be added into this one large file? what about plugin parameters and user configuration and such?
 
Last edited:

Kupotepo

Fantasy realist/ Forum Reactor‍/ Advocatus Diaboli
Veteran
Joined
Jul 5, 2017
Messages
1,816
Reaction score
1,820
First Language
Thai
Primarily Uses
RMMV
Here is the great posted about this, he said just like you said in the exchange of performance of the computers read the data. Not reading though that confused code lol.


Also I am wondering what the encryption algorithm the rpg maker used? Something like this I mean Advanced Encryption Standard (AES) or Rivest-Shamir-Adleman (RSA).
 
Last edited:

??????

Diabolical Codemaster
Veteran
Joined
May 11, 2012
Messages
6,464
Reaction score
3,018
First Language
Binary
Primarily Uses
RMMZ
Some interesting discussions there. ty for the links :)
 

Users Who Are Viewing This Thread (Users: 0, Guests: 2)

Latest Threads

Latest Posts

Latest Profile Posts

Just got two Switch E-Shop 20$ gift cards... Is 3D All-Stars worth it? Or should I get something like Celeste? I'd love to know your opinion!
I’m looking at the MZ full body images and I think Priscilla is taller than Reid...
Ami
--- Music Selection ---

M.Archer: It's Music Station,You can Change the Music as you like.
F.Healer: i want to hear the Romantic Music.
M.Fighter: Then,i want the Hard-Rock one!
(the Troll Song has played)
M.Archer: Hey,i hear this Music.
F.Healer: It's popular from Internet Music,i wonder who change it?
Hero: I change it.
Entire Party: YOU????
Had a soda for the first time in two months at my nephew's birthday party...it's amazing how once you are no longer addicted to soda, they actively taste like poison when you try to drink them. Couldn't even finish it.

Forum statistics

Threads
103,039
Messages
996,875
Members
134,514
Latest member
TheGeneral50
Top