Protecting source

[jar4563]

Hi

I wanted to ask a question regarding publishing your game, do you guys use obfuscating or something like that when releasing your games? Or will you just go open source hoping no one steals your game?

I'm concerned about this because if I am to sell a game someday it seems it needs some kind of protection (Because it's in javascript)

 

thx for your thoughts 

 

Edited July 21, 2020 by jar4563

[b10b]

You asked this last year?  Again my recommendation would be to search the forums for "obfuscation", there are some good replies from multiple people with links to tools and techniques.  If you really need to protect your IP you'll need to think differently to slapping on some obfuscation at the end.

 

Or ... if someone steals your game maybe consider it a compliment?  I'm complimented daily, especially on Facebook.

[jar4563]

3 minutes ago, b10b said:

You asked this last year?  Again my recommendation would be to search the forums for "obfuscation", there are some good replies from multiple people with links to tools and techniques.  If you really need to protect your IP you'll need to think differently to slapping on some obfuscation at the end.

 

Or ... if someone steals your game maybe consider it a compliment?  I'm complimented daily, especially on Facebook.

 

wow didn't even remember being here last year lol. (Sorry about that!)

 

will try searching the forum

thx

 

Edited July 21, 2020 by jar4563

[jar4563]

While there's many obfuscators out there is there one that can go through all your code files and create obfuscated versions in another folder of them?

you know automated process so you don't have to copy&paste each file contents to get it obfuscated/minimized

Edited July 21, 2020 by jar4563

[b10b]

1 hour ago, jar4563 said:

While there's many obfuscators out there is there one that can go through all your code files and create obfuscated versions in another folder of them?

you know automated process so you don't have to copy&paste each file contents to get it obfuscated/minimized

I guess you're not using a "bundler" already?  Worth looking into that first, e.g. Webpack?  Then adding a plugin to obfuscate or "uglify" is easy enough.  I don't use this stuff much anymore so I'll just drop some links:

https://webpack.js.org/

https://webpack.js.org/plugins/uglifyjs-webpack-plugin/

[jar4563]

16 hours ago, b10b said:

I guess you're not using a "bundler" already?  Worth looking into that first, e.g. Webpack?  Then adding a plugin to obfuscate or "uglify" is easy enough.  I don't use this stuff much anymore so I'll just drop some links:

https://webpack.js.org/

https://webpack.js.org/plugins/uglifyjs-webpack-plugin/

 

hmm why is it that it requires node? I would prefer something easier to get started with as I have never used Node. It sounds complicated... or is it what all js scripters use?

[jar4563]

 

Found this tool from google: https://developers.google.com/closure/compiler/?csw=1  

 

any one use it?

 

just need batch script or something to go through all the files

 

Edited July 22, 2020 by jar4563

[b10b]

4 hours ago, jar4563 said:

hmm why is it that it requires node? I would prefer something easier to get started with as I have never used Node. It sounds complicated... or is it what all js scripters use?

I understand a reluctance towards dependencies, but Node probably isn't the enemy on that front.  Consider the amount of tooling it brings for a single install, and most of that tooling is powered by or leverages Javascript (so less need for "batch" scripts etc).  It's probably one of the strongest and versatile dependencies to embrace (as a Javascript developer).

Closure is also cool, and can play nicely with Node - there are Node packages to manage its install and interface with it - some packages require it as a dependency to do what they set out to do.

[jar4563]

35 minutes ago, b10b said:

there are Node packages to manage its install and interface with it

 

Well you got me interested in it. pain to use though as i don't really know what to look for and I think npm just got stuck lol

[b10b]

Just now, jar4563 said:

I think npm just got stuck lol

lol some might say welcome to npm, others might say look at yarn.  Anyways ... this is a recurring theme of the often crazy world of Javascript development ... a seemingly endless rabbit warren of fixes to fix other fixes ... 

I prefer to use Haxe instead.

[jar4563]

i may not be 100% clear on what Haxe does (converting from one language to another?) but I'd like to stay web browser compatible with JS

[b10b]

On 7/23/2020 at 6:54 AM, jar4563 said:

i may not be 100% clear on what Haxe does (converting from one language to another?) but I'd like to stay web browser compatible with JS

Understandable, Haxe (a language and transcompiler) is multi-purpose so may appear overkill for a simple browser project (which Haxe also does extremely well).

But - back to original question about protecting source - consider that Haxe compiles and bundles JS into a single file by default, no bundler needed, and then with a simple compiler command can uglify it (using Closure lib or the Uglify node lib).  Plus all "source" is protected to a degree because the original is never published, so the competitive advantage of fast evolution is kept offline.  Furthermore, if you really want to show off, because of the inherent transcompiling / isomorphic nature, chunks of the game logic can be remoted and become server authoritative, thereby *genuinely protecting* the secret-sauce. 

 Before I get flamed for my fanboy post, I will add much of this can be done with modern JS ... just with more dependencies and update pita imo.

[jar4563]

18 hours ago, b10b said:

Furthermore, if you really want to show off, because of the inherent transcompiling / isomorphic nature, chunks of the game logic can be remoted and become server authoritative, thereby *genuinely protecting* the secret-sauce. 

I have heard about this before. Does it in JS mean that first JS connects to the server and then the server sends more JS code to client which client then executes? Thus not having the code in client files

and the code can only be catched by some kind of network packet sniffer?

Edited July 25, 2020 by jar4563
elaboration

[b10b]

12 hours ago, jar4563 said:

Does it in JS mean that first JS connects to the server and then the server sends more JS code to client which client then executes?

JS client connects to the server, usually sending some parameters, the server issues a response based on those parameters (and sometimes an ongoing state).  That response is not normally code to be executed by the client, but more normally a data response (like any other typical function).  That data modifies client state, influencing view, user input, and subsequent method calls (either local or remote).

It's not a magical protection solution on its own because the data returned from a remote function still lands at the client and can be manipulated there.  Server-authoritative is achieved if the primary state is maintained on the server and the client becomes a secondary state - perhaps just reflecting the view and listening to inputs.  I'm at risk of trivialising what can often be a fascinating system-design challenge ... most web apps will use remote methods, whereas it's less common in web games.

[jar4563]

I'm trying to use the google closure compiler but ran into a problem

I have this class:

 

class ArrayCleanUp extends EventTarget 
{

constructor(array,obj)
{
 super();
 this.array = array;
 this.obj = obj;
}

cleanup()
{
 //console.log("CLEANING UP");
 deleteFromArray(this.array,this.obj);
}

}

function sendCleanupEvent(elem)
{
var eventName = "GameCleanup";

const event = new Event(eventName);

// Listen for the event.
elem.addEventListener(eventName, function (e) 
{

e.target.cleanup();

}, false);

// Dispatch the event.
elem.dispatchEvent(event);

};


// The call:
sendCleanupEvent(new ArrayCleanUp(projectiles,this));

 

But when running the obfuscated code I get this error:

 

Uncaught TypeError: Failed to construct 'EventTarget': Please use the 'new' operator, this DOM object constructor cannot be called as a function.
    at new ArrayCleanUp (alltest.js:12)
    at Projectile.deleteObj (alltest.js:41)
    at Object.updateBattle [as update] (alltest.js:47)
    at updateCanvas (alltest.js:68)

 

And this is the obfuscated code:

 

var ArrayCleanUp=function(a,b){var c=EventTarget.call(this)||this;c.array=a;c.obj=b;return c};$jscomp.inherits(ArrayCleanUp,EventTarget);ArrayCleanUp.prototype.cleanup=function(){deleteFromArray(this.array,this.obj)};function sendCleanupEvent(a){var b=new Event("GameCleanup");a.addEventListener("GameCleanup",function(c){c.target.cleanup()},!1);a.dispatchEvent(b)}

 

Same beautified:

 

var ArrayCleanUp = function(a, b) {
    var c = EventTarget.call(this) || this;
    c.array = a;
    c.obj = b;
    return c
};
$jscomp.inherits(ArrayCleanUp, EventTarget);
ArrayCleanUp.prototype.cleanup = function() {
    deleteFromArray(this.array, this.obj)
};

function sendCleanupEvent(a) {
    var b = new Event("GameCleanup");
    a.addEventListener("GameCleanup", function(c) {
        c.target.cleanup()
    }, !1);
    a.dispatchEvent(b)
}

 

 

Anyone know what's wrong?

Edited August 9, 2020 by jar4563
More code