Hacker News new | past | comments | ask | show | jobs | submit login
Browser Games Aren't an Easy Target (jakob.space)
106 points by jsnell 11 days ago | hide | past | web | favorite | 50 comments

> So I went back to the debugger and placed some breakpoints around where the WebAssembly module is loaded, realizing that its only purpose is to deobfuscate the JavaScript that eventually makes it into that "SOURCE" pseudo-file I saw earlier. [...]

> So… the WebAssembly is essentially generating JavaScript on-the-fly. Of course, all renditions of the code do the same thing, but the variable names are changing. [...]

> So it seems the WebAssembly module is doing some sort of tampering checking, [...]

I remember various discussions when WASM was specced about the danger of WASM blobs being used for code obfuscation.

The fears were dismissed with the argument that WASM is easy to decompile and that there is a textual representation to preserve "view source" functionality.

And yet, as soon as WASM is practically usable, we get this - an application that uses WASM solely because it is hard to inspect in the browser.

JavaScript has it covered pretty well.


jsfuck is hardly obfuscation: remove the first 828 bytes (for "eval(") and the last 3 bytes (for ")()"), and then execute the remaining string, and that gives you the original source code.

You would need to be able to dynamically find that 828, I think it is entirely trivial to have a jsfuck2 that produces a non deterministic "eval(" structure of arbitrary length.

Javascript can be obfuscated too. What is the difference?

Yeah, it would seem that JS can be sufficiently obfuscated already.

Well, someone went to the trouble of writing a Rust binary just to hide the game code, when they could have used standard JS obfuscation instead. This suggests to me that WASM has some properties that make reverse-engeneering harder than obfuscated JS could do alone.

This would give some validity to the fears of WASM becoming the "new Flash" that were voiced when it was still in development.

> new Flash

... but Flash was easy to reverse too, just download the .swf file and use one of many tools to reverse engineer it. It's probably why there are so many "hacked" flash games available if you search for them.

I never really found any of those tools. Granted I could have looked harder. Perhaps I was looking in the open source world too much and they usually came as binaries?

To be fair, they probably have more practical reasons for using Rust than simply to obfuscate the code.

Why should someone be forced to make their IP "open" just because someone else on the internet feels entitled to read and potentially copy/modify/... their code?

Because the code is being executed on my machine, with my data, using my online identity.

Until now, the general understanding for the web platform was that code that runs on a user's machine is also inspectable by that user. A large number of browser functions are developed with that understanding in mind.

You can argue that this practice should be changed, but that would be a rather fundamental change to the way the web works and the advantages and disadvantages should be discussed.

As a practical point: I don't condone cheating in multiplayer games, but the exact same obfuscation techniques that a game might use for legitimate reasons are also available to malware. If you make a general rule that programs should be hands-off to everyone except the devs (and browsers should change their tools accordingly), the same benefits will be given to malware.

> Because the code is being executed on my machine, with my data, using my online identity.

You chose to execute someone else's code by visiting their website. The mere act of voluntarily executing someone else's code doesn't entitle you to it's source. Feel free to not visit the site, and looking at the top Alexa sites, your insistence of code audit-ability would leave you with very few viable, high quality choices.

> general understanding for the web platform was that code....

Untrue. It just so happened that the early web was a collection of static documents, and js was a hack to add some trivial functionality. Only recently has the web turned into a full fledged app development platform.

> fundamental change to the way the web works ....

Again, this is an anachronistic view of the web. We're well past a collection of static documents

> the same benefits will be given to malware ...

Goes without saying that technology can and will be used for good and bad. While one can legislate to discourage the bad, simply demanding code to be open sourced, as an argument for deterrence is unture, inaccurate and hampers innovation.

In summary: No one is entitled to someone else's web app code.

> You chose to execute someone else's code by visiting their website.

I block JS by default until I get at least a basic understanding what the site wants to do. So I explicitly choose not to execute their code before I have some reason to trust the site.

> Untrue. It just so happened that the early web was a collection of static documents, and js was a hack to add some trivial functionality.

And yet every browser has a "view source" button and extensive developer tools to give users the ability to both inspect as well as change what the website is doing. Not to mention extension ecosystems that are all about tampering with website code.

> ...and hampers innovation.

Given how the web platform is still going strong after 30 years and in fact is one of the dominant and fastest-innovating software ecosystems today, it evidently didn't.

Actually, "view source" can be a driver of innovation by giving novices an easy way so see and experiment with real-world code and a way for the broader community to quickly learn from each other's mistakes: https://blog.codinghorror.com/the-power-of-view-source/

> I block JS by default until I get at least a basic understanding what the site wants to do. So I explicitly choose not to execute their code before I have some reason to trust the site.

But then the only difference is unobfuscated wasm vs unobfuscated javascript. In both cases an obfuscation can easily hide the scary bits anyway.

The presence of "View Source", or extensions, or the ability to modify js is not evidence backing "All web apps need/were-meant to be open source".

Just to be clear, you can pick any x86 binary and disassemble it to x86 assembly, and if you know your way around gdb, single step and view registers,etc. This is not evidence of "all programs were meant to be open source, else we'd not have disassemblers and debuggers"

And lastly, how you choose to enable/disable js is of zero relevance to arguments for/against open sourcing web apps.

I also take a weird pleasure in running `scanmem` on some of these io games (not the multiplayer ones) and just messing with the values so that I can win everything.

I know a lot of time and effort goes into game development, and that I should take the time to appreciate the rhythm of the story and the nuances of the gameplay... but I am an addict.

I don't casually play games. I'm all in, or not at all. I will play day and night until a game is finished and then I will move on with my life. As an adult with a full time career I can't do these marathon sessions anymore, and so cheating is a great means for me to accelerate through a game, tick the mental block of completion, and then be refreshed Monday morning with my mind focused on work.

It's cool, you're just playing a different game.

It's slightly annoying that when I create a new game (for the browser) or think of ideas for games I inspect things through the lens of cheat-enabling. It happens to the point that I dismiss ideas based on the fact that there is no viable way for me to stop cheating when it leverages it. The funny thing is that I did most of what I could (source-like networking) and basically no one plays my games so the risk of cheaters spoiling it for everyone is super slim. I wonder if it ever makes sense to think in those categories or am I just paranoid.

Why do you say "for the browser"? Unless you are working on a system with a ludicrous amount of effective DRM (which I hope we all hate for other reasons, and which means we are only really talking about consoles: the closest casual gaming platform you are going to get to "locked down system owned by the manufacturer" is an iPhone, and in practice they don't go quite far enough), players are always going to be able to modify your code: you can't prevent a user "cheating" (which I put in quotes, as I feel like you need to really question whether the environment you set up where that matters isn't somehow itself broken; maybe you are already doing that by "source-like networking", but I don't know the terminology context).

The only way to stop players from cheating in a multiplayer game is to make the server the authoritative source for any information you want to stop players from messing with.

If it's a single player game, then who cares?

The games are multiplayer and the server is authoritative. That doesn't mean the games can't be played with cheats, eg. wall-hack, auto-aim, etc.

Yeah, you need to have another (more invasive/fragile) solution for things that involve scripting input like auto-aim. Wallhacks can be prevented by not sending location data for units that players shouldn't be able to see though.

that does kinda feel like premature optimisation. First make a game. Second make a game that people want to play. Third make a game that people want to hack. Then maybe look at stopping them from doing that.

Hard to resist that nagging thought, though.

Knowing and designing around the unavoidable wave of cheaters is extremely important when building online games.

If you build a multiplayer game then come back to "deal with cheaters" only a few months before launch (or heaven forbid, after launch) you're probably going to end up taking the easy route by using invasion ~~spyware~~ DRM solutions, which don't stop cheaters once it's broken. To contrast, designing the game around cheaters means you might actually implement sane networking design, such as nearly everything being server-authoritative, aka. "never trust the client". If your client is broken in to, the best your cheaters can do is script the game (scripting cheats are currently the only ones available for Dota2 and probably League of Legends) or see a small amount of information that's otherwise unknown (for dota 2 you can see which enemy illusions are fake, for example).

Of course this approach can be taken too far, eg. in Call of Duty: Modern Warfare (the new one) sometimes your camera positioning can lag due to packet loss; this probably stops some aimbots but things like camera orientation probably shouldn't be handled server-side.

And, as with premature optimisation, mantras don't communicate any of the subtleties around the fact that many concerns can influence your code at the same time.

On the other hand people don't like playing a multiplayer game when other people are badly hacking.

Very enjoyable read. It was especially interesting seeing the obfuscation techniques the devs had created to prevent cheating using WebAssembly.

Alas, we killed Flash. It's undeniable that that technology enabled a Cambrian explosion of creativity.

I put most of the blame on Adobe, they handled Flash and the related technologies as Flex/AIR badly. I think if they wuld have start from scrtch with an open source implementation of the player it would have had a better success, at tat time the only alternative was Java applets or Silverlight.

I liked the idea you had Flash off by default and you enable it only for the page or section of page you liked, I am running now Vivaldi with Javascript off by default because we have a even more garbage experience now with JS, like on BBC news with JS off the links are broken (wtf the web developers can't even create a working link without JS)

What makes you think it isn't a requirement coming from their superiors?

There are many reasons your link may not work. Why do you assume incompetence?

Because the link opens a different news, you click on article A but it opens article B,also the pages work without JS(except the videos or fancy image galleries) only the navigation seems to be broken . A competent developer will show you a blank page and explain that you need to enable Java Script(it could be also not testing the webpage with JS off combined with using JS to layout stuff).

The problem is not JS the language but how it is abused and similar to Flash you get people installing plugins or turning it off in settings and white-listing JS on necessary pages, in my case I will not read the article most of the time or use a private window.

>A competent developer will show you a blank page and explain that you need to enable Java Script

I completely disagree with this, if I'm understanding you correctly. As someone who disables Javascript, I don't want you to purposely break a page that previously worked (in the sense of being able to read the content of the article) simply because a portion of it which I might not even use doesn't work.

The fully competent solution would be to use progressive enhancement[1] (i.e., use functioning anchor elements initially, and use Javascript to add the Javascript-only functionality on top of the HTML solution).

If you don't have time for that, the somewhat-competent solution for alerting non-technical users that Javascript is disabled would be to add a banner at the top of the page (like Stack Exchange does) stating that some features will be broken without Javascript.

[1] https://en.wikipedia.org/wiki/Progressive_enhancement

I agree, the blank page with JS is required should be the least thing they can do instead of some pages where you just get a loading animation. In this case the page appears to work but the links are broken so you can read the titles but frustratingly you are directed to a different article.

Never attribute to malice what can be adequately explained by stupidity

... or corruption. ;)

So you are saying that their superiors are incompetent. Or the superior’s superiors are incompetent. And that seems true enough?

I'm surprised someone hasn't made a flash-equivalent framework/environment for html5 or webassembly yet.

With the programming language Haxe and the library OpenFL you can actually create "flash" games for HTML5 using the old school flash API and everything.

We have, with Construct 3 (https://www.construct.net)

Recent addition of our timeline editor means we think it ticks all the boxes as a replacement.

I wouldn't have thought to look there. I'm sure there's many ex-flash devs who would be happy to check it out if they knew.

Any ideas on how best to reach them?

I know lots of indies that hang out on twitter, maybe some appropriate replies or hashtags for people searching?

There's also a handful of forums, gamedev.net tigsource and others.

StackOverflow is a common place to search for answers, if you can find questions asked about "what can I use instead of flash" without coming across as an advertisement.

Can you create graphical assets within engine in Construct (vector or raster) or do you need to import them?

Yes, within Construct 3 you are able to create your graphical assets. Here's a demonstration of someone adding a sprite to their game which shows the interface for drawing the raster sprite: http://www.youtube.com/watch?v=gVGOYvZxlqk&t=3m8s

Yes you can create them within the editor, and we've recently added support for importing SVG's.

Yeah, Flash created a golden age of indie animation and gaming. Although I think Macromedia has more to do with that than Adobe. Macromedia Flash was both affordable and easily pirateable, putting it in the hands of millions of budding artists.

Then Adobe bought it and duct-taped it to the Creative Suite and switched to a subscription-based business model.

Have you heard of Hordes.io? It's an advanced multiplayer .io game.

A very decent breakdown of some more modern obfuscation and deobfuscation techniques. It's nice to see some Rust getting used as well, I wonder if it's made things easier or more difficult for the krunker.io dev in the long-run.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact