The Security of MFAs

  • I'm looking to get back into doing some work with Fusion. I am wondering about the current state of security of MFAs embedded in the final products. I would like to do some work with the relay client, in particular. Are things like encryption keys at risk if there are known exploits to extract MFA files?

  • Well, from what I know, no file from the current build can be decompiled, and may never be, especially the ones from 2.5+.
    Another thing is that for the ones that can be decompiled (old builds), they have never figured out how to remove/open a password-protected group of events (especially the ones closed before exporting).
    Another thing to add is that custom icons, alt/global values/strings/flags and comments are also impossible to recover, so you may use that to your advantage.
    You can also rename some of the extensions you're using, especially the ones for encryption. You should rename the file both in Extensions and Data\Runtime for it to work correctly, and make sure they match.
    (Check the Unicode folder as well, and if you're exporting for another platform, change those as well. Please make a backup before messing with that, though.)

  • I'm thinking of another solution:


    You create an empty extension (with the SDK). This extension does not need to have an action, just to be unique, undistributed and present in your MFA.
    Let's say that I manage to get my hands on your MFA, but that my CF2.5 does not have this extension: I would have a message "failed to open document".

  • I don't think that would work. When I've not had an extension present, I've been able to open the MFA just by copying the file of some other extension and renaming it to the missing extension.


  • Interesting. Thanks for all the information. Besides opening the MFA within Fusion, would there be a way for someone to view the MFA's script? I am curious about this in regards to the AES object, since I want to add an extra level of security to my games.

  • Sorry for double post but in particular, this is in response to releases like

    EDIT: link has been removed

    (Sorry if this is against the forum rules but security should be discussed.)

    Edited once, last by Yves (August 30, 2022 at 7:40 AM).

  • Then Fusion will crash due to incorrect internal A/C/E ID and extension ID.

    Like I said, I've actually tried it, and it didn't crash. Perhaps running the MFA would crash, but that's not relevant to this context.


  • It depends: if the ext has editor behaviours it will crash when opened, and will definitely crash in the event page.

    Again, I've done it, and it didn't crash. Why keep telling me it's going to crash if I've actually tried it and seen with my own eyes that it doesn't? But it's a moot point anyway, because the suggestion here was to make an empty extension. Presumably, an empty extension wouldn't have any editor behaviours. So using an empty extension as a last line of defense against hackers who are sophisticated enough to have already decompiled the MFA - though it's a nice idea in theory - probably isn't a good idea.


  • Just brainstorming here, and I feel like I might've pitched this somewhere else but can't say for certain, but what about a password protection feature for MFAs? For example, just before you create your "final" build, just add a password to the MFA and then build. Then if the MFA is opened the password is required to open it? This might not work if somehow an exe/apk were decompiled though.

    The downfall with this would be if someone forgets their password - there would be no "forgot password" option. But, that person could add the password before building, then complete the build, then remove the password requirement and save the MFA again, I guess.


    Edited once, last by piscesdreams (August 30, 2022 at 1:56 PM).

  • AFAIK the tool you mentioned is not able to correctly decompile apps built with the 2.5+ DLC.

    Thanks for the information. I do have the 2.5+ so hopefully this is a somewhat safer development platform.

    Love the idea with password protecting the whole MFA itself. Hoping to see more in terms of security added to CTF.

  • Thanks for the information. I do have the 2.5+ so hopefully this is a somewhat safer development platform.

    Love the idea with password protecting the whole MFA itself. Hoping to see more in terms of security added to CTF.

    Just a precision: what is causing issues with the decompiler you mentioned is the events; they might be able to extract images and sounds anyway.

    I wish the guys behind these decompilers would use their skills to make extensions for the product instead of losing them building a tool that will be used by 99% of people to try to steal the work of others (instead of allowing you to recover a MFA from your own EXE as they usually pretend).

    PS: we could password-protect the content of EXE files, but this would probably be a loss of time as the protection would be weak (as the key must be stored in the EXE) and this would considerably increase the loading times if you need to encrypt images and sounds.

  • PS: we could password-protect the content of EXE files, but this would probably be a loss of time as the protection would be weak (as the key must be stored in the EXE) and this would considerably increase the loading times if you need to encrypt images and sounds.

    That makes sense, and doesn't surprise me. I have a secondary idea, but this is more complex.

    Fusion already has a product/serial number; would it be possible to create a security feature that requires an MFA be opened with the serial number it was created with? If someone tried to open an MFA with a copy of Fusion with any serial other than the one it was created with, it refuses to open. I guess the only way this could work, in theory, is if that serial were somehow stored into the MFA, which could create further issues for us when working against the talented hackers. Unless it were possible to only store a small portion of the serial and then it looked for an external license file?

    I'm just brainstorming here, so you may find way more flaws with that than I can think of.


    Edited once, last by piscesdreams (August 30, 2022 at 6:34 PM).
