This decompiler generates MFAs for Fusion 2.0; it doesn't support features of 2.5, but yes, it can be used to extract info from your EXE. We have modified the EXEs in the builds 284 and 285 so that this can't happen anymore. They have adapted the decompiler; it can still generate MFAs, but they crash. We'll try other things in next updates.
So, this decompiler can't generate working MFAs from EXEs built with the latest versions of Fusion 2.5 anymore, but yes, it can be used to extract info from your EXEs, so if you have sensitive data you should hide it, for example in embedded files (via the binary files tab in the Data Elements editor), and encrypt it.
That was patched a while back.
When they managed to decompile FNAF they only managed to extract a couple of images and some badly damaged icons.
As far as I know, it was not possible to extract any data or alter the game in any way.
I'm working on a "financial" app that works with PayPal, Stripe and the Bitcoin protocol.
I have all sensitive data directly in the MFA, like API keys, vendor keys of users, Bitcoin private keys, and the user agent that alone can access the PHP folders...
The app communicates with the server through HTTPS, but the data is additionally encrypted with AES.
I have some algorithms to generate encryption keys...
Errr, guy, no offense, but seriously you can't write a financial application that contains sensitive data like vendor keys or bitcoin private keys, with any software, this is not secure at all. Unless I've misunderstood something...
Even without this decompiler, if you run any EXE through a debugger you can look at the content of the memory, intercept the loading routines, intercept http calls, etc. You can make this harder by using EXE protection software but for each EXE protection software there are hacker tools too. If your app contains sensitive data, any (good) hacker who wants to find it will find it.
So it's better if the sensitive data are external to the application (in a file sent separately, or data that the user has to manually enter, etc). Well, maybe you already do this or maybe your app is safe enough, but it doesn't seem to be what you are saying.
I have a lot of personal algorithms... I use AES, HTTPS, encrypt all my files, store them in a certain order... When I send a POST there is a "checker" to verify that the sender is the application, and there are also a lot of "scenarios"...
I did everything I could to keep my app as secure as possible and complex to debug/scan, but if MFAs are decompilable, or HTTPS POSTs and custom global strings are easily readable... then it's a big problem...
The debugger doesn't worry me, because the processes are so complex that even if they can read part of the memory, it would be too complicated to reconstruct all the procedures.
Now that I consider global strings unsafe, I'll make them even more complex to read; I'll certainly create a sub-app part that will generate the sensitive data at runtime following a very complex procedure.
I personally highly recommend you write anything that handles sensitive data in C++. Make an extension and then call it in CF. Ideally also protect the functions in the extension that handle the encryption with something like VMProtect, as extensions can be reversed just like a DLL. Any encryption done with a public API or a simple XOR function wouldn't take long for someone to reverse. However, I've had functions protected with VMProtect in other C++ projects that hackers have had a hard time getting past (although given enough motivation it's still possible).
I think I'll write a process that will create the key at runtime, so that no one can understand it / it is very hard to debug.
As long as nobody can decompile the APK/EXE to a readable MFA, then normally it's secure.
I've personally not seen a decompiled CF EXE, but it sounds like they would be able to see the events involved in doing the encryption. So it wouldn't matter how complex it was in CF. They could pretty much get the source code. It's a similar situation with C# too. You can pretty much return those EXEs to source code unless they are obfuscated, and working from somewhat of a source code compared to ASM makes the job 100 times easier.
But if your worry is the debugger, then there's a number of ways to complicate and confuse a user from debugging the code. What you've done is quite simple. You could add some bitwise XOR and NOT and shifting in there too.
I couldn't find a decompiler that works with EXEs generated with the latest build, but I'm sure that if good hackers are determined to extract any info from your EXE they'll be able to do it with some effort. Especially if you also release an APK, as APKs are even more difficult to protect.
You just put a break point in the event loop and check the variables, you can see your secret key building step by step. Of course it's not written "THIS IS A SECRET KEY" in the debugger, so they might not know what it is.
Making a private extension would help, as they would need to look at the code in the extension. This won't discourage a real hacker, but will discourage the "basic" ones who call themselves hackers because they have found a decompilation tool on the Internet.
To protect your data you can also use a public/private key system. I.e. your data are pre-encoded with a private key (that is not stored in the application), users have to enter a public key and you decode the data with their key. The hackers would need a key if they have to decrypt your sensitive data. This doesn't prevent them from using a debugger, but at least they can't use your app without a key.
-->> I must complicate the procedure that generates the data
-->> I must create a private extension that works with that data
-->> even with that I must create a public/private pair as a last security measure
If I create my "private extension", will hackerB, who opens the "decompiled MFA" (if that is possible), get a "failed to open the document" in his CF2.5 when he opens it?
Should I mask all my comments/global string names so as not to give clues to hackerA?
If they decompile the APK, they won't have the mfx of the extension. Even if they get the .mfx from the EXE they won't be able to use it in the editor as runtime extensions don't work in the editor, so in theory they can't load the decompiled MFA. They can do it with other ways though, but even in this case they won't see the names of the actions/conditions/expressions of your extension in the event editor, this makes things more complicated if they want to understand what you do.
Visual Studio 15 Community Edition, it's free. You have to use the Fusion25SDK to make your extension (and the Fusion 2.5 Android SDK for the Android version). Maybe you should "hire" a true developer for this? As this is going to be a bit complicated if you are not a programmer.
With all that we discussed, plus the security I still have, that will be very hard to hack (plus VMProtect, which Danworth explained above).
With all that bunch of different security processes, I will normally get highly secure software (even if I should always stay watchful/wakeful/vigilant).
I don't have enough money to hire a developer, so I should create it myself. The CF 2.5 SDK extension kit help is very well documented, and it seems much less complicated than I imagined at the beginning.
1- I stay alone to keep my secret
2- I save money (that I have not anyway)
3- I will be able to create my own extension; this will make my usage of CF2.5 more powerful and I will give my public extension to the community.
You could add another buffer into this. You could get the app to parse a new 'salty key' from a server, which it would download every time it's launched and it would be truly random. You can then perform a double-handshake when you send any other data to ensure it all matches up.
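The per-launch server salt and handshake suggested above, sketched as an added example that is not part of the original post or of any Clickteam code. It assumes HMAC-SHA256, a message counter and a secret the user types in rather than one stored in the app; `Server`, `session_key`, `sign` and `demo` are hypothetical names.

```python
import hashlib
import hmac
import secrets

def session_key(user_secret: bytes, salt: bytes) -> bytes:
    # Mix the long-term secret with the per-launch salt from the server.
    return hmac.new(user_secret, salt, hashlib.sha256).digest()

def sign(key: bytes, counter: int, body: bytes) -> bytes:
    # The counter is covered by the tag so a captured message cannot be resent.
    return hmac.new(key, counter.to_bytes(8, "big") + body, hashlib.sha256).digest()

class Server:
    def __init__(self, user_secrets):
        self._user_secrets = user_secrets  # stays server-side
        self._sessions = {}                # session id -> [user, salt, last counter]

    def start_session(self, user):
        # First leg: a fresh random salt for every launch of the app.
        session_id, salt = secrets.token_hex(8), secrets.token_bytes(32)
        self._sessions[session_id] = [user, salt, 0]
        return session_id, salt

    def verify(self, session_id, counter, body, tag):
        # Second leg: recompute the tag and refuse stale counters.
        session = self._sessions.get(session_id)
        if session is None or counter <= session[2]:
            return False
        key = session_key(self._user_secrets[session[0]], session[1])
        if not hmac.compare_digest(sign(key, counter, body), tag):
            return False
        session[2] = counter
        return True

def demo():
    secret = b"passphrase typed in by the user"  # constructed sample value
    server = Server({"alice": secret})
    sid, salt = server.start_session("alice")
    key = session_key(secret, salt)
    body = b"amount=10&to=bob"                   # constructed sample request
    tag = sign(key, 1, body)
    first = server.verify(sid, 1, body, tag)
    replay = server.verify(sid, 1, body, tag)
    tampered = server.verify(sid, 2, b"amount=9999&to=bob", sign(key, 2, body))
    sid2, _ = server.start_session("alice")      # next launch, new salt
    stale = server.verify(sid2, 1, body, tag)
    return first, replay, tampered, stale
```

The salt only limits replay and tampering in transit; the scheme still depends on the long-term secret never being embedded in the shipped EXE or APK.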
This is the game's code file; it's "compiled", which practically means it's hidden. To change it or even understand it you need a decompiler and the knowledge of what code language the game (or at least, the file) was written in.
GameMaker (GM) is a game engine currently being developed by YoYo Games, with a wide extension of features. It is a popular choice at MFGG and has surpassed the Clickteam products as the most popular game-making program. As of GameMaker: Studio, it can export not only to Windows, but also to OS X (formerly known as Mac OS X), Ubuntu, Windows 8, iOS, Android, Windows Phone, HTML5, and more. There are also export modules for PlayStation 3/4, Vita, and Xbox One, although these are only usable for their respective licensed developers.
GameMaker runs off its own specific programming language, called the Game Maker Language (GML). GML is a programming language similar to Java syntax wise, but highly simplified. There is an alternative method of programming, consisting of "Drag-and-Drop" actions. While simpler to use, DnD is usually much more limited than strict GML, and its use is typically discouraged.