twine 2: how to publish story as HTML such that the html file cannot be loaded in twine by anyone

twinesims

I know preventing an HTML file to be viewed is a very cumbersome and unreliable.

I am creating simulations as a tool to facilitate classroom training. This is paid. I dont want my corporate users to save the HTML file on their machine and figure out that it is created in twine, and then open it in twine and start customizing it and using it for long term and thus exclude me from the process.

How can I publish the story as HTML file such that this published html file cannot be opened in twine. So essentially stripping out the twine metadata.

Please help.

greyelf

A Story HTML file is basically a HTML/Javascript based web-application, and the passage data (your naming the 'twine metadata') contained with the story HTML is used by the story format's Javascript engine to dynamically create the HTML output of each passage as it is viewed by the end-user.

Like most HTML/Javascript single file web-applications, if you allow the end-user access to the file then they also have access to the source code.

You have a number of options:

1. Use a license / contract to restrict what the end-user is allowed to do to the application.

2. Convert the Story HTML file into a different type of application.

This can be done using a tool like NW.js / node-webkit which packages the Story HTML file within a PAK file that is access via an executable. The PAK files is basically an archive file which the end-user can still open to access the HTML source code, although some have stated that it can be encrypted but I have found no documentation explaining that feature.

3. Don't build your application using HTML/Javascript based technologies.

Claretta

greyelf wrote: »

This can be done using a tool like NW.js / node-webkit which packages the Story HTML file within a PAK file that is access via an executable. The PAK files is basically an archive file which the end-user can still open to access the HTML source code, although some have stated that it can be encrypted but I have found no documentation explaining that feature.

I encrypted the following twine story to demonstrate.

https://www.dropbox.com/s/iynih40xcosyig1/app.exe?dl=1

I didn't package all the needed nw.js files with it so it won't run on double click unless you put it in the same directory as a nw.js download from http://nwjs.io/ . It's just the default Twine story - if you want to confirm it works, download a version of nw.js, copy app.exe into the nw.js extracted directory and run app.exe. However, trying to read the html file inside app.exe should be restricted.

Claretta

BTW, if a nw.js download is not what you're after, you can make an online version of a Twine story that probably cannot be fed back into Twine.

To do this you need to to run them through Unity using Cradle: https://github.com/daterre/Cradle

Cradle takes Twine stories and converts them into Unity script. You can then publish them with unity back into HTML5 to make an online file that probably cannot be fed back into Twine. I haven't tested it, but I doubt Twine could read the output once it's been put through Unity, since Unity has its own compilation process to make HTML5 games.

Alternatively, you can also make a native downloadable app that has whatever encryption Unity uses.

The drawback to this is you need to learn a bit about Unity to make the game, as it doesn't simply emulate Twine, but rather converts it to a format that can be used in conjunction with Unity scripts.

greyelf

Claretta wrote: »

I encrypted the following twine story to demonstrate.

I did not say it can't be done, I said I have not found any node-webkit related documentation describing the feature nor were you able to supply any links to such documentation when I asked last time. Without documentation it is difficult to know under what situations the solution will work and what the limitations are.

As an example you can pre-jit-compile the byte-code used in a NW.js project for a particular chip-set which makes the result very difficult to reverse engineer but doing so can have the side-effect of slowing the running of the application down, so the added security comes with the cost of a slower running application.

Claretta

Well basically it's just normal zip file password encryption.

greyelf

Claretta wrote: »

Well basically it's just normal zip file password encryption.

How does the executable created/used by NW.js know the password you used to encrypt the PAK file?

The PAK file will need to be decrypted (into memory/temporary storage) by the executable at run-time so that it can access and run the HTML code within it.

Claretta

It doesn't know the password. I don't define it anywhere but during the zipping. I also don't use a PAK file. It's just a zip file as per these instructions: https://videlais.com/2014/08/26/twinetuesday-packaging-twine-with-node-webkit/

I'm not entirely sure how it works, and it likely has limitations. However, no security is 100% perfect, so I'm just happy to be able to protect against casual copying. The bar for what I need security for is quite low - I just don't want people to easily be able to copy sound assets and/or tweak game variables. If they want to spend hours cracking their own individual copy of the game, that's fine by me, because most people won't bother with the effort. I just don't want it to be a free for all with no hurdles.

TheMadExile

Claretta wrote: »

It doesn't know the password. I don't define it anywhere but during the zipping. […]

I'm not entirely sure how it works, and it likely has limitations. […]

NW.js doesn't do anything magical in regards to opening the application ZIP file. Meaning that it, literally, cannot retrieve files from ZIP archives which are actually password protected without the password and, probably, without special coding on your end as, AFAIK, that's not a feature they offer.

I find it more likely that you're not actually doing what you think you're doing. I'm not trying to be insulting, but what you're describing is literally magic.

Case in point, the example app.exe you posted does not run/show your test.html. It only shows the default, application-less NW.js window. It's also mispackaged, so even if NW.js could decrypt the files, it wouldn't work anyway—the package.json must be in the root of the package, your example's is in the test subdirectory.

Just to be sure NW.js isn't doing something magical, however, I tested an encrypted archive and NW.js was not able to decrypt the package files, as expected. (Note: You must be careful to ensure that you do not leave any of the unencrypted package files loose were NW.js might find them. This is extremely important as NW.js tries very hard to find a valid package manifest. Even if you explicitly specify a package, manually or bundled within the executable, if it doesn't find a valid manifest within those locations it will scan its local directory for one. If it does find one, then it will run it—without even complaining about the missing manifests in the other locations.)

Once you've ensured that NW.js cannot find a package other than the specific one you specify, if you run nw.exe on an encrypted ZIP archive manually:

nw.exe encrypted-app.zip

You should receive an error complaining about a missing manifest—since it was not able to successfully extract package.json.

In the same vein, if you run a bundled app—i.e. you've appended the encrypted ZIP archive to nw.exe:

encrypted-app.exe

You should get an application-less NW.js window—i.e. a window showing the default NW.js page with NW.js build info in the bottom right corner. This is because it could not retrieve a valid manifest from the ZIP appended to the executable, so it assumes there simply wasn't one. You only get the missing manifest error if you specify a package manually.


PS: Again, I'm not trying to be insulting. However, you simply cannot be doing what it is that you think you are.

PPS: You're also including several files in the application package that don't belong in there—i.e. icudtl.dat, nw.pak, nw_100_percent.pak, nw_200_percent.pak, nw_elf.dll, nw_material_100_percent.pak, nw_material_200_percent.pak. Some of them should be part of your distribution, but they shouldn't be part of the application package.

Claretta

Ah yes, thanks for the test. You're right and I found the error. What happened is that nw.js searched for an unencrypted file to use instead. As such, yes my original post here was incorrect. And no offence taken - it was good knowledge to have.

As an alternative, you can wrap a nw.js exe in an Enigma Virtual Box.http://enigmaprotector.com/ (the nw.js website even describes the process)

You might be able to use that to protect the exe.

You can still obfuscate the html file if you need a bit of a hurdle.

TheMadExile

Well, simply using NW.js, or Electron, and bundling the package into the executable is a fair bit of obfuscation in and of itself. I'd wager that the vast majority of end-users won't have a clue how to get at your package's resources. So, you still have that going for you.

And as far as hardcore crowd goes, I'd say that most indie developers shouldn't waste time trying to thwart them, as it's a waste of your time, energy, and resources—you're never going to stop them anyway and are unlikely to slow them down much without spending far more money than you probably have available.

twinesims

thanks everyone one for the suggestions. i will go through them and implement as appropriate.