Known Participant
August 23, 2008
Question

Flash [AS3] Obfuscators?

Hello,

I'm sure most of you are already aware that by default, SWF projects created by Flash can be easily reversed back into their original design resources (sounds, graphics, etc.) and ActionScript 3.0 code. It is very annoying to have a project that you have worked so hard on stolen after someone takes 2 seconds to run your SWF through a decompiler 😞 I have found that there are 3rd party (non-Adobe) solutions that will obfuscate the AS3 code to make it more difficult for these disassemblers to obtain the code. Does anyone have information on how these obfuscation techniques work? I am interested in building an open source obfuscator that can be used by all Flash developers -- not just the ones who are willing to shell out $x hundred to protect their work. Please provide any links you have pertaining to how Flash obfuscation works, examples. Also, Adobe still offers the Flash specification (i.e. ActionScript Byte Code) online, don't they? I always have trouble finding what I want in their knowledge base.

Thanks,
Mike

5 replies

kglad
Community Expert
August 27, 2008
are you sure there's no way to have a key that's available to the swf (in say, a database) but not available otherwise?

the database query script could check that it's being called by the swf loaded from the server containing the query script.
kglad
Community Expert
August 26, 2008
"Sure, I could code up an SWF that's encrypted and decrypts itself before running, but that would require the SWF to know the key to decrypt and therefore once the decompilers knew where to find the key, the security would be eliminated and the SWF would be slowed down in its execution."

i haven't seen any decompilers that can accept a key to decrypt code and it's not conceivable that a compiler could decrypt code without knowing the encryption scheme, as well as that key(s).
MikeSDCA (Author)
Known Participant
August 27, 2008
quote:

Originally posted by: kglad
i haven't seen any decompilers that can accept a key to decrypt code and it's not conceivable that a compiler could decrypt code without knowing the encryption scheme, as well as that key(s).



Yes, I was pointing out that there is no security in this approach, for the key would need to be accessible to the Flash Player to decrypt. If the player can decrypt it then so can a "hacker". It would only be a short matter of time before the disassembler companies began incorporating the logic (which would be plainly visible since Flash Player would need it unencrypted) into their disassembler applications. I am convinced I have outlined the only viable solution (with regards to maintaining the business logic on a server that the Flash SWF queries).
MikeSDCA (Author)
Known Participant
August 26, 2008
Thanks to everyone who has provided some feedback.

This past weekend I tried out a Flash decompiler and a Flash "encrypter". I built a simple project in Flash 9 and exported it to SWF. I then saved two copies of this file. The first copy I ran through Amayeta 5.2 SWF Encrypter using its "most secure" setting. The second copy I left untouched. I then used SOThink SWF Decompiler on the untouched copy and it produced a .FLA from the .SWF that was nearly identical to my original swf -- the code variables were named generically, but the structure of the program was identical and it was very simple to read.

I then attempted to decrypt the "encrypted" SWF and again a nearly identical .FLA file was produced --- the only thing the Amayeta "Encrypting" software did was change the function name to Unicode. Woohoo, that was worthless.

I don't dispute that there is value in Flash developers discussing their techniques and learning from one another; however, I am afraid of the people that steal someone else's work and pass it off as their own -- particularly in Flash applications I have seen friends who have developed very useful tools only to have them decompiled, screens altered, and then companies in China resell the stolen software as theirs.

Of course I'm not claiming that obfuscation is a serious solution to the problem -- the only true solution would be real encryption, but then no end users would be able to access the software. Sure, I could code up an SWF that's encrypted and decrypts itself before running, but that would require the SWF to know the key to decrypt and therefore once the decompilers knew where to find the key, the security would be eliminated and the SWF would be slowed down in its execution :(

I have decided the best way to block Flash pirates is to make your SWF highly dependent on a server that "has the brains". This way the Flash acts mostly as a "dumb terminal" so while the pirates can steal my Flash graphics code, they will have no way of accessing the important algorithms. This is a less than desirable solution but I fear it is the only way that some true security can be rendered.

Mike
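Added example, not part of the original thread or any poster's code: a Python sketch of the two designs compared in the post above, a self-decrypting client file that carries its own key versus a "dumb terminal" client backed by a server that holds the logic. The scoring formula, the `/api/score` endpoint name, the bundle layout and the toy cipher are all constructed for illustration.

```python
import hashlib
import json
import os

# Constructed stand-in for the proprietary logic the developer wants to protect.
SECRET_LOGIC = "score = base * 37 + bonus_table[level]"


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); illustration only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def build_self_decrypting_bundle() -> dict:
    """Design A: ciphertext and its key ship together in the client file."""
    key = os.urandom(16)
    return {"key": key.hex(),
            "payload": keystream_xor(SECRET_LOGIC.encode(), key).hex()}


def client_loader(bundle: dict) -> str:
    """What the player must do to run design A; any holder of the file can too."""
    key = bytes.fromhex(bundle["key"])
    return keystream_xor(bytes.fromhex(bundle["payload"]), key).decode()


def build_thin_client_bundle() -> dict:
    """Design B: the client file holds presentation and an endpoint name only."""
    return {"ui": "score_panel", "endpoint": "/api/score"}


def server_score(request_json: str) -> str:
    """Design B, server side: validate input, run private logic, return the result."""
    bonus_table = {1: 0, 2: 50, 3: 125}  # private data, never sent to clients
    try:
        req = json.loads(request_json)
        base, level = req["base"], req["level"]
    except (ValueError, KeyError, TypeError):
        return json.dumps({"error": "invalid input"})
    if type(base) is not int or type(level) is not int:
        return json.dumps({"error": "invalid input"})
    if not 0 <= base <= 1000 or level not in bonus_table:
        return json.dumps({"error": "invalid input"})
    return json.dumps({"score": base * 37 + bonus_table[level]})
```

In design A the plaintext is fully recoverable from the shipped file alone, while in design B the client file never contains the formula or the bonus table, only the results the server chooses to return.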
Inspiring
August 24, 2008
I fully agree with you. But unfortunately, even if you obfuscate the code, it just gets a little harder to reverse engineer a project. It sucks but there just isn't much you can do.
Inspiring
August 24, 2008
I don’t have any intention to offend anybody. I just hope I am not the only one who thinks this way.

In addition to the fact that true Flash obfuscation/encryption is not possible at this point, I believe that it is overkill and a waste of time to focus on it at all. I love Flash and ActionScript but, at the risk of being accused of being a "non-patriot" and having no pride in my work, I would like to exclaim "Who cares!"

Flash development needs two major components: knowledge of the language and imagination. One doesn't work well without the other. Also, no matter how extensive ActionScript becomes, it has a limited set of tools and capabilities and can be absorbed by any human being in a relatively short period of time. In the majority of cases it is good enough to just look at what a particular Flash application does visually to make a very good guess of how things are accomplished (and how to make them better) - you don't need to dig into the code to make the thing of your own. It is faster and more efficient to write your own code than spend numerous hours trying to get into someone else's head. At some point of the learning curve programming becomes a craft and results are limited to one's imagination, trained eye and analytical abilities - similar to how a hammer or saw is used by a carpenter.

It takes a very experienced and good programmer to figure out how 50 classes interoperate. And it doesn't matter if the code is obfuscated or not - it is almost the same amount of work to comprehend either. The only circumstances under which I see a good programmer would be doing that is for forensic purposes. To those who don't know Flash and ActionScript and hope to "steal" the code of a sophisticated application in order to claim the rights I would like to say "Good luck! And thank you so much for thinking that I have done something that is worth more than watching an Ugly Betty rerun!" If such a person has tenacity - s(he) will become a very good coder "stealing" the thing and move into a category of creators a third of the way through the deconstruction (most probably without theft).

I understand why Microsoft, Apple, Adobe, etc. are protecting their code. Their code is a sole base for making billions. How many Flash applications are out there that serve as a sole base of a business model (like an operating system)? Zero! We are developing programs that are small, in most cases decorative, parts of a more complex set of operations. Not unimportant parts – but not the ones that have longevity or bear a gene of deal breaking.
August 24, 2008
Andrei1, for the situations you describe, I agree with you. But for something like an online game or other hacker target (note the rise of RIAs on the web), obfuscation becomes a good tool. It won't stop everyone, but it will deter casual decompiling.

I've not tried this one (yet), but it looks nice: http://www.ambiera.com/irrfuscator/index.html
Known Participant
August 24, 2008
Hey Mike!

Great idea! I don't know a lot about this kind of thing but I wonder whether you can keep the ActionScript etc. in a separate file and protect that file from use by anything other than the SWF? Just an idea. If I see anything I'll let you know.

John