0

it is possible to protect a .swf file from decompilation?

i've been reading about compiling class libraries in a .swc file for distribution without revealing the code - possibly selling it. however, there are .swf decompilers you can use to expose the code, and a .swc file is simply a .zip archive, so changing myswc.swc to myswc.zip will reveal the .swf files of the library.

just curious, mostly.

Chunky Chunk
  • 16,553
  • 15
  • 84
  • 162

2 Answers2

3

You can't. Don't believe those swf protector/encryptors. Both the content of a swf and a swc need to be readable by the AVM2 so it can't be compressed or encrypted or anything. Bottom line is that you can't really protect your as3 code from being reverse engineered.

dotminic
  • 1,135
  • 2
  • 14
  • 28
  • 2
    @__dominic. I agree that no tool can make a swf *impossible* to be reverse engineered. But a good obfuscator will make the task much harder. In many cases, it will make reverse engineering the swf harder or more costly than writting the code from scratch in the first place. That's the point of obfuscators, I think. – Juan Pablo Califano Aug 01 '10 at 21:29
  • Juan Pablo Califano, can you recommend a method for obfuscation? – Chunky Chunk Aug 02 '10 at 11:07
  • Obfuscation does not work either! You just can't encrypt/obfuscate your code for the simple reason that if your code is unreadable, how is AVM going to understand it ? Encryption/obfuscation tools are a scam. There's no way the code can be compiled, turned into bytecode and then read by a VM if its encrypted. And "obfuscating" it won't work either, all those tools do, is add some unused junk code and make your swf/swc heavier. Trust me on this one, I wrote a little decompiler tool for myself and tested it with "protected" swf or swc files, and I got the source code without any trouble. – dotminic Aug 02 '10 at 18:56
  • @__dominic. Reading your comment, I don't think you paid much attention to what I wrote. I've written a tool to translate bytecode to something more high-level a while ago. Not compilable Actionscript, but rather some intermediary ad hoc language with assignments, conditionals and loops so you can follow code without having to mentally keep track of the stack's state. It was a couple of years ago, for educational reasons, mostly. I'm by no means an expert on the field, though, but I think I have some knowledge of the basics. – Juan Pablo Califano Aug 03 '10 at 01:42
  • @__dominic. For the record, I'm not in favor of using decompilers myself. You can check out some points I've made here (if you indulge the self reference: http://stackoverflow.com/questions/1259821/any-reverse-engineers-have-experience-with-secureswf/1263788#1263788). That said, even the most trivial "protection" can make reversed code not directly compilable or a very hard to follow mess. A very old but effective trick used by some obfuscator (can't remember which one) was renaming public identifiers using non printable chars. – Juan Pablo Califano Aug 03 '10 at 01:43
  • @__dominic. As dumb as it sounds, it means the code will not compile right away (unless the tool that decompiles it makes up some legal name for these) but even then it will make it hard to make any sense out of it. And of course there are other more advanced and sofisticated technics. At some point, all of them can be worked around. But it takes time and effort. And in most cases, it's more time and effort than re writting the code yourself (assuming you want to "steal it"). So that's the point I was making. – Juan Pablo Califano Aug 03 '10 at 01:43
  • @TDI1978. At work we use some source code obfuscator for one of our libraries. Again, I'm not a big fan of these tools, but I guess if I were to "steal" this code and had to make sense out of the decompiled result, I'd probably write the code myself from scratch. Will check the name of the tool tomorrow (this one is a bit tedious to use in that it doesn't have a command line interface, so you cannot automate it in your build). I've also used (because I was asked) SecureSWF, by Kindisoft (http://www.kindisoft.com/). It's quite configurable and I think it's the best one of the few I've tried. – Juan Pablo Califano Aug 03 '10 at 01:51
  • @TDI1978. This is the source code obfuscator I mentioned. http://www.tokaos.com/. Not sure if it will be good for "general use" (at work we're using it for some libraries / swc) – Juan Pablo Califano Aug 03 '10 at 18:47
0

I am flash game developer i use Flash Secure Optimizer from http://www.eramsoft.com

jonas
  • 1