Decompilers are a real worry for people who create Flash content. You can put a lot of effort into creating the best game out there, then someone can steal it, replace the logo and put it on their site without asking you. How? Using a Flash Decompiler. Unless you put some protection over your SWF it can be decompiled with a push of a button and the decompiler will output readable source code.
In this tutorial I will demonstrate a technique I use to protect code and assets from theft.
Editor’s Note: Thanks to Vaclav for use of his lock icon. Visit Psdtuts+ to see how he made it..
Before We Begin
I used a small project of mine to demonstrate how vulnerable SWFs are to decompilation. You can download it and test yourself via the source link above. I used Sothink SWF Decompiler 5 to decompile the SWF and look under its hood. The code is quite readable and you can understand and reuse it fairly easily.
What Can We do About it?
I came up with a technique for protecting SWFs from decompilers and I’m going to demonstrate it in this tutorial. We should be able to produce this:
The code that is decompiled is actually the code for decrypting the content and has nothing to do with your main code. Additionally, the names are illegal so it won’t compile back. Try to decompile it yourself.
Before we get going, I want to point out that this tutorial is not suitable for beginners and you should have solid knowledge of AS3 if you want to follow along. This tutorial is also about low level programming that involves bytes, ByteArrays and manipulating SWF files with a hex editor.
Here’s what we need:
- A SWF to protect. Feel free to download the SWF I’ll be working on.
- Flex SDK. We will be using it to embed content using the Embed tag. You can download it from opensource.adobe.com.
- A hex editor. I’ll be using a free editor called Hex-Ed. You can download it from nielshorn.net or you can use an editor of your choice.
- A decompiler. Whilst not necessary, it would be nice to check if our protection actually works. You can grab a trial of Sothink SWF Decompiler from sothink.com
Step 1: Load SWF at Runtime
Open a new ActionScript 3.0 project, and set it to compile with Flex SDK (I use FlashDevelop to write code). Choose a SWF you want to protect and embed it as binary data using the Embed tag:
[Embed (source = "VerletCloth.swf", mimeType = "application/octet-stream")] // source = path to the swf you want to protect private var content:Class;
Now the SWF is embedded as a ByteArray into the loader SWF and it can be loaded through Loader.loadBytes().
var loader:Loader = new Loader(); addChild(loader); loader.loadBytes(new content(), new LoaderContext(false, new ApplicationDomain()));
In the end we should have this code:
package
{
import flash.display.Loader;
import flash.display.Sprite;
import flash.system.ApplicationDomain;
import flash.system.LoaderContext;
[SWF (width = 640, height = 423)] //the dimensions should be same as the loaded swf's
public class Main extends Sprite
{
[Embed (source = "VerletCloth.swf", mimeType = "application/octet-stream")]
// source = path to the swf you want to protect
private var content:Class;
public function Main():void
{
var loader:Loader = new Loader();
addChild(loader);
loader.loadBytes(new content(), new LoaderContext(false, new ApplicationDomain()));
}
}
}
Compile and see if it works (it should). From now on I will call the embedded SWF the “protected SWF”, and the SWF we just compiled the “loading SWF”.
Step 2: Analyze the Result
Let’s try to decompile and see if it works.
Yey! The assets and the original code are gone! What’s shown now is the code that loads the protected SWF and not its content. This would probably stop most of the first-time attackers who are not too familiar with Flash but it’s still not good enough to protect your work from skilled attackers because the protected SWF is waiting for them untouched inside the loading SWF.
Step 3: Decompressing the SWF
Let’s open the loading SWF with a hex editor:
It should look like random binary data because it’s compressed and it should begin with ASCII “CWS”. We need to decompress it! (If your SWF begins with “FWS” and you see meaningful strings in the SWF it’s likely that it didn’t get compressed. You have to enable compression to follow along).
At first it might sound difficult but it’s not. The SWF format is an open format and there is a document that describes it. Download it from adobe.com and scroll down to page 25 in the document. There is a description of the header and how the SWF is compressed, so we can uncompress it easily.
What is written there is that the first 3 bytes are a signature (CWS or FWS), the next byte is the Flash version, the next 4 bytes are the size of the SWF. The remaining is compressed if the signature is CWS or uncompressed if the signature is FWS. Let’s write a simple function to decompress a SWF:
private function decompress(data:ByteArray):ByteArray
{
var header:ByteArray = new ByteArray();
var compressed:ByteArray = new ByteArray();
var decompressed:ByteArray = new ByteArray();
header.writeBytes(data, 3, 5); //read the uncompressed header, excluding the signature
compressed.writeBytes(data, 8); //read the rest, compressed
compressed.uncompress();
decompressed.writeMultiByte("FWS", "us-ascii"); //mark as uncompressed
decompressed.writeBytes(header); //write the header back
decompressed.writeBytes(compressed); //write the now uncompressed content
return decompressed;
}
The function does a few things:
- It reads the uncompressed header (the first 8 bytes) without the signature and remembers it.
- It reads the rest of the data and uncompresses it.
- It writes back the header (with the “FWS” signature) and the uncompressed data, creating a new, uncompressed SWF.
Step 4: Creating a Utility
Next we’ll create a handy utility in Flash for compressing and decompressing SWF files. In a new AS3 project, compile the following class as a document class:
package
{
import flash.display.Sprite;
import flash.events.Event;
import flash.net.FileFilter;
import flash.net.FileReference;
import flash.utils.ByteArray;
public class Compressor extends Sprite
{
private var ref:FileReference;
public function Compressor()
{
ref = new FileReference();
ref.addEventListener(Event.SELECT, load);
ref.browse([new FileFilter("SWF Files", "*.swf")]);
}
private function load(e:Event):void
{
ref.addEventListener(Event.COMPLETE, processSWF);
ref.load();
}
private function processSWF(e:Event):void
{
var swf:ByteArray;
switch(ref.data.readMultiByte(3, "us-ascii"))
{
case "CWS":
swf = decompress(ref.data);
break;
case "FWS":
swf = compress(ref.data);
break;
default:
throw Error("Not SWF...");
break;
}
new FileReference().save(swf);
}
private function compress(data:ByteArray):ByteArray
{
var header:ByteArray = new ByteArray();
var decompressed:ByteArray = new ByteArray();
var compressed:ByteArray = new ByteArray();
header.writeBytes(data, 3, 5); //read the header, excluding the signature
decompressed.writeBytes(data, 8); //read the rest
decompressed.compress();
compressed.writeMultiByte("CWS", "us-ascii"); //mark as compressed
compressed.writeBytes(header);
compressed.writeBytes(decompressed);
return compressed;
}
private function decompress(data:ByteArray):ByteArray
{
var header:ByteArray = new ByteArray();
var compressed:ByteArray = new ByteArray();
var decompressed:ByteArray = new ByteArray();
header.writeBytes(data, 3, 5); //read the uncompressed header, excluding the signature
compressed.writeBytes(data, 8); //read the rest, compressed
compressed.uncompress();
decompressed.writeMultiByte("FWS", "us-ascii"); //mark as uncompressed
decompressed.writeBytes(header); //write the header back
decompressed.writeBytes(compressed); //write the now uncompressed content
return decompressed;
}
}
}
As you probably noticed I’ve added 2 things: File loading and the compress function.
The compress function is identical to the decompress function, but in reverse. The file loading is done using FileReference (FP10 required) and the loaded file is either compressed or uncompressed. Note that you have to run the SWF locally from a standalone player, as FileReference.browse() must be invoked by user interaction (but the local standalone player allows to run it without).
Step 5: Uncompressing the Loading SWF
To test the tool, fire it up, select the loading SWF and choose where to save it. Then open it up with a hex editor and scrub through. You should see ascii strings inside like this:
Step 6: Analyze Again
Let’s return back to step 2. While the decompiler didn’t show any useful info about the protected SWF, it’s quite easy to get the SWF from the now uncompressed loader; just search for the signature “CWS” (if the protected SWF is uncompressed search for “FWS”) and see the results:
What we found is a DefineBinaryData tag that contains the protected SWF, and extracting it from there is a piece of cake. We are about to add another layer of protection over the loading SWF : Encryption.
Step 7: Encryption
To make the protected SWF less “accessible” we will add some kind of encryption. I chose to use as3crypto and you can download it from code.google.com. You can use any library you want instead (or your own implementation, even better), the only requirement is that it should be able to encrypt and decrypt binary data using a key.
Step 8: Encrypting Data
The first thing we want to do is write a utility to encrypt the protected SWF before we embed it. It requires very basic knowledge of the as3crypto library and it’s pretty straightforward. Add the library into your library path and let’s begin by writing the following:
var aes:AESKey = new AESKey(binKey);
var bytesToEncrypt:int = (data.length & ~15); //make sure that it can be devided by 16, zero the last 4 bytes
for (var i:int = 0; i < bytesToEncrypt; i += 16)
aes.encrypt(data, i);
What’s going on here? We use a class from as3crypto called AESKey to encrypt the content. The class encrypts 16 bytes in a time (128-bit), and we have to for-loop over the data to encrypt it all. Note the second line : data.length & ~15. It makes sure that the number of bytes encrypted can be divided by 16 and we don’t run out of data when calling aes.encrypt().
Note: It’s important to understand the point of encryption in this case. It’s not really encryption, but rather obfuscation since we include the key inside the SWF. The purpose is to turn the data into binary rubbish, and the code above does it’s job, although it can leave up to 15 unencrypted bytes (which doesn’t matter in our case). I’m not a cryptographer, and I’m quite sure that the above code could look lame and weak from a cryptographer’s perspective, but as I said it’s quite irrelevant as we include the key inside the SWF.
Step 9: Encryption Utility
Time to create another utility that will help us encrypt SWF files. It’s almost the same as the compressor we created earlier, so I won’t talk much about it. Compile it in a new project as a document class:
package
{
import com.hurlant.crypto.symmetric.AESKey;
import flash.display.Sprite;
import flash.events.Event;
import flash.net.FileReference;
import flash.utils.ByteArray;
public class Encryptor extends Sprite
{
private var key:String = "activetuts"; //I hardcoded the key
private var ref:FileReference;
public function Encryptor()
{
ref = new FileReference();
ref.addEventListener(Event.SELECT, load);
ref.browse();
}
private function load(e:Event):void
{
ref.addEventListener(Event.COMPLETE, encrypt);
ref.load();
}
private function encrypt(e:Event):void
{
var data:ByteArray = ref.data;
var binKey:ByteArray = new ByteArray();
binKey.writeUTF(key); //AESKey requires binary key
var aes:AESKey = new AESKey(binKey);
var bytesToEncrypt:int = (data.length & ~15); //make sure that it can be divided by 16, zero the last 4 bytes
for (var i:int = 0; i < bytesToEncrypt; i += 16)
aes.encrypt(data, i);
new FileReference().save(data);
}
}
}
Now run it, and make an encrypted copy of the protected SWF by selecting it first and then saving it under a different name.
Step 10: Modifying the Loader
Return back to the loading SWF project. Because the content is now encrypted we need to modify the loading SWF and add decryption code into it. Don’t forget to change the src in the Embed tag to point to the encrypted SWF.
package
{
import com.hurlant.crypto.symmetric.AESKey;
import flash.display.Loader;
import flash.display.Sprite;
import flash.system.ApplicationDomain;
import flash.system.LoaderContext;
import flash.utils.ByteArray;
[SWF (width = 640, height = 423)] //the dimensions should be same as the loaded swf's
public class Main extends Sprite
{
[Embed (source = "VerletClothEn.swf", mimeType = "application/octet-stream")]
// source = path to the swf you want to protect
private var content:Class;
private var key:String = "activetuts";
public function Main():void
{
var data:ByteArray = new content();
var binKey:ByteArray = new ByteArray();
binKey.writeUTF(key); //AESKey requires binary key
var aes:AESKey = new AESKey(binKey);
var bytesToDecrypt:int = (data.length & ~15); //make sure that it can be divided by 16, zero the last 4 bytes
for (var i:int = 0; i < bytesToDecrypt; i += 16)
aes.decrypt(data, i);
var loader:Loader = new Loader();
addChild(loader);
loader.loadBytes(data, new LoaderContext(false, new ApplicationDomain()));
}
}
}
This is the same as before except with the decryption code stuck in the middle. Now compile the loading SWF and test if it works. If you followed carefully up to now, the protected SWF should load and display without errors.
Step 11: Look Inside Using a Decompiler
Open the new loading SWF with a decompiler and have a look.
It contains over a thousand lines of tough looking encryption code, and it’s probably harder to get the protected SWF out of it. We’ve added a few more steps the attacker must undertake:
- He (or she) has to find the DefineBinaryData that holds the encrypted content and extract it.
- He must create a utility to decrypt it.
The problem is that creating a utility is as simple as copy-pasting from the decompiler into the code editor and tweaking the code a little bit. I tried to break my protection myself, and it was quite easy – I managed to do it in about 5 minutes. So we’re going to have to take some measurements against it.
Step 12: String Obfuscation
First we’d put the protected SWF into the loading SWF, then encrypted it, and now we’ll put the final touches to the loading SWF. We’ll rename classes, functions and variables to illegal names.
By saying illegal names I mean names such as ,;!@@,^#^ and (^_^). The cool thing is that this matters to the compiler but not to the Flash Player. When the compiler encounters illegal characters inside identifiers, it fails to parse them and thus the project fails to compile. On the other hand, the Player doesn’t have any problems with those illegal names. We can compile the SWF with legal identifiers, decompress it and rename them to a bunch of meaningless illegal symbols. The decompiler will output illegal code and the attacker will have to go over the hundreds of lines of code manually, removing illegal identifiers before he can compile it. He deserves it!
This is how it looks before any string obfuscation:
Let’s start! Decompress the loading SWF using the utility we created before and fire up a hex editor.
Step 13: Your First Obfuscation
Let’s try to rename the document class. Assuming you’ve left the original name (Main), let’s search for it in the uncompressed loader SWF with a hex editor:
Rename “Main” to ;;;;. Now search for other “Main”s and rename them to ;;;; too.
When renaming make sure that you don’t rename unnecessary strings or the SWF will not run.
Save and run the SWF. It works! And look what the decompiler says:
Victory!! 
Step 14: Renaming the Rest of the Classes
Keep renaming the rest of your classes. Choose a class name and search for it, replacing it with illegal symbols until you reach the end of the file. As I said, the most important thing here is to use your common sense, make sure you don’t mess your SWF up. After renaming the classes you can start renaming the packages. Note that when renaming a package, you can erase the periods too and make it one long illegal package name. Look what I made:
After you finish renaming the classes and the packages, you can start renaming functions and variables. They are even easier to rename as they usually appear only once, in one large cloud. Again, make sure you rename only “your” methods and not the built-in Flash methods. Make sure you don’t wipe out the key (“activetuts” in our case).
Step 15: Compress the SWF
After you finish renaming you would probably want to compress the SWF so it will be smaller in size. No problem, we can use the compressing utility we created before and it will do the job. Run the utility, select the SWF and save it under another name.
Conclusion: Have a Final Look
Open it one last time and have a look. The classes, the variables and the method names are obfuscated and the protected SWF is somewhere inside, encrypted. This technique could be slow to apply at first, but after a few times it takes only a few minutes.
A while ago I created an automatic utility to inject the protected SWF for me into the loading SWF, and it worked fine. The only problem is that if it can be injected using an automatic utility, it can be decrypted using another utility, so if the attacker makes a utility for that he will get all your SWF easily. Because of this I prefer to protect the SWFs manually each time, adding a slight modification so it would be harder to automate.
Another nice application of the technique is Domain locking. Instead of decrypting the SWF with a constant string you can decrypt it with the domain the SWF is currently running on. So instead of having an if statement to check the domain, you can introduce a more powerful way to protect the SWF from placement on other sites.
Last thing, you may want to replace the encryption code with your own implementation. Why? We invested efforts in making the crypto code illegal, but the code we use is from a popular open source library and the attacker could recognize it as such. He will download a clean copy, and all the obfuscation work is rendered unnecessary. On the other hand, using your own implementation will require him to fix all the illegal names before he can continue.
Other Protection Methods
Because SWF theft is a big problem in the Flash world, there are other options for protecting SWFs. There are numerous programs out there to obfuscate AS on the bytecode level (like Kindisoft’s secureSWF). They mess up the compiled bytecode and when the decompiler attempts to output code it will fail, and even crash sometimes. Of course this protection is better in terms of security but it costs $$$, so before choosing how to protect your SWF consider the amount of security needed. If it’s about protecting a proprietary algorithm your 50-employee Flash studio has been developing for the past two years, you may consider something better then renaming the variables. On the other hand if you want to prevent the kiddies from submitting false high scores you may consider using this technique.
What I like about this technique is the fact that your protected SWF is left untouched when run. AS obfuscation tampers with the byte code and it could possibly damage the SWF and cause bugs (although I haven’t encountered any myself).
That’s all for today, hope you enjoyed the tutorial and learned something new! If you have any questions feel free to drop a comment.
Enjoyed this Post?
Subscribe to our RSS Feed, Follow us on Twitter or simply recommend us to friends and colleagues!
By Nikita Leshenko
Premium Members
Source Files, Bonus Tutorials & More for all relevant Tuts+ sites in one subscription. Join Now
Related Posts
Premium Membership
Source Files, Bonus Tutorials & More for all relevant Tuts+ sites in one subscription
How to Write Great Copy for the Web
Add great content to your web projects with this easy to read guide to writing great web copy. Develop the skills to give your work a more professional edge.
Graphic Volcano - More
Active Basix
Just getting started? Start with our basix tutorials on the fundamentals. View All Basix Tutorials
Other Plus Sites ...
aetuts+ audiotuts+ vectortuts+ tuts+ phototuts+ cgtuts+ nettuts+ psdtuts+ activetuts+ mobiletuts+Create a Tutorial, Get Paid!
Have something to teach the world? Want to earn money doing it? Tutorials, screencasts, and articles published here on Activetuts+ are largely contributed by readers just like you! We'll pay you great money for good content. Find Out More
Very good to know!!
Absolutely Brilliant! An Outstanding Tut.
But I can not understand, when your changing the Hex value, why does it still run? yes, you said the compiler wont compile it, but the player will run it.
But how?
for example, you did
thetext.text = “ABC”;
and you changed the hex, now it’s:
thetext.%!@$! = “ABC”;
I would love for you to clear this out.
Your from Israel?
I never knew we got super flash Dev’s.
Waiting for more great tuts as this, certainly from you
Hi
It works because FP doesn’t do any text parsing when executing bytecode. When we say find propery “qwerty”, it finds a property where the first symbol is “q”, the second is “w”, the third is “e” and so on…
So when we say find property “@#$” (by modifying the binary), it doesn’t notice any difference, it just finds a propery where the first symbol is “@”, the second is “#” and the this is “$”.
On the other hand the compiler must do some fancy parsing, it can’t accept any symbol and something like asd.$;,;@# = 40; will screw everything up.
Heeey Nikita… I like your article…
Could you please let me know how can I contact you to discuss the swf protection topic? Will let you know the details later.
mailbox – alex.nadtoka@gmail.com
З.Ы. Do you speak Russian? Your surname sounds like Ukrainian .
Very good tutorial.
Excellent code and tip, I never hear about this technique to protect the code.
Awsome!!!!
Ian, it is prolly because the names are constant, although illegal for the compiler
they are still the same, so if you created a method %#%, and use “%#%”, every time you wish to use it, the player can interpret it as any other method, it will only be impossible to recompile.
(remember, you embed it as binary data)
Great tutorial Nikita, although I’m not really into flash at the moment.
It was very comprehensible and detailed, but I would like to hear more of what happens “backstage”, I gave my best shot to answer Ian, but I’m sure there is more happening under the surface there.
great tutorial
Haven’t been using Flash for that long, but I can tell that this will be very helpful in the future
I can’t believe that this isn’t standard inside of adobe’s workflow to protect swf files.
But then again, adobe is king on earth, they live inside their own world.
I can safely say this might be THE best tutorial so far.
This is one of the most valuable items you need to know when working on a high end level.
Very nice work
I hope flash guys will not be able to break it…
Briefly read the tutorial, looks very good, will definately be trying this to protect my swfs!
Thanks!
Finally a tutorial on this issue!
Amazing tutorial, will do it with all my production swfs.
Wow, never heard of these techniques :O
Thanks so much, very informative
!
Come on guys I know all of you have decompiled , copied, or used someones work somewhere along the line and called it your own.
Great Tutorial!
this technique for protecting SWFs from decompilers is very needed. Thanks for demonstrate it in this tutorial. I am enjoyed to learn this tutorial. Again thanks
Great tutorial
Excellent Tutorial!
This is one of the better methods I’ve seen out there. Good work.
One thing that’s very important for people to know about hand-editing bytecode is that when you change the name of a class, method or variable, you have to change it to something with the same number of characters as the original.
Also, the example code encryption and compaction code won’t work right off the bat because you can’t call FileReference methods without them being triggered by a MouseEvent.
The topic of swf encryption has always interested me.
But I wonder… What kind of impact would it have on SEO?
In other words, how can google index text inside your swf if it is encrypted?
Wow… Article is great! My congratulations
I am not a programmer but what about action script version 2.0 ? You could make similar topic for 2.0 version as well. It is still very popular.
@Bartosz Oczujda
SEO and flash is a different topic, I think. Google the topic and you will find the ways which are used to index flash.
thank
i regularly use sothink decompiler to snag hard to find vector logos and whatnot. it’s also a valuable tool to learn how things work. i don’t think there’s any foul to using the software for learning purposes.
however, thank you for the tut on how to prevent others from stealing altogether.
@Alex
Well maybe you don’t know but Google is able to index text which is inside your SWF file.
And my question is if I employ the technique from this tutorial or encrypt my SWF with some commercial software will google still be able to index my text?
Can somebody answer that?
@Bartosz Oczujda
Yes I knew that Google is able to index SWF files. Here is what I found. It may be interesting for you
http://www.beussery.com/blog/index.php/2008/10/google-flash-seo/
P.S. Just want to help you.
Thanks Alex, this lik is very useful
@Bartosz Oczujda
Text and ActionScript code are not related, so there should be no problems.
You can check your SWF using some Flash decompiler. For example, I am using
“Flash Decompiler Trillix” from Eltima.
In flash decompiler you will see that Text and ActionScript code are separated. Above obfuscation methods are used for ActionScript only. So there is nothing to worry about. This what I am talking about.
Thanks.
Hi
Thanks to write this Artical
I want to do this in my Project but i am beginner for AS3
I really don’t know to start the code write in which software which u have done.
Please help me how to start first thing can u give me some Guidance regarding this
that’s not good protection if cracker knows somethink about coding, reverse engineering etc. but it2s good for lamers
i downloaded Final.swf and opened with swf decompiler. it’s obfuscated.. thats good..
but when i tried to find swf files in ram which are created by flashplayer, your file is there.. and it takes less than 2 minutes.
http://rapidshare.com/files/349857604/ram.swf
regards..
yep I noticed this flaw too ,there isn’t a really good way to protect a SWF
I did some research about “spreading” the SWF around the RAM but I didn’t come up with anything convenient, it was too complex too apply.
But you just inspired me to investigate more on that subject..
Wow, that is fascinating. I didn’t know you could do that. Thanks for sharing
Bartosz, it does not make much sense to rely on Google to index text in your flash projects anyway. If your project uses information from a dynamic source, or otherwise uses actionscript to display the text, Google indexing will not work. You should always create a noscript / no-flash version of websites you are trying to optimize.
oyunlar1 does appear to have gotten to the source. Oops.
I think the right thing to do was to obfuscate original SWF, then attacker would have no way to obtain readable code, at least. By teh way, I used your utility code to make obfuscation procedure a bit more automated, see the link.
Awesome, looking into it right now!
Thanks for the Tutorial.
there is no way you can rely protect your code in AS , because of how it works , now of course , you can make hard time for hackers , but i’ve been hacking for years now , c and c++ code , and hacking as3 is just a breeze for me , again , it is because of how the flash player works.
If you have rely sensible code , make it server side with remoting.
Don’t forget that these random strings must be same length as original ones. Also you just can’t replace everything you want, there are a lot of strings which matter.
As for this protection technique, just replacing strings is not enough. Usually decryption routines are small and a hacker can just rewrite it looking at code even with meaningless names. ABC obfuscation is much better, digging through obfuscated bytecode is hard.
Nice tutorial!
We currently use secureSWF Professional for all our online Flash projects. It is the only one that really works and is easy to use. We’ve tried all the other software (SWF Protector & SWF Encrypt) before and it didn’t do the job, these were easily defeated by decompilers. We weren’t able to decompile files processed by secureSWF.
Thumbs up for secureSWF Pro!
I do not agree with you. Check this out
http://blog.vortixgames.com/protecting-your-work-2-initial-testing
An interesting post made by one flash developer… He made a comparison of SWF obfuscators and as a result secureSWF was the worst… additionally it broke his game.
hi, what software did you use to dump the .swf file from memory?
thanks
Great tutorial, this is certainly enough to deter a few h4ck3rz
I don’t understand why you’re decompressing and compressing the swf? surely you want to encrypt a compressed swf, rather than compress an encrypted swf?
Sorry, I get it now-you’re decompressing the container so you can obfuscate it.
It’s easier to understand what’s going on when I actually go through the steps myself.
I think it’s an amazing tutorial and very informative. It’s really sad to know so many are in favour of casually decompiling, and I think if you learn to program like this you probably won’t be that innovative anyway!
The saddest part is that occasionally a client from a small business may get abandoned by their flash guru for whatever reason and the site is either lost or has to be decompiled and there are people out there writing software which stops these people being able to get their code (that they paid for!) back.
If you want to secure data, load it into an SWF using a server-side technology, or force people to authenticate before they can access the code, at least that way you have their IP address and user info to trace back if they do steal from you.
Don’t make the files obfuscated using XYZ mega encoder because it costs small businesses money, may harm your code, probably does the file-size no good and at the end of the day is as much a waste of your time as anyone else’s!
Very interesting trick! But sadly it would only be a matter of seconds to break down the encription.
http://jpauclair.net/2010/02/17/one-swf-to-rule-them-all-the-almighty-preloadswf/
Steps1 :
PreloadSWF listen to allComplete event
Step 2:
For ALL “allComplete” event received, save loaderInfo.bytes to disk as fileName.SWF
Step 3:
Load the generated files in SWF Decompiler
Total Time: 1 Minute to decrypt 100% of you files.
Still, the obfuscation is a must and should be the best guess to protect all you SWF!
Hmm, that’s neat
! But have you tried it? It seems to me that loaderInfo.bytes is the loader SWF (with encrypted content), and not the protected SWF. Or am I wrong?
Anyway, I’ll give it a try when I have some time..
Nice blog BTW!
When you receive the allComplete event, the loader info is the SWF that has been parsed by flash player and not the downloaded SWF. Hence, the content of .bytes must be a valid SWF file in order to be parse. It’s all clean from any encryption!
the allComplete will be thrown afer your .loadBytes() (so decryption already occured)
All greetings!
Forgive for clumsy English language, I use the translator. A question following. I need to make file protection (swf).Сначала I do uncompressing a file (by means of utility Compressor.as), further I cipher a file (by means of utility Encryption.as). In the end I use improved the loader (Main.as). As a result of its work the error takes off: “Error #2044: Raw IOErrorEvent:. text=Error #2124: Unknown type of the loaded file.”.
Prompt, what it is necessary to make to avoid an error?
I work with FlashDevelop, FlashPlayer 10, Flex SDK 3.2
That’s probably because the encryption is wrong. I suggest that you isolate it and start encrypting and decrypting small chunks of data and testing if corruption occurs. If it works OK, try encrypting, decrypting and running a SWF. If that works too, try dumping the protected SWF to disk just before it gets loaded and analyse it with a hex editor.
You will probably spot the problem by that time.
Good luck
very usefull thanks
Nice tutorial !!!!!!
Thank you Nikita for sharing this idea with us.
I’ve tried it but after have testing encryption/load/decryption and using some swf’s to testing the encryption/decryption utility, I was stopped by the step 10 of your tutorial because the embedding operation stops and tells me that is: “unable to read transcoding source ‘myEncrypted.swf’”. The same procedure works if I embed a decrypted swf.
Have I miss something?
Resolved. My mistake.
Thanks again for the ideas.
This tutorial is great, though obviously the method can be easily hacked.
What cannot be reversed is the obfuscation of classes, variables method names. I know any hacker could reconstruct the names, but the fact is he would have to understand deeply the obfuscated code to rename making sense.
It would be a great thing if someone did an encoder to change automatically and randomly all the variables and classes. Doing it one by one with an hex editor is a pain in the ass.
If someone knows such a program, please post here!
Nice tutor.
Thanks