Is it possible to protect a .swf file from decompilation?

I've been reading about compiling class libraries in a .swc file for distribution without revealing the code - possibly selling it. However, there are .swf decompilers you can use to expose the code, and a .swc file is simply a .zip archive, so changing myswc.swc to myswc.zip will reveal the .swf files of the library.

Just curious, mostly.

+1  A: 

You can't. Don't believe those swf protector/encryptors. Both the content of a swf and a swc need to be readable by the AVM2 so it can't be compressed or encrypted or anything. Bottom line is that you can't really protect your as3 code from being reverse engineered.

__dominic
@__dominic. I agree that no tool can make a swf *impossible* to be reverse engineered. But a good obfuscator will make the task much harder. In many cases, it will make reverse engineering the swf harder or more costly than writing the code from scratch in the first place. That's the point of obfuscators, I think.
Juan Pablo Califano
Juan Pablo Califano, can you recommend a method for obfuscation?
TheDarkInI1978
Obfuscation does not work either! You just can't encrypt/obfuscate your code for the simple reason that if your code is unreadable, how is AVM going to understand it? Encryption/obfuscation tools are a scam. There's no way the code can be compiled, turned into bytecode and then read by a VM if it's encrypted. And "obfuscating" it won't work either, all those tools do, is add some unused junk code and make your swf/swc heavier. Trust me on this one, I wrote a little decompiler tool for myself and tested it with "protected" swf or swc files, and I got the source code without any trouble.
__dominic
@__dominic. Reading your comment, I don't think you paid much attention to what I wrote. I've written a tool to translate bytecode to something more high-level a while ago. Not compilable Actionscript, but rather some intermediary ad hoc language with assignments, conditionals and loops so you can follow code without having to mentally keep track of the stack's state. It was a couple of years ago, for educational reasons, mostly. I'm by no means an expert on the field, though, but I think I have some knowledge of the basics.
Juan Pablo Califano
@__dominic. For the record, I'm not in favor of using decompilers myself. You can check out some points I've made here (if you indulge the self reference: http://stackoverflow.com/questions/1259821/any-reverse-engineers-have-experience-with-secureswf/1263788#1263788). That said, even the most trivial "protection" can make reversed code not directly compilable or a very hard to follow mess. A very old but effective trick used by some obfuscator (can't remember which one) was renaming public identifiers using non-printable chars.
Juan Pablo Califano
@__dominic. As dumb as it sounds, it means the code will not compile right away (unless the tool that decompiles it makes up some legal name for these) but even then it will make it hard to make any sense out of it. And of course there are other more advanced and sophisticated techniques. At some point, all of them can be worked around. But it takes time and effort. And in most cases, it's more time and effort than rewriting the code yourself (assuming you want to "steal it"). So that's the point I was making.
Juan Pablo Califano
@TDI1978. At work we use some source code obfuscator for one of our libraries. Again, I'm not a big fan of these tools, but I guess if I were to "steal" this code and had to make sense out of the decompiled result, I'd probably write the code myself from scratch. Will check the name of the tool tomorrow (this one is a bit tedious to use in that it doesn't have a command line interface, so you cannot automate it in your build). I've also used (because I was asked) SecureSWF, by Kindisoft (http://www.kindisoft.com/). It's quite configurable and I think it's the best one of the few I've tried.
Juan Pablo Califano
@TDI1978. This is the source code obfuscator I mentioned. http://www.tokaos.com/. Not sure if it will be good for "general use" (at work we're using it for some libraries / swc)
Juan Pablo Califano
A: 

I used SWF Protector (http://www.dcomsoft.com/), it encrypts ActionScript classes

Fuko
That tool is a scam.
__dominic
A: 

Can anyone please tell me how to extract the contents of a swc library?

itzmepri
As stated in the question, it's a zip file. But you should ask this as a separate question - not as an answer, because it is not.
Amarghosh
@itzmepri. The easiest way: 1) rename `whatever.swc` to `whatever.zip`. 2) Unzip `whatever.zip`. 3) You'll get a `catalog.xml` file with some linkage info plus a `library.swf` with the ActionScript compiled byte code. Obviously you don't need to rename your swc if the program you use for unzipping doesn't care about extensions. I mentioned renaming because on Windows, with Winzip or Winrar, you'll get the option to unzip when right clicking on the file if the file ends with `.zip`.
Juan Pablo Califano
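
The container layout described in the comment above, as an added example that is not part of the original thread: a Python sketch that opens a SWC as a plain zip archive and reads the 8-byte header of `library.swf`, which is a quick way to audit what a library you distribute exposes. The sample archive is constructed in memory, and the signature values (`FWS`, `CWS`, `ZWS`) come from the SWF file format rather than from this page.

```python
import io
import struct
import zipfile
import zlib


def build_sample_swc() -> bytes:
    """Constructed sample: a minimal SWC-shaped zip, not a real library."""
    body = b"\x00" * 32  # placeholder bytes standing in for the SWF tags
    header = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("catalog.xml", "<swc><!-- constructed --></swc>")
        z.writestr("library.swf", header + zlib.compress(body))
    return buf.getvalue()


def inspect_swc(data: bytes) -> dict:
    """List archive members and parse the header of library.swf."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not a zip archive, so not a SWC")
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        members = z.namelist()
        if "library.swf" not in members:
            raise ValueError("archive has no library.swf")
        swf = z.read("library.swf")
    if len(swf) < 8:
        raise ValueError("library.swf is shorter than an SWF header")
    # Header: 3-byte signature, 1-byte version, 4-byte little-endian length
    # (the length counts the whole file after decompression).
    sig, version, declared = struct.unpack("<3sBI", swf[:8])
    if sig == b"FWS":            # body stored as-is
        body = swf[8:]
    elif sig == b"CWS":          # body is a zlib stream
        body = zlib.decompress(swf[8:])
    elif sig == b"ZWS":          # LZMA body; reported but not unpacked here
        body = None
    else:
        raise ValueError("unknown SWF signature %r" % sig)
    return {
        "members": members,
        "signature": sig.decode("ascii"),
        "version": version,
        "declared_length": declared,
        "body_bytes": None if body is None else len(body),
        "length_ok": body is not None and 8 + len(body) == declared,
    }


if __name__ == "__main__":
    print(inspect_swc(build_sample_swc()))
```
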