How to Protect your SWF (AS2 or AS3). Prevent SWF Decompile using SWF Protector

As a Flash programmer, I have always had this concern. A Flash application works differently from a PHP application. We don’t really need to worry about protecting PHP code, because it is interpreted on the server and only the HTML output is sent to the client’s browser. The Flash engine, however, lives in the user’s browser, and the AS2 or AS3 code runs there. A Flash application is compiled into a compact SWF file that is served to the user, but this file contains all the code we have written, which makes it easy for hackers or other developers to steal code from our SWF application. And the ActionScript code is the most important part of any Flash/Flex application.

I normally share the code I write with the developer community. But there are occasions when I don’t want others to see the source code of my application, for example when I have concerns over its security or when it is a proprietary application built for a customer. Unfortunately, stealing the source code of a Flash SWF application is very easy. With reverse engineering technologies gaining popularity day by day among the Flash development communities, protecting the ActionScript code is a big problem. There are plenty of SWF decompilers on the market, such as Sothink, which make it easy for anyone to decompile an SWF file fetched from a browser and see the whole source code written for the application.

This is when we really need to think about code security and about protecting our source code from being stolen. There are some Flash protector applications available, and I tried SWF Protector from DComSoft. It works really well. The application is available for Windows, Mac and Linux. Protecting an SWF application with SWF Protector is easy: add your SWF files to SWF Protector and click the Protect All button.

SWF Protector uses different algorithms for AS2 and AS3. For AS2, it uses the “Mix Script” and “Mask Script” methods, which mix up function, argument and variable names so that the code is difficult to understand after decompilation. For AS3, the code can be “Protected”, which modifies the scripts in such a way that the SWF file still plays in Flash Player but cannot be decompiled, or “Obfuscated”, which renames variables and other objects in the code, making it impossible to compile the code further.

There is another method to protect your SWF code without using any application: create a loader SWF that embeds the actual SWF as a ByteArray and loads it using Loader.loadBytes().
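A minimal loader shell for the approach just described, as an added example that is not from the original post. The class name ShellLoader, the file name Main.swf and the header check are assumptions, and it must be built with the Flex SDK compiler, which processes the [Embed] metadata.

```actionscript
package {
    import flash.display.Loader;
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.events.IOErrorEvent;
    import flash.system.ApplicationDomain;
    import flash.system.LoaderContext;
    import flash.utils.ByteArray;

    // Loader shell: the real application travels inside this SWF as raw bytes.
    public class ShellLoader extends Sprite {
        // Assumption: the real application was compiled to "Main.swf" beside this file.
        // Embedding as application/octet-stream stores the file as a ByteArray asset.
        [Embed(source="Main.swf", mimeType="application/octet-stream")]
        private var EmbeddedSwf:Class;

        private var loader:Loader = new Loader();

        public function ShellLoader() {
            var bytes:ByteArray = new EmbeddedSwf() as ByteArray;
            if (!looksLikeSwf(bytes)) {
                trace("Embedded payload is not a SWF; refusing to load");
                return;
            }
            loader.contentLoaderInfo.addEventListener(Event.COMPLETE, onLoaded);
            loader.contentLoaderInfo.addEventListener(IOErrorEvent.IO_ERROR, onError);
            // Load into the shell's application domain so the embedded classes can run.
            loader.loadBytes(bytes, new LoaderContext(false, ApplicationDomain.currentDomain));
        }

        // SWF files start with "FWS" (uncompressed), "CWS" (zlib) or "ZWS" (LZMA).
        private function looksLikeSwf(bytes:ByteArray):Boolean {
            if (bytes == null || bytes.length < 8) return false;
            bytes.position = 0;
            var sig:String = bytes.readUTFBytes(3);
            bytes.position = 0; // rewind so loadBytes() sees the whole file
            return sig == "FWS" || sig == "CWS" || sig == "ZWS";
        }

        private function onLoaded(e:Event):void {
            addChild(loader); // display the embedded application
        }

        private function onError(e:IOErrorEvent):void {
            trace("Embedded SWF failed to load: " + e.text);
        }
    }
}
```

The embedded file is stored in the shell SWF as plain bytes, so this raises the effort needed to read the code rather than guaranteeing secrecy.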

When someone tries to decompile an SWF file that is protected using SWF Protector, the code looks something like this.

do {
// unexpected jump
} while (true);
// swfAction0xAD hexdata 0x52,0x17,0x99,0x02,0x00,0x39,0x00,0x9A,0x01,0x00,0x00,0x99... // Unknown action
}
"holder1".holder1.loadMovie();
// unexpected jump
/* Error1016 */
// unexpected jump
do {
(this);// not popped
if (true) {
// unexpected jump
} while (this);
(this);// not popped
// unexpected jump
}
}
}
Set("\x0B\x1A\x13\x16", true);
} while (true);

Now tell me, would this be useful to anyone? Of course not!

SWF Protector is not free, but it comes with a small price tag. It is more than worth the money you pay, and better than worrying about the security of your code. You can get more information or buy this tool from http://www.dcomsoft.com

3 Comments

  1. hashem says:

    I have used Flash Secure Optimizer from eramsoft.com. It is cheap and perfect.

  2. Olivia says:

    By the way, hashem, why have you used “Flash Secure Optimizer” by eramsoft if there are FREE solutions available from DComSoft software? Here: http://www.dcomsoft.com/
    SWF Compressor-Decompressor
    SWF Optimizer

  3. In Firefox you have the standard silver toolbars; where the address bar and file/edit bars are, there is the silver background. How do you customize and change that around?
