Grand Theft Flash: the Flash theft problem

Alexandre Chevalier is the marketing specialist at DCom Soft, Inc., the company that developed the well-known SWF Protector I reviewed in this post.

With the release of version 3.0 (I am testing it right now, expect a full review in a couple of days), Alexandre explains the Flash theft problem to us:

« Nowadays SWF security is a crucial problem. The Internet has made it easy to steal SWF templates (games, websites, etc.) and other compiled Flash applications.

If we look deeper into the problem, we find that ActionScript code (which is code compiled into byte code within SWF files) is the most important part of any Flash/Flex interactive application. So, for sure, Flash developers require protection tools like SWF Protector.

On the other side, we can see that day by day reverse engineering technologies are growing more and more popular among the Flash communities. And this is a big problem, I think. There are many more people who buy Flash decompilers like Trillix from Eltima or Sothink from Sourcetec than those who are interested in Flash security and buy a Flash protector like SWF Protector from DComSoft.

Probably many of you don’t even know the ways to steal or protect Flash, or that this problem persists and is much closer to you than you think. It is right behind you! I will try to enlighten you about this issue.

I have several years of working experience at a popular USA-based web hosting company and do know something about website security and various vulnerabilities. As I already mentioned at the beginning of the story, nowadays “stealing flash templates and games” is a pretty easy task, and here is what I have discovered recently.

Let's find some popular Flash stock or marketplace. For example, BuyStockFlash.

  • open it in a browser and then find some good game or Flash template
  • the next step is to open the preview page
  • in the Internet browser you can choose the option to see the HTML “Source code”; run it
  • now you can find there a link to the SWF file
    (example – /all_files/preview/BigStockFlash-3439/pongV5.swf )
  • after that, rewrite it, adding the actual domain name, like this
    http://www.buystockflash.com/all_files/preview/BigStockFlash-3439/pongV5.swf
  • load it in the browser and voilà, now you can download it directly to your computer
  • the SWF file can simply be downloaded using the “Save as” option in the Internet browser and decompiled using any Flash decompiler like Sothink Flash Decompiler or Trillix SWF Decompiler

So, you are working hard to make some innovative and unique game. Then you publish it on some Flash market like BuyStockFlash to get some revenue for it. And what could be next? I will tell you… later someone less intellectual, less gifted than you, some Flash developer, just steals it and uses it for his own purposes. This is not some unique case; it happens pretty often. If you need real facts, take a look at this topic:

The owner of the site and Flash game developer proved that his game was stolen for the Chinese Olympic Games web site.

Now let's talk about the options for protecting Flash applications from SWF decompilers. I would like to tell you about the most interesting and important of them.

ActionScript code obfuscation. This method mixes up function, argument and variable names, so the code becomes difficult to understand after decompilation. This is where you can use SWF Protector from DComSoft. It has 4 unique algorithms: “Mix” and “Mask” for ActionScript version 2.0, “Protect” and “Obfuscate” for ActionScript 3.0.

“Mask script” is an effective method to conceal code and doesn’t lead to a file size increase.
“Mix script” mixes the source code. This method is rather effective, but leads to a file size increase. That is why SWF Protector offers an option to set the intensity of this method. In Simple mode the intensity for AS 2.0 files is 50% by default.

The “Protect” method modifies the scripts in such a way that SWF files can play in Flash Player, but cannot be decompiled. Popular Flash decompilers just crash.
The “Obfuscate” method renames variables and other objects. It doesn’t protect the file from decompilation, but makes the code impossible to use for further compilation.

On our Squidoo page you can find how to use SWF Protector and how to protect your ActionScript code.

Fully functional version is available for 39.95 only!

Load SWF at Runtime. This is a pretty popular protection method among developers. All that needs to be done is to embed an SWF as a ByteArray into the loader SWF, and it can be loaded through Loader.loadBytes().

Encryption. There are lots of libraries that provide different cryptographic algorithms for data encryption. To make your code look more secure you may try this method as well. I suggest using the “as3crypto” library, which is able to encrypt and decrypt binary data using a key. It can be downloaded from code.google.com. But, please, try to understand that this actually looks more like one more “scary” obfuscation method, because the key is included inside the SWF and some crackers who are familiar with cryptography will be able to decrypt the code.

Server-side Protection. On the server side you can easily protect your SWF by using htaccess URL rewrite and hotlink-prevention rules that will hide/mask the URL to your SWF. “.htaccess” is the default name of a directory-level configuration file that allows decentralized management of web server configuration. Check the htaccess documentation and communities for more details regarding the rules which can be applied. This will work only for a Linux-based Apache web server. Please be aware that htaccess rules depend on the server-side configuration and the version of the Apache web server. Here are a few interesting topics for you:

http://httpd.apache.org/docs/2.0/howto/htaccess.html
http://www.dagondesign.com/articles/hotlink-protection-with-htaccess/
http://ryanfait.com/resources/protect-flash-files-from-download/
http://blog.strictly-software.com/2009/01/isapi-url-rewriting-hot-linking.html

If you are running IIS (Windows web server), much the same can be accomplished using commercial software such as ISAPI Rewrite. »
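
A sketch of the kind of hotlink-prevention rule the server-side section refers to, added here as an example; it is not part of the original guest post or of DComSoft's material. `example.com` is a placeholder for your own domain, and the rule assumes Apache with mod_rewrite enabled and `AllowOverride FileInfo` for the directory.

```apache
# .htaccess in the directory that holds the SWF files (added example).
# example.com is a placeholder; replace it with the site that embeds the SWFs.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Commonly copied variant (weaker): the extra "!^$" condition exempts
    # requests that carry no Referer at all, so a request made by typing the
    # SWF URL into the address bar is still served.
    #   RewriteCond %{HTTP_REFERER} !^$
    #   RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/|$) [NC]
    #   RewriteRule \.swf$ - [F,NC]

    # Stricter variant: serve .swf only when the Referer is a page on our own
    # site. An empty Referer does not match the pattern, so it is refused too.
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/|$) [NC]
    RewriteRule \.swf$ - [F,NC,L]
</IfModule>
```

The Referer header is supplied by the client and is stripped by some proxies and privacy tools, so this rule only masks the URL against casual direct requests and hotlinking, and it can also block legitimate visitors whose requests arrive without a Referer.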
