With the release of version 3.0 (I am testing it right now, expect a full review in a couple of days), Alexandre explains the Flash theft problem to us:
« Nowadays SWF security is a crucial problem. The Internet made it easy to steal SWF templates (games, websites, etc.) and other compiled Flash applications.
If we look deeper in the problem, we find that ActionScript code (which is code, compiled into byte code within SWF files) is the most important part of any Flash/Flex interactive application. So, for sure, flash developers require protection tools like SWF Protector.
From the other side, we can see that from day to day reverse engineering technologies grow more and more in popularity among the Flash communities. And this is a big problem I think. There are many more people that buy Flash Decompilers like Trillix from Eltima or Sothink from Sourcetec, than those who are interested in flash security and buy a Flash Protector like SWF Protector from DComSoft.
Probably many of you don’t even know the ways to steal or protect Flash and that this problem is persisting and it is much closer to you than you think. It is right behind you! I will try to enlighten you about this issue.
I have several years of working experience at a popular USA-based web hosting company and do know something about website security and various vulnerabilities. As I already mentioned in the beginning of the story, nowadays “stealing flash templates and games” is a pretty easy task and here is what I have discovered recently.
Let’s find some popular Flash stock or market place. For example BuyStockFlash.
- open it in browser and then find some good game or flash template
- next step will be to open preview page
- in Internet browser you can choose the option to see HTML “Source code”, run it
- now you can find there a link to swf file
(example – /all_files/preview/BigStockFlash-3439/pongV5.swf )
- after that rewrite it adding the actual domain name like this
- load it in browser and voila, now you can download it directly to your computer
- swf file could be simply downloaded using “Save as” option in Internet browser and decompiled using any Flash Decompiler like Sothink Flash decompile or Trillix SWF Decompiler
So, you are working hard to make some innovative and unique game. Then you publish it on some Flash market like BuyStockFlash to get some revenue for it. And what could be next? I will tell you… later someone less intellectual, less gifted than you, some flash developer, just steals it and uses it for his own purposes. This is not something unique, it happens pretty often. If you need real facts, take a look at this topic:
Owner of the site and Flash game developer proved that his game was stolen for Chinese Olympic Games web site.
Now let’s talk about the options for protecting Flash applications from SWF decompilers. I would like to tell you about the most interesting and important of them.
ActionScript code obfuscation. This method is mixing up functions, arguments and variables names, so it becomes difficult to understand after decompilation. This is where you can use SWF Protector from DComSoft. It has 4 unique algorithms: “Mix” and “Mask” for ActionScript version 2.0, “Protect” and “Obfuscate” for ActionScript 3.0.
“Mask script” is an effective method to conceal code and doesn’t lead to file size increase.
“Mix script” mixes the source code. This method is rather effective, but leads to file size increase. That is why SWF Protector offers an option to set the intensity of this method. In Simple mode the intensity for AS 2.0 files is 50% by default.
“Protect” method modifies the scripts in such a way that SWF files can play in Flash player, but cannot be decompiled. Popular Flash decompilers just crash.
“Obfuscate” method renames variables and other objects. It doesn’t protect file from decompilation, but makes the code impossible to use for further compilation.
On our squidoo page you can find how to use SWF Protector and how to protect your actionscript code.
Fully functional version is available for 39.95 only!
Load SWF at Runtime. This is pretty popular protection method among the developers. All that needs to be done is embed an SWF as a ByteArray into the loader SWF and it can be loaded through Loader.loadBytes().
Encryption. There are lots of libraries that provide different cryptographic algorithms for data encryption. To make your code look more secure you may try this method as well. I suggest using the “as3crypto” library, which is able to encrypt and decrypt binary data using a key. It can be downloaded from code.google.com. But, please, try to understand that actually this way looks more like one more “scary” obfuscation method, because the key is included inside the SWF and some crackers who are familiar with cryptography will be able to decrypt the code.
Server-side Protection. On the server side you can easily protect your swf by using htaccess URL rewrite and hotlink preventing rules that will hide/mask the URL to your SWF. “.htaccess” is the default name of a directory-level configuration file that allows decentralized management of web server configuration. Check the htaccess documentation and communities for more details regarding the rules which can be applied. This will work only for Linux based Apache web server. Please be aware that htaccess rules depend on server side configuration and version of Apache web server. Here are a few interesting topics for you:
If you are running IIS (Windows web server), much the same can be accomplished using commercial software such as ISAPI Rewrite. »
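A hotlink-prevention rule of the kind mentioned under “Server-side Protection”, as an added example that is not part of Alexandre's text or of any DComSoft material. It assumes Apache with mod_rewrite enabled and `AllowOverride FileInfo` for the directory, and uses `example.com` as a placeholder for the site's own host name.

```apache
# .htaccess placed in the directory that serves the SWF files.
# Constructed example: example.com stands in for your own domain.
RewriteEngine On

# Condition 1: the request is for a .swf file (case-insensitive).
RewriteCond %{REQUEST_URI} \.swf$ [NC]

# Condition 2: the Referer is NOT one of our own pages.
# Matches http and https, with or without the www prefix.
# A request with an empty Referer (URL pasted into the address bar,
# download tools) also fails this pattern, so it is refused as well.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]

# Both conditions true: answer 403 Forbidden and stop rewriting.
RewriteRule ^ - [F,L]
```

The Referer header is supplied by the client, so this rule stops casual hotlinking and pasted preview URLs rather than a determined downloader, and the SWF is still delivered in full to every visitor who views it through the page. Treat it as one layer alongside the obfuscation options above, not as a replacement for them.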