Update: there is now a new version here.
It appears you can actually write one in under XX minutes with almost no knowledge of the SWF format and its complicated parsing process. I have uploaded a proof of concept to wonderfl (under the unrestrictive WTFPLv2 license :). Processed with its default settings, my away3d SWF looks like this in the Sothink decompiler:
Such code would not even compile, obviously :) To de-obfuscate it, one would have to actually parse the SWF, which is still possible, but ends up with meaningless names that are hard for bad programmers to interpret. Feel free to fix bugs or add features.
I know only this one, but never tested it. http://github.com/shapedbyregret/actionscript-3-obfuscator
Thanks for the link, it seems to be an AS3, not SWF, obfuscator. What it does is also possible to do with the C preprocessor; some people made this tool to ease the pain.
Hi makc3d, surfing the internet I found this, maybe you will like it. http://active.tutsplus.com/tutorials/workflow/protect-your-flash-files-from-decompilers-by-using-encryption/
I actually used some code from that article (and there is credit link in my source). However, I do not agree with the author; he is obfuscating the loader and encrypting embedded SWF, i.e. he relies on encryption – while I think you should obfuscate original SWF, i.e. rely on obfuscation.
Hi makc,
You’re right, you should definitely add some obfuscation to the embedded SWF. The method I described in the tutorial is only one (and fairly basic) layer of protection, and others should be added too.
Hello makc!
I want to thank you for this piece of code once more. It works good (not great, there’re improvements), but I have to tell you that it produces invalid code.
However it’s nice to see that Flash doesn’t care about variable names when the SWF is compiled, so you can easily rename “myVariable” to “‘_-$#%^#$@”.
But these names are not valid as described in the Flash API. The API tells us only to use alphanumeric chars plus an underscore and the dollar sign ( a-z, A-Z, 0-9, _, $).
But as we can see, even if a name is changed to something like “@#$%#$><;” or whatever, Flash just doesn't care and the code still runs fine. That's also a security hole. If you're interested in more information about Flash Player's (In)Security, have a look at this video from the German Chaos Computer Club Meeting 12/2009 (it's in English of course): http://events.ccc.de/congress/2009/Fahrplan/events/3494.de.html (see links below).
Best Regards,
Daniel
Re: “these names are not valid as described in the Flash API”
That’s kinda the whole point, otherwise you could just preprocess AS3 files with bunch of defs like
#define myPrettyVariableName _loc_123
prior to compiling it, as discussed in above comments.
Mmm still reconstructable in my opinion. Advanced decompilers will regenerate readable names.
We currently use secureSWF Professional for all our online Flash projects. It is the only one that really works and is easy to use. We’ve tried all the other software (SWF Protector & SWF Encrypt) before and it didn’t do the job, these were easily defeated by decompilers. We weren’t able to decompile files processed by secureSWF.
Thumbs up for secureSWF Pro!
which decompilers regenerate names?
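Hi, I found your code; it’s too slow.
private function findString(data : ByteArray, string : String) : Boolean {
    var i : int = 0; // number of characters of string matched so far
    while (data.bytesAvailable) {
        var char : int = data.readByte();
        if (char == string.charCodeAt(i)) {
            i++;
            if (i == string.length) {
                // we found match: rewind so position points at its first byte
                data.position -= string.length;
                return true;
            }
        } else {
            // mismatch: resume one byte after where this attempt started,
            // so overlapping candidates (e.g. "aab" in "aaab") are not skipped
            data.position -= i;
            i = 0;
        }
    }
    return false;
}
Can you optimize it?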
You could go the other way around: loop through the SWF once and find matching strings in the substitution list.
Very interesting. Any hints for protecting/obfuscating images embedded in SWF files?
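The single-pass approach suggested in the reply above, as an added Python example (not code from the original post or its author's tool): the buffer is walked once and each position is checked only against the names that start with that byte. The function names, sample bytes and substitution table are constructed for illustration, and replacements are assumed to have the same length as the names they replace so that no offset in the file moves.

```python
from collections import defaultdict


def build_index(table):
    """Group (old, new) pairs by the first byte of old, longest old first."""
    index = defaultdict(list)
    for old, new in table.items():
        if not old or len(old) != len(new):
            # Equal lengths keep every offset and length field in the file valid.
            raise ValueError(f"replacement for {old!r} must have the same length")
        index[old[0]].append((old, new))
    for candidates in index.values():
        candidates.sort(key=lambda pair: len(pair[0]), reverse=True)
    return index


def substitute(data, table):
    """Scan data once; return (rewritten bytes, number of replacements)."""
    index = build_index(table)
    out = bytearray(data)
    pos = count = 0
    while pos < len(data):
        # Only names whose first byte equals data[pos] can match here.
        for old, new in index.get(data[pos], ()):
            if data.startswith(old, pos):
                out[pos:pos + len(old)] = new
                pos += len(old)
                count += 1
                break
        else:
            pos += 1  # no name starts at this position
    return bytes(out), count


# Constructed sample: not a real SWF, just bytes containing identifier strings.
SAMPLE = b"\x06player\x0bplayerSpeed\x03aab\x00aaab"
# Constructed table: names outside a-z, A-Z, 0-9, _, $ as discussed in the comments.
TABLE = {b"player": b"@#%^&!", b"playerSpeed": b"<;>-#%^&!@~", b"aab": b"?!+"}

if __name__ == "__main__":
    print(substitute(SAMPLE, TABLE))
```

A name that occurs inside a longer, unlisted name is rewritten as well, so the table has to list every identifier that shares a substring.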
Not really, but avoiding Loader’s load/loadBytes and working with BitmapData directly might be the way.
Open Source? where can I find the source?
github
nvm found it, thanks!