Open-source SWF obfuscator, anyone?

Update: there is now a new version here.

It appears you can actually write one in under XX minutes with almost no knowledge of the SWF format or its complicated parsing process. I have uploaded a proof of concept to wonderfl (under the unrestrictive WTFPLv2 license :). Processed with its default settings, my away3d SWF looks like this in the Sothink decompiler:

Such code would not even compile, obviously :) To de-obfuscate it, one would have to actually parse the SWF, which is still possible, but ends up with meaningless names that are hard for bad programmers to interpret. Feel free to fix bugs or add features.

13 Responses to “Open-source SWF obfuscator, anyone?”


    • 4 makc3d February 17, 2010 at 22:19

      I actually used some code from that article (and there is credit link in my source). However, I do not agree with the author; he is obfuscating the loader and encrypting embedded SWF, i.e. he relies on encryption – while I think you should obfuscate original SWF, i.e. rely on obfuscation.

      • 5 Nikita Leshenko February 24, 2010 at 21:03

        Hi makc,
        You’re right, you should definitely add some obfuscation to the embedded SWF. The method I described in the tutorial is only one (and fairly basic) layer of protection, and others should be added too.

  1. 6 Daniel February 26, 2010 at 12:59

    Hello makc!
    I want to thank you for this piece of code once more. It works good (not great, there’re improvements), but I have to tell you that it produces invalid code.
    However it’s nice to see that Flash doesn’t care about variable names when the SWF is compiled, so you can easily rename “myVariable” to “‘_-$#%^#$@”.
    But these names are not valid as described in the Flash API. The API tells us only to use alphanumeric chars plus an underscore and the dollar sign ( a-z, A-Z, 0-9, _, $).

    But as we can see, even if a name is changed to something like “@#$%#$><;" or whatever, Flash just doesn't care and the code still runs fine. That's also a security hole. If you're interested in more information about Flash Players (In)Security, have a look at this video from the German Chaos Computer Club Meeting 12/2009 (it's in English of course): http://events.ccc.de/congress/2009/Fahrplan/events/3494.de.html (see links below).

    Best Regards,
    Daniel

    • 7 makc3d February 26, 2010 at 13:05

      Re: “these names are not valid as described in the Flash API”

      That’s kinda the whole point, otherwise you could just preprocess AS3 files with a bunch of defs like

      #define myPrettyVariableName _loc_123

      prior to compiling it, as discussed in above comments.

  2. 8 John Orange March 18, 2010 at 15:40

    Mmm still reconstructable in my opinion. Advanced decompilers will regenerate readable names.

    We currently use secureSWF Professional for all our online Flash projects. It is the only one that really works and is easy to use. We’ve tried all the other software (SWF Protector & SWF Encrypt) before and it didn’t do the job, these were easily defeated by decompilers. We weren’t able to decompile files processed by secureSWF.

    Thumbs up for secureSWF Pro!

  3. 10 layola May 23, 2010 at 17:00

    Hi, I found your code; it’s too slow.

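    // Scans data from its current position for the ASCII bytes of string.
    // On success, leaves data.position at the start of the match.
    private function findString(data : ByteArray, string : String) : Boolean {
        var i : int = 0; // number of characters matched so far
        while (data.bytesAvailable) {
            var char : int = data.readByte();
            if (char == string.charCodeAt(i)) {
                i++;
                if (i == string.length) {
                    // we found match
                    data.position -= string.length;
                    return true;
                }
            } else {
                // rewind to one byte past where this attempt started, so a match
                // that begins inside the failed partial match is not skipped
                data.position -= i;
                i = 0;
            }
        }
        return false;
    }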
    Can you optimize it?
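
A faster way to do the byte search that comment 10 asks about, as an added example that is not part of the original post or the obfuscator's source: a Boyer-Moore-Horspool scan, written in JavaScript as a runnable relative of ActionScript. `findBytes`, `findAllAscii` and `SAMPLE` are hypothetical names, and the sample bytes are constructed.

```javascript
// Boyer-Moore-Horspool search over raw bytes (added example).
// Returns the offset of the first occurrence of `needle` in `haystack`
// at or after `from`, or -1 if there is none.
function findBytes(haystack, needle, from = 0) {
  const n = haystack.length;
  const m = needle.length;
  if (m === 0) return from <= n ? from : -1;

  // Shift table: how far the window may jump, keyed by the byte that
  // currently sits under the window's last position.
  const shift = new Uint32Array(256).fill(m);
  for (let k = 0; k < m - 1; k++) shift[needle[k]] = m - 1 - k;

  let pos = from;
  while (pos + m <= n) {
    // Compare right to left; most windows fail on the first comparison.
    let k = m - 1;
    while (k >= 0 && haystack[pos + k] === needle[k]) k--;
    if (k < 0) return pos;
    pos += shift[haystack[pos + m - 1]];
  }
  return -1;
}

// Collects every offset at which an ASCII name occurs in the buffer,
// which is what a rename pass needs before it rewrites anything.
function findAllAscii(haystack, name) {
  const needle = Uint8Array.from(name, (c) => c.charCodeAt(0));
  const hits = [];
  let p = findBytes(haystack, needle);
  while (p !== -1) {
    hits.push(p);
    p = findBytes(haystack, needle, p + 1);
  }
  return hits;
}

// Constructed sample bytes (not a real SWF): a name that appears twice,
// plus "aab", where a match for "ab" starts inside a failed partial match.
const SAMPLE = Uint8Array.from(
  "\x02aab\x0AmyVariable\x00xmyVariable",
  (c) => c.charCodeAt(0)
);
```

The skip table lets the scan advance up to the full name length per step, so long identifiers are found with far fewer byte reads than a one-byte-at-a-time loop.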

  4. 12 George Profenza January 19, 2011 at 13:45

    Very interesting. Any hints for protecting/obfuscating images embedded in swf files ?

