Hiding your actionscript from hackers

I have created a SWF Obfuscator. Basically it hides your code so no one can crack it and steal all the work you have done.

All they get is some weird jumble of numbers. If you are interested I have put up a temporary place where you can get the code and try it out. Also some pictures show what SWF Decompiler will see.

SWOB v0.51b

BackBayChef

That is pretty cool, what did you use to make it?

I am using flasm to decompile the actionscript and then I wrote a Java app that will find all the constants in the flasm dump and then replace the constants with random numbers.

Unfortunately flasm is in C, bison and flex, so I can’t change his code very easily, so I am working on porting that to Java too, to make it XPlatform. Also that will allow me to rename Movie Clips, which is a shortcoming of SWOB right now.

But it does better than ASO, because it will hide object members, like:

this.something in ASO doesn’t change currently,
but in SWOB it will turn into this.a__101010010101000 or something like that.

Let me know if there are any bugs currently.

And thanks for liking it.
–backbaychef

Is this for .as files or for your whole SWF?

Do you mean, does it obfuscate the whole swf, or do you mean do you load in a swf and it obfuscates everything?

Well to answer that, you load the published swf into SWOB and it obfuscates all your actionscript (except for flash tokens like “gotoAndPlay”, “Math.Random()”, etc…) and updates the swf.

It does NOT keep your swf from being loaded into a swf decompiler, it just makes it totally impossible to read your code.

It does NOT obfuscate .as files.

I write my programs completely in .as files, all in one frame and just include them into the swf, so they are definitely obfuscated. ALL actionscript in the swf is obfuscated.

enjoy,
–backbaychef

When flash community started, it started with the purpose of being an open community, and do you know what is an open community, or you are just playing Bill Gates.

I never care if someone steals code, even I don’t care if they copy my projects, and do you know why I think like this, because imitation is the most flattery that someone can make me.

You probably try to attend to some conferences in Barcelona, this year is the year of design. I suggest to you :
Cocos:copias y coincidencias en el diseno y la creacion,
and last but not least,
“Construir en lo Construido”.

um what do you mean an open community?

Flash isn’t open source, macromedia makes money off of us, if you want to make your flash open or if you feel that imitation is the sincerest form of flattery then no one is forcing you to hide your code.

Other people may be paranoid or just don’t want anybody to get the code for something that they worked hard on, why do you want to stop them?

Ahhh open community.

Well I program applications with flash and director for a living. Open source doesn’t pay the bills. I also have done some open source programming, and am considering putting SWOB on sourceforge. But that is very different. I can see why I would contribute that to the community, everyone needs it, and nothing does the job right now.

But when I spend months developing a game til 2 in the morning daily, and then some kid comes along and takes all the code, gives no credit (let alone any money he might make off it) by just decompiling the code WITHOUT my permission… That doesn’t seem like a very open community attitude on the thieves’ part.

You see in the open source community there are different licenses, it’s not all the same thing. Some licenses give you complete free rein, but most require that what you develop also be open source or non commercial. So what really is the open community frame of mind?

as you mentioned

it’s paranoia.

And that quote, about imitation, it’s not mine, it’s a famous one.

I know that Macromedia makes money, of course, but you, me, others, it’s the same. But think what do you lose if someone uses some function that you have written? Tell me please what is the problem.
Teaching others is one of the best things that a human can do. How many Flash “gurus” do you see giving or selling their code, so so many, it’s normal and healthy, and you receive money. And you can teach others. Do you think that Flash is these days, what it is because of what, because of sharing, because of the capabilities, because Macromedia made it available for everyone.
or better, let me ask you something,

Do you buy all your software?

Paranoia is for mental disorders.

Be happy, live longer.

wtf?

“Paranoia is for mental disorders” - funniest sentence ever, I might put that in my sig.

I think the SWOB is cool - in fact, I have a question about it.

Does this mean that I can finally build password authentication into flash? Before the fear was always that the .swf would be decompiled and the password easily stolen - this seems to fix that, no?

Either way, I think SWOB is great.

to swob or not swob, that is the question.

But jingman introduces a very good question.

It’s obvious, jagunco, that you have never dealt with a case where someone pays you money to construct a flash interface for their site, and within a week or two another company which is “coincidentally” competitive with the first is using the code.

The first company looks at you and wonders if you just gave them the code.

You could also use the obfuscation as a selling point, saying that “hackers can’t steal it without doing a lot of work.”

It’s one thing for someone to “base” a design off of another design, that would justify the “Imitation is the sincerest form of flattery” quotation, but for someone to just lift the code is theft and not imitation.

And, yes, while I have some sympathy for those who really care about their craft enough to steal the tools, I’ll ask you something: When you use software to make money, do you then use the money to buy the software you’re stealing?

If you really want to help the community thrive, you will support the companies who make the tools that build the houses in the community, and you will not pose slanderous remarks about someone’s intent.

If you wish for your code to be open source, then post the .FLA files. If someone thinks they can truly benefit from a SWF file and embellish on it by adding something to it, then they should be able to simply LOOK at the SWF and figure it out on their own, since their intent is to add to it I fail to see why they need the SWF for any reason except laziness and saving effort of rebuilding the code themselves.

Oh, and your comment about flash gurus making money off of their code ironically contradicts your entire point. They are teaching for money. They would not make as much money if all of their secrets were open source. If praystation was open source, how many people would have bought the compilation of all the snippets of code? If you could get every single bit of code for free, who would buy the flash books? Who would go to the seminars if the speeches and lectures were available online for free? Sure, there are other reasons to go: but learning flash wouldn’t be one of them anymore.

Thievery is fine for learning until you realize the long term impact it has on the industry, and until you realize that the quote “Talent borrows, Genius steals” doesn’t refer to an actual theft of something.

*Originally posted by jingman *
**
Does this mean that I can finally build password authentication into flash? Before the fear was always that the .swf would be decompiled and the password easily stolen - this seems to fix that, no?

Either way, I think SWOB is great. **

It deters someone from easily decompiling your code, and with clever variable handling, for instance calling the password variable applejuice and username variable pageup or something, and separating them in the code so that they’re not near each other, it would take a lot of work to steal the password.

But it wouldn’t be impossible. Also, deterrents are sometimes what attract people to attempt to hack… it makes it more of an accomplishment. I’d still recommend going to PHP/MySQL for security.
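The server-side check recommended in the post above, as an added example that is not code from the thread: the thread names PHP/MySQL, while this sketch uses JavaScript on Node to stay close to ActionScript syntax. The `USERS` map stands in for the database table, and all function names and the sample account are constructed for illustration.

```javascript
const { scryptSync, randomBytes, timingSafeEqual } = require("node:crypto");

// Derive a slow, salted hash; only the salt and the hash are ever stored.
function makeRecord(password) {
  const salt = randomBytes(16);
  return { salt, hash: scryptSync(password, salt, 32) };
}

// Constructed sample account store (a stand-in for the MySQL table).
const USERS = new Map([["boss", makeRecord("testy")]]);

// Used for unknown usernames so both paths do the same amount of work.
const DUMMY = makeRecord(randomBytes(16).toString("hex"));

// Runs on the server. The SWF submits the form fields and never sees
// the stored hash or the comparison logic.
function verifyLogin(username, password) {
  const known = USERS.has(username);
  const rec = known ? USERS.get(username) : DUMMY;
  const candidate = scryptSync(String(password), rec.salt, 32);
  const match = timingSafeEqual(candidate, rec.hash); // constant-time compare
  return known && match;
}

// Everything the client receives: a yes/no answer, no secret material.
function clientPayload(username, password) {
  return JSON.stringify({ ok: verifyLogin(username, password) });
}

console.log(clientPayload("boss", "testy"));
console.log(clientPayload("boss", "guess"));
```

With this layout, decompiling the SWF reveals only the request it sends, so obfuscation no longer has to protect the password.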

To be honest about the password protection… I don’t think I could offer more than macromedia is.

From what I understand they are using MD5 encryption for that password, which is the toughest level of encryption we have now. So my scrambling it won’t help much. The only thing I can do is make it harder for them to find and figure out stuff, but if someone takes long enough they can.

I guess you could say that is how I am contributing to the open source community with certain projects of my flash code. If they can figure out what it is doing, they can use it :).

Some thoughts on Open Source and Closed Source.

I believe one cannot exist without the other (more so open source can’t exist without closed source). Here are my arguments.

If programming was open source, then any joe schmoe could take some code, not have an inkling as to what it does, and use it. He would charge way less than a person who has spent years learning how to program (and I mean really program, take c/c++ for example: data structures, virtual functions, COM or XPCOM, Data manipulation, JNI (Java and Native code), DLLs, etc…), and the quality of code starts to break down because the newb doesn’t know how to really manipulate and use it.

Companies don’t need programmers because pieces of code are everywhere and they don’t “need” the expensive programmer to code, so the programmer goes back to flipping burgers. The people who know what to do, and how to do it stop doing it, because really programming is fun and addictive, but I wouldn’t do it if I wouldn’t eventually make money. Now there are a few people out there who would just program for a hobby and do well, but they’d probably be doing COBOL or assembly anyway so they are out.

All of a sudden programmers are out of the job, the game industry drops (among others). Hardware doesn’t become such a hype any more because software isn’t demanding as much from the hardware any more. Hardware gets expensive because they aren’t popping out video cards, CPUs, and memory like hot cakes anymore. This would limit programmers even more, and the industry would start to suck. This freakin’ forum wouldn’t be here, because who would care.

On the other hand, without open source, newbs (me included :slight_smile: ) wouldn’t know where to begin. Wouldn’t have any real world examples. This freakin’ forum wouldn’t be here, because who would care. Everyone would be too stingy to share any code.

Open Source is meant to be a resource. It is meant to help developers, not replace them. It is meant to help beginners, not be a crutch for them.

I think it is our duty as a community to give code, and sometimes get together and work on projects together, or donate projects. But it is not our duty to give over our livelihood. Without us now, there will be no future for others, and it’s back to burgers.

Amen

–backbaychef

To be honest about the password protection… I don’t think I could offer more than macromedia is.

From what I understand they are using MD5 encryption for that password, which is the toughest level of encryption we have now. So my scrambling it won’t help much. The only thing I can do is make it harder for them to find and figure out stuff, but if someone takes long enough they can.

You misunderstand a bit :b:

What they’re referring to is being able to have a password entry of something in the actionscript itself… like

// Credentials hard-coded in the SWF's own ActionScript
username = "boss";
password = "testy";
if (login_ent.text == "boss" && pass_ent.text == "testy") {
    gotoAndPlay("entry");
}

all of that would be obfuscated, correct? So you’re making flash more secure… but if someone bothered, they could decompile and deobfuscate :player:

Still useful, and you could hide the pass/login info in the code well enough that it’d take a long time to deobfuscate and make sense of everything, but it’d still be possible.

yeah. There isn’t any software that could deobfuscate this so they would have to do it by hand (this is because I am using random strings). But yes it would be possible. I am working on a string obfuscator that will make it even harder to find out passwords etc. It would do something like this.

password = "somethingsomething";

and convert that to this:

a__010110101010001 = "kj2l3jo9c,knasdflu03nlkbsdf9_jals3jlkkj";

a__101010011101010010 = a__100101100110101.a__101010010110110(a__010110101010001,a__01011010101001011,a__01011010101110110);

And so on. This indirection of course will take a little more time to calculate and increase the file size a couple of k maybe, so I will make this an option.

I have been using SWOB a lot the last week and already have found a few things I want to make nicer. So keep checking for new posts or new versions on my site.

–backbaychef
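A check a developer can run on their own obfuscated output, added here as an example (it is not SWOB's code, which the thread does not show): a toy renamer that mimics the identifier renaming described in the thread, followed by a scan for sensitive literals that survive it. JavaScript stands in for ActionScript; the reserved-word list, function names and sample script are assumptions constructed for illustration.

```javascript
// Flash tokens that must stay readable for the player (assumed short list).
const RESERVED = new Set(["if", "gotoAndPlay", "text"]);

// Constructed sample: the login check posted earlier in the thread.
const SAMPLE = [
  'username = "boss";',
  'password = "testy";',
  'if (login_ent.text == "boss" && pass_ent.text == "testy") {',
  '    gotoAndPlay("entry");',
  '}',
].join("\n");

// Produce a unique a__<16 random bits> name, in the style shown in the thread.
function randomName(used) {
  let name;
  do {
    name = "a__" + Array.from({ length: 16 },
      () => (Math.random() < 0.5 ? "0" : "1")).join("");
  } while (used.has(name));
  used.add(name);
  return name;
}

// Rename every non-reserved identifier. String literals are matched first
// and passed through untouched, which is what pure renaming does.
function renameIdentifiers(source) {
  const names = new Map();
  const used = new Set();
  return source.replace(/"(?:[^"\\]|\\.)*"|[A-Za-z_]\w*/g, (tok) => {
    if (tok[0] === '"' || RESERVED.has(tok)) return tok;
    if (!names.has(tok)) names.set(tok, randomName(used));
    return names.get(tok);
  });
}

// Release check: which of your secrets are still present as plain literals?
function survivingLiterals(obfuscated, secrets) {
  return secrets.filter((s) => obfuscated.includes(JSON.stringify(s)));
}

console.log(renameIdentifiers(SAMPLE));
console.log(survivingLiterals(renameIdentifiers(SAMPLE), ["boss", "testy"]));
```

Renaming removes the hint that a variable is called `password`, but both credential strings are reported as still present, which is the gap the planned string obfuscator is meant to narrow.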

*Originally posted by lastboss *
**You misunderstand a bit :b:

What they’re referring to is being able to have a password entry of something in the actionscript itself… like

username = "boss";
password = "testy";
if (login_ent.text == "boss" && pass_ent.text == "testy") {
    gotoAndPlay("entry");
}

all of that would be obfuscated, correct? So you’re making flash more secure… but if someone bothered, they could decompile and deobfuscate :player:

Still useful, and you could hide the pass/login info in the code well enough that it’d take a long time to deobfuscate and make sense of everything, but it’d still be possible. **

Bingo, that’s exactly what I’m saying/asking. And yeah I mean, if you make it people will break it, but I think that scrambling like this will prolly be a big deterrent, and for pages that nobody cares about, the chances of a 1337 hacker spending time on it is nil.

well… my opinion is that this kind of thing should be a built-in thingy! You publish the swf, you decode the swf…
If you want an open source for ppl to study from… post the .fla! Decompiling .swfs is almost ripping!

Cool thing man!

my thoughts exactly. Or even give the .as files.

Thank you

*Originally posted by backbaychef *
**my thoughts exactly. Or even give the .as files.

Thank you **

Dude, just wanted to say that I think this is great and I hope you can find the time to continue work on it. I haven’t even had the chance to use it yet but I’m pumped.