I’m curious if any of you have any experience restricting SWF files? I’d like to be able to prevent a user from reading the source code of the page, copying the link to the .swf and pasting it in his browser, and pulling up the SWF outside of the embedded page.
I’ve come up with quite an elaborate scheme to do this here using ColdFusion and a bit of dynamic filtering: http://www.Mannequin3D.com/test.cfm
It’s not a flawless system, however. In some instances the Flash doesn’t load because of a hiccup on the server.
Do any of you know where I can get a decompiler? I hear that you can “rip apart” SWF files and even read the actionscript within them. I desperately want to avoid that. And I’d like to see, first-hand, what one of these can do.
I’ve thought about implementing a script that checks the domain, but that’s not foolproof. If someone can download the SWF from my site, he can decompile it, too.
Are you referring to your 366Kb getFlash.swf? If so, it took me all of a second to click a button and have it sitting on my desktop. I didnt probe for externally loaded movies but if they are there and I wanted them, I’d have em… Sorry.
I dont think your gonna have much luck with protections. If someone really wants to get their hands on it, why even mess around with tracking the source when its already on their machine in their temp internet folder. A simple search of this folder will turn up every swf that the user has cached. Unless you know how to prevent that from happening.
As for decompiling, Im not sure of the official policy of this forum so I wont say names but Ive played around with a couple decompilers as well as a recompiler and havent found a swf file yet that they wouldnt open. The decompilers break it all up into its different elements and include all of the AS and the recompiler can turn a .swf file into a .fla putting all the frames, images, AS, and instance names back to their original form. (more or less)
I tried recompiling six of my own .swf’s to see how accurate it was and all but 2 came out in perfect working order. The other two had a couple misplaced elements and the action script wasnt set right, but it was pretty close. The image quality did seem a bit degraded but for a flash thief thats probably a minor annoyance. The layers are no longer labeled but thats no big deal either. Basically, if you put it on the net, and somebody wants it…well there it is.
(Note) I am by no means a content thief. I just like to learn a little bit about everything. Your websites are safe from me! <polishes halo>
Yup, thats the little monster right there. What I find extremely funny about this program is that it includes a protection feature that works against itself. So if you buy it and use it, no one else can use it against you. Slimy, but pretty smart business wise I guess. People will buy it just to protect themselves from it.
I didn’t pay attention to that feature actually. How does it protect? An additional layer of encryption or someting? But indeed pretty smart business wise.
*Originally posted by ditchhopper *
**Are you referring to your 366Kb getFlash.swf? If so, it took me all of a second to click a button and have it sitting on my desktop. I didnt probe for externally loaded movies but if they are there and I wanted them, I’d have em… Sorry. **
Thanks. I really appreciate you doing this. I don’t think you’ll be able to get your hands on my SWF file now though. I’ve removed any and all caching. (Works in IE, haven’t tested it in other browsers which I’ll do when I get home tonight).
Make sure you remove “getFlash.cfm” from your temporary internet files if you’ve already visited the site.
Thanks
Basically, if you put it on the net, and somebody wants it…well there it is.
I wholeheartedly disagree with this
I suppose I should update this post and let you know what I’ve discovered. Perhaps this is nothing new to most of you; but I feel I should share it anyway and see where it goes. I feel this is a very important issue … Flash Security is a big deal.
I take back everything I said… I was wrong (see posts above)
The biggest problem we have is preventing swf files from caching. We can’t do that. It seems, no matter what we try, that .swf file is going on the client’s machine whether we want it to or not. We’ve tried preventing caching a number of ways using several scripting languages (ColdFusion MX, ASP and PHP). We’ve even tried overwriting the cached file but to no avail. (Macromedia’s suggested method doesn’t work either, surprise, surprise.)
We can hide the SWF in the code… or make it harder to pinpoint either using Javascript (like Macromedia.com does), or by using ColdFusion (you can see my test here.)
But none of this matters because whatever you do, it’s going to end up in the user’s cache.
This really bugs me to no end…
I don’t care that SWF can be decompiled, I do care that I have no control over the cache.
And that’s about it… :hr:
Edit: Feb 20, 2004: Another update. You CAN prevent files going into the cache in both IE and Mozilla. But as pointed out, if someone really really really wants to get your file, they will be able to. They could recompile the browser (Mozilla) to ignore no-cache headers or they could use tcpdump to read the packets that are being sent to the server, pinpoint the SWF and save it to their machine. So nothing is foolproof. The only suggestion is to implement secure actionscript, load it dynamically using loadVars or through remoting which is how I do it.
It’s not even the cache, I used to use “Flash Capture”, where you get a toolbar like the images bar in IE6, and you can right-click any swf in your browser and just hit save… Forget the idea, if you want it displayed, the user has to download it, there was some code tho’ (on Flashkit I believe) that was s’posed to crash ASV (actionscriptviewer), don’t know if it’d still work with the current version, search the forums, there’s quite a long thread somewhere about protection/obfuscation etc…
