Shocked by Doug Mccuue’s post, I decided to have a test on obfuscation and decompiler together, to see how safe my own Flex/Air code bases.
For a long time I was impressed by SWF Encrypt, although it’s not a real encryption, should be something interest if it can obfuscate code well for me.
In AS2 days I used to use the free Flare written by Igor Kogan, it was a great tool to help to search where co-workers hide their code inside FLA files. But now I need a AS3 version it no longer support. I read a post by Lee Brimelow about Sothink decompler several months before, so I would like to give it a try.
SWF Encrypt trial version let me try 25 times, I made a secure swf from my AIR swf file.
Sothink Decompiler can read my origin AIR swf file easily, include almost all assets and code packages. Unfortunately the trial version do not let me check source code.
I found code structure in Sothink quite clear and accurate matching my own code base. I decided to buy it as the price not a problem $79.
From my original AIR swf file, Sothink can read almost all my code, that….hell!
From secure AIR swf file, Sothink again, read most of my code, only several properties and function names hide.
First, the dark side, our code is definitely not safe.
Second, I do not feel SWF Encrypt doing its own job, I hope it can at least change my property/function names so even decompilers can take out all code, still hard to understand. SWF Encrypt really hide several properties/function names, but only very few of them.
Third, I found Sothink useful. Flex framework itself is a giant code base, Sothink decompiler code give some other code we cannot see and realize in MXML files.
Update: finty is right. I forgot Flex compiler can generate source code itself.