AS3 Obfuscation and Decompiler Test

27 Sep, 2008  AIR Runtime, ActionScript 3, Flash CS4, Flex 3

Shocked by Doug Mccuue’s post, I decided to have a test on obfuscation and decompiler together, to see how safe my own Flex/Air code bases.

SWF Encrypt

For a long time I was impressed by SWF Encrypt, although it’s not a real encryption, should be something interest if it can obfuscate code well for me.

Sothink Decompiler

In AS2 days I used to use the free Flare written by Igor Kogan, it was a great tool to help to search where co-workers hide their code inside FLA files. But now I need a AS3 version it no longer support. I read a post by Lee Brimelow about Sothink decompler several months before, so I would like to give it a try.

Test

SWF Encrypt trial version let me try 25 times, I made a secure swf from my AIR swf file.

Sothink Decompiler can read my origin AIR swf file easily, include almost all assets and code packages. Unfortunately the trial version do not let me check source code.

I found code structure in Sothink quite clear and accurate matching my own code base. I decided to buy it as the price not a problem $79.

Result

From my original AIR swf file, Sothink can read almost all my code, that….hell!

From secure AIR swf file, Sothink again, read most of my code, only several properties and function names hide.

Conclusion

First, the dark side, our code is definitely not safe.

Second, I do not feel SWF Encrypt doing its own job, I hope it can at least change my property/function names so even decompilers can take out all code, still hard to understand. SWF Encrypt really hide several properties/function names, but only very few of them.

Third, I found Sothink useful. Flex framework itself is a giant code base, Sothink decompiler code give some other code we cannot see and realize in MXML files.

Update: finty is right. I forgot Flex compiler can generate source code itself.

8 Comments so far »

  1.  

    Doug said

    am September 27 2008 @ 2:32 pm

    Ouch! There’s also some other movement happening with FLV content – check this http://deceptiveresolution.wordpress.com/2008/09/27/i-can-rip-any-bbc-iplayer-amazon-youtube-etc-streaming-flv/

  2.  

    finty said

    am September 28 2008 @ 2:51 am

    “Sothink decompiler code give some other code we cannot see and realize in MXML files”

    adding ‘-keep’ to the command line will generate the AS files created in the flex framework behind the scenes:

    mxmlc -keep

    -you should see a folder called ‘generated’ after you build your project

  3.  

    Chris Charlton said

    am September 28 2008 @ 3:03 am

    Dang. Thanks for the tips.

  4.  

    Matthew said

    am September 28 2008 @ 12:38 pm

    There is no software code encryption. Period. End of story.

    I was looking at this for my own code, albiet, in C# on the .NET platform. I looked at a whole bunch of options, and read a lot of marketing hyperbole.. unfortunately, tests concluded that they didn’t protect anything.

    Unfortunately, one way or another — the code must be interpreted, and that means it gets figured out in memory. That memory can be read. Any application can be de-constructed, especially using things like Flash/C#/Java, anything that’s jitt’ed.

    ASM/C/C++ code may be more difficult to reverse engineer, but even those ‘oldies’ are still not guaranteed protection, though it’s much much more difficult.

    Any program that claims this and that.. is lying.. a highly skilled code-monkey, especially one that specializes in this stuff, can tear apart the byte-code in their sleep.

    The only “sure-fire” (and then, only partially) protection mechanism are remote-services.. where you have your main code-block someplace else, … perhaps accessed through web-services and the like.. is the only way to protect your ‘real’ code.

    • Matthew
  5.  

    Andrew Westberg said

    am September 28 2008 @ 5:39 pm

    @Matthew You’re absolutely correct. There is no 100% foolproof way to protect source code especially in a virtual machine environment. If the virtual machine is hacked, you can modify it to just dump bytecode from anything loaded into memory.

    There are quite a few tricks you can use to protect against the script kiddies who just bought an $80 decompiler though. I gave a talk about this at 360 Flex San Jose (I haven’t seen it up on AMP yet though).

  6.  

    Matthew said

    am September 29 2008 @ 8:04 am

    @Andrew: Now, obfuscating to some extent to foil script-kiddies, definitely does help, by all means. If they can’t understand certain things and are just looking to ‘read, modify, experiment’ then it’s going to get a lot more difficult.. especially with good obfuscation techniques, with some sort of “encryption” on top of that.

    I suppose I should have mentioned, the only things these programs do.. is make casual inspection of code slightly more difficult.

  7.  

    schizo said

    am May 13 2009 @ 1:37 am

    I develop nice tool. SWF Reader is opensource tool to manipulate swf files. SWF Reader can deprotect swf files which are encrypted by SWF Encrypt AS2/AS3 http://www.amayeta.com/ or partly Secure SWF AS3 http://www.kindisoft.com/ You can download it from http://realswfreader.sourceforge.net/

    hompage: konkursy-hack.pl

  8.  

    Baz said

    am July 21 2009 @ 6:42 am

    Used irrfuscator (http://www.ambiera.com/irrfuscator/index.html) to protect my games, looks like it worked: none of my games have been stolen until now.

    Hope it stays this way :-)

Comment RSS

Leave a comment

Name: (Required)

eMail: (Required)

Website:

Comment: