Comments on: AS3 Obfuscation and Decompiler Test

By: Baz

Baz — Tue, 21 Jul 2009 13:42:14 +0000

Used irrfuscator (http://www.ambiera.com/irrfuscator/index.html) to protect my games, looks like it worked: none of my games have been stolen until now.

Hope it stays this way

By: schizo

schizo — Wed, 13 May 2009 08:37:49 +0000

I develop nice tool. SWF Reader is opensource tool to manipulate swf files. SWF Reader can deprotect swf files which are encrypted by SWF Encrypt AS2/AS3 http://www.amayeta.com/ or partly Secure SWF AS3 http://www.kindisoft.com/ You can download it from http://realswfreader.sourceforge.net/

hompage: konkursy-hack.pl

By: Matthew

Matthew — Mon, 29 Sep 2008 15:04:35 +0000

@Andrew: Now, obfuscating to some extent to foil script-kiddies, definitely does help, by all means. If they can't understand certain things and are just looking to 'read, modify, experiment' then it's going to get a lot more difficult.. especially with good obfuscation techniques, with some sort of "encryption" on top of that.

I suppose I should have mentioned, the only things these programs do.. is make casual inspection of code slightly more difficult.

By: Andrew Westberg

Andrew Westberg — Mon, 29 Sep 2008 00:39:48 +0000

@Matthew You're absolutely correct. There is no 100% foolproof way to protect source code especially in a virtual machine environment. If the virtual machine is hacked, you can modify it to just dump bytecode from anything loaded into memory.

There are quite a few tricks you can use to protect against the script kiddies who just bought an $80 decompiler though. I gave a talk about this at 360 Flex San Jose (I haven't seen it up on AMP yet though).

By: Matthew

Matthew — Sun, 28 Sep 2008 19:38:56 +0000

There is no software code encryption. Period. End of story.

I was looking at this for my own code, albiet, in C# on the .NET platform. I looked at a whole bunch of options, and read a lot of marketing hyperbole.. unfortunately, tests concluded that they didn't protect anything.

Unfortunately, one way or another -- the code must be interpreted, and that means it gets figured out in memory. That memory can be read. Any application can be de-constructed, especially using things like Flash/C#/Java, anything that's jitt'ed.

ASM/C/C++ code may be more difficult to reverse engineer, but even those 'oldies' are still not guaranteed protection, though it's much much more difficult.

Any program that claims this and that.. is lying.. a highly skilled code-monkey, especially one that specializes in this stuff, can tear apart the byte-code in their sleep.

The only "sure-fire" (and then, only partially) protection mechanism are remote-services.. where you have your main code-block someplace else, ... perhaps accessed through web-services and the like.. is the only way to protect your 'real' code.

Matthew

By: Chris Charlton

Chris Charlton — Sun, 28 Sep 2008 10:03:37 +0000

Dang. Thanks for the tips.

By: finty

finty — Sun, 28 Sep 2008 09:51:16 +0000

"Sothink decompiler code give some other code we cannot see and realize in MXML files"

adding '-keep' to the command line will generate the AS files created in the flex framework behind the scenes:

mxmlc -keep

-you should see a folder called 'generated' after you build your project

By: Doug

Doug — Sat, 27 Sep 2008 21:32:48 +0000

Ouch! There’s also some other movement happening with FLV content – check this http://deceptiveresolution.wordpress.com/2008/09/27/i-can-rip-any-bbc-iplayer-amazon-youtube-etc-streaming-flv/