Re: [Flashcoders] SWF Decompilers

[Mike Duguid]

yep still works

On 10/28/05, Gregory <[EMAIL PROTECTED]> wrote:
>
>
>
> Question:
> BTW, anyone knows if __bytecode__() is supported in Flash 8 (I'm still
> using MX 2004 Pro)?
>
>
>
___
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders

Re: [Flashcoders] SWF Decompilers

[James O'Reilly]

Thanks Alias,

You were right about how Flash optimizes the names.  I just ran my swf 
through a non-demo version of Sothink's SWF decompiler and was able to 
see all of my classes exactly as you described.  Truthly, with all of 
the local variable names shortened to _1 and _2 it was very difficult to 
follow and I know the code inside and out.  For most cases that's 
probably enough.


I've tried ASO and couldn't get the swf to run right afterwards because 
of all the name changing so I gave up on it.


I'll take a look the ECMAScriptObfuscator.  I've used something like 
that for JavaScript before so that might be promising.


JOR




Alias wrote:

Ooops, sorry, pressed tab+space too quick there - sent too early. (must
drink less coffee)

My previous mail:
Hi James,

A large portion of your classes will be viewable to a decompiler -
basically, the following WILL be viewable:


//Your class before decompilation

class com.yourdomain.yourpackage.YourClass{
 private var someVar:String;
private var someOtherVar:Number;

public function YourClass{
var someLocalVar1:Number = new Number(1)
var someOtherLocalVar2:String = new String("foo");
}
}


//Your class after decompilation

class com.yourdomain.yourpackage.YourClass{
private var someVar:String;
private var someOtherVar:Number;

public function YourClass{
var _local1:Number = new Number(1)
var _local2:String = new String("foo");
}
}


Essentially, everything apart from local variables (which are optimised at
compile time by the MMC) will stay as they are. The order of your vars might
change, but bascially the structure will still be there.

Depending on the complexity of your app, you might be able to use swf
obfuscators, but if there's a lot of intra-class communication, especially
between different swfs, you might end up banging your head against a wall
for a while trying to get your otherwise functional app to work. Often
things like this["myClip"+i].doSomething() will get messed up, because the
dynamic addressing will get messed up - I haven't tried Nicholas' OBFU,
though, that looks like it might be a good bet. I know Macromedia were
supposed to be funding ASO, but things have been quiet from them lately:
http://www.genable.com/aso/

Personally, I think the way to go is pre-compile-time lexical obfuscators,
because that will give you far more control over exactly what gets
obfuscated. If you're really determined,you could look at using the flash
intrinsics to modify something like Semantic designs' ECMAscript obfuscator:
http://www.semdesigns.com/Products/Obfuscators/ECMAScriptObfuscator.html?Home=DropDown

I'd be interested to know how you get on, obfuscation is quite a popular
(and emotionally charge) topic round here.

HTH,
Alias







On 10/27/05, James O'Reilly <[EMAIL PROTECTED]> wrote:


Question about protecting my swfs.

If I use external AS2 classes and compile my swf, will those classes be
exposed if someone were to decompile my swf with a program like
Sothink's SWF Decompiler or other similar decompiler? It creates a bunch
of empty files, one for each class I have and says that ActionScript is
suppressed in the demo version. I can't tell if they are empty because
it's the demo or if that's because they were external classes.

What good programs might people recommend for obfuscating my swfs?

Is this even neccessary to obfuscate if the code I'm really interested
in protecting is in external classes rather than inside the FLA? Does
the same go for compiled clips or custom UI components?

JOR



___
=== James O'Reilly
===
=== SynergyMedia, Inc.
=== www.synergymedia.net 




--


___
===  James O'Reilly
===
===  SynergyMedia, Inc.
===  www.synergymedia.net

___
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders

Re: [Flashcoders] SWF Decompilers

[Alias]

Ooops, sorry, pressed tab+space too quick there - sent too early. (must
drink less coffee)

My previous mail:
Hi James,

A large portion of your classes will be viewable to a decompiler -
basically, the following WILL be viewable:


//Your class before decompilation

class com.yourdomain.yourpackage.YourClass{
 private var someVar:String;
private var someOtherVar:Number;

public function YourClass{
var someLocalVar1:Number = new Number(1)
var someOtherLocalVar2:String = new String("foo");
}
}


//Your class after decompilation

class com.yourdomain.yourpackage.YourClass{
private var someVar:String;
private var someOtherVar:Number;

public function YourClass{
var _local1:Number = new Number(1)
var _local2:String = new String("foo");
}
}


Essentially, everything apart from local variables (which are optimised at
compile time by the MMC) will stay as they are. The order of your vars might
change, but bascially the structure will still be there.

Depending on the complexity of your app, you might be able to use swf
obfuscators, but if there's a lot of intra-class communication, especially
between different swfs, you might end up banging your head against a wall
for a while trying to get your otherwise functional app to work. Often
things like this["myClip"+i].doSomething() will get messed up, because the
dynamic addressing will get messed up - I haven't tried Nicholas' OBFU,
though, that looks like it might be a good bet. I know Macromedia were
supposed to be funding ASO, but things have been quiet from them lately:
http://www.genable.com/aso/

Personally, I think the way to go is pre-compile-time lexical obfuscators,
because that will give you far more control over exactly what gets
obfuscated. If you're really determined,you could look at using the flash
intrinsics to modify something like Semantic designs' ECMAscript obfuscator:
http://www.semdesigns.com/Products/Obfuscators/ECMAScriptObfuscator.html?Home=DropDown

I'd be interested to know how you get on, obfuscation is quite a popular
(and emotionally charge) topic round here.

HTH,
Alias







On 10/27/05, James O'Reilly <[EMAIL PROTECTED]> wrote:
>
> Question about protecting my swfs.
>
> If I use external AS2 classes and compile my swf, will those classes be
> exposed if someone were to decompile my swf with a program like
> Sothink's SWF Decompiler or other similar decompiler? It creates a bunch
> of empty files, one for each class I have and says that ActionScript is
> suppressed in the demo version. I can't tell if they are empty because
> it's the demo or if that's because they were external classes.
>
> What good programs might people recommend for obfuscating my swfs?
>
> Is this even neccessary to obfuscate if the code I'm really interested
> in protecting is in external classes rather than inside the FLA? Does
> the same go for compiled clips or custom UI components?
>
> JOR
>
>
>
> ___
> === James O'Reilly
> ===
> === SynergyMedia, Inc.
> === www.synergymedia.net 
>
>
> ___
> Flashcoders mailing list
> Flashcoders@chattyfig.figleaf.com
> http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
>
___
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders

Re: [Flashcoders] SWF Decompilers

[Alias]

Hi James,

A large portion of your classes will be viewable to a decompiler -
basically, the following WILL be viewable:


//Your class

class com.yourdomain.yourpackage.YourClass{
private var someVar:String;
private var someOtherVar:Number;

public function YourClass{


}



On 10/27/05, James O'Reilly <[EMAIL PROTECTED]> wrote:
>
> Question about protecting my swfs.
>
> If I use external AS2 classes and compile my swf, will those classes be
> exposed if someone were to decompile my swf with a program like
> Sothink's SWF Decompiler or other similar decompiler? It creates a bunch
> of empty files, one for each class I have and says that ActionScript is
> suppressed in the demo version. I can't tell if they are empty because
> it's the demo or if that's because they were external classes.
>
> What good programs might people recommend for obfuscating my swfs?
>
> Is this even neccessary to obfuscate if the code I'm really interested
> in protecting is in external classes rather than inside the FLA? Does
> the same go for compiled clips or custom UI components?
>
> JOR
>
>
>
> ___
> === James O'Reilly
> ===
> === SynergyMedia, Inc.
> === www.synergymedia.net 
>
>
> ___
> Flashcoders mailing list
> Flashcoders@chattyfig.figleaf.com
> http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
>
___
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders

Re: [Flashcoders] SWF Decompilers

[Gregory]

I think all classes will be exposed.
ActionScript Viewer mentioned by John http://buraks.com/asv/ is really
the best one.

So, there are several ways to protect your code:
1)  Obfuscators (utilities or try do it manually)
Viewer Screwer http://www.debreuil.com/vs/ ,
ActionScript Obfuscator http://www.genable.com/aso/

2)  Optimization with Flasm http://www.nowrap.de/flasm/ .
as bytecode itself is changed, it can't be restored in decompiler.
But it is a lo-o-ot of work...

3)  Undocumented __bytecode__() function.


You can choose depending on how "interested" your code is and how much
work you're willing to do.

Question:
BTW, anyone knows if __bytecode__() is supported in Flash 8 (I'm still using MX 
2004 Pro)?


-- 
Best regards,
 Gregory  mailto:[EMAIL PROTECTED]

http://GOusable.com
Flash components development.
Usability services.


  -Original Message-
frcfc> Date: Thu, 27 Oct 2005 20:29:37 -0400
frcfc> From: John Grden <[EMAIL PROTECTED]>
frcfc> Subject: Re: [Flashcoders] SWF Decompilers
frcfc> To: Flashcoders mailing list 
frcfc> Message-ID:
frcfc> <[EMAIL PROTECTED]>
frcfc> Content-Type: text/plain; charset=ISO-8859-1

frcfc> ASV (ActionScript Viewer) is hands down the best utility for looking 
through
frcfc> an SWF - thought I know you're not interested in that really ;)

frcfc> Nothing is safe in your published swf. Bottom line. The components can be
frcfc> looked at with decompilers as well. The only option you might have is
frcfc> obfuscating like you mentioned. And still, that doesn't sound very safe
frcfc> either. At Max last week, at the security discussion, the presenter 
brought
frcfc> up the fact that there are programs that can break the obfuscation as 
well.
frcfc> I don't have any program names that do it, but thats what was said.

frcfc> If you're using FCS, you can possibly have your logic that matters to 
you on
frcfc> the server side and protected. Red5 currently has server side services
frcfc> implemented as well and will offer this type of functionality.

frcfc> hth,

frcfc> On 10/27/05, James O'Reilly <[EMAIL PROTECTED]> wrote:
>>
>> Question about protecting my swfs.
>>
>> If I use external AS2 classes and compile my swf, will those classes be
>> exposed if someone were to decompile my swf with a program like
>> Sothink's SWF Decompiler or other similar decompiler? It creates a bunch
>> of empty files, one for each class I have and says that ActionScript is
>> suppressed in the demo version. I can't tell if they are empty because
>> it's the demo or if that's because they were external classes.
>>
>> What good programs might people recommend for obfuscating my swfs?
>>
>> Is this even neccessary to obfuscate if the code I'm really interested
>> in protecting is in external classes rather than inside the FLA? Does
>> the same go for compiled clips or custom UI components?
>>
>> JOR


___
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders

Re: [Flashcoders] SWF Decompilers

[Nicolas Cannasse]

> Question about protecting my swfs.
> 
> If I use external AS2 classes and compile my swf, will those classes be 
> exposed if someone were to decompile my swf with a program like 
> Sothink's SWF Decompiler or other similar decompiler? It creates a bunch 
> of empty files, one for each class I have and says that ActionScript is 
> suppressed in the demo version.  I can't tell if they are empty because 
> it's the demo or if that's because they were external classes.
> 
> What good programs might people recommend for obfuscating my swfs?
> 
> Is this even neccessary to obfuscate if the code I'm really interested 
> in protecting is in external classes rather than inside the FLA?  Does 
> the same go for compiled clips or custom UI components?

You can have a look at http://tech.motion-twin.com/obfu 

Nicolas
___
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders

Re: [Flashcoders] SWF Decompilers

[John Grden]

ASV (ActionScript Viewer) is hands down the best utility for looking through
an SWF - thought I know you're not interested in that really ;)

Nothing is safe in your published swf. Bottom line. The components can be
looked at with decompilers as well. The only option you might have is
obfuscating like you mentioned. And still, that doesn't sound very safe
either. At Max last week, at the security discussion, the presenter brought
up the fact that there are programs that can break the obfuscation as well.
I don't have any program names that do it, but thats what was said.

If you're using FCS, you can possibly have your logic that matters to you on
the server side and protected. Red5 currently has server side services
implemented as well and will offer this type of functionality.

hth,

On 10/27/05, James O'Reilly <[EMAIL PROTECTED]> wrote:
>
> Question about protecting my swfs.
>
> If I use external AS2 classes and compile my swf, will those classes be
> exposed if someone were to decompile my swf with a program like
> Sothink's SWF Decompiler or other similar decompiler? It creates a bunch
> of empty files, one for each class I have and says that ActionScript is
> suppressed in the demo version. I can't tell if they are empty because
> it's the demo or if that's because they were external classes.
>
> What good programs might people recommend for obfuscating my swfs?
>
> Is this even neccessary to obfuscate if the code I'm really interested
> in protecting is in external classes rather than inside the FLA? Does
> the same go for compiled clips or custom UI components?
>
> JOR
>
>
>
> ___
> === James O'Reilly
> ===
> === SynergyMedia, Inc.
> === www.synergymedia.net 
>
>
> ___
> Flashcoders mailing list
> Flashcoders@chattyfig.figleaf.com
> http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
>



--
John Grden - Blitz
___
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders

[Flashcoders] SWF Decompilers

[James O'Reilly]

Question about protecting my swfs.

If I use external AS2 classes and compile my swf, will those classes be 
exposed if someone were to decompile my swf with a program like 
Sothink's SWF Decompiler or other similar decompiler? It creates a bunch 
of empty files, one for each class I have and says that ActionScript is 
suppressed in the demo version.  I can't tell if they are empty because 
it's the demo or if that's because they were external classes.


What good programs might people recommend for obfuscating my swfs?

Is this even neccessary to obfuscate if the code I'm really interested 
in protecting is in external classes rather than inside the FLA?  Does 
the same go for compiled clips or custom UI components?


JOR



___
===  James O'Reilly
===
===  SynergyMedia, Inc.
===  www.synergymedia.net


___
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders