Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Flex / Air obfuscation [closed]

I've written (most of) an application in Flex and I am concerned with protecting the source code. I fired up a demo of Trillix swf decompiler and opened up the swf file that was installed to my Program Files directory. I saw that all of the actionscript packages I wrote were there. I'm not too concerned with the packages, even though there is a substantial amount of code, because it still seems pretty unusable without the mxml files. I think they are converted to actionscript, or atleast I hope. However, I would still like to explore obfuscation.

Does anyone have any experience with Flash / Actionscript 3 / Flex obfuscators? Can you recommend a good product?

like image 352
Shawn Avatar asked Aug 07 '08 14:08

Shawn


3 Answers

The procedure suggested by maclema will not really stop any attacker from obtaining the source - the "wrapper application" will need to be unencrypted so the attacker will be able to find out that you use AES (or any other algorithm) and he will obtain the decryption key in a similar way (because it needs to be in plaintext somewhere). Once he has this, he will be able to decrypt your SWF file easily.

The only reliable solution (well...) is some kind of obfuscator - we use Amayeta which works for Flex in the latest version - please see http://www.amayeta.com/software/swfencrypt/ .

like image 89
Borek Bernard Avatar answered Nov 01 '22 06:11

Borek Bernard


Here's what I would do.

  • Compile your application to a SWF file. Then encrypt the SWF using AES.

  • Make a "wrapper" application that loads the encrypted SWF into a ByteArray using URLLoader

  • Use the as3crypto library to decrypt the swf at runtime.

  • Once decrypted, use Loader.loadBytes to load the decrypted swf into the wrapper application.

This will make it a lot harder to get your code. Not impossible, but harder.

For AIR applications you could leave the SWF encrypted when delivering the application to the end-user. Then you could provide a registration key that contains the key used to decrypt the SWF.

Also, here is a link to an AS3 obfuscator. I am not sure how well it works though. http://www.ambiera.com/irrfuscator/index.html

like image 12
Matt MacLean Avatar answered Nov 01 '22 05:11

Matt MacLean


Well, in my opinion, the easiest and safest solution is a mix of maclema and Borek answer:

Obfuscating code can be a big headach if you did not include it in your process from the start and if your aplplication is quite big: it's likely that obfuscation make your application corrupted if you used remote packages (and did not declare this to the obfuscator) if you used to many unTyped variables in Objects or dynamic classes ....

So: if you do maclema's solution on your big application and use obfuscation on your wrapper (which is a small app likely to be very easy to obfuscate) you're code will be the safest and the hasle the least. Only a very angry pirate would take the time to reverse engineer the obfuscation to then decrypt the package .... Well if someone wants your application code soo bad it's either CIA related or you're already very rich (or both)

thank you all for your answers

like image 3
RR404 Avatar answered Nov 01 '22 06:11

RR404