Tuesday, June 29, 2010

Protect your SWFs from decompilers

So far, protecting SWFs from decompilers has not been important for me. The main reason is that all the projects I have done until now were outsourcing projects, and I have never received such a request from a client.

During recent months, I have developed some games for the company, and I found that some old games had been stolen by competitors using a decompiler tool. In such cases, decompilers are a real worry for people who create Flash content. You can put a lot of effort into designing and coding the best game, and then someone can steal it (images, sounds, source code, or the whole thing), replace the logo, change the design a little, etc., and put it on their website. How? By using a Flash decompiler tool. Unless you protect your SWFs, they can be decompiled, and the decompiler can output the whole readable source code and assets.

1. Getting started

To begin, here is an example that I will use throughout the article.





If we decompile it with the Sothink SWF Decompiler tool, we see all the assets, including images and sounds, along with readable source code.

2. Anti-Decompile

Use third-party software to protect and encrypt your SWFs, for example SecureSWF or SWFProtection.

As we see, the package and class names are all renamed to make the code difficult for developers to read, and the compiler cannot build it in the normal way ('_-' signs are invalid in package, class, or variable declarations).

The techniques used in these tools are obfuscation and encryption. Most of these tools are commercial.

3. An approach to Anti-decompile

A technique that is very easy to implement is to use the [Embed] metadata tag. It is called 'ByteArray based data embedding technology in ActionScript 3'. To do that, we encapsulate the whole SWF file in a ByteArray-based data structure, which is then loaded and decompressed.


package {
    import flash.display.DisplayObject;
    import flash.display.Loader;
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.events.MouseEvent;
    import flash.system.ApplicationDomain;
    import flash.system.LoaderContext;
    import flash.utils.ByteArray;
    import flash.utils.getDefinitionByName;
    /**
     * This is a wrapper class that embeds the main file in binary format.
     * @author Hai Nguyen
     */
    [SWF(width="640", height="480", frameRate="60", backgroundColor="0x000000")]
    public class GameEncrypt extends Sprite {
        [Embed(source='/../bin/RollyBallGame.swf', mimeType='application/octet-stream')]
        public var GameBinaryClass: Class;

        private var loader: Loader;

        public function GameEncrypt() {
            init();
        }

        private function init():void {
            var data: ByteArray = new GameBinaryClass() as ByteArray;

            loader = new Loader();
            loader.contentLoaderInfo.addEventListener(Event.COMPLETE, loaderCompleteHandler);
            loader.loadBytes(data, new LoaderContext(false, ApplicationDomain.currentDomain));
        }

        private function loaderCompleteHandler(event: Event): void {
            var gameClass: Class = getDefinitionByName("RollyBallGame") as Class;
            var game: DisplayObject = new gameClass();

            addChild(game);
        }
    }
}


  • Line 17: [Embed(source='/../bin/RollyBallGame.swf', mimeType='application/octet-stream')]. The RollyBallGame.swf file is compiled normally using the Flex SDK. We use the [Embed] metadata tag to embed the whole SWF in binary format.
  • Line 27: var data: ByteArray = new GameBinaryClass() as ByteArray; Declares the data variable that holds the SWF as a ByteArray.
  • Line 31: loader.loadBytes(data, new LoaderContext(false, ApplicationDomain.currentDomain)); Uses the loadBytes function of Loader to load the embedded SWF into the main application domain.
  • Lines 35-36: Retrieve the main class inside the embedded SWF, then create an instance and add it to the stage.
That's it.

4. Analyze the result



As you can see, all assets and source code are hidden, except for the several classes needed to decompress the embedded SWF.
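To check what the wrapper actually hides in your own build, the following Python script (an added example, not part of the original post's source) walks the tags of a wrapper SWF and reports every binary embed that is itself a SWF file. An [Embed] with mimeType='application/octet-stream' is stored as a DefineBinaryData tag (code 87); the sample file is constructed inline and the function names are this example's own.

```python
import struct
import zlib
DEFINE_BINARY_DATA = 87                       # tag code that holds octet-stream [Embed] data
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")     # uncompressed, zlib, LZMA

def swf_body(raw: bytes) -> bytes:
    """Return the uncompressed bytes that follow the 8-byte SWF header."""
    if raw[:3] == b"CWS":                     # zlib-compressed after the header
        return zlib.decompress(raw[8:])
    if raw[:3] == b"FWS":
        return raw[8:]
    raise ValueError("not an FWS/CWS file")

def iter_tags(body: bytes):
    """Yield (tag_code, payload) for each tag after the movie header."""
    nbits = body[0] >> 3                      # RECT: 5-bit field width, then 4 fields
    pos = (5 + 4 * nbits + 7) // 8 + 4        # skip RECT, frame rate, frame count
    while pos + 2 <= len(body):
        (code_and_len,) = struct.unpack_from("<H", body, pos)
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:                    # long form: 32-bit length follows
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:                         # End tag
            break

def find_embedded_swfs(raw: bytes):
    """List (character_id, signature, size) for binary embeds that are SWF files."""
    hits = []
    for code, payload in iter_tags(swf_body(raw)):
        data = payload[6:]                    # skip UI16 character id + UI32 reserved
        if code == DEFINE_BINARY_DATA and data[:3] in SWF_SIGNATURES:
            char_id = struct.unpack_from("<H", payload)[0]
            hits.append((char_id, data[:3].decode("ascii"), len(data)))
    return hits

def build_sample_wrapper() -> bytes:
    """Constructed sample: a compressed wrapper SWF with one embedded inner SWF."""
    head = b"\x00" + struct.pack("<HH", 60 << 8, 1)   # empty RECT, 60 fps, 1 frame
    inner = b"FWS\x0a" + struct.pack("<I", 8 + len(head) + 2) + head + b"\x00\x00"
    payload = struct.pack("<HI", 1, 0) + inner        # character id 1, reserved 0
    tag = struct.pack("<HI", (DEFINE_BINARY_DATA << 6) | 0x3F, len(payload)) + payload
    body = head + tag + b"\x00\x00"                   # wrapper tags, then End tag
    return b"CWS\x0a" + struct.pack("<I", 8 + len(body)) + zlib.compress(body)

if __name__ == "__main__":
    print(find_embedded_swfs(build_sample_wrapper()))  # [(1, 'FWS', 15)]
```

A hit means the embedded game is stored byte-for-byte inside the wrapper, so the embedding on its own is packaging, not encryption.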

5. Conclusion
This technique is rather simple to learn and implement. However, more skilled people can still steal source code and assets from an encrypted SWF. In my next post, I will show you the technique to do that as well as additional protection to help make your SWF more secure.
Of course, this is not the only way to protect your SWF; you can also use some software for this purpose. Good luck :)

You can download the source code here.

4 comments:

  1. This comment has been removed by the author.

  2. That's great. You are challenging developers who write decompiler software.

  3. yeahh, a good tip, thank anh ^^

  4. Awesome post :D It helps us against some guys who just wanna steal our idea and hard-working time. But all the tools are commercial, so we must spend our money to protect our product. It's fair. Viva Flash Guys :D
