During recent months, I have developed some games for the company then I found that some old games has been stolen by other competitors using decompiler tool. In such case, Decompilers are real worry for people who create flash content. You can put a lot effort into design and coding the best game there, then someone can steal it (images, sounds, source code or whole), replace logo, change a little bit design, etc... and put it into their website. How? Using a Flash decompiler tool. Unless you project your SWFs, it can be decompiled and decompiler can output whole readable source code and assets.
1. Getting started
To begin, I give you an example to illustrate throughout my article.
Use Sothink SWF Decompiler tool to decompile, we will see all assets, including images, sounds beyond readable source code appear.
2. Anti-Decompile
Use a third-party software to protect and encrypt your SWFs. For example, SecureSWF, SWFProtection
As we see, package vĂ class name are all renamed to make difficult for developers to read and Compiler can not build in normal way ( '_-' signs are invalided for package, class or variable declares).
The techniques used in these tools are Obfuscation and Encryption. Almost of tools are commercial.
3. An approach to Anti-decompile
A technique, which is very easy to implement, is that use [Embed] meta tag. It is called 'ByteArray based data embedding technology in Actionscript 3'. To do that, we encapsulates the whole SWF file into a ByteArray based data structure, then it loaded and decompressed further.
package {
import flash.display.DisplayObject;
import flash.display.Loader;
import flash.display.Sprite;
import flash.events.Event;
import flash.events.MouseEvent;
import flash.system.ApplicationDomain;
import flash.system.LoaderContext;
import flash.utils.ByteArray;
import flash.utils.getDefinitionByName;
/**
* The is wrapper class to embed the main file as binary format.
* @author Hai Nguyen
*/
[SWF(width="640", height="480", frameRate="60", backgroundColor="0x000000")]
public class GameEncrypt extends Sprite {
[Embed(source='/../bin/RollyBallGame.swf', mimeType='application/octet-stream')]
public var GameBinaryClass: Class;
private var loader: Loader;
public function GameEncrypt() {
init();
}
private function init():void {
var data: ByteArray = new GameBinaryClass() as ByteArray;
loader = new Loader();
loader.contentLoaderInfo.addEventListener(Event.COMPLETE, loaderCompleteHandler);
loader.loadBytes(data, new LoaderContext(false, ApplicationDomain.currentDomain));
}
private function loaderCompleteHandler(event: Event): void {
var gameClass: Class = getDefinitionByName("RollyBallGame") as Class;
var game: DisplayObject = new gameClass();
addChild(game);
}
}
}
- Line 17:
[Embed(source=
'/../bin/RollyBallGame.swf'
, mimeType=
'application/octet-stream'
)].
The
RollyBallGame.swf file is compiled normally using Flex SDK. We use [Embed] meta tag to embed the whole SWF as binary format.
- Line 27:
var
data: ByteArray =
new
GameBinaryClass()
as
ByteArray; Declare data variable to hold ByteArray based SWF.
- Line 31:
loader.loadBytes(data,
new
LoaderContext(
false
, ApplicationDomain.currentDomain));
Use loadBytes
function
of Loader to embedded SWF into main appliction domain.
- Line 35-36: Retrieve the main class inside embedded SWF, then create an instance and add it into stage
4. Analyze the result
As you can see, all assets and source code are hidden except several necessary classes for decompress embedded SWF.
5. Conclusion
This technique is rather simply to learn and implement. However, higher level people still can steal source code and asset from encrypted SWF. In my next post, I will show you the technique to do that as well as additional protection to help your SWF more secure.
Of course, This is not unique way to protect your SWF, you can use some software for your purpose. Good luck :)
You can download the source code here.
This comment has been removed by the author.
ReplyDeleteThat's great. You are challenging developers who write decompiler software.
ReplyDeleteyeahh, a good tip, thank anh ^^
ReplyDeleteAwesome post :D It helps us to against some guys who just wanna to steal our ideal and hardworking time. But all the tools are commercial, so we must spend our money to protect our product. It's fair. Viva Flash Guys :D
ReplyDelete