Old 05-27-2004, 06:03 AM   #1
stephSumo
Registered User
 
Join Date: May 2004
Location: Geneva / Switzerland
Posts: 43
How to secure your Flash from decompilers ?

Hi

Does anyone have an idea on how to secure a POST from Flash to PHP, knowing that with that damn *** sothink decompiler anyone can access your scripts and algorithms and with some effort insert what they want in your DB ?
I made a game, when the game ends a LoadVars.sendAndLoad sends the result (encrypted with an algorithm, then the encrypted result is inserted in a random very long string at a random position in the string) to PHP for saving. The encryption is cool for sniffers, but is no help for decompilers...

I spent a lot of time thinking about this, but this is circular thinking and since someone can access your actionscript with a decompiler I always come to the same conclusion: with a decompiler someone can do what they want with your flash, whatever cool algorithm you will find (supposing they take the time needed to do it).

For my game there was a 5'000$ gift, believe me they took the time... Fortunately it's not a problem for my client as they anyway would have given that gift and all they want is to draw traffic on their site. But anyway I would like to know if there is a solution for this.
Old 05-27-2004, 06:31 AM   #2
nathanleyton
Registered User
 
Join Date: Apr 2003
Posts: 204

I'm afraid not. There is no guard against this. I have found this to be a major problem on some of my larger projects. There is some useful information about this over the forum. You can make it more difficult.
Old 05-27-2004, 06:35 AM   #3
nathanleyton
Registered User
 
Join Date: Apr 2003
Posts: 204

Just looking. Maybe you could nest your swf in a PHP page and use the

swf_openfile("test.swf", 256, 256, 30, 1, 1, 1);

function.

You could then have your swf in a non public folder. So people cannot download it to decompile. Just an idea. Never tried it so I don't know if it would work.

Nathan
Old 05-27-2004, 07:10 AM   #4
stephSumo
Registered User
 
Join Date: May 2004
Location: Geneva / Switzerland
Posts: 43

This can't work, they don't need to download the flash, once it's served in your browser, you just have to click on the "sothink" button in the Explorer bar (!) to save and open it.
Also if the swf is in a non public folder, how can you serve it to the browser ?

Making it more difficult to crack is not an issue, you can spend weeks doing that, you can obfuscate your code, make it difficult to read or whatever you like, someone motivated will do it. For 5'000$ many people would be motivated...

My goal is not to make it more difficult, I know how to do this, what I'd like is to make it impossible, but I think that's not possible...

Last edited by stephSumo; 05-27-2004 at 07:12 AM.
Old 05-27-2004, 08:09 AM   #5
nathanleyton
Registered User
 
Join Date: Apr 2003
Posts: 204
Hey

http://www.genable.com/aso/

this may be what you're looking for.
Old 05-27-2004, 08:37 AM   #6
stephSumo
Registered User
 
Join Date: May 2004
Location: Geneva / Switzerland
Posts: 43

thanks,

I already know this and other obfuscators. In fact these softs have not much future as MX2004 obfuscates the code natively. Try to decompile a .swf made with MX2004 and you'll see the same as this obfuscator does, that's why I guess we'll never see a version past Alpha of this software.
But obfuscators do not obfuscate object oriented scripts (classes, methods, properties) nor does MX2004. The same for keywords which remain plain and visible...
Moreover if you concentrate you can reconstitute the complete obfuscated code as it simply replaces strings with others (less readable, but still readable).

example of MX2004 obfuscation:

this code:
Code:
function setFieldFormat (a) {
	for (var n in a) {
		if (n.substr(0,2) == "tf") {
			a[n].background=1;
			a[n].border=1;
			a[n].borderColor=0x933c11;
			a[n].addListener(txtListener);
		}
	}
}
once decompiled gives this:
Code:
function setFieldFormat(a) {
	_l1 = a;
 	while (_l1 != null)	{
		_l2 = _l1;
		if (_l2.substr(0, 2) == "tf"){
			_l1[_l2].background = 1;
			_l1[_l2].border = 1;
			_l1[_l2].borderColor = 9649169;
			_l1[_l2].addListener(txtListener);
		} // end if
	} // end while
	_l2 = _l2;
	_l1 = _l1;
}
as you see, keywords remain intact.

Now this which is an object:
Code:
myObj.oUser = function (b,l,i,a) {
	this.uId=i;
	this.alias=a;
	if (b!=null && b!="" && b!=undefined) {
		this.bestScore=b;
		this.lastScore=l;
		this.bestScoreDisplay = b.substr(0,2)+"'"+b.substr(2,2)+"''"+b.substr(4,2);
		this.lastScoreDisplay = l.substr(0,2)+"'"+l.substr(2,2)+"''"+l.substr(4,2);
}
(...)
}
becomes this (which is readable):
Code:
myObj.oUser = function (b, l, i, a)
{
    var _l1 = this;
    var _l2 = b;
    var _l3 = l;
    _l1.uId = i;
    _l1.alias = a;
    if (_l2 != null && _l2 != "" && _l2 != undefined)
    {
        _l1.bestScore = _l2;
        _l1.lastScore = _l3;
        _l1.bestScoreDisplay = _l2.substr(0, 2) + "\'" + _l2.substr(2, 2) + "\'\'" + _l2.substr(4, 2);
        _l1.lastScoreDisplay = _l3.substr(0, 2) + "\'" + _l3.substr(2, 2) + "\'\'" + _l3.substr(4, 2);
    }
(...)
}
As you can see, object's properties are not obfuscated (bestScore).

Of course for my final version I replaced manually bestScore with randomly generated strings, which is time consuming and then when you come back to modify your script it takes three times longer to remember and understand what is used for what. And once again if you want to, you can follow the code, whatever I'll do. Finally it's more pain than protection...

Once again it's maybe hard, but not impossible.

Last edited by stephSumo; 05-27-2004 at 09:13 AM.
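Added example, not part of the original thread and not any poster's code: since everything inside the SWF can be read, a server-side check has to rest on state only the server holds. This PHP sketch issues a single-use token at game start and compares the submitted time with the duration the server measured itself. The function names, the thresholds and the reading of the score as a six-digit MMSSCC duration (inferred from the display code in post #6) are assumptions.

```php
<?php
// Added example; every name and threshold below is hypothetical.
// Assumption: the score is a duration sent as six digits "MMSSCC"
// (minutes, seconds, centiseconds), as the display code above suggests.
const MIN_PLAUSIBLE_CS = 3000; // assumed floor: no honest run under 30 s
const CLOCK_SLACK_CS   = 300;  // assumed allowance for network delay

// Game start: the server, not the SWF, records when the run began.
// $games stands in for a session or database table.
function startGame(array &$games, int $userId, float $now): string {
    $token = bin2hex(random_bytes(16));
    $games[$token] = ['user' => $userId, 'start' => $now];
    return $token;
}

// "MMSSCC" to centiseconds, or null when the format is wrong.
function parseScore(string $s): ?int {
    if (!preg_match('/^(\d{2})([0-5]\d)(\d{2})\z/', $s, $m)) {
        return null;
    }
    return ((int)$m[1] * 60 + (int)$m[2]) * 100 + (int)$m[3];
}

// Score POST: returns a rejection reason, or null to accept.
function checkSubmission(array &$games, string $token, int $userId,
                         string $score, float $now): ?string {
    if (!isset($games[$token])) return 'unknown or already used token';
    $game = $games[$token];
    unset($games[$token]); // single use, even if a later check fails
    if ($game['user'] !== $userId) return 'token belongs to another user';
    $claimed = parseScore($score);
    if ($claimed === null) return 'malformed score';
    if ($claimed < MIN_PLAUSIBLE_CS) return 'below plausible minimum';
    $elapsed = (int) round(($now - $game['start']) * 100);
    if (abs($elapsed - $claimed) > CLOCK_SLACK_CS) {
        return 'claimed time does not match server clock';
    }
    return null;
}

// Constructed sample data: an honest run, a replay, and a forged time.
$games = [];
$t1 = startGame($games, 7, 1000.0);
var_dump(checkSubmission($games, $t1, 7, '013250', 1093.1));
var_dump(checkSubmission($games, $t1, 7, '013250', 1093.1));
$t2 = startGame($games, 7, 2000.0);
var_dump(checkSubmission($games, $t2, 7, '003500', 2002.0));
```

These checks do not make forgery impossible: a submitted time still passes if it is at or above the floor and matches a wait the server itself measured.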
Old 05-27-2004, 09:04 AM   #7
CyanBlue
Super Moderator
 
Join Date: Jan 2002
Location: Centreville, VA
Posts: 26,666

I don't know how applicable this one is, but this one is the latest one I've ever seen... (Not meaning this is good or bad though...)

AS Protect
http://as-protect.com/
__________________
CyanBlue / Jason Je / Macromedia Certified Flash Developer & Designer
http://CyanBlue.FlashVacuum.com
http://www.FlashVacuum.com
http://tutorials.FlashVacuum.com

Do NOT PM, Email or Call me... Your question belongs right in this forum...
Old 05-27-2004, 09:19 AM   #8
stephSumo
Registered User
 
Join Date: May 2004
Location: Geneva / Switzerland
Posts: 43

hmm

now this could be cool, did you try it ? is it reliable ?
I'll give it a try later...

thanks
Old 05-27-2004, 09:41 AM   #9
CyanBlue
Super Moderator
 
Join Date: Jan 2002
Location: Centreville, VA
Posts: 26,666

Unfortunately I have not because I don't have ASO, but you're welcome to tell us what you think if you try it...

This thread at the FlashCoders talks some more about it...
http://chattyfig.figleaf.com/cgi-bin...jcboajbgfeee#b
Old 05-27-2004, 10:09 AM   #10
stephSumo
Registered User
 
Join Date: May 2004
Location: Geneva / Switzerland
Posts: 43

well... I don't have ASV either... I bought Sothink Decompiler to make tests and I'm bored giving money to people who make apps used to crack my work (and possibly make me lose money).
The idea is great: you pay a soft to steal others' work... in the case of a developer you pay a soft to people that make this soft that causes so many troubles to you and makes you lose time and money (!)... Is it not fantastic ?