3 Replies Latest reply on Oct 3, 2006 6:43 AM by inlineblue

    Flex SWFs and Decompilers

    Stefan Schmalhaus
      As you all know there are many decompilers for Flash SWF files. And I'm pretty sure once Flex 2 is officially released there will be decompilers for Flex-generated SWF files as well. Is Adobe going to address this issue? Or can anyone recommend a method to protect MXML/AS 3.0 code from being decompiled?
        • 1. Re: Flex SWFs and Decompilers
          jtan Level 1
          I asked internally about the answer to your question. Here is the response I received from one our compiler guys. I hope this helps.

          "Decompiling AS3 applications will be trickier, but we will be providing enough information (its an open spec) such that one can be written. It certainly will be difficult to produce "good" source, though. It will be very low level, and hard to interpret, since its optimized bytecode. (Note that there aren't any decompilers out there that can produce even AS2 class source, they really only decompile to AS1).

          There will presumably be tools that will mangle code to be even less readable (i.e. remove english variable names), and another option is to use your own byte-level obfuscation, Embed a block of code using application/octet-stream, then reverse the obfuscation and use Loader.loadBytes to pull it in. This will foil any decompiler, although not fully, since presumably the de-obfuscation code will be visible. It does make it much much harder, though, well outside "casual" decompilation."

          Joan
          Flex QA
          • 2. Re: Flex SWFs and Decompilers
            kopir
            I have some questions about this subject:

            Is it still true that variable names are visible?

            quote:

            Note that there aren't any decompilers out there that can produce even AS2 class source, they really only decompile to AS1

            That means AS2 has never been decompiled? or anyway AS2 code is readable, but in mess?
            and will Adobe provide a obfuscator?

            and finaly, Can't we protect our swf? (like a key to open it!)

            thank you
            • 3. Re: Flex SWFs and Decompilers
              inlineblue Level 1
              quote:

              Originally posted by: jtan
              Note that there aren't any decompilers out there that can produce even AS2 class source, they really only decompile to AS1.


              Either I'm misunderstanding this statement or this compiler guy is living in denial. For example, I passed one of my SWFs through Sothink SWF Decompiler, and it lists every class contained within. Here's a partial listing from class mx.controls.Button (forum will trash the formatting):

              class mx.controls.Button extends mx.controls.SimpleButton
              {
              var initializing, labelPath, initIcon, getState, enabled, phase, idNames, __width, __height, setState, invalidate, __get__labelPlacement, iconName, __get__label, refresh, createLabel, _iconLinkageName, removeIcons, __get__icon, hitArea_mc, createEmptyObject, __set__icon, __set__label, __set__labelPlacement;

              function Button()
              {
              super();
              } // End of the function

              function init(Void)
              {
              super.init();
              } // End of the function

              function draw()
              {
              if (initializing)
              {
              labelPath.visible = true;
              } // end if
              super.draw();
              if (initIcon != undefined)
              {
              this._setIcon(initIcon);
              } // end if
              delete this.initIcon;
              } // End of the function
              }

              Yes, the names of class properties and methods are compiled into the SWF (in AS2, anyway). The names of local variables are stripped, though.

              There really is nothing you can do to 100% protect your SWF from decompilation. What we do is pass our SWF through an obfuscator, making the variable/function names unreadable, thus making it really hard to understand what's going on. But this approach takes time as you can't just willy-nilly replace any and all variable names, else your SWF will most likely not run as expected.