Obfuscator for haXe compiled SWFs


Obfuscator for haXe compiled SWFs

tommedema
Rather short message, but there's not much to explain.

I was wondering if there are any obfuscators for haXe compiled SWFs that are open source or free.

Doesn't have to be great. I just need to prevent the not so experienced debuggers from copy pasting my application with their credits.

Regards,
Tom

--
haXe - an open source web programming language
http://haxe.org

Re: Obfuscator for haXe compiled SWFs

Lars Madson
On 07/08/2010 12:45, Tom wrote:

> Rather short message, but there's not much to explain.
>
> I was wondering if there are any obfuscators for haXe compiled SWFs
> that are open source or free.
>
> Doesn't have to be great. I just need to prevent the not so
> experienced debuggers from copy pasting my application with their credits.
>
> Regards,
> Tom

Release it open source with a huge blog post, then it's yours for ever.

Laurent


Re: Obfuscator for haXe compiled SWFs

Tony Polinelli
just do all of your coding in l33t 



--
Tony Polinelli
http://touchmypixel.com


Re: Obfuscator for haXe compiled SWFs

Matthew Spencer-2
The one problem with obfuscation programs is that they make the common techniques known. Chances are, even if you do use a recent obfuscator, the decompilers will usually provide a counter fairly quickly. Someone familiar with bytecode and the swf format won't be stopped if they want your application.

Script kiddies, however, rely on decompilers and whatnot; a good protection against them is building a swf that will load an encrypted version of your swf and unencrypt it. Generally, they won't devote the time to figuring out how to read the child swf from memory, nor will they attempt to decrypt the packet info.

Would definitely recommend the loader. The obfuscation would be a bonus (coming up with your own personal obfuscation strategy is a good idea too, just don't tell anyone what it is).


Re: Obfuscator for haXe compiled SWFs

tommedema
I know, I wasn't asking for the philosophies available ;)

Are there any obfuscators for haXe compiled SWFs that are free, at the moment?

That's all I need to know.

Regards,
Tom


Re: Obfuscator for haXe compiled SWFs

Rezmason

On Aug 9, 2010, at 5:34 AM, Tom wrote:

> I know, I wasn't asking for the philosophies available ;)
>
> Are there any obfuscators for haXe compiled SWFs that are free, at the moment?
>
> That's all I need to know.
>
> Regards,
> Tom

I have an idea. Why not use Joa Ebert's reducer? It's part of Apparat, and its LZMA compression technique is SWF-agnostic. It'll use 7z to compress and obfuscate your SWF, then slap a small decompression system on the business end of the SWF and hand it back to you.

At runtime, the ByteArray containing the 7z data gets decompressed and loaded. How about that?

-Jeremy


Re: Obfuscator for haXe compiled SWFs

jlm@justinfront.net
In as2 loading functionality with a *.jpg extension was an alternative way to hide code... as already mentioned non conventional approaches will most likely confound most, rather than just off the shelf solutions.


Re: Obfuscator for haXe compiled SWFs

tommedema
In reply to this post by Rezmason
Sounds interesting Jeremy, I have to look into that! Has this been achieved before?

- Tom


Re: Obfuscator for haXe compiled SWFs

game flash
If you're going to use reducer, you may as well use as3crypto.

Add AES encryption to your swf and then load it as a ByteArray.
Then obfuscate your loader swf with secureswf.
http://www.kindisoft.com/




Re: Obfuscator for haXe compiled SWFs

makc
In reply to this post by tommedema
On Mon, Aug 9, 2010 at 12:34 PM, Tom <[hidden email]> wrote:
> I know, I wasn't asking for the philosophies available ;)
> Are there any obfuscators for haXe compiled SWFs that are free, at the
> moment?

I don't understand what makes haxe SWF different to obfuscator from
flash SWF or mxmlc SWF. You don't even have to parse SWF to obfuscate
it, if you have identifiers list - see http://wonderfl.net/c/6WDD


Re: Obfuscator for haXe compiled SWFs

makc
In reply to this post by Matthew Spencer-2
On Mon, Aug 9, 2010 at 4:19 AM, Matthew Spencer <[hidden email]> wrote:
> Generally, they won't devote the time to figuring out
> how to read the child swf from memory, nor will they attempt to decrypt the
> packet info.

I thought you could just listen to all complete event and save your bytes. no?


Re: Obfuscator for haXe compiled SWFs

Jan_Flanders
In reply to this post by makc


On Mon, Aug 9, 2010 at 3:25 PM, Makc <[hidden email]> wrote:
> I don't understand what makes haxe SWF different to obfuscator from
> flash SWF or mxmlc SWF.

Most decompilers and obfuscators expect (at least in the past they did) the actionscript bytecode file to occur in a swf-tag with id 82.
haXe puts the actionscript bytecode in a tag with id 72.
TagId 72 is mostly used for swc because it allows you to give a (class) name to the tag and to have an abc file/swf tag per class instead of all classes being part of 1 big abc file. But in principle the only difference between the two is the (class)name in the header of the tag.

Remember that all reflection will fail if you use an Obfuscator.
AS3 example:

    var veld1:TextField=new TextField();
    addChild(veld1);
    var name1:String="jan";
    this["veld"+1].text=this["name"+1];

will look after obfuscation like this (and will obviously fail at runtime):

    var :TextField=new TextField();
    addChild();
    var :String="jan";
    this["veld"+1].text=this["name"+1];

If you understand Dutch (and I think Tom can...) you can read an older forum post of mine here:
http://www.flashfocus.nl/forum/showthread.php?t=51338

Jan
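
Which of the two tag ids from the post above a given file carries can be checked by walking its tag records. The following is an added example, not code from the post or from haXe: it reads only the SWF container and the record headers and treats tag payloads as opaque, and `build_sample` with its placeholder payload is constructed here for the demonstration.

```python
import struct
import zlib

ABC_TAG_IDS = (72, 82)  # the two tag ids named in the post above


def swf_body(data: bytes) -> bytes:
    """Return the bytes after the 8-byte file header, inflating CWS files."""
    if data[:3] == b"FWS":
        return data[8:]
    if data[:3] == b"CWS":
        return zlib.decompress(data[8:])
    raise ValueError("unsupported signature %r" % data[:3])


def iter_tags(data: bytes):
    """Yield (tag_id, payload) for each tag record, stopping at the End tag."""
    body = swf_body(data)
    if not body:
        raise ValueError("missing frame header")
    nbits = body[0] >> 3                # RECT starts with a 5-bit field width
    pos = (5 + 4 * nbits + 7) // 8 + 4  # RECT bytes + frame rate + frame count
    while pos + 2 <= len(body):
        (code_len,) = struct.unpack_from("<H", body, pos)
        pos += 2
        tag_id, length = code_len >> 6, code_len & 0x3F
        if length == 0x3F:              # long form: 32-bit length follows
            if pos + 4 > len(body):
                raise ValueError("truncated long tag header")
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        if pos + length > len(body):
            raise ValueError("tag %d overruns the file" % tag_id)
        yield tag_id, body[pos:pos + length]
        pos += length
        if tag_id == 0:                 # End tag
            return


def abc_tags(data: bytes):
    """List (tag_id, payload_size) for tags 72 and 82 only."""
    return [(t, len(p)) for t, p in iter_tags(data) if t in ABC_TAG_IDS]


def build_sample(abc_tag_id: int, compressed: bool) -> bytes:
    """Constructed test file: empty RECT, one long-form tag, End tag."""
    payload = b"\x00" * 100             # placeholder bytes, not real bytecode
    body = b"\x00" + struct.pack("<HH", 12 << 8, 1)  # RECT, 12 fps, 1 frame
    body += struct.pack("<HI", (abc_tag_id << 6) | 0x3F, len(payload)) + payload
    body += struct.pack("<H", 0)        # End tag
    head = (b"CWS" if compressed else b"FWS") + bytes([9])
    head += struct.pack("<I", 8 + len(body))
    return head + (zlib.compress(body) if compressed else body)


if __name__ == "__main__":
    for tag_id, packed in ((72, False), (82, True)):
        print(tag_id, abc_tags(build_sample(tag_id, packed)))
```

A tool that only looks for one of the two ids reports an empty list for a file that uses the other, which is the mismatch the post describes.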




Re: Obfuscator for haXe compiled SWFs

makc
On Mon, Aug 9, 2010 at 4:41 PM, Jan Flanders <[hidden email]> wrote:
> Most decompilers and obfuscators expect (at least in the past they did) the
> actionscript bytecode file to occur in a swf-tag with id 82.
> haXe puts the actionscript bytecode in a tag with id 72.

thanks, that's interesting to know. but I think decompilers now show
haxe code just fine for at least a year or so.

> Remember that all reflection will fail if you use an Obfuscator.
> AS3 example:
>
> var veld1:TextField=new TextField();
>
> addChild(veld1);
> var name1:String="jan";
>
> this["veld"+1].text=this["name"+1];
>

this particular code could still work, if you do simple string replace
for "name" and "veld". of course you could write this ["v" + "e" + "l"
+ "d" +1].text= if you are determined to break your swf, but it is
expected that you would do other way around, e.g. replace
this["veld"+1].text= with if(use1) veld1.text=, if you really really
want your SWF to be obfuscated and work, so that should not be a
problem at all.


Re: Obfuscator for haXe compiled SWFs

Matthew Spencer-2
> In as2 loading functionality with a *.jpg extension was an alternative way to hide code... as already mentioned non conventional approaches will most likely confound most, rather than just off the shelf solutions.

Ahh, the good ole days. I remember encrypting swf's into certain bits of each pixel of jpg's over an offensive picture. Fun stuff.

>> Generally, they won't devote the time to figuring out
>> how to read the child swf from memory, nor will they attempt to decrypt the
>> packet info.
>
> I thought you could just listen to all complete event and save your bytes. no?

The real loader would be designed to receive the swf through a loader/socket connection, reassemble and then run, not save. If they wanted to save it, they'd have to decompile your loader and modify it to save (Not too difficult). There are all kinds of methods you can use to make that step more difficult. One of them would be to have the server generate an entirely new loader with different bytecode/encryption. Then allow a request for the real swf from that loader for the next [x] ms.

 

Re: Obfuscator for haXe compiled SWFs

makc
On Mon, Aug 9, 2010 at 5:47 PM, Matthew Spencer <[hidden email]> wrote:

>> > Generally, they won't devote the time to figuring out
>>
>> > how to read the child swf from memory, nor will they attempt to decrypt
>> > the
>>
>> > packet info.
>>
>> I thought you could just listen to all complete event and save your bytes.
>> no?
>
>
> The real loader would be designed to receive the swf through a loader/socket
> connection reassemble and then run, not save. If they wanted to save it,
> they'd have to decompile your loader and modify it to save (Not too
> difficult).

not at all, check out
http://jpauclair.net/2010/02/17/one-swf-to-rule-them-all-the-almighty-preloadswf/


Re: Obfuscator for haXe compiled SWFs

Matthew Spencer-2
Seems I spoke too soon. Did not know about that.


Re: Obfuscator for haXe compiled SWFs

Jake Lewis
I've used SOB and it does a good job.  It replaces all labels with alphanumerics - your code can still be decompiled, but it looks like gibberish.  Might not stop someone simply replacing the credits of your app though.

Apart from Reflection, the other gotcha with this approach is that predefined strings with the same name as classes tend to get obfuscated too.

The website of SOB seems to have shut down recently, but the goodies are attached to this post (unzip and rename sob.e_e to sob.exe).

Jake


Attachment: sob.zip (77K)

Re: Obfuscator for haXe compiled SWFs

tommedema
Thanks for that zip but SOB doesn't seem to work for my flash player 10 app.

Only the runtime obfuscation types seem to work. But actual source code obfuscation makes the flash player terminate with errors like:

ReferenceError: Error #1065: Variable Button is not defined.

Any other suggestions?

- Tom


Re: Obfuscator for haXe compiled SWFs

Marlon
This post has NOT been accepted by the mailing list yet.
In reply to this post by game flash
You can use SWF Encryptor. I recommend