I often see people asking about protecting their SWF files after they’ve created their game. Of course they’re invited to use a encoder, but that’s generally not enough. This article will show you some ways to dissuade the hacker from doing his work. Feel free to leave your comments and questions below or on the MochiAds forum thread.
It’s always frustrating when we work for months and then some guy takes our work and calls it his own. Of course there are ways to pursue them after this happens, but here are some ways to stop them or make it harder. With this tutorial, you will learn some methods to easily protect your games, without using complex math or programs. It’s all ActionScript using variables. So let’s begin:
Encrypt Your SWF
First, get a program to encrypt your SWF file. This is important because it will stop most hackers. I recommend Amayeta SWF Encrypt. The trial version allows 25 encryptions, so use it wisely before buying, because the full version costs $125 USD. Note that Amayeta and similar programs don’t protect your game 100%, but they do make it more difficult for folks to steal. There’s also Flash Encryption Genius, which also offers a free trial — with the full license costing $99 USD. I tried those two and here is my review:
- SWF Encrypt: The most well-known of the encryption tools offers different levels of security. However, because it’s popular, more hackers are focused on ways to bypass it. Another downside is that the trial version leaves a big watermark on the top left corner (see screenshot 1, below). A plus is that you can preview the game directly in the program. It’s useful when there are many files. We can also selectively choose what to encrypt.
- Flash Genius: This program allows you to choose parameters for protection (Main Scene, Button Event, etc.) just like SWF Encrypt, and the game works perfectly. However, it prints a small watermark almost in the middle of the screen, which can make playing hard (see screenshot 2, below). It works for Windows, Mac OS X and Linux.
1. 
2. 
Make Your Code Harder To Read
Next, I’ll explain some ways to make the decompiler work harder to further protect your code.
After you’ve made your game, the first thing to do is select “Find and Replace,” and replace all your variables’ name with something of no relation.
For example, instead of the variable “Lives_remaining,” use “Pie_is_my_device.” Be mindful in creating these words; keep a text document for yourself that tracks what each variable name means — so you know what to change if you need to. Doing this makes it harder for a hacker to decompile your code. Instead of finding neatly organized variables that he can change and modify, he will have to spend energy trying to figure out what each variable means.
Protect From Import
Flash provides the ability to import compiled Flash files, which allows a Flash SWF file to be imported into an FLA. If you check the “protect from import” box in Flash, you can protect your file from being imported into a Flash file by another user.
Instructions: In Flash, navigate to “File,” and then “Publish Settings.” On the “Flash” tab, select the “Protect from Import” box and enter a password.
I’ve Been Hacked, What Do I Do?
If your game was seriously decompiled, what do you do? If it’s a sponsored game, I would recommend alerting your sponsor and enlisting their help with dealing with the Flash site. It’s also a good idea to contact the website you’ve seen your game on via email or through their contact form to request that they remove the game. In some cases, they may not be aware that the game was illegally copied. Send them a polite and professional message to request taking it down. Good luck!
I hope you found these tips useful. Don’t forget that there is always a way to bypass protection. The tips I mentioned can make it more difficult, but make sure you use these in addition to your other encryption methods.
Great Job |)ereck! :D
Love the tutorial, might come in handy.
EV
I find that protecting from import is almost pointless since it’s the easiest thing to bypass. Note, I do think you should do it still, since it will stop some people from using it.
And since it’s an interpreter language, any encrypting can be bypassed.
The very best thing you can do is to obfuscate the code, meaning making it unreadable, or hard to read/understand.
I haven’t tried Flash Genius, but SWF Encrypt does more than just encrypt it, it has excellent obfuscation, which I think should have been mentioned. At the same time it protects and encrypts it so most flash decompilers can’t handle it.
But the best part is the obfuscation. There is no way around obfuscation and it can make the code really hard to understand.
I tried out a few other pure obfuscation tools, but they all were no good and often even made the program not work anymore.
Another thing to remember to do is to split up any strings in your code. So instead of something like name = “mochi”;, you can write name = “m”; name += “o”; name += “c”; name += “h”; name += “i”; That will make the obfuscation better, and especially for site locking, where you have your url as a string, this is a good idea.
Careful with variables names.
better use simple names, with just 1-2 letters. especially for variables in loops etc.
since in flash – less name got variable – then faster it proceed.
Don’t be too aggressive when asking for removal too – one company was quite happy to compensate me the price of a full non-exclusive when I contacted them asking them to remove their ad-stripped copy of Insurgo. If I had’ve come in cursing and threatening legal action, it may have been a lot harder to resolve.
You forgot to mention secureSWF (www.kindisoft.com) I find it to be the best SWF protector out there!
You should also specify how to sitelock an swf so that people dont add it to networks without your permission , this can be useful if you’re working with sponsors.
Variable name length is not an issue in AS3 any more.
Flash Encryption Genius is a SCAM! Beware! I bought it and the serial number they sent didn’t work. Contacted support (Both the developers and the distributors) No help from them ever came. I lost 100$ to them just like that.
Flash Obfuscation overview
I spent a lot of time creating a flash app and making the content as secure as possible (within reason).
There is quite alot of junk to wade through to figure out the best options.
I believe Kindisoft’s secureSWF is the best obfuscator at this point. I’ll get to it later.
I think an important step in protecting a SWF file is flash actionscript obfuscation (sometimes called encryption, although they don’t do encryption)
Since actionscript is run from the source code each time, an unprotected swf can have its actionscript code copied by a Flash decompiler program (such as Trillix or Sothink). So an obfuscator scrambles (obfuscates) the source code into something that is confusing to humans but functions the same in flash.
Flash obfuscators are relatively new. Both Kindisoft’s secureSWF and Amayeta’s SWF Encrypt came out in 2005 (As far as I can tell, Amayeta started with version 3.0) With the addition of Actionscript 3.0 there are many more obfuscators popping up, it’s kinda like the wild west.
I have tried out the 5 obfuscator programs listed below with varying success.
Kaiyu’s Flash Encryption Genius and Swfprotect.net’s SWF Protect did very little to obfuscate the code. With the Sothink decompiler I could recover all the actionscript rather easily. These are not worth it in my opinion. Ambiera’s irrFuscator works on .as files to rename all it can. It gives the ability to choose what is renamed. I didn’t spend much time with it, but it could rival Ameyta’s SWF Encrypt for some uses. An additional benefit of Ambiera’s irrFuscator is greater certianty that your swf won’t break with later versions of flash, since it works on .as files.
I purchased Amayeta’s SWF Encrypt first. It does a decent job, mainly “renaming” a lot of actionscript variables. The resulting actionscript after decompile has many unreadable names. For my purposes though it didn’t work since you have no control over what gets renamed. It’s all or nothing. I needed to call a function from another swf, which is impossible with Amayeta’s SWF Encrypt.
Fortunately Kindisoft’s secureSWF version 3.0 came out in August ‘08 (which supports actionscript 3.0). I settled on the standard version for $200 since it does “renaming”. SecureSWF does renaming and 3 other bytecode techniques. These 3 other techniques work on the bytecode rather than sourcecode. These 3 other bytecode techniques make Trillix and Sothink decompilers crash, which is good.
The “personal” edition of secureSWF for $99 does everything the standard version does except renaming. Since even the personal edition crashes Trillix and Sothink, I’m not sure the ammount of the additional benifit. For my purposes I thought renaming was important enough for the additional $100.
Flash Actionscript Obfuscators:
Kindisoft’s secureSWF ($99, $200, $400)
Amayeta’s SWF Encrypt ($125) – adequate, simple, few options, mostly renames things
Ambiera’s irrFuscator ($93) – works with .as files – basically renames things, has decent amount of control.
Kaiyu’s Flash Encryption Genius ($99) – very limited obfuscation – not worth it
Swfprotect.net’s SWF Protect ($30) – very limited obfuscation – not worth it
Additional protection used:
I truly encrypted my content swf using an encryption algorithm. The swf I protected with secureSWF loads and decrypts the encrypted swf. (used loadBytes method: http://code.google.com/p/as3crypto/ ) This was very difficult to do, but worth it in my opinion.
I hope this helps someone else.
BJO
You can try SwfShield. It provides a new encryption technology which encrypts the original swf file and embeds it into the other swf file.
This method hides complete swf file (including images, sounds etc) from decompiler.
o.o sorry but you live in copyright prehistory. Free software and Open Source is the way to go now. Share your code to the world, let everybody learn and help improve your work. That feels really good.