This method hides complete swf file (including images, sounds etc) from decompiler.

I spent a lot of time creating a flash app and making the content as secure as possible (within reason).
There is quite alot of junk to wade through to figure out the best options.
I believe Kindisoft’s secureSWF is the best obfuscator at this point. I’ll get to it later.

I think an important step in protecting a SWF file is flash actionscript obfuscation (sometimes called encryption, although they don’t do encryption)
Since actionscript is run from the source code each time, an unprotected swf can have its actionscript code copied by a Flash decompiler program (such as Trillix or Sothink). So an obfuscator scrambles (obfuscates) the source code into something that is confusing to humans but functions the same in flash.

Flash obfuscators are relatively new. Both Kindisoft’s secureSWF and Amayeta’s SWF Encrypt came out in 2005 (As far as I can tell, Amayeta started with version 3.0) With the addition of Actionscript 3.0 there are many more obfuscators popping up, it’s kinda like the wild west.

I have tried out the 5 obfuscator programs listed below with varying success.

Kaiyu’s Flash Encryption Genius and Swfprotect.net’s SWF Protect did very little to obfuscate the code. With the Sothink decompiler I could recover all the actionscript rather easily. These are not worth it in my opinion. Ambiera’s irrFuscator works on .as files to rename all it can. It gives the ability to choose what is renamed. I didn’t spend much time with it, but it could rival Ameyta’s SWF Encrypt for some uses. An additional benefit of Ambiera’s irrFuscator is greater certianty that your swf won’t break with later versions of flash, since it works on .as files.

I purchased Amayeta’s SWF Encrypt first. It does a decent job, mainly “renaming” a lot of actionscript variables. The resulting actionscript after decompile has many unreadable names. For my purposes though it didn’t work since you have no control over what gets renamed. It’s all or nothing. I needed to call a function from another swf, which is impossible with Amayeta’s SWF Encrypt.

Fortunately Kindisoft’s secureSWF version 3.0 came out in August ‘08 (which supports actionscript 3.0). I settled on the standard version for $200 since it does “renaming”. SecureSWF does renaming and 3 other bytecode techniques. These 3 other techniques work on the bytecode rather than sourcecode. These 3 other bytecode techniques make Trillix and Sothink decompilers crash, which is good.
The “personal” edition of secureSWF for $99 does everything the standard version does except renaming. Since even the personal edition crashes Trillix and Sothink, I’m not sure the ammount of the additional benifit. For my purposes I thought renaming was important enough for the additional $100.

Flash Actionscript Obfuscators:
Kindisoft’s secureSWF ($99, $200, $400)
Amayeta’s SWF Encrypt ($125) – adequate, simple, few options, mostly renames things
Ambiera’s irrFuscator ($93) – works with .as files – basically renames things, has decent amount of control.
Kaiyu’s Flash Encryption Genius ($99) – very limited obfuscation – not worth it
Swfprotect.net’s SWF Protect ($30) – very limited obfuscation – not worth it

Additional protection used:
I truly encrypted my content swf using an encryption algorithm. The swf I protected with secureSWF loads and decrypts the encrypted swf. (used loadBytes method: http://code.google.com/p/as3crypto/ ) This was very difficult to do, but worth it in my opinion.

I hope this helps someone else.

BJO

And since it’s an interpreter language, any encrypting can be bypassed.

The very best thing you can do is to obfuscate the code, meaning making it unreadable, or hard to read/understand.

I haven’t tried Flash Genius, but SWF Encrypt does more than just encrypt it, it has excellent obfuscation, which I think should have been mentioned. At the same time it protects and encrypts it so most flash decompilers can’t handle it.

But the best part is the obfuscation. There is no way around obfuscation and it can make the code really hard to understand.

I tried out a few other pure obfuscation tools, but they all were no good and often even made the program not work anymore.

Another thing to remember to do is to split up any strings in your code. So instead of something like name = “mochi”;, you can write name = “m”; name += “o”; name += “c”; name += “h”; name += “i”; That will make the obfuscation better, and especially for site locking, where you have your url as a string, this is a good idea.