[...]Tutorial: Protecting Your Flash Game[...]…

[...]Tutorial: Protecting Your Flash Game[...]…

[...]Tutorial: Protecting Your Flash Game[...]…

[...]Tutorial: Protecting Your Flash Game[...]…

This method hides complete swf file (including images, sounds etc) from decompiler.

I spent a lot of time creating a flash app and making the content as secure as possible (within reason).
There is quite alot of junk to wade through to figure out the best options.
I believe Kindisoft’s secureSWF is the best obfuscator at this point. I’ll get to it later.

I think an important step in protecting a SWF file is flash actionscript obfuscation (sometimes called encryption, although they don’t do encryption)
Since actionscript is run from the source code each time, an unprotected swf can have its actionscript code copied by a Flash decompiler program (such as Trillix or Sothink). So an obfuscator scrambles (obfuscates) the source code into something that is confusing to humans but functions the same in flash.

Flash obfuscators are relatively new. Both Kindisoft’s secureSWF and Amayeta’s SWF Encrypt came out in 2005 (As far as I can tell, Amayeta started with version 3.0) With the addition of Actionscript 3.0 there are many more obfuscators popping up, it’s kinda like the wild west.

I have tried out the 5 obfuscator programs listed below with varying success.

Kaiyu’s Flash Encryption Genius and Swfprotect.net’s SWF Protect did very little to obfuscate the code. With the Sothink decompiler I could recover all the actionscript rather easily. These are not worth it in my opinion. Ambiera’s irrFuscator works on .as files to rename all it can. It gives the ability to choose what is renamed. I didn’t spend much time with it, but it could rival Ameyta’s SWF Encrypt for some uses. An additional benefit of Ambiera’s irrFuscator is greater certianty that your swf won’t break with later versions of flash, since it works on .as files.

I purchased Amayeta’s SWF Encrypt first. It does a decent job, mainly “renaming” a lot of actionscript variables. The resulting actionscript after decompile has many unreadable names. For my purposes though it didn’t work since you have no control over what gets renamed. It’s all or nothing. I needed to call a function from another swf, which is impossible with Amayeta’s SWF Encrypt.

Fortunately Kindisoft’s secureSWF version 3.0 came out in August ’08 (which supports actionscript 3.0). I settled on the standard version for $200 since it does “renaming”. SecureSWF does renaming and 3 other bytecode techniques. These 3 other techniques work on the bytecode rather than sourcecode. These 3 other bytecode techniques make Trillix and Sothink decompilers crash, which is good.
The “personal” edition of secureSWF for $99 does everything the standard version does except renaming. Since even the personal edition crashes Trillix and Sothink, I’m not sure the ammount of the additional benifit. For my purposes I thought renaming was important enough for the additional $100.

Flash Actionscript Obfuscators:
Kindisoft’s secureSWF ($99, $200, $400)
Amayeta’s SWF Encrypt ($125) – adequate, simple, few options, mostly renames things
Ambiera’s irrFuscator ($93) – works with .as files – basically renames things, has decent amount of control.
Kaiyu’s Flash Encryption Genius ($99) – very limited obfuscation – not worth it
Swfprotect.net’s SWF Protect ($30) – very limited obfuscation – not worth it

Additional protection used:
I truly encrypted my content swf using an encryption algorithm. The swf I protected with secureSWF loads and decrypts the encrypted swf. (used loadBytes method: http://code.google.com/p/as3crypto/ ) This was very difficult to do, but worth it in my opinion.

I hope this helps someone else.

BJO