Comments on: Protecting your work #2 – Initial Testing

By: Rasmus Wriedt Larsen

Rasmus Wriedt Larsen — Wed, 07 Apr 2010 13:03:34 +0000

Apparently, Amayeta’s SWF Encrypt and DComSoft SWF Protector 2 are not really worth anything:
http://gamedev.rasmuswriedtlarsen.com/2010/04/07/some-swf-encryptorsprotectors-are-worthless/

By: Squize

Squize — Fri, 26 Mar 2010 00:18:17 +0000

Vlad yeah let’s swap email addresses via a twitter DM and I’ll encrypt your swf.
One thing though, I’m moving house tomorrow so I’m not going to be able to touch it for a couple of days at best.

Rather than be cheeky and direct link here, if you go to our blog and enter “651:” into the search box it should bring up a link to the 651 demo that is protected if you want to have a nose at that.

Roy you’re totally right, but it’s pretty well hidden in the code, keep in mind the vast majority of hacks are by script kiddies who don’t really know what they’re doing.
To be able to get at the code, you’ll have to get the key, figure out the decryption routine, run that on the encrypted bytecode and then convert that bytecode into a working swf, before decompiling with normal methods.
That’s a ton of effort for very little reward.

By: Tweets that mention Protecting your work #2 – Initial Testing | -- Topsy.com

Thu, 25 Mar 2010 17:24:20 +0000

[...] This post was mentioned on Twitter by Filipe Cruz and Vortix Games, GameDive. GameDive said: Inspecting obfuscators http://bit.ly/bVtYr0 RT @vortixgames: Protecting your work #2 – Initial Testing [...]

By: JoH

JoH — Thu, 25 Mar 2010 14:46:02 +0000

You can found a great option following this link… http://active.tutsplus.com/tutorials/workflow/protect-your-flash-files-from-decompilers-by-using-encryption/

By: Roy

Roy — Thu, 25 Mar 2010 14:05:00 +0000

As far as I know the encryption requires for key to be stored in the same encrypted swf, so this is not a very good idea because the key can be used to decrypt the code without any problems… This is what I think.

By: Roy

Roy — Thu, 25 Mar 2010 14:03:36 +0000

As far as I know the encryption requires for key to be stored in the same encrypted swf, so this is not a very good idea because I think.

By: Vlad

Vlad — Thu, 25 Mar 2010 13:21:18 +0000

That would be cool Squize but do you know what would be a good all-around test? If you could pass the swf I’m using to test in your system and then check the results of all methods. Do you think that’s doable?

By: Squize

Squize — Thu, 25 Mar 2010 13:11:57 +0000

We actually rolled our own encryption, it’s really not too tricky and it’s a lot more secure than the off the shelf options.
Basically we turn the complete game swf into a byteArray, and then encrypt that using blowFish ( There are lots of great open source encryption packages for as3 that do all the hard work for you ).
Then we have a “stub” class, which just embeds that encrypted swf, and the preloader loads that and then de-crypts it at run time.

The only weak spot is the de-crypt routine, but that uses a checksum to see if it’s a valid key we’re using, and the code is pretty messed up.

If you’re interested when you’re on the decompiler post I’ll give you a link to something we protected with our system so you can check it out for yourself.

By: Roy

Roy — Thu, 25 Mar 2010 12:34:33 +0000

Very interesting tutorial… I have been planning to buy an Actionscript obfuscator, but did not decided yet. But I don`t want to make an early pick… Will see the costs.