Software: SecureSWF 3.5
Company: Kindisoft
Price: $99, $199 and $399

The SWF format

Everyone who uses Flash, especially for distributed applications or games, knows that their files can be torn apart, rebranded and redistributed on other machines or domains. This is a big problem for anyone who worked hard to make something unique and even profit from their expertise. The SWF format is open and documented: you can download the SWF specification document from Adobe’s website and find everything there, from “SWF Structure” to “Basic Data Types” and every type of object like “Shapes”, “Bitmaps”, “Sounds”, etc. So it’s no wonder that some companies are trying to make a profit from selling software that decompiles SWF files into ActionScript source code and FLA files.

Why bother?

There is no way to protect SWF files 100%. However, other companies try to do the opposite by encrypting and obfuscating your compiled SWFs so that the resulting decompiled files are virtually unusable; some might even crash the decompiler software unless the file is first run through a second program that successfully decrypts it.

What are the options?

The theory behind obfuscation is to change the code in such a way that it still compiles but is nearly impossible to understand. This is done by replacing readable names like “initializeGame” with something meaningless like “_-E5”; some might even use unprintable characters. Some offer string encryption, where the strings are decrypted at run-time by an added decryption function. That is not all: there’s a way to add junk bytes to your SWF so that it makes decompilers’ jobs harder, even crashing them. But with every protection comes someone who finds a way to remove it, and in this case someone did. There’s a whole blog dedicated to removing encryption from SWF files so that they can be decompiled; it doesn’t turn the obfuscated code into readable code, but it does remove the junk bytes that prevented you from decompiling the SWF.

The author of that blog, who is also the creator of a small program that decrypts SWFs, has an interesting article about the several protection products available out there. It basically puts them into 2 categories. Category 1 is the software that doesn’t really do anything special to protect your files and can easily be decrypted: Amayeta SWF Encrypt and DComSoft SWF Protector. Category 2 is the software that provides real code obfuscation methods, like Kindisoft SecureSWF and Ambiera irrFuscator. Here’s a quote from him:

“SecureSWF and IrrFuscator are actual ActionScript obfuscators. They do what other obfuscators for every other language are doing. They rename the classes and variables to make decompiled code harder to understand. But SWF Encrypt and SWF Protector do not do that. They are just rip-offs. If they rename anything, then SWF Decrypt will leave it renamed. It is not possible to revert to the original names. SWF Decrypt works in the same way for any SWF file and removes the few junk bytes it can find.”

I tried irrFuscator’s demo but it made my SWF unusable. I’m sure that in the licensed version there are options to prevent this for most files, but I didn’t decide to go with them because the demo didn’t work out of the box and do what it is supposed to do, which is make people pleased enough to grab the full version. However, I’ve read that some people using irrFuscator are pleased with it, so I have no other negative remarks to say about it.

SecureSWF

All this made me try Kindisoft’s SecureSWF, that and the fact that a large majority of developers regard it as the best solution out there and I liked it enough to make this review and add a banner without any kind of return money involved.

The software comes in 3 editions which can be compared here.

  • The Personal Lite edition costs $99 and offers Control Flow Obfuscation and Statement Level Randomization.
  • The Standard edition costs $199 and has all the Personal Lite features plus Identifiers Renaming, Smart Renaming and Frame Label Removal.
  • The Professional edition costs $399 and has all the features including Code Optimization, Literal Strings Encryption, Encrypted Domain Lock and Encrypted Loader Creator.

I’ll be reviewing the Professional edition in as much detail as I can (from a user point of view). For decompiling I’ll use SWF Decrypt along with Sothink SWF Decompiler.

Installation

Installation was as easy as it gets, at least on Mac OS X which is the one I ran. There are also binary installation files for Windows and Linux which I’m sure will install with the same simplicity.

Interface

The interface is a bit daunting when you first lay your eyes on it. You get the feeling there’s a lot of work involved in protecting your file, when that’s actually not true. The software is actually very easy to work with; the interface design just doesn’t help you see that at first.

All you need to do is click the “Add” button and browse to your SWF file, then choose the option you prefer from the “Protection Preset” list and click on the “Protect SWF Files” button in the top right corner. This will generate a protected SWF with either the “secure_” prefix, “_secure” postfix or something else depending on your options.

SecureSWF has 5 tabs at the top which I’ll try to explain next.

Tab 1 – Project Files

If you don’t need special options, this tab is all you need: you can add your files, choose the protection level and save a protected version. This tab has the following areas:

Project Files

This area is where you have a button to add SWF files to protect and also the different Presets you can choose which are the following:

  • Most aggressive – all options set to max levels
  • Standard – best balance between protection, performance and file size
  • Safe – less protection but will always generate working files
  • Best Size – generates the smallest possible file size
  • Testing – all options disabled, used for troubleshooting
  • Custom

There is quite a good number of presets and the options are well explained; this should be enough for most users.

Output Options

Here you can select the location and name for the generated SWF(s), do batch saving and enable “Super Compression”, nothing special and all is self-explanatory.

Statistics

This area is merely for information, it shows the number of Files, MovieClips, Local Identifiers, Frame Labels, Classes and Class Members.

Tab 2 – Identifiers Renaming

This section of the software is dedicated to renaming, it is the true power behind the obfuscation that will keep decompilers from understanding your code.

Enable Identifiers Renaming

This area basically turns on or off the whole feature and also lets you choose the level of renaming you wish to perform, the 3 options are:

  • Safe Renaming
  • Normal
  • Rename Everything

Renaming Options

You can enable the “Use ActionScript keywords” option here, which is a nice feature to both confuse decompilers and prevent re-compilation. Another option is “Aggressive Renaming” and lastly “Automatic handle Warnings”.

Additional Renaming

There are 4 options in this area: you can choose to enable / disable renaming of “protected namespaces”, “function parameters” and “local variables”, and you can also ask for a mapping table to be generated for you, which will show you the old name and the ASCII codes that compose the new name.
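To make the renaming idea from the “What are the options?” section and the mapping table described here concrete, this is an added example (not SecureSWF’s code and not part of the original review), written in JavaScript as a stand-in for ActionScript tooling. The sample source, the `keep` list and the name generator are assumptions made up for the illustration.

```javascript
// Added example: toy identifier renamer. All names and SAMPLE are constructed.
const RESERVED = new Set(["function", "var", "return", "trace"]);

// Meaningless names in the style of the "_-E5" quoted in the review.
function makeNameGenerator() {
  let n = 0;
  return () => "_-" + (n++).toString(36).toUpperCase();
}

// Rename every identifier except reserved words and names listed in `keep`
// (the equivalent of unticking a class or member in the renaming list).
function renameIdentifiers(source, keep = []) {
  const skip = new Set([...RESERVED, ...keep]);
  const next = makeNameGenerator();
  const mapping = new Map(); // old name -> new name
  // Split on double-quoted literals so string contents are never rewritten.
  const parts = source.split(/("(?:[^"\\]|\\.)*")/);
  const code = parts.map((part, i) => {
    if (i % 2 === 1) return part; // odd slots hold the captured literals
    return part.replace(/(?<![\w$])[A-Za-z_$][\w$]*/g, (id) => {
      if (skip.has(id)) return id;
      if (!mapping.has(id)) mapping.set(id, next());
      return mapping.get(id);
    });
  }).join("");
  return { code, mapping };
}

// Mapping table rows: old name, new name, character codes of the new name.
function mappingTable(mapping) {
  return [...mapping].map(([oldName, newName]) => ({
    oldName,
    newName,
    codes: [...newName].map((c) => c.charCodeAt(0)),
  }));
}

// Only the holder of the table can translate an obfuscated name back.
function restoreName(mapping, obfuscated) {
  for (const [oldName, newName] of mapping) {
    if (newName === obfuscated) return oldName;
  }
  return null;
}

const SAMPLE =
  'function initializeGame(level) { var score = 0; trace("initializeGame"); return score + level; }';
const result = renameIdentifiers(SAMPLE);
console.log(result.code);
console.table(mappingTable(result.mapping));
```

The string literal passes through renaming untouched, which is the gap the separate Literal String Encryption option is there to cover.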

Classes / Labels

This area actually breaks itself into 2 new tabs. One is for Classes which will show you all the classes in a list to the left and when selected the class variables and functions will be shown on the right, you can then choose to enable / disable the renaming of them or the whole class. The second tab is for Labels which will show you a list of all the labels and enables you to choose which ones to rename.

There’s also an “Advanced” button at the bottom which opens a panel where you can select, deselect and restore defaults by a criterion such as the type of identifier or a regular expression.

Tab 3 – Protection Options

Further options are presented in this tab like optimization, domain locking, control of the obfuscation and string encryption.

Code Transformation

In this area you have full control over the aggressiveness of the code transformation, this allows you to tweak it until you’re satisfied and find the best balance without breaking your SWF execution. It controls Statement-Level Randomization, Control Flow Obfuscation, Dynamic Code Wrapping, Breaking Function Calls, Randomizing Results and also more Advanced Configurations.

Encrypted Domain Locking

This one is particularly helpful, especially if your SWF will be hosted on several domains but has to be prevented from running on others without your consent. You can add URLs to a list which will be encrypted, and when the file runs it will check whether it’s running from one of those URLs. This can be done with some ActionScript code, but then you have to find the identifier to rename it and make sure it is hidden, so this option is really nice to have. It can also prevent the file from running locally on a computer.
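The runtime check behind a domain lock, as an added example (not SecureSWF’s code and not part of the original review), written in JavaScript as a stand-in for the ActionScript the paragraph mentions. The host list and URLs are constructed; the example covers only the check itself, not the encryption of the list, and contrasts a substring match with an exact host match that also refuses local file:// loads.

```javascript
// Added example: domain-lock check. Hosts and URLs below are constructed.
const ALLOWED_HOSTS = ["games.example.com", "portal.example.net"];

// Weak form: substring test against the whole URL string.
function naiveDomainLock(loaderUrl, allowed = ALLOWED_HOSTS) {
  return allowed.some((host) => loaderUrl.includes(host));
}

// Hardened form: parse the URL, require http(s), compare the host exactly.
function strictDomainLock(loaderUrl, allowed = ALLOWED_HOSTS, allowSubdomains = false) {
  let url;
  try {
    url = new URL(loaderUrl);
  } catch (err) {
    return false; // unparsable input never passes the lock
  }
  // file:// and other schemes are rejected, so a local copy does not run.
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  return allowed.some(
    (h) => host === h || (allowSubdomains && host.endsWith("." + h))
  );
}

// Constructed test URLs: one legitimate, three that must be refused.
const CASES = [
  "https://games.example.com/play/game.swf",
  "https://games.example.com.mirror.invalid/game.swf",
  "https://mirror.invalid/games.example.com/game.swf",
  "file:///Users/me/Desktop/game.swf",
];

function compareLocks(urls = CASES) {
  return urls.map((u) => ({
    url: u,
    naive: naiveDomainLock(u),
    strict: strictDomainLock(u),
  }));
}

console.table(compareLocks());
```

The two middle URLs pass the substring test but fail the exact host comparison, which is the difference to look for when reviewing a hand-written lock.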

Optimization

This area offers some additional features to Optimize your code, Force compression, removing Metadata, removing Dead Code, removing Debug Info like traces and removing Code Line Numbers.

Literal String Encryption

Here you are presented with a list of all the strings in your file, you can enable encryption for any or all of them but make sure you’re not doing it on critical code that might run a lot of times because this can add overhead to performance.

Tab 4 – Configuration Rules

This tab shouldn’t be messed with unless you’ve read instructions about it or are an advanced user. You can add specific rules to each package, class or class member. It might be helpful if you have a set of rules that you want to use several times; you can just have them stored somewhere and paste them here whenever you need to protect something. I didn’t try using anything in this tab so I won’t share my thoughts on it in this article, because I believe the large majority of users won’t use it and the ones that will don’t need my inexperienced help.

Tab 5 – Operations Summary

This tab is just a summary of what has been done with your file, you can read through it, save it or generate a PDF with it.

Tests

For this review I used a file with my latest game which is reasonably complex and was optimized because of performance issues I had at some point.

The tests are not really revealing apart from the fact that SecureSWF really does what it says.

The presets

I generated a file with each of the presets from “Safe” to “Aggressive” and the result was always working files with no problems on the game performance.

Custom options

I was able to produce working files with pretty much any different option combination, it only broke when I set the Identifier Renaming Level to “Rename Everything” which are really good results.

Filesize

I wasn’t able to cut down much on file size even with compression and all the optimization options enabled, just went down around 22k in 3.8Mb.

Decompiling

The different levels of encryption really make it harder and harder to understand code, which is what it says on the box. On Best Size and Safe levels I was able to decompile without problems even though the code was not easy to read, but in Standard and Aggressive the Decompiler simply crashed, both when exporting and when just browsing the classes. I was able to decompile them but had to run the files through SWF Decrypt, which is an additional step, but the power of the software is not in preventing decompilation but rather in true code obfuscation.

Encrypted Loader

This feature is really nice, it basically creates a small wrapper file that will load your SWF from an address making it hard to be found and downloaded. This is not always an option for Flash Games because some portals don’t like this method but it might be still useful in some cases.

Conclusion

As I said before, any SWF can eventually be decompiled and there’s no way to protect your assets, but if you want to protect your code then true code obfuscation is the way to go, and there are only 2 products offering that out there: irrFuscator and SecureSWF. Even though SecureSWF is a bit more expensive, it offers more control and additional options, which I personally like and will use. The fact that you can control what strings you want encrypted, if you want domain locking and what to rename makes it really powerful and a true companion for any Flash developer.

Some might say its price is too high. Well, it isn’t, because it has more options and control than all the other software in this area combined and it does the job the others fail to do, which is to protect your code. So what is more expensive: software that does nothing and costs you between $60 and $145, or software that works as intended and costs $199 / $399?