A Flash Developer Resource Site

Results 1 to 16 of 16

Thread: AS2 and flash security woes.

  1. #1
    Member
    Join Date
    Aug 2014
    Posts
    51

    AS2 and flash security woes.

    Hi all,

    I have recently used flash CS3 with AS2 to develop some small application that I wish to embed in as a movie in a website. I was very happy with the functionality till I came to know that there are huge issues with the swf security. That it can be easily decompiled with tools freely available and the code is there for all to see. I have in fact tried one or two and they work like magic but this magic is not pleasing at all.

    SO for the last one week I have been studying about swf security and it seems like there is none. Almost all tools (paid) that are available there to protect the SWFs can be hacked easily or that is what the reviews on various products say. It is so utterly confusing that after a week of research I feel I am just more confused. Further there seem to be no alternatives either. Even the latest HTML5 technology that uses javascript seems to be comletely transparent. I read that the swfs were still somewhat secure as compared to HTML5.

    I finally decided to come to a forum and ask the questions of the experts and some real GURUS.

    1. Is there no way to protect the code client side be it swf or HTML5?
    2. Does anyone have any genuine idea which product is really good and does provide some security to the swfs?
    3. What alternatives / options does a flash programmer have?
    4. Is it bad to program flash with AS2?

    Really really looking forward to some great help from the GURUs to proceed with my work.

    Thanks all.

  2. #2
    . fruitbeard's Avatar
    Join Date
    Oct 2011
    Posts
    1,780
    Hi,

    As you seem to have found out from your extensive research, it is near on impossible to prevent a tech savvy user from getting their hands on your precious code / file if they really really want it.
    Your average Joe user can probably be easily deterred from going further than the initial swf if you make it that way.

    I have never used the obfuscators but have come across many swf files that have had them used, they more or less just change function names and var names, which is easily overcome if you know what to exchange them for ect ect.

    There is the change the extension name and flash will still load it, but that fools nobody really.

    There is always link your swf to some php file and only play if it spits out the correct refer / domain / pass ect ect, but this only prevents play back, and not decompilers.

    I personally just make it harder for somebody, the first swf loaded can be the container for all other swf files, make it so they can only work if combined with the parent swf ect ect.

    Import all vars from another external files maybe.

    Try using *.as files too, lots of them, so the orignal swf has no code inside of it all, I rememebr the first time I decompiled an swf that used *.as files, I was baffled as to where the code was.

    After all of that if somebody is determined to have your code (they could just as you in a forum maybe) they will get it.

    I wouldn't recommend strong passwords inside of an swf at all though.

    AS3 can do far more.

  3. #3
    . fruitbeard's Avatar
    Join Date
    Oct 2011
    Posts
    1,780
    Hi,

    Typo's


    (they could just as you in a forum maybe) = (they could just ask you in a forum maybe)

    I wouldn't recommend strong passwords inside of an swf at all though. = I wouldn't recommend storing passwords inside of an swf at all though.

  4. #4
    Senior Member
    Join Date
    Feb 2005
    Posts
    1,834
    You're thinking about this wrong. High level languages are geared towards being easily read. There is no real compiling happening. In other words, what you see and what the flash player sees is essentially the same thing. The only thing that you can really do in this case is make it as annoying as possible to mess with your code. Either by obfuscating the code itself or fragmenting it. Fragmenting probably your best bet. Also, storing a password in any easy to reach place is always a terrible idea. That includes with the code.
    .

  5. #5
    Member
    Join Date
    Aug 2014
    Posts
    51
    Hi fruitbeard and swak,

    Thank you both for your inputs. As pointed by both of I fragmentation seems to be the best bet. However I am lost how I can fragment the code.

    There are two things here. One I have my code in one swf with frames and some of the frames have code in them. All coding is in AS2 as of now and I don't know much of AS3. I have started to learn it though. I would like to take the code out of the frames and put them in .as files but i have no idea how to. If you could show me, with a tiny example, how to do so as well as how it(the code in *.as files) is linked back to the main swf at run time, I would be grateful.

    Second, if I do that, it would kind of clear my swf of the code, then do i still need to break the main swf into multiple swfs? Again a small example would really help.

    Thanks loads.
    PS fruitbeard a special thanks to you for all your help to me in the past. It's been invaluable.

  6. #6

  7. #7
    Member
    Join Date
    Aug 2014
    Posts
    51
    Hi Swak,

    Thank you for the reply.

    Pardon me if I am wrong but I think that if include command is used to bring in the *.as files into the project at compile time, then the code would still get included in the swf and can be seen using a decompiler. I wanted to generate the .as files so that I could then somehow, if possible, linkup the code to the fla at runtime. Something that was suggested by fruitbeard. I am also not sure how that would be possible, if at all, but I thought that it was a good idea to do things one at a time.

    I have looked around the internet and there are very few relevant examples involving AS2. Mostly AS3.

    I'll revert again with a small sample fla and maybe you can show me how to do it there.

    Thanks

  8. #8
    . fruitbeard's Avatar
    Join Date
    Oct 2011
    Posts
    1,780
    Hi,

    A very basic AS2 class would be like so.

    create an fla, call it anything you desire.

    first frame use this code.

    PHP Code:
    var traceMe:Main = new Main();
    traceMe.mainFunction(10); 
    create an as file and call it "Main.as" keep within same directory as fla ( for this example ) and use this code.
    PHP Code:
    class Main
    {
        private var 
    varToGet:Number;

        public function 
    mainFunction(passed:Number):Void
        
    {
            
    varToGet passed;

            
    otherFunction();
        }

        private function 
    otherFunction():Void
        
    {
            
    trace("Other Function displays : " varToGet);
        }

    to make this even more annoying to try and steal maybe use a shared library, I use AS3 with an external swf containing all the graphics and stuff then access it using flash.system.ApplicationDomain, I think you use a shared libray with AS2 , I never did get round to using that part.

    Or you could just use #include "Main.as" on the first frame of your fla and then use the *.as file as normal timeline coding, you cant use it in class form if you do it like this.

  9. #9
    . fruitbeard's Avatar
    Join Date
    Oct 2011
    Posts
    1,780
    Hi,

    Quick example,

    fla
    PHP Code:
    var numberMe:PartOne = new PartOne();
    numberMe.doInternal(10);

    var 
    stringMe:PartTwo = new PartTwo();
    stringMe.doInternal("AS2"); 
    PartOne.as
    PHP Code:
    class PartOne
    {
        private var 
    numberToGet:Number;

        function 
    PartOne()
        {
            
    trace("Part One now.....");
        }

        public function 
    doInternal(passed:Number):Void
        
    {
            
    numberToGet passed;
            
    this.getInternal();
        }

        private function 
    getInternal():Void
        
    {
            
    trace("Part One displays : " numberToGet);
        }

    PartTwo.as
    PHP Code:
    class PartTwo
    {
        function 
    PartTwo()
        {
            
    trace("Part Two now.....");
        }

        public function 
    doInternal(passed:String):Void
        
    {
            
    trace("Part Two displays : " this.getInternal(passed));
        }

        private function 
    getInternal(arg:String):String
        
    {
            return 
    arg;
        }


  10. #10
    Member
    Join Date
    Aug 2014
    Posts
    51
    Hi fruitbeard,

    Thanks for the examples. While I have understood how they are working, I am not sure how can I use them to split open my swf's.

    By the way I use the movie as an embedded HTML, and I use php to pass the data to the swf.

    So I have prepared a small fla with its flow and structure somewhat resembling my file which is much bigger and has more such modules along the timeline. In your honor, I have named it fruits.fla

    I would like to request you to show me how we can split it open and make it as secure as possible by dynamically loading swf's and shifting the code to .as files. I think this would also make an only one of it's kind tutorial in AS2.

    Would be much obliged.

    Thanks loads

    P.S. Hi fruitbeard, Just saw the second post from you after submitting this post. Will go thru and maybe you have already explained what I want. Will go through and revert soon. Thanks very much.
    Attached Files Attached Files
    Last edited by ajoo; 09-15-2015 at 01:34 PM.

  11. #11
    . fruitbeard's Avatar
    Join Date
    Oct 2011
    Posts
    1,780
    Hi,

    I think you will need to look up shared library, I use AS3 far more than the AS2 so I'm treading in unknown waters from here, I personally think it is easier too, especially the shared library stuff ( flash.system.ApplicationDomain)

  12. #12
    . fruitbeard's Avatar
    Join Date
    Oct 2011
    Posts
    1,780
    Hi,

    Here is a further thing for you using shared library and a few bits of extra code and stuff.

    The main problem with *.as files is that you always need to save and publish with the fla, you will figure that out in the end.
    They do not need to be uploaded to the server once fully published with swf either.

    I tried to decompile the swf (index.swf), although it did compile it did not include any of the graphics when published, so it's making things awkward and harder to steal.
    Although it still does not prevent a determined cat thief, as you well know.

    I did not download your file ( it seems you have an admirer ), I will leave it for you to get to grips with from now on.

  13. #13
    Member
    Join Date
    Aug 2014
    Posts
    51
    Hi fruitbeard,

    Thanks loads for all the inputs. I hate to bother you with trivialities but I still use CS3 and this fails to open there. Please, please if you could save this as a CS3 version and resend it. I'll be eternally obliged.

    I would really like to study this and learn and I will definitely get back if I get stuck somewhere.

    Thank you very much for all the help.

  14. #14
    Member
    Join Date
    Aug 2014
    Posts
    51
    Hi fruitbeard,

    Like I said I hate to bother you with trivialities, so please do not bother with this ! I have managed to do it. I used the de-compiler and managed to reconstruct the project in CS3.

    I am amazed that you pack so much functionality in your examples. They teach far more that I had asked for. I do not know about me but you definitely have an admirer.

    Coming back to the security issue I wonder if I should be feeling good about being able to reconstructing this? And the code is there for anyone to see all the time.

    I am yet to sit back and understand all your code. I will study it some more and revert with maybe more questions.

    Much Obliged, Thanks loads.

  15. #15
    . fruitbeard's Avatar
    Join Date
    Oct 2011
    Posts
    1,780
    Hi,

    Impossible for me to save as CS3, I don't actually like CS3 either, tried it, you will need to upgrade to at least CS5 for me to be able to save lower for you.
    Funny, when I decompiled the index.swf with so think 7.4 it did do it but didn't keep the same structure. yes you got all of the files excluding the library.swf, it did however extract them into the index file, anyway, it still makes it stealable.

    I will leave it up to you to decide whether it is worth the hassle of defragmenting the file just for the code to be half easily recompiled again.

    Whats so secretive about your code that somebody would want to steal it when all of your secure stuff is on the server.
    Is it some crazy code that you would never find something similar on the internet anywhere.

    I am absolutely no authority on this issue in any way shape or form.

    The basic answer to the original question is split it all up / fragment, jus t0 make it that bit harder for somebody.

  16. #16
    Member
    Join Date
    Aug 2014
    Posts
    51
    Hi fruitbeard,

    I actually got the library.swf as well. That's how I got the shapes for the fla that I reconstructed.

    No there is absolutely nothing secretive about the code. On the contrary it's a simple piece of code. Still just to create a minor deterrent I thought if I could introduce some measure of security into the swf's that would be nice. Just enough to keep the decent guys at bay. But seems like there is not much that can be done.

    I am also trying to learn to break up the file into loadable swf's. Maybe that coupled with the shared library would provide a little extra deterrence. Just maybe.

    Thanks a ton for all your help. I'll keep coming for more !

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  




Click Here to Expand Forum to Full Width

HTML5 Development Center