News

June 23, 2009

Why and How to Encrypt Your Flash SWF

More articles by »
Written by: Par
Tags: , , , , ,
secureswf-tn

Share on TwitterShare on TumblrSubmit to StumbleUponSave on DeliciousDigg ThisSubmit to reddit

So you just finished your first flash game, it’s excellent, at least you think so. I mean you put hours on top of hours into it. Your eyes have been bloodshot and you’ve pulled your hair out more than once. Needless to say, you’ve worked hard and you are incredibly proud of it (But your ego is in check, you’re not arrogant or anything :D ). So you send your game off to be spread virally around the internet and it’s doing amazing!!! You’re making all kinds of money on your advertising, then a week later some guy comes out with your game and new graphics… better graphics. But it’s the same game, seriously to the last detail it works almost the exact same way. You’re the victim of someone decompiling your game and stealing your source code! You’re game loses popularity and you just lost a lot of hard work and money!

Okay, that’s a fictitious example but it happens and it’s easier than you may think. For $79.99 you can purchase Sothink SWF Decompiler and you will be on your way to decompiling any and every swf you can get your hands on. Does it work? Yes. And let’s be honest, if someone is shady enough to steal your flash game’s actionscript code, they probably illegally downloaded SWF Decompiler meaning anyone can decompile your swfs for free!

What is Flash SWF Encryption?

Encryption is what is going to save your game from falling into the wrong hands.  It allows you to scramble your source code to the point that it will be completely unreadable by the person trying to recover your source code. The good is most, if not all, encryption software works on a compiled swf file so you don’t have to worry about it messing up your actual as2/as3 source code. The one thing I need to clear up though is all SWF Encryption software that I know of is not really encryption. Encryption requires decryption in order to make the encrypted application work. Since that’s not very reasonable in a public distributed viral flash game, it’s not a good option. Flash Encryption software actually works via code obfuscation methods.

Obfuscation you say? Yes, if your wondering. Obfuscation simply is the scrambling and renaming of your code to make it difficult to manage and interpret. So from now on when we call in encryption software as it is popularly called, we really mean obfuscation software.

Okay okay how do I encrypt my game?

Simple! There’s quite a few encryption software products on the market.  A simple search for flash encryption software on google will return plenty of possibilities.  The two games I’ve released to the public were encrypted and I wouldn’t have considered releasing them without it.

Encrypt my Game Now with Kindisoft secureSWF

I’ll be honest, I’ve researched flash game encryption for quite a while and when I finally decided who to use, I chose Amayeta SWF Encrypt 5.0. This was over a year ago. However, after a lot of reading at the Flash Game License forum I’ve seen it to be a pretty heated battle between whether SWF Encrypt or Kindisoft secureSWF is the better encryption software. That said, I highly doubt most of the people in the discussion have used both products, as of now, I have.

A  few weeks ago I asked Kindisoft if I could have a copy of their software to review. Full knowing that I could give them a bad review they handed over license and linked me to their download page to test the software. If I had developed their software, I would have done the same thing. It is without a doubt the most superior flash encryption software I have seen to date, it’s something to be proud of developing.  You can’t go wrong with this product, it’s simply amazing. Compared to secureSWF, SWF Encrypt options pale in comparison. Don’t get me wrong, SWF Encrypt is a solid product and it works (most of the time) but secureSWF is a lot more effective.

Once I got secureSWF loaded on my machine, my first goal was to fix a problem I’ve had with encrypting all my games with SWF Encrypt. Every time I encrypt a game on Kongregate with the API added I get a weird API Bootstrap error that messes up my game. I tried everything with SWF Encrypt to make it work but it never did. I ended up uploading my games with no encryption. SCARY! I know. secureSWF’s endless options helped me take care of everything I needed, now my Blueberry: Escape from Chaos Factory game is up on Kongregate and encrypted. Needless to say I am very happy and Kindisoft’s secureSWF is the reason why.

How to Use Kindisoft secureSWF to Encrypt your Game

Now you may or may not want to use secureSWF, that’s fine. But if you do, and I think the next few lines will convince you, here’s a look at all the features that the software has to offer and how you can use it to encrypt your next flash game.

The secureSWF main loadup screen. Here you can pick which swf files you want to encrypt and setup some basic information

The secureSWF main loadup screen. Here you can pick which swf files you want to encrypt and setup some basic information

Okay so first things first, the main screen when you load up the application.  All you do is click add and select your swf file that you want to encrypt. Once done it will pop up a little information about your swf in the bottom right corner. As you can see Blueberry is a pretty detailed game (220 classes).  Another cool thing here is your have a dropdown of “Protection Presets” these let you choose how you want your swf file to be encrypted. There’s a few options from Aggressive to Testing, which you choose depends on how you developed you game. Certain programming choices you make will determine what options you can use and where. I’ll give an example later. Anyway, I chose custom with Blueberry because I wanted full control of what was encrypted. An extremely valuable feature that I have only seen with secureSWF. let me know if you know of a product with as much customization. I don’t know of any.

The Identifiers Renaming Tab. Here you pick what you want secureSWF to rename in order to make reading your source code more difficult.

The Identifiers Renaming Tab. Here you pick what you want secureSWF to rename in order to make reading your source code more difficult.

This made me very happy. Every class I used in Blueberry appeared in the tree list on the left. I could go through all the classes and choose which I wanted to be renamed and which I didn’t. At the same time when I clicked on a class it’s functions and variables would appear on the right. I could also select which of them I wanted to be renamed. Like before, I have a drop down that allows me to choose how aggressive I want the renaming to be.  There’s also an advanced option at the bottom that allows me to quickly control what classes, functions, variables, and labels will be renamed.

Now if you are wondering why you need to be in control of what’s renamed, let me explain. There are times when renaming certain functions or classes can cause your application to not work. Remember the tutorial about using strings to call functions? Well, imagine if our encryption software names our jumpUp function “id_loc_3″ but our string still keeps the data “jumpUp”.  We’ve got a problem. So to fix this we can simply tell secureSWF to not rename our jumpUp function. This is awesome, the other software I have used required me to disable all renaming in order to fix the issue.

The labels tab. Here you can choose which labels to rename.

The labels tab. Here you can choose which labels to rename.

Like the class renaming list the above picture is the label renaming list.  Here you can select what labels you want to rename and which you would like to leave alone. This is valuable for the same reason as I mentioned above.

An example, if you use gotoAndPlay(frame label); in your code, you don’t want your frame label to be changing. In the above case I’m deselecting vats because I want to be able to use gotoAndStop(“vats”); in my game’s sourcecode.

The protec tion options. Make a few changes here and there and set your flash file as encrypted as possible

The protection options. Make a few changes here and there and set your flash file as encrypted as possible.

Here you can do a lot of work to encrypt your game. Everything for the most part is controlled by sliders which you can move in order to find the highest level of encryption that will work well with your game.  I’ll be bluntly honest with you, I don’t fully understand the details but I know what it does works as you can see from how mangled the source code is after an encryption occurs.

There is also the option to encrypt strings.  This works really well; however, not really needed unless you are wanting to hide the text inside the string from a decompiler. Which could definitely be useful on occasion, and it’s great to be able to access this feature if needed.

One of the handiest features on this tab is the domain locking feature. With domain locking you can control what websites the game can be played on. This works great when you have a site-locked sponsorship of your game that you want to make sure only works on that website. All you have to do is enter the url of the website the game is playable on and you are all set :D

There’s also a few optimization features that will increase the speed and filesize of your game. Definitely an excellent feature to have around.

Final Note and examples of secureSWF and SWF Encryption

Currently my flash development arsenal consists of four very solid applications.

  • Adobe Flash
  • Adobe Photoshop
  • Flash Develop
  • and now Kindisoft secureSWF

With the first three apps I can program and design a solid flash game. With the last application, I can make sure my flash game stays mine and out of the hands of would be thieves. It’s the perfect mix.

I’d love to show you a before and after of some of the code from Blueberry but secureSWF’s encryption worked so well I couldn’t get my decompiler to actually decompile the code without crashing. Here’s an example from secureSWF’s website of what their encryption does to actionscript source code:

Before secureSWF:

private function getNeighbours(i:int, j:int):Array{
  var a:Array = new Array();
  for (var k = 0; k < 8; k++){
    var ni = i + int(neighbour_map[k][0]);
    var nj = j + int(neighbour_map[k][1]) ;
    if (ni < 0 || ni >= xsize || nj < 0 || nj >= ysize)
      continue;
    a.push(Cell(cells[ni][nj]));
  }
  return a;
}

after secureSWF:

private function getNeighbours(_arg1:int, _arg2:int):Array{
  var _local3:Array = -(((null - !NULL!) % ~(undefined)));
  var _local4:*;
  var _local5:*;
  var _local6:*;
  _local3 = new Array();
  _local4 = 0;
  for (;//unresolved jump
  , _arg2 < 8;_local4++) {
    _local5 = (_arg1 + int(!NULL!));
    _local6 = (_arg2 + int(!NULL!));
    if (true){
      _arg1 = (((//unresolved nextvalue or nextname << !NULL!) + !NULL!) 
<< undefined);
      _arg1 = (!(!NULL!) ^ !NULL!);
      (!NULL! instanceof !NULL!);
      var _local1 = (((!NULL! as !NULL!) + !NULL!) == this);
      if (!(!NULL! == !NULL!)){
        -((true << !NULL!)).push(Cell(cells[_local5][_local6]));
      }
    }
    if (!true){
      (_local6 < 0);
      (_local6 < 0);
      (_local5 < 0);
    }
  }
return (_local3);
}

I hope this gets you excited about encrypting your flash games. If you want more information you can find secureSWF at http://www.kindisoft.com/secureSWF/. Enjoy and if you want to test out some of their products you can from their website or FlashGameLicense. FGL has partnered with Kindisoft to offer encryption for all flash files hosted on their website. So make sure to check out FGL and use a basic version of Kindisoft’s encryption and site-locking.

Similar Posts:


Share on TwitterShare on TumblrSubmit to StumbleUponSave on DeliciousDigg ThisSubmit to reddit


About the Author

Par
Hey! Don't be surprised, I'm a flash developer. While Flash is definitely one of my favorite languages to develop in, most of all I just like making games. If you want to see the games I've developed so far head over to my website, DigitallyBold, in the link below. If you want to know more about what I'm working on now and in the future be sure to follow me on twitter.




23 Comments


  1. Mike

    Did you do a review of SWFProtect?

    It’s the least expensive on the market and I’d be interested to know the pros and cons of it.


  2. Par

    I haven’t… but there’s not a lot to review. You can check their demo it’s pretty much the most basic of them all. There seems to be no options simply click the button a pray it works. It may work well for a lot of situations but the ones where you really need to be specific about what to encrypt… That’s where products like secureSWF come in handy the most.


  3. Mike

    Thanks for the tip.

    I currently use it to just protect my flash website, and the games I’m making are so basic that it’s more an issue of preventing artwork theft than code theft.

    The specific limitation that I’ve noticed is that it doesn’t allow for SWC protection.

    You can get around it by coding flv players, scrollers, etc. strictly in AS3, but I may end up trying secureSWF simply because it also protects SWC components and will less of a hastle.


  4. Nice article, good topic to cover. It’s nice to see a comparison of some of the products as well. Ironic enough I got an email about a 2 weeks after reading this from a fan who told me he had decompiled one of my .swfs and wanted to make sure it was ok that he was going through my code. He tells me this… (Thankfully it was an old game that I don’t really care about anymore) Anyways, it was a good eye-opener to the idea that maybe I should invest in some encryption software.


  5. Sergio

    hi,

    you review is great.
    I just have one question, i mean you encrypt the swf and then put it encrypted on your webpage. but how does adobe player read it if encrypted? and how to encrypt an air application if possible!?
    did I say one question? I meant two!
    thanks


  6. Sergio,

    as I can see, it looks like it uses assembly (asm).
    Don’t quote me fully on that but all the “null” is making me think that, that’s what it’s doing. changing all the code to assembly, and then compiling that. Or, could be adding a form of a bootstrap.
    Personally, I just play with the SWF headers, and then add extra bytes at the end of th swf.. sometimes it messes up the swf, other times it breaks decompilers. lol. I’ve used trillix and sothink. Trillix was easier to break than sothink.


  7. Sergio

    first of all thanks for answering,

    okay i see how it’s done, nice. didn’t know that was possible. For the matter of the flex air, i will look about it, if i learn something new i keep in touch. same for you! ;)


  8. Ruah

    Greetings to all,

    anybody know what kind of encryption is in use in this secureSWF?

    Which algorithm, AES, RSA or …?

    Regards,

    Ruah.


  9. I looked at the price/features comparison chart, and to get all the options you described, you pay $400… or find a cracked version, I suppose. Still, I may look into using the demo for one of my later projects.


  10. Spruten

    Does secureSWF add to the size of the SWF or “de-optimize” the code? Looking at the “after” portion of the before/after secureSWF, it appears it would.


  11. Spruten

    (Would you be able to combine this comment with my last?) In regards to, “There’s also a few optimization features that will increase the speed and filesize of your game,” do you really mean increase the filesize? With all the junk the obfuscation seems to add, this seem plausible, but you stated it as if it were good to increase the filesize. I’m unsure of what you really meant. Thank you.


  12. mg

    secureswf is easily the best… i use it too

    and had all of the other ones …none of them could ^come close to secureswf, im one of those first time costumers too :)

    had it already back in 05 or 06…go for it u wont regret it


  13. zutuk

    For people using flex, I can recommend ‘irrfuscator’, not sure why noone mentioned it yet. Simply rewrites your source files, meaning you are able to actually even debug your actionscript code afterwards. But I’ll also try the sothink software you mentioned, didn’t try the latest version yet.


  14. Thomas james

    @Spruten : if SWF size is important for you, you can use “Flash Secure Optimizer” by eramsoft, it has more options to reduce SWF size.


  15. Currently there are 3 main competitors of such software available on the market. And they are:
    - SWF Protector by DComSoft;
    - secureSWF by Kindisoft;
    - SWF Encrypt from Amayeta;

    I am using DComSoft and it fits all my requirements. I do tested them all and from my opinion SWF Protector is the best choice because it reliable and user-friendly.

    secureSWF is pretty nice too, but it is very complicated and expensive.

    As for the SWF Encrypt, It is more expensive then others, and I even don`t know why :) It provides the same functionality as others.


  16. John Orange

    We use secureSWF Professional for all our projects. It is the only one that really works and is easy to use. We’ve tried all the other software (SWF Protector & SWF Encrypt) before and it didn’t do the job and was easily defeated by decompilers.


  17. By the way, Thomas. Why use “Flash Secure Optimizer” by eramsoft if there available FREE solutions from DComSoft software?

    SWF Compressor-Decompressor
    SWF Optimizer


  18. Does secureSWF also change the filenames of all of the classes as well and not just the variable names?

    How about com.adobe.corelib.JPGEncoder for instance, would that also come out as something completely different? If so, that’s awesome but if not, hmmm, maybe it’s lacking?


  19. dmc

    Is it worth spending money for a commercial encrypter?
    I mean, are crackers really going to hack your flash games?


  20. Ivanov

    I think SWF Encrypt Amayeta is better from secureSWF Kindi.
    I made a test with both programs and decompiled encrypted files with Sothink SWF Decompiler.
    Results:
    SWF Encrypt Amayeta – Win
    secureSWF Kindi – lose
    SWF Encrypt Amayeta hid values of my vars successful, and secureSWF Kindi didn’t.


  21. ExplosionsHurt

    @dmc,

    yes, they are. Usually, it’s done for flash cheat websites, like arcadeprehacks.


  22. Great tutorial!!… i found a online encrypting tool for swf files but i’m not sure how good is compared to “secure SWF”…
    http://encrypt-swf.raisedtech.com/


  23. @cool math: I would stay away from sites like these as they might actually be stealing your code instead of helping you. I don’t even see a Disclaimer section on that website or anything.

    Does anyone know if these obfuscating tools slow down performance of the game? As I’m seeing from the before/after example, the tool adds about 3 more variables and then performs some stuff that just seems as extra processing to me. I might be wrong but that’s why I’m asking.



Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> <pre lang="" line="" escaped="" highlight="">


Advertisement