Update: Please see the update at the end of the post.
Generally I don’t post about specific Flash/SWF obfuscators. I believe there’s a need for both obfuscators and decompilers. We bypass popular obfuscations with our tools with updates every 3 to 6 months, which I believe is fair.
There are many obfuscators. SWF Encrypt by Amayeta is a well known one. SWF Encrypt ‘works’, as many other obfuscators do -until they are bypassed, though Amayeta usually have funny claims like their software provides ‘up to 1000 times stronger’ protection. (It took us just minutes to bypass their initial v3, with such claims).
I haven’t tried their new version 4 yet, we bypass obfuscations as we receive requests from our customers, we do not actively check them out. But, as ASV 5.21 bypassed many current obfuscations at the time of its release (January 5, 2007), we expected obfuscator vendors releasing updates. (Actually, I thought they would be much quicker. An obfuscators whole job is to hide your script. A professional decompiler like our ASV provides many other benefits so it’s not vital for us to bypass SWF obfuscations very quickly. In fact, we deliberately not do that).
SWF Encrypt is an expensive tool from where I look. We sell ASV for US$60, their tool sells for US$125. Writing a decompiler is far more difficult as I see it, so I consider it expensive.
Now, they have another tool, SWC Encrypt, for $125 and they sell the bundle for ‘just’ $250 (they don’t believe in bundle discounts I guess).
SWC files are in ZIP format, you can rename a SWC as .ZIP and open/extract it with any ZIP tool. ASV does that when you open a SWC file, searches the ZIP and opens the SWF if there’s only one, or displays a SWF list. We never thought of releasing a SWC decompiler, because it would only mean the added support for opening ZIP files, for which there are free libraries.
I don’t know if this SWC Encrypt actually does something special for the SWCs, but I’ve previously seen one other ‘SWC obfuscator’ that didn’t. I wasn’t able to find any info about this on their site, if this SWC Encrypt is just SWF Encrypt with ZIP support, selling for another US$125, that is just sad.
You may choose SWF Encrypt for your SWF obfuscation needs, it’s a bit expensive and a bit too popular (both are not really good), but it works as much as any other in its class, considering ASV (I must say that I don’t know exactly how much other decompilers bypass every obfuscation out there). (I also must say that I usually recommend another class of obfuscation, identifier renaming, as Genable ASO lite does. The process is harder to automate and may not suit your needs, but it’s irreversible. Even if you’ll be using another obfuscator later, it may be worth obfuscating identifier names first for maximum protection).
For your SWC obfuscation needs, I’d suggest simply extracting the SWF(s) from the SWC (by renaming it as a ZIP first) and obfuscating using your current solution. Then you can zip them back and rename the file as .SWC. (and this can easily be automated).
If you paid US$125 for SWF Encrypt, if I were you, I’d ask them for SWC support, which is trivial and I can’t see why they shouldn’t have it (unless it will make their SWC Encrypt obsolete).
If you have a Flash obfuscator, it’s easy to obfuscate SWF files in SWC files using your current obfuscator. You don’t really need to purchase a separate SWC obfuscator.
And if you have a SWC obfuscator, chances are that you can use it for obfuscating your SWFs. Simply ZIP your SWF, rename the ZIP as .SWC, obfuscate it and extract your ‘obfuscated’ SWF back…
(5 hours later) Update:
OK, one of my good friends emailed me and said that the above (obfuscating SWFs and re-zipping the SWC) didn’t work with SWF Encrypt. I was surprised. I hadn’t tested anything but I didn’t see why it wouldn’t work.
The only reason I can think of is the method SWF Encrypt uses. It moves the bodies of the scripts to undefined SWF tags, jumps to those tags from action tags. It exploits the fact that Flash Player will jump and execute code anywhere in the SWF file. This may have caused the SWC incompatibility.
If you have SWF Encrypt, you may need an additional SWC obfuscator, as it seems their obfuscation is not that compatible. (Other obfuscators should work well, maybe you should think twice before investing in SWF Encrypt).
If you have a SWC obfuscator -and that should include SWC Encrypt- , you can obfuscate your SWFs using it by simply putting them in ZIP files and renaming ZIPs as SWCs.
(One day later) Update:
My initial motivation for this post was my surprise to see a SWC obfuscator, which is normally quite redundant if you have a SWF obfuscator. It turns out, Amayeta needed one because of the obfuscation method they used with SWF Encrypt. So, in fact we have two different obfuscation methods here. (You can use SWC Encrypt for SWF obfuscation but you cannot use SWF Encrypt for SWC obfuscation). I’ve received an email suggesting that SWF Encrypt is stronger than SWC Encrypt. This may well be the case, but they both sell for US$125…