SWF Encrypt, SWC Encrypt, Do you need them both?

Update: Please see the update at the end of the post.

Generally I don’t post about specific Flash/SWF obfuscators. I believe there’s a need for both obfuscators and decompilers. We bypass popular obfuscations with our tools with updates every 3 to 6 months, which I believe is fair.

There are many obfuscators. SWF Encrypt by Amayeta is a well known one. SWF Encrypt ‘works’, as many other obfuscators do -until they are bypassed, though Amayeta usually have funny claims like their software provides ‘up to 1000 times stronger’ protection. (It took us just minutes to bypass their initial v3, with such claims).

I haven’t tried their new version 4 yet, we bypass obfuscations as we receive requests from our customers, we do not actively check them out. But, as ASV 5.21 bypassed many current obfuscations at the time of its release (January 5, 2007), we expected obfuscator vendors releasing  updates. (Actually, I thought they would be much quicker. An obfuscators whole job is to hide your script. A professional decompiler like our ASV provides many other benefits so it’s not vital for us to bypass SWF obfuscations very quickly. In fact, we deliberately not do that).

SWF Encrypt is an expensive tool from where I look. We sell ASV for US$60, their tool sells for US$125. Writing a decompiler is far more difficult as I see it, so I consider it expensive.

Now, they have another tool, SWC Encrypt, for $125 and they sell the bundle for ‘just’ $250 (they don’t believe in bundle discounts I guess).

SWC files are in ZIP format, you can rename a SWC as .ZIP and open/extract it with any ZIP tool. ASV does that when you open a SWC file, searches the ZIP and opens the SWF if there’s only one, or displays a SWF list. We never thought of releasing a SWC decompiler, because it would only mean the added support for opening ZIP files, for which there are free libraries.

I don’t know if this SWC Encrypt actually does something special for the SWCs, but I’ve previously seen one other ‘SWC obfuscator’ that didn’t. I wasn’t able to find any info about this on their site, if this SWC Encrypt is just SWF Encrypt with ZIP support, selling for another US$125, that is just sad.

You may choose SWF Encrypt for your SWF obfuscation needs, it’s a bit expensive and a bit too popular (both are not really good), but it works as much as any other in its class, considering ASV (I must say that I don’t know exactly how much other decompilers bypass every obfuscation out there). (I also must say that I usually recommend another class of obfuscation, identifier renaming, as Genable ASO lite does. The process is harder to automate and may not suit your needs, but it’s irreversible. Even if you’ll be using another obfuscator later, it may be worth obfuscating identifier names first for maximum protection).

For your SWC obfuscation needs, I’d suggest simply extracting the SWF(s) from the SWC (by renaming it as a ZIP first) and obfuscating using your current solution. Then you can zip them back and rename the file as .SWC. (and this can easily be automated).

If you paid US$125 for SWF Encrypt, if I were you, I’d ask them for SWC support, which is trivial and I can’t see why they shouldn’t have it (unless it will make their SWC Encrypt obsolete).

If you have a Flash obfuscator, it’s easy to obfuscate SWF files in SWC files using your current obfuscator. You don’t really need to purchase a separate SWC obfuscator.

And if you have a SWC obfuscator, chances are that you can use it for obfuscating your SWFs. Simply ZIP your SWF, rename the ZIP as .SWC, obfuscate it and extract your ‘obfuscated’ SWF back…

(5 hours later) Update:
OK, one of my good friends emailed me and said that the above (obfuscating SWFs and re-zipping the SWC) didn’t work with SWF Encrypt. I was surprised. I hadn’t tested anything but I didn’t see why it wouldn’t work.

The only reason I can think of is the method SWF Encrypt uses. It moves the bodies of the scripts to undefined SWF tags, jumps to those tags from action tags. It exploits the fact that Flash Player will jump and execute code anywhere in the SWF file. This may have caused the SWC incompatibility.

Current conclusion:
If you have SWF Encrypt, you may need an additional SWC obfuscator, as it seems their obfuscation is not that compatible. (Other obfuscators should work well, maybe you should think twice before investing in SWF Encrypt).

If you have a SWC obfuscator -and that should include SWC Encrypt- , you can obfuscate your SWFs using it by simply putting them in ZIP files and renaming ZIPs as SWCs.

(One day later) Update:

Final thoughts:

My initial motivation for this post was my surprise to see a SWC obfuscator, which is normally quite redundant if you have a SWF obfuscator. It turns out, Amayeta needed one because of the obfuscation method they used with SWF Encrypt. So, in fact we have two different obfuscation methods here. (You can use SWC Encrypt for SWF obfuscation but you cannot use SWF Encrypt for SWC obfuscation). I’ve received an email suggesting that SWF Encrypt is stronger than SWC Encrypt. This may well be the case, but they both sell for US$125…

This entry was posted in Flash, MG.

14 Responses to SWF Encrypt, SWC Encrypt, Do you need them both?

  1. steve says:

    I’m very interested in buying ASV, but I need to know whether it can handle swf encrypted files. Will you let me know?

  2. Hi Steve,
    These obfuscators have been very recently released (SWF Encrypt v4 and SWC Encrypt v1). Current ASV version 5.21 handles many obfuscators, but not these, not yet. (ASV should work with SWF Encrypt v3 though).
    As I mentioned in the post, we generally bypass obfuscations with updates after 3-6 months they are released.
    Best regards,

  3. Dennis says:

    Unzipping, obfuscating, rezipping, renaming won’t work if you use identifier renaming.
    Upon unzipping the swc file, you will notice an intrinsic actionscript file which lists all the attributes and methods.
    you have to be carefull either not to rename these when obfuscating or replace their names with the obfuscated ones.
    This is a theoretical solution, i haven’t tried it yet – too much stuff to rename :)
    I’ll try it out with smth trivial and post the final result.

  4. Hi Dennis,
    ‘Identifier renaming’ is something you’ll *always* need to be careful with.
    For this reason most obfuscators, that need to have user-friendly one-click operation, don’t use ‘identifier renaming’ at all.
    Thanks for posting, and please do post your results.
    Best regards,

  5. Dovy P. says:

    I get a lot of “\x01″ variables. What program is that and how/when will your program be able to bypass it?

  6. > I get a lot of “\x01″ variables.
    That’s most probably SWF Encrypt, it can be version 3 or 4.
    As I mention in the post (maybe it isn’t clear), we will look into bypassing SWF Encrypt 4 in 3-6 months after its release. So the earliest possibility is May.
    Best regards,

  7. ben says:

    i have use SWF Protect it is strong and decompilers can not bypass protect.

  8. Hi Ben,
    > decompilers can not bypass protect
    Are you sure? Can you send me a sample protected SWF (to burakk at buraks.com)? Also, can you post the URL for the application, there are at least 2 applications I know named as such.
    Best regards,

  9. Darren says:

    >As I mention in the post (maybe it isn’t clear), we will look into bypassing SWF Encrypt 4 in 3-6 months after its release. So the earliest possibility is May.
    Anything available for SWF Encrypt 4?

  10. Hi Darren,
    5.25 versions handle SWF Encrypt 4.
    Best regards,

  11. Let me note: At the time of ASV 5.25 release (May 10, 2007), latest SWF Encrypt version was, AFAIK, 4.0.2. Amayeta will, no doubt, quickly update SWF Encrypt.

  12. Joe says:

    You are not making sense. You say that ASV can bypass obfuscations. Obfuscation is permanent. What your program bypasses is encryption and security, not obfuscation. Obfuscation is making the code hard to read.

  13. Hi Joe,
    Technically you may be correct, but please understand my blog posts aren’t PhD papers and the fact is that it’s really blurry in some respects. Also, products are named as vendors find domains.
    And not many people are aware of any distinction. Years ago, I’ve started calling every protection/encryption/obfuscation as ‘obfuscation’ – in a sense they all are.
    Some obfuscations can be ‘bypassed/reverted’, some cannot be – even in theory-. So what you say isn’t also exactly true. But it’s fine with me…

  14. Alan Wolfe says:

    Encryption itself is a more intense form of obfuscation. In fact obfuscation is also a weaker form of encryption :P