In this day and age, the importance of securing SWF executables seems to have become a prominent topic. The reason for this boils down to malicious hackers trying to develop sophisticated memory hacks to manipulate the Flash application or game at runtime. The only software package currently available to really mitigate such attacks comes from the company DCOMSOFT. I had some time over the weekend to play around with DCOMSOFT’s SWF Protector 3 which was released around two years ago.

The interface I found really intuitive, and it has a good set of configuration options to boot. In the latest release, it finally supports Flash Player 10 exported SWFs which is what I mostly deal with these days. After converting a handful of SWFs into the protected format, I ran a few benchmarks and found no problems with how the obfuscation and protection methods hinder the final exported AVM bytecode.

The icing on the cake for me was the ability to use the command line to run the application. Without this feature, I would not be able to integrate the application into the automated build scripts we use with ANT. The below instructions was from the help file and shows just how simple it was to implement:

You can use command line to avoid customizing settings manually. The following syntaxes present the meaning of each command:

swf_protector.exe file1 file2 … fileN

This command specifies the list of SWF files for protection in Simple mode with default settings.

Overall, I’m impressed the quality of the product and just how simple it is to use. However, I do not like the notion of encrypting and obfuscation code for just the sole purpose of hiding implementation. This aside, SWF Protector will help keep hackers from finding easy wins in memory loopups and critical points of integration with other SWFs or backend calls.


Author: Jonathan Dunlap
Jonathan is a veteran software architect, author of IsoHill, humanitarian, and has worked with Bigpoint Inc, CrowdStar, ePrize, and Microsoft.
Be Sociable, Share!