11
Mar2011

SWF encryption: how to embed an encrypted SWF into another SWF file

Posted by: Ward De Langhe

In April 2009 I wrote an article on Flash encryption. You can read that article here. I explained how to encrypt an SWF file, load it at runtime, decrypt it using actionscript and add the decrypted SWF file to the display list. In that way the decrypted SWF only existed in memory.
This was a great way to add an extra layer of protection to protect your actionscript source code and assets. However, people could still easily download the encrypted file, decompile the loader SWF to get the key, and then decrypt your SWF using that key.
To make it a little harder to crack, I’m now embedding the encrypted SWF file as a ByteArray into another SWF. In this way, if you want to decrypt the SWF you have to find a way to extract the bytes from the encapsulating SWF. This is not an impossible task, but it will keep most people out.

Here’s how you embed an encrypted SWF in another SWF:

  • Download the XOR-tool. This is a little AIR application I made to encrypt your files using the XOR algorithm.
  • Select the SWF file you want to encrypt, choose a key, and encrypt your SWF.
  • Create a new actionscript project in Flash Builder, and add the following code to your main class:


    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    //copyright 2011 Ward De Langhe
    //http://www.veryinteractivepeople.com
    package
    {
        import flash.display.Sprite;
        import flash.display.Loader;
        import flash.display.Sprite;
        import flash.events.Event;

        import flash.utils.ByteArray;
       
        [SWF(width="770", height="490", frameRate="31", backgroundColor="#FFFFFF")]
        public class ProtectedSWF extends Sprite
        {
            //replace "encrypted.swf" to the name of your encrypted SWF file
            [Embed(source="encrypted.swf", mimeType="application/octet-stream")]
            private const EmbeddedSWF:Class;
           
            //put your encryption key here
            private static const KEY:String="WRITE_YOUR_OWN_CODE!";
           
            public function ProtectedSWF()
            {
                var binaryData:ByteArray = new EmbeddedSWF();
                if(binaryData.length != 0)
                {
                    XOR(binaryData,KEY);
                    var animationLoader:Loader = new Loader();
                    animationLoader.loadBytes(binaryData);
                    addChild(animationLoader);
                }
            }
            private static function  XOR(binaryData:ByteArray, key:String):void{
                var keyIndex:Number=0;
                for(var i:Number=0;i<binaryData.length;i++){
                    binaryData[i]=binaryData[i]^key.charCodeAt(keyIndex);
                    keyIndex++;
                    if(keyIndex>=key.length)
                        keyIndex=0;
                }
            }
        }
    }
  • Place the encrypted flash file in your source folder, and make sure it’s name corresponds to the one in the code. And change the key in the code to the key you used to encrypt the file.
  • Compile your project. The encrypted SWF is now embedded in another SWF. If you run this SWF you will see your original SWF movie.

How to make it harder to decrypt/decompile:

Here are some ideas to add some extra protection:

  • Repeat the process a couple of times, preferably using different keys
  • Hide the key in a second encrypted SWF
  • Obfuscate your code before encrypting it. If people manage to decrypt the file, they will still have trouble copying your code.

Problems:

One of the downsides of this technique is you can no longer pass Flash vars. If you load an SWF into another SWF it is possible to pass Flash vars trough URL parameters. However, in this case we are injecting the bytes directly into a Loader object. And because of this we cannot pass Flash vars.

11 Responses to “SWF encryption: how to embed an encrypted SWF into another SWF file”

  1. Bruce says:

    Actually, hackers can easily bypass this way use memory dump tools. I recommend you to try this free tool:
    http://bruce-lab.blogspot.com/p/swf-cry.html
    It can pack your swf, obfuscate the variables, as well as prevent memory hack to some extent.

  2. Everything that runs on the client can be cracked. I do realize that for someone with some programming knowledge it’s not too hard to crack this. It’s just an extra layer of protection. It will keep 95% of the script-kids out there from decompiling your code.
    Anyway, thanks for the link. I’ll give it a try.

  3. Glav says:

    Let me give you a tip :
    Sothink SWF Decompiler is the most used flash decompiler, but I found out that even the last version (5.4) only decompile AS3 code that is inside a class. For example, I wrote :

    package {
    import flash.display.Sprite;
    public class main extends Sprite {
    public function main() {
    var a:int = 4;
    var b:int = 9;
    var c:int = MySum(a, b);
    trace(c);
    }
    }
    }

    function MySum(x:int, y:int):int {
    return x + y;
    }

    And I opened the final SWF in Sothink, that gives me :

    package
    {
    import flash.display.*;
    public class main extends Sprite
    {
    public function main()
    {
    var _loc_1:int = 4;
    var _loc_2:int = 9;
    var _loc_3:* = MySum(_loc_1, _loc_2);
    return;
    }// end function
    }
    }

    No clue about the MySum function. I advise you to put your sensitive code here, so it will keep people using sothink out.

    http://img191.imageshack.us/img191/6425/screenshotvui.png

  4. saurav says:

    Hi,
    I am a game designer. Recently I created a game in flash as2. There is a problem in this game. This game work well without encryption(on the web), but after encryption its preloader doesn’t appear on loading screen, It shows a blank screen(white screen).but it loads everything and I can continue to play the game. Then I created a seperate preloader in as3 and call the encrypted game file in this as3 preloader. It shows the preloader that i created in flash as3 and then the game appear. But I can not publish both files to publisher. I want to make one swf file with preloader and game inside this, so that visitor can see loading bar. Please tell me the embedding process or any suggestion from you, I am trying to solve it from one month, I am not a advance as3 programmer. Please give me your suggestion.
    Thanks in advance.

  5. Jacob says:

    Hi Saurav
    Dcomsoft released a new protector for Mac. This can help youu http://www.dcomsoft.com/

  6. Pedram says:

    was clever ;)

  7. Dave Redder says:

    @Bruce – thanks for that link, that’s just what I was looking for!

  8. sanjay says:

    swf cry is an ONLINE tool. So what is the point, you are already revealing your swf/code to whole world by using online tool, so how is it useful??

  9. andri says:

    hi, i m trying to make a preloader, before addChild(animationLoader);
    i add this code
    animationLoader.contentLoaderInfo.addEventListener(ProgressEvent.PROGRESS,loading_swf);
    animationLoader.contentLoaderInfo.addEventListener(Event.COMPLETE,loading_done);
    it only read “loading_done” function. but not read “loading_swf” function.

  10. Venki says:

    Hi, i have protected the swf files using the XOR tool and it work perfect, but the problem is when i using Linux Ubuntu OS to run project in which the swf buttons click area were misaligned in y axis, sometimes x axis too. can u pls let me find a solution for this.
    Thanks in advance.

  11. Indika Wijesooriya says:

    Hello, Is there a way to encrypt a video using XOR algorithm and decrypt in in another swf ??? and play only inside the main swf??


Leave a Reply