Gareth Jones

After upgrading to Flash player 11.1 this week (11.1.102.55 to be exact) I noticed that a number of my games and applications were no longer displaying correctly. The screen would either be blank on startup or after a couple of button presses, and after that point right-clicking on the stage would present me with a “movie not loaded” message and not much else.

At first I thought that Adobe had simply dropped the ball again. It wouldn’t be the first time, let’s be honest.

I considered reverting back to a previous player version but of course that wouldn’t solve the problem for everyone else who is using my applications so I decided instead to investigate.

One of the applications that was affected was a personalised video messenger I’ve just finished for a major UK greetings card company. The strange thing was that the application would work on some screens when it was in normal mode, but not at all when it was in debug mode. The only difference between debug mode and normal mode was that for the benefit of the non-technical staff at the card company the application would output its traces to a text field at the bottom of the screen. No other logic was different so naturally my first thought was that it was related to dynamic text fields or maybe an embedded font issue.

After some messing around it turned out that it wasn’t the text field or the embedded font at all. In fact in turns out that Flash player 11.1 is happy with all of that stuff: until you run the SWF through SWF Protector 3. At that point the SWF again either refuses to work at all or refuses to work on screens that use dynamic text fields. For every Flash player version prior to 11.1 the SWF works fine so I can only assume that either there is a bug in 11.1 that SWF Protector 3 exposes or Adobe has deliberately changed something that happens to trip up this particular obfuscator.

So, I’ve had to consign SWF Protector 3 to the bin and am now using Kindi SecureSWF which, although technically a more secure product isn’t as user-friendly as there is no batch import of SWFs and no option to have the protected file over-write the original. I’m actually hoping the next Flash player resumes its compatibility with SWF Protector 3, but with SWF Protector 4 due out for PC any minute now there is also hope that DCOMsoft can resolve the problem themselves.

Company: DCOMsoft
Product: SWF Protector 3
Price: From $39.95

Following my recent re-review of Amayeta’s SWF Encrypt 6.0, here’s another look at SWF Protector 3 from DCOMsoft.

The latest version of the software is 3.0.1.191 which means it hasn’t changed at all for over a year, so it will be interesting to see if it still offers protection against decompilers that are advancing all the time.

First the interface. In the default simple mode this is clean and quite minimalist. You have a button to add individual files, a button to add folders and a button to recursively add folders which is a nice feature that can save a lot of time on larger projects. After adding your files to the list you can either protect them individually or all in one go.

A properties window on the right gives you rudimentary information on each file while a log window at the bottom keeps you informed of progress.

When protecting a file the program will attempt to use default obfuscation settings which it will automatically wind down if there are any problems so that the resulting file always works. If a file does ever break during the process there’s an advanced mode that allows you to tweak the obfuscation applied to each function individually, though to be honest I have never needed this as the automatic settings have never broken a file.

Obfuscated files are given the original file’s name while the original file is renamed which is great news if you’re obfuscating large projects as it means you won’t have to go round renaming files or updating references afterwards. This was something I highlighted in its predecessor as a major advantage over SWF Encrypt last year, before Amayeta shamelessly copied the feature.

The program does occasionally crash and when it does it will be one of two ways – either immediately after loading up despite no interaction from yourself or immediately after you add a file to the obfuscation list. Resolving the issue in both instances is a simple case of closing the program and running it again, but of course such a crash is an annoyance that can’t really be justified in this day and age of tried and tested OSes, drivers, middleware etc.

So, how does it perform when it comes to obfuscating? For this test I again used Sothink’s SWF Decompiler (version 640, build 3450) and Burak’s ASV 2011 (version 2011/08).

First Sothink’s SWF Decompiler. This tool opened both SWFs without crashing or throwing up any error messages, but the AS it gave me was all obfuscated. In both AS3 and AS2 it seemed to only show me the code as SWF Protector 3 wanted it to be seen, which is what we want from an obfuscator really. When I attempted to rebuild the AS3 FLAs the tool crashed, and while the AS2 files did yield FLAs they was completely worthless as none of the code was intact and the library assets were a mess. In short, all I could get from SWF Decompiler was the audio, fonts and graphics, but none of that is realistically going to help someone rip off your Flash project.

Burak’s ASV fared much better with AS3, but slightly worse with AS2. It was completely thrown by the AS2 files and gave me nothing but a long list of error messages. I couldn’t browse the file properly, let alone rebuild an FLA. This implies that the AS2 obfuscation in SWF Protector 3 is significantly more effective than that found in Amayeta’s SWF Encrypt 6. AS2 is traditionally easier to obfuscate than AS3 though, so how did an AS3 file compare? AS3 was a different story as ASV was not only able to open the file but it also showed me all of the code in original, unobfuscated form. It wasn’t quite able to get all the way through to rebuilding an FLA as the FLA that it exported would not compile into a functioning SWF, but with the asset library intact and the original code all visible in ASV’s code browser, it wouldn’t take too long for a determined developer to put together a working rip-off of your Flash project.

An interesting observation was that the test AS3 SWF increased in size slightly after it was run through ASV, but this didn’t seem to affect the file’s running in any way. I do wonder what extra data ASV injected into the file though.

To conclude, if your SWF files are AS2 then SWF Protector 3 looks like an excellent purchase. The two most well-known decompilers on the market couldn’t even get close to decompiling the files, and this tool costs less than half of what Amayeta charges for its ineffective SWF Encrypt software. If you work in AS3 however it’s clear that although SWF Protector 3 will still protect your work against Sothink’s SWF Decompiler, Burak’s ASV almost has it fully cracked. Indeed, a developer with some time on his/her hands would have no trouble in rebuilding your AS3 project from the exported FLA and unobfuscated code, which means that for AS3 developers the search for the perfect obfuscator continues.

UPDATE: It appears that SWF Protector 3 isn’t compatible with Flash player version 11.1.102.55 and it’s not clear if compatibility will return with a future release of the player. SWF Protector 4 is already out for Mac so it can’t be long before the PC version is made available so hopefully the issue will be resolved soon. Alternatively if you need a Flash obfuscator for PC today then you Kindi SecureSWF is your best bet.

I noticed a lot of traffic coming from the SWF Decrypt blog so I decided to take a look and see what was going on over there. It appears that Magus, the blog’s admin and author of the above named software has gotten pretty excited about DComSoft and Eltima being the same company. The reason for this is supposedly because both companies sell competing software – a SWF obfuscator and a SWF deobfuscator respectively, though an additional reason I think would be that for a few weeks now Magus has had a bee in his bonnet having broken DComSoft’s SWF protection and he no doubt sees this as a way of sticking the boot in.

To be honest though I wouldn’t at all be surprised if they were the same company:

• From correspondence I’ve had with reps from both companies, English is not their first language despite the USA being their registered addresses.
• When reviews of software from both companies go up on this blog, it’s Ukrainian traffic that comes for a look in both cases – not American.
• In all the correspondence I’ve had with these reps, their writing style is very similar.
• Products from both companies use the same activation tool and, as it would seem, the same EULA.
• Lastly, Eltima contacted me to offer me a review sample the *same day* that the DComSoft SWF Protector 2 review went up.

The thing is, who cares if they are the same company? Hundreds (if not thousands) of companies all around the world sell products that compete against each other – it’s known as a Multibrand Strategy or Multiple Branding and is defined below:

Marketing of two or more mutually competing products under different brand names by the same company. The motive may be that the company wishes to create internal competition to promote efficiency, or to differentiate its offering to different market segments, or to get maximum mileage out of established brands that it has acquired.

Source: http://www.brandchannel.com

One example would be BT, the UK’s telecommunications giant offering one phone number for recipients to tell who just called (1471), and another number to prevent this service from working if the caller doesn’t want the recipient to know who they are (141). Another would be that the same cosmetic companies offer both nail varnish and nail varnish remover. This really isn’t anything new.

In fact, you could even argue that a company that makes one product would be the best choice for a competing product – after all, the best lock-pickers are all lock-smiths.

Perhaps DComSoft’s/Eltima’s mistake is making themselves look suspicious by denying the link – or at least failing to acknowledge it – when accepting the link would have been no big deal to anyone with even a basic understanding of the markets.

Finally, it’s worth pointing out that however unlikely it is that this is all coincidental, it’s not an absolute impossibility that these two companies are independent. While we can all speculate I think we should wait to hear from a rep from either company before making such conclusions.

DCOMsoft have very kindly offered a free copy of the SWF Protector 2 software that I reviewed earlier today, to be given to the winner of some kind of competition. I’ve never held a competition on my blog before, so bear with me on this one. Ok, so…

The word “obfuscate”, as defined by Chambers Free English Dictionary, is:

1 to darken or obscure something.
2 to obscure something or make it difficult to understand.
3 to bewilder or confuse someone.

So, keeping with the theme, what’s the most bewildering or confusing thing that’s ever happened to you, or that you have ever inflicted on someone else? It can be on any subject – doesn’t need to be related to writing code or anything like that – and be no more than 500 words. It’s not an easy task, but then this prize is worth £40 so I don’t think I’m asking too much of you!

The best (most interesting or amusing) account by 12pm GMT on Monday the 12th of April gets a free copy of SWF Protector 2.

My girlfriend will be the judge, so you can be assured that the results will be totally fair and impartial. The judge’s decision is final and there are no cash alternatives to the prize. The winner will be announced right here.

Company: DCOMsoft
Product: SWF Protector 2
Price: From $39.95

Note: This review is for an outdated product. For a review of SWF Protector 3, see here.

About a week ago, DCOMsoft emailed me to ask if I’d be interested in trying out their SWF Protector 2 product and posting my thoughts in exchange for a licence. I’d like to stress that in no way does providing a license obtain a favourable review for any old product – I always approach a product objectively and will post both positive and negative findings whether the review is commissioned or not.

So, on with the review. On installing the application it came to time to register it. I copied and pasted in the serial and hit the Enter button without noticing that I hadn’t selected the serial number properly before copying and had missed off the last digit. The little registration window closed and gave me no feedback, so it wasn’t until I tried to run the application again and found that it wasn’t yet registered that I noticed that the registration had failed. I tried again, this time re-selecting the serial number and making sure I had it all in there, and it then gave me a message confirming registration. For instances where a mistake like this can happen, it would be worth having a message to say “Registration failed” or “Incomplete serial number”, but that’s a minor gripe.

Once registered, the application’s interface is very clean and quite minimalist. The first thing I noticed – and with some excitement – was an “Add folder recursively” button which, I’m pleased to say, works a treat. The application adds all of the SWFs contained within a parent and all child folders, tells you their protection status and offers the ability to open each one if you need to make sure you’re looking at the right file here.

As opposed to SWF Encrypt which shows you all the SWFs in a directory and asks you to select all of the ones you want to obfuscate, SWF Protector 2 assumes you’ll want to protect everything by giving you just one “Protect all” button. This makes sense, because if you didn’t want to protect your SWFs then chances are you wouldn’t be using the application in the first place. If there are any SWFs in there that you don’t want to protect however, you can simply remove them individually from the list before hitting the “Protect all” button. Alternatively, if you do only want to protect a single file, you can right-click on that file and select “Protect one file” from the menu.

Having had SWF Encrypt crash on me a few times after trying to obfuscate a file that was currently open inside the Flash IDE, I was curious to see what SWF Protector would do in this case. It didn’t disappoint, prompting me with a message stating that it could not overwrite the file – a much more elegant solution that simply crashing unexpectedly!

When my target file wasn’t open inside Flash’s IDE, SWF Protector 2 further impressed by renaming the original file “example_original.swf” and creating an obfuscated version with the original file’s name. This eliminates the issue I outlined in SWF Encrypt’s case where you either have to rename all your files manually or change all of your file links on your server to take into account the different name of the protected file. Bonus.

I also wanted to see what SWF Protector 2 did when revisiting a previous project – would it remember the last location or would I have to navigate to the project all over again? It actually remembered my previous location, and did so even when I closed the application without protecting any files. Excellent.

Also available at the top of the screen is an Advanced option which lets you configure the level of obfuscation – either on a per-class basis or you can set the level for the entire file. I took an unprotected SWF that was 518kb in size and ran it through the obfuscator at minimum settings and the output was also 518kb. I ran the same file again at maximum settings and this time the output came out at 555kb, so obviously the level of protection is such that it can make anywhere between 0% and 10% difference to the file-size – exactly how much protection you apply is up to you, so you can balance protection against file-size depending on the exact needs of your specific project. This is another feature that is missing from SWF Encrypt.

One bug that I did notice in SWF Protector 2 though was that after protecting a file in Advanced mode, the “Protect all” button would not become re-enabled for me to run another pass despite me selecting a new, unprotected file. To get the button back I either had to switch to Simple mode or restart the application and switch back to Advanced mode. This isn’t a deal-breaker, as you won’t be re-protecting files with different levels of security one after the other very often (if at all), and I only noticed it because of the test I was running. However, to get top marks an application does need to be bug-free, so I’ll have to take this and the failure to notify on a failed registration into account when coming up with a score.

The fact that SWF Protector 2 not only does what it says on the tin but does so with much more thought towards usability and thus efficiency of use does make it a better product than SWF Encrypt. I’m sure DCOMsoft will endeavour to resolve the two small issues I experienced with the application as soon as they read this post, whereas from past experience (here, here and here) I know that Amayeta is unlikely to even care about SWF Encrypt’s bugs, let alone fix them. Being a better product is one thing, but being a better product that costs only a third of Amayeta’s price (the personal license costs just £25, though you’ll probably want the business license at £39 to be able to use it commercially) is just great and easily makes it a recommended product.

8/10

Coming soon: A review of how these SWF protectors stack up against SWF decryption tools.