Installation

This release of secureSWF doesn't make any changes to your windows registry or files. Therefore, just extract secureSWF into any folder and start using it immediately.

Minimum Requirements

The minimum requirements for secureSWF are:

• Pentium II 500 MHz or higher
• 5 MB of free hard disk space
• Microsoft .NET Framework v1.1 or later
• Recommended minimum screen resolution of 800x600

Using secureSWF Graphical User Interface

The Graphical User Interface of secureSWF consists of three main sections; Project Files, Protection Options, and Operations' Summary.

Project Files

secureSWF is designed to handle either a single SWF file or multiple SWF files that interact together. The Project Files section allows you to add the SWF file(s) that you wish to protect. To get started, click on the "Add" button and select the SWF file(s) that you wish to protect. Or, alternatively, drag the SWF file from your file browser into secureSWF.

Once you've added the SWF file(s), you will notice that secureSWF starts analyzing the code, automatically determining the best obfuscation settings. You will also notice that the there are a number
of statistics about the SWF file(s) that you've added in the bottom-left group-box.

Now, you can optionally move to the Protection Options tab to change some settings or directly click on the "Protect SWF Files" button on the upper-left corner to protect and save the SWF files.

You can pre-select the method of saving the generated, protected, SWF file(s) using the options in the "Output Settings" group-box. This step is optional since secureSWF will ask for the saving options when you click on the "Protect SWF Files" buttons if they were not set. The following is a description of each method:

• Save Output to Folder: The protected SWF file(s) will be saved in the selected folder using the original filename(s). If a file exists in that folder with the same name, it will be overwritten.
• Add prefix to filenames: The protected SWF files will be saved in the same folders they are in but with adding the prefix text that you've entered (default "secure_" ) at the beginning of the filename.
• Add postfix to filenames: The protected SWF files will be saved in the same folders they are in but with adding the postfix text that you've entered (default "_secure" ) at the end of the filename.

Protection Options

In the Protection Options section you can change the settings for renaming the identifiers, obfuscating and optimizing the code, encrypting the literal strings, or adding domain locks.

Identifiers Renaming

One of the most powerful features of secureSWF is its ability to rename almost everything in your SWF file from variables and functions names to frame labels and symbol names in addition to AS2 classes. Not only that, but secureSWF automatically determines the identifiers that are safe to rename and the identifiers that are not. secureSWF renames the following identifiers:

• Local Variables
• Local Functions
• Function Parameters
• Instance Names (Movie Clips, Textfields, and Buttons symbol instances)
• Frame Labels (frame labels are removed and replaced with frame indices instead)
• Textfield Variables
• Global Variables
• Target Path Strings (such as "_level0/a_mc/b_mc")
• AS2 Class Names
• AS2 Class Members

To enable Identifiers Renaming make sure that the "Rename Identifiers" checkbox is checked. There are 6 tab pages in the Identifiers Renaming section:

• All: shows all the identifiers in the SWF file(s) in a tree-like hierarchy except for AS2 classes, members, and global identifiers.
• Local Identifiers: shows a table of all the local variables and functions in the SWF file(s) with the location of each identifier and its type.
• Labels: shows a table of all the frame labels and anchor names in the SWF file(s) with the location of each frame label.
• Instance Names: shows a table of all the symbol instances names in the SWF file(s) with their locations and types.
• Global Identifiers: displays all the global identifiers (variables and functions that are accessed using the keyword "_global") of each SWF file and the AS2 classes names.
• Class Members: displays all the dentifiers that are found inside AS2 classes.

If an identifier in any sections is checked, it will be renamed (or removed if it was a frame label) in the protected SWF file(s). The identifiers selection in the "All" section is automatically synchronized with the other sections. You can right-click on any identifier to locate it in the "All" section.

There are two methods to set the selection for a group of identifiers; using the tree in the "All" section, or by using the advanced selection tool. You can right-click on any tree-node in the tree of the "All" section to select, deselect, or set the selection back to default of the tree-node and its subtree. The other method is by clicking on the "Advanced..." button. Here, you can define the selection criteria by selecting the types of the identifiers and a string pattern to match the identifiers names with. secureSWF will loop through all the identifiers in all the section and perform the action that you've selected on the identifiers that match the criteria that you have defined.

Code Transformation

secureSWF offers four different methods to protect your source code from reverse-engineering and decompiling that can be applied separately or together. Each protection method is compatible with all the Flash players from v5 to v9 and has been tested separately to break all the known decompilers and disassemblers. The following is a description of each method, along with its advantages and disadvantages:

Statement-level Randomization: Randomly restructures the bytecode instructions that makes up an ActionScript statement making it almost impossible decompile the source code. The performance and file size effects of this method depend on the source code. A block of code that has no branches (for example, if-statements, for-loops, or function definitions) will become smaller in size and will execute faster. On the other hand, extra bytecode instructions will be added to handle the branches which has negligible impact on the performance and increase in the SWF file size.

Control Flow Obfuscation: Adds extra branches to the bytecode that distracts decompilers and disassemblers. This method increases the SWF file size depending on the selected intensity. You can set the intensity between 10% and 100%; a 10% intensity generates a smaller SWF file while a 100% intensity generates a more protected SWF file. Our testing results have shown that even a 10% intensity will break all known decompilers most of the time.

Code Wrapping: Wraps the actionScript blocks with branches and junk bytes that effectively distracts decompilers and disassemblers. The size and performance impact of this method is negligible. You can set Code Wrapping to three levels; minimum, medium, and maximum. The degree of code wrapping will determine the size of the added code. Use maximum code wrapping for maximum protection, and minimum to get a smaller file.

Break Function Calls: Makes it much harder for a decompiler to find out what parameters are being passed to a function call.

Optimization

secureSWF implements many code optimization algorithms. By enabling this option, you will get a smaller file size and better run-time performance.

Literal String Encryption

While obfuscation protects the code logic, valuable data such as access passwords and urls remain in the SWF file as clear text. Malicious users can simply open the SWF file using a text editor (decompressing the SWF file if compressed) and view the literal strings that exist in your code. secureSWF allows you to select the literal strings in your SWF file, encrypt them in the SWF file using a very secure symmetric encryption algorithm, and decrypt them only when needed at runtime. Please note that this entails an added overhead each time the string is accessed.

To use this features, click on the "Select Strings..." button. A table showing all the literal strings, the number of occurrences, and their location will be displayed. Select the strings that you wish to encrypt and then click on the "Ok" button.

Encrypted Domain Locking

Inserting an encrypted domain lock to your SWF file(s) will greatly decrease the chances of having the movie being played offline. The movie will simply refuse to play if it was copied to a different location than that it has been locked to. For example, if you locked your movie files to "http://www.mywebsite.com/myflashmovie/", then the movie will only play if it is being launched from that location. If someone managed to copy the SWF file(s) somewhere else (i.e. PC, another website ... etc), then the movie will not play at all.

What makes this feature powerful enough to rely on is that the locations (URLs) that you locked the movie to are encrypted inside the SWF files and will only be decrypted at runtime. This makes finding out what is happening, and changing it, a very time and effort consuming task to a level that recreating the movie from scratch is usually easier.

To use Encrypted Domain Locking click on the "Select Domains" button and add the domains or URLs that you want to lock the files to. Make sure to add all the URLs that you want the user to be able to access the SWF file through.

Encrypted Loader Creator

This tool will help you to highly decrease the chances of having your SWF files downloaded or used offline. It simply creates a new SWF file which dynamically loads your original SWF file into it.

To increase this feature's power and reliability, the name and location of the original SWF file are encrypted. In addition to that, you can change the extension of the original SWF file into any random string (i.e. .mp3 or .js). This will make finding the original SWF file in the browser cache a much harder task. The main important gain from using this tool is that users who will try to use SWF rippers (grabbers) will not be able to download the original SWF file at all.

Using the Encrypted Loader Creator Tool

First of all, itis important that the settings of the created loader match the settings of the original SWF file you wish to load. You can start by clicking on "Load Movie..." and selecting the original SWF file so that the "Encrypted Loader Creator" tool would be able to extract its settings.

After that, you can optionally create a copy of the original file using another file extension (i.e. .mp3 instead of .swf). To do so, check the "Load a copy of the movie" check box, then fill in the file name and choose from the drop-down-list an extension, or type in any extension you prefer. Changing the file extension is highly recommended.

The next step is to make sure that the URL field is exactly what the loader is going to load. It could be just the file name, if the original file and the loader are going to be in the same folder, or the full URL (file path) of the original file that will be loaded.

Finally, you can optionally make adjustments to the loader settings. The following table explains each option:

The Command-Line Interface

secureSWF comes with a CLI for batch execution and integration. To use the CLI, you have to prepare your secureSWF project settings file (.sspj file) using the Graphical User Interface first.

Using the CLI is simple and straightforward. The basic form is to pass in the project file and the output folder as shown below.

> ss project_file_name output_folder_name

For example:

> ss myProject.sspj c:\projectOutput

In this case, secureSWF will process the SWF file(s) listed in the project file and according to the settings saved in it.

You can also override the settings stored in the project file using the following optional switches:

For example,

> ss myProject.sspj c:\projectOutput -wrap:3 -slr:on

will set "Code Wrapping" to maximum and enable "Statement-level Randomization" no matter what is in the project file.

You can use the first letter only of each switch as well:

> ss myProject.sspj c:\projectOutput -w:3 -s:on