SWF Encryption Uncovered

It has been a while since I updated SWF Decrypt. The main reason was, of course, the much anticipated SWF Protector 3.0 from DComSoft. In other words, the lack of updates from DComSoft. They promised a complete rework of their protection algorithms that implements “Proper protection algorithms for AS3.0″ more than three months ago. And I was really looking forward for the new update because, after all, the main goal of this effort is to uncover the cheap tricks Amayeta and DComSoft are doing with the hope that this will encourage implementing proper obfuscation methods for ActionScript.

Unfortunately, I was disappointed right after I had a look at the bytecode of a SWF file protected by the new DComSoft software. I am not sure if the industry is changing, but it was my understanding that a major version update should at least either introduce a new feature or rework an existing one. I am sorry to say that the new version of SWF Protector is a complete joke! DComSoft are walking down the same path as Amayeta (see my Review of Amayeta SWF Encrypt).

SWF Protector 3.0 protection is the same as 2.0 with only a single byte added to the beginning of each method. Yes, only one byte in the same location over and over again. The new byte is 0×02 and it stands for a NOP instruction. For those who are not into assembly, it is an instruction that does not do anything!

As Amayeta SWF Encrypt last update, DComSoft were trying to expose bugs in SWF Decrypt rather than implement an actual protection method. But Amayeta was at least discreet about it by naming the new releases 6.0.6 and 6.0.7. DComSoft, on the other hand, choose to use a major version update to deceive everyone (reviews can be found here and here) into thinking they did major changes. Fixing your software to parse Flash 10 files correctly and exposing a bug in SWF Decrypt is not a major change. Most of the change in the new version, in my opinion, is replacing Eltima’s EULA and changing the version number.

The new version of SWF Decrypt (v1.2 if anyone cares) fully recovers SWF files protected by the latest releases from Amayeta and DComSoft. They had more than three months to implement actual code obfuscation methods and they failed in every way. If you are still unable to see that those companies are just ripping Flash developers off by now, then I don’t know what well.

I think this should be really interesting to everyone who paid to get SWF Protector. It is clear to me that Eltima, the company that makes Flash Decompiler Trillix, one of the most popular Flash decompilers, is behind DComSoft (makers of SWF Protector). While I do not have, in my opinion, any solid proof, there are a couple of things that clearly point that way:

DComSoft accidentally used one of Eltima’s products’ EULA

As you can see in the screen shots, SWF Protector for Mac comes with Recover PDF Password license agreement. Recover PDF Password is one of Eltima’s products and you can also see Eltima’s name at the end in the screen shot below.

I can think of only one excuse for this, DComSoft copied the packager for Mac from Eltima’s and forgot to change the EULA. It can happen

More Proof

Eltima immediately contacted Gareth Jones after reviewing SWF Protector. While it could be a coincidence, Gareth says from the correspondence it is clear they are the same company. It can also be that the same marketing guys are working for both DComSoft and Eltima.

I also noticed the following while visiting both websites:

1. Both have translations to only French and German… Exact match!
2. Copyright notice says 2000 – 2010 on both websites while the domain name dcomsoft.com was created in 2005.

Conclusion

While I do not think that any of this is a solid proof and there still exists a small chance that all of this is just a coincidence, it does mean one of two things:

1. DComSoft is indeed the same company as Eltima and it is completely unethical and totally crosses the line to sell a Flash decompiler for years then come up and sell another software, under another company name, that protects from the decompiler they originally made!
2. DComSoft is a very low quality company that copies content from Eltima and makes completely worthless software.

That’s what I think. Let me know what do you think in the comments section.

Update: Another post about the subject can be found here.