SWF Encryption Uncovered

Removing the few junk bytes Amayeta and DComSoft charge you for


Last week, I dug some dirt on DComSoft and Eltima and I got them really pissed off. This week is dedicated to Amayeta.

Known for providing the worst customer service anyone can expect, Amayeta started after MDM acquired Flashincrypt in 2005 (Amayeta and MDM are the same company too). Back then, a few developers wrote Flash applications that required any sort of protection and Flashincrypt was the only usable software. A more powerful piece of software called ASO, from Genable Labs, was in the making. While it was never officially launched, I had the chance to test ASO and it was very promising. But Genable disappeared, all of a sudden, and I wasn’t able to find any resource that said what happened. Their website just went down one morning and never came back up. Prior to the disappearance, Genable announced that they had sold the ASO Lite version to a CA company and that they would continue to develop the ASO Pro version. But that was their last announcement.

So how is that related to Amayeta? Well, before disappearing, Genable released a utility very similar to SWF Decrypt called FINI that reversed Flashincrypt protection in November 2004. Flashincrypt was temporarily discontinued until, by mid 2005, MDM acquired it and created SWF Encrypt. So, SWF Encrypt was born of a useless software to begin with :)

When SWF Encrypt 3.0 was released, it looks like Amayeta did not give Flashincrypt’s users a free upgrade as anyone would expect. They treated their users as if they were upgrading from a usable version looking for improved and additional features. You can see it on this page that I pulled from the Internet Archive. They were clearly asking users to upgrade for a fee.

I am not sure when SWF Encrypt 3.0 got bypassed, but when Amayeta released SWF Encrypt 4.0 they literally said “The Encryption Technology used to protect your ActionScript are up to 1000 times stronger than previous builds.” as you can see here. But it didn’t take long for ASV to bypass their protection and show the world again that it is just a useless piece of junk. At that time, I was using SWF Encrypt 4.0 and I paid $125 for it. I saw my Amayeta protected SWF files decompile in ASV as if they were not protected at all! Even worse, I contacted their customer support a couple of times and never received a response. That was early 2007.

If SWF Encrypt 4.0 was “up to 1000 times stronger” than 3.0, then what on god’s earth was SWF Encrypt 3.0 doing?! What were they charging people for?!

Every release of SWF Encrypt was pretty much bypassed. Since 2004, anyone who had a look at how they did their protection was easily able to figure it out and reverse it. Authors of FINI and ASV both said it took them just minutes. I’m definitely not as experienced as they are, so it took me a weekend. If you still doubt that SWF Encrypt is just a scam and Amayeta is absolutely not a trustworthy company, check out swfdump and try it on your files before and after using SWF Encrypt. Let me know how long it takes you to figure out how stupidly their protection works!

It has been two weeks since I released SWF Decrypt to point out that some SWF encryptors are worthless. While I didn’t directly contact Amayeta and DComSoft, I made sure they’d be among the first to know by explicitly mentioning their names, following them on Twitter, and posting comments on blog posts they commented on earlier. I have no doubt they knew about SWF Decrypt since the first day.

But none of these companies did anything. They didn’t update their broken software, they didn’t notify their users about this very important security issue, and they didn’t even contact me.

While I’m very pleased by the very positive feedback and the little buzz SWF Decrypt is getting, I am a bit disappointed by some of the reactions. For example, swftools.com rejected the SWF Decrypt submission while it is a perfectly legit SWF tool. At least, it is as legit as the 22 decompilers they are listing. And Emanuele, one of my favorite bloggers, blocked my comments on his recent SWF Protector review. Why are they trying to hide the truth and block it from reaching their readers? Any ideas?

Another interesting thing happened since the release. Some people thought that since I recommended SecureSWF and IrrFuscator then I must be working for them. Gareth Jones winked that I might be a new hire at KindiSoft. There is a reason why I would recommend those two and attack the other two. SecureSWF and IrrFuscator are actual ActionScript obfuscators. They do what other obfuscators for every other language are doing. They rename the classes and variables to make decompiled code harder to understand. But SWF Encrypt and SWF Protector do not do that. They are just rip-offs. If they rename anything, then SWF Decrypt will leave it renamed. It is not possible to revert to the original names. SWF Decrypt works in the same way for any SWF file and removes the few junk bytes it can find.

It took me a weekend to write SWF Decrypt, but by today Amayeta and DComSoft have had over two weeks to fix their software. SWF Decrypt has proven to work very well and, thanks to everyone who helped spread the word, it has been downloaded over 2,320 times. Why has neither Amayeta nor DComSoft issued an update yet? I know DComSoft are at least trying.

Update: Amayeta is also “working on it”.

Not all protected SWF files. But the AS3 ones that are claimed to be protected by SWF Encrypt from Amayeta and SWF Protector from DComSoft. This should be really embarrassing to some people, but an eye-opener for the rest of the community.

For years, Amayeta had charged developers $145 for SWF Encrypt. Last week, I put it to the test and SWF Decrypt was born. While at it, I took a stab at SWF Protector from DComSoft, newer but gaining popularity, and reversed their protection too. I’m publishing SWF Decrypt to share my findings and help spread awareness. I do not think it is an unethical or a hacker tool. I’m just uncovering what many people thought was protecting their work from Flash decompilers.

I also hope that SWF Decrypt will encourage the authors of SWF Encrypt and SWF Protector to implement real code obfuscation methods. Until they do, I can recommend using other solutions that at least can rename classes and variables. If the software that you are using can rename classes, then you can tell it is using at least one code obfuscation method that works. Notice that SWF Decrypt does not recover variables renamed by Amayeta. There is no way to recover that. But from what I hear, their variable renaming method does not work for most people.

SWF Decrypt does not specifically target SWF Encrypt and SWF Protector. It reverses the lame techniques they use, which are probably used by other products as well. I didn’t test all the products available in the market yet. But I encourage everyone to share their findings in the comments section here.

SWF Decrypt is freeware and can be freely distributed. I did not make it open source yet to prevent Amayeta and DComSoft from knowing how I managed to easily reverse their protection. I plan to mess with them for a while :)