How (not) to protect AS3 source code

As people are now becoming quite aware that others can steal their Flash games simply by reverse engineering the source code out of the compiled .SWF files, one idea which pops up in a lot of blogs and forums is this: "Why don't you simply encrypt the SWF file?" Great idea. Except that it doesn't help or work. Here is why:

The usual idea is to take the working game .SWF file, encrypt it and embed it as a binary resource in a wrapper SWF file, which loads the real SWF from that resource, decrypts it and plays it. Great, so nobody is able to see the decompiled source, right? Wrong.
Remember: if your wrapper SWF file can decrypt the real game, then anybody else can do this as well. At worst, it takes the evil guy as much time to find the key and decrypt the real content as it takes you to encrypt it. Even less time if he uses one of the dedicated tools for this. You've only made it a little bit more difficult for him to get the code; you didn't prevent it at all.

The only way to prevent people from stealing your code by reading its symbols is to remove the symbols. If there are no symbols anywhere, nobody can retrieve them. So simply remove the symbols from your code before publishing your SWF. And that's what code obfuscators are for. If the information isn't there anymore, it cannot be stolen. Simple as that :)
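To make the symbol-removal idea concrete, here is an added sketch (not code from this post or from any particular obfuscator) that renames private members in a constructed AS3 snippet and then checks which original names still survive in the output. It works on source text only; the sample class, the `_N` naming scheme and the function names are assumptions made for illustration.

```python
import re

# Constructed AS3 sample (not from the original post).
SAMPLE_AS3 = '''\
package {
    import flash.display.Sprite;
    public class BossFight extends Sprite {
        private var playerHealth:int = 100;
        private const secretBonus:int = 7;
        public function BossFight() {
            trace("playerHealth is " + playerHealth);
            applyDamage(secretBonus);
        }
        private function applyDamage(amount:int):void {
            // playerHealth must never drop below zero
            playerHealth = Math.max(0, playerHealth - amount);
        }
    }
}
'''

# Only private members are renamed: public names may be referenced from outside.
DECL = re.compile(r'\bprivate\s+(?:static\s+)?(?:var|const|function)\s+([A-Za-z_$][\w$]*)')
TOKEN = re.compile(r'''
    "(?:\\.|[^"\\])*" | '(?:\\.|[^'\\])*'   # string literals: left untouched
  | //[^\n]* | /\*.*?\*/                    # comments: dropped
  | [A-Za-z_$][\w$]*                        # identifiers
''', re.S | re.X)

def obfuscate(source):
    """Rename private members to meaningless names and strip comments."""
    names = sorted(set(DECL.findall(source)))
    mapping = {name: "_%d" % i for i, name in enumerate(names)}
    def swap(match):
        tok = match.group(0)
        if tok[0] in "\"'":
            return tok                    # changing a string would change behaviour
        if tok.startswith("/"):
            return ""                     # comments carry names and intent
        return mapping.get(tok, tok)      # unknown identifiers (Flash API) stay
    return TOKEN.sub(swap, source), mapping

def leaked_names(obfuscated, mapping):
    """Original names that still appear in the output, e.g. inside strings."""
    return [name for name in sorted(mapping) if name in obfuscated]

if __name__ == "__main__":
    out, mapping = obfuscate(SAMPLE_AS3)
    print(out)
    print("still readable in output:", leaked_names(out, mapping))
```

The leak check reports `playerHealth`, because the debug `trace` string spells the name out: renaming removes symbols, but anything written into string literals ships with the SWF.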

five comments, already:

This is what I like to call the “DRM fallacy”. You can’t hide the data from the intended recipient. Obfuscation only works because it’s (more or less) unreadable to humans, but the computer doesn’t care about names. Unless the human is very dedicated of course. Anything else (“real” encryption, layers of encoding, whatever) is completely pointless, as the developers of the DVD, Blu-Ray, etc. have found.
Phil Jordan - 18 11 08 - 18:28

Furthermore, it is senseless to implement encryptions/protections at all. If it is good, the game can and will be programmed again from scratch by someone else.
wITTus - 18 11 08 - 18:52

We programmers are all doomed man :(, I should’ve listened to my dad and pursued a career in the NBA, but now it’s too late
The Onslaught - 18 11 08 - 19:39

fully agreeing with phil: as soon as you can run some program on your machine you also can copy it. there are two ways around it: revoke the users permissions to access his own machine (what TCPA or TPCA or whatever it is called tries to achieve) or do some core parts on a machine under your control (which is why it is kind of difficult to crack MMORPGs without stealing someone else’s account).

I’d believe that streaming content from a server on demand makes it much harder to copy a game, since to get all the content one should have to play the entire game (or at least a significant portion of it). Makes no sense for tetris, obviously.
xaos - 19 11 08 - 11:40

It's just like Phil said: if someone really wants to, nothing can really stop them. But it's good to make it hard for them.
leo - 20 11 08 - 00:14
