The TAAS compiler is different from the ActionScript compiler since its input is not ActionScript source code but already compiled SWF or SWC files. Just like the haXe compiler can output AS3 instead of a SWF the TAAS compiler can do the same.
Now if you add one and one together you see that the TAAS compiler can be used as a very strong decompiler. My own tests have shown that it will work flawlessly where other commercial decompilers output rubbish. Since the compiler behaves like the Flash Player it will “execute” the bytecode in order to parse it which means it has a very highlevel understanding of the structure inside the SWF.
The only question is now what to do with the source code. I wrote the decompiler for my session at FOTB to show much easier how the optimizations behave. It is also a great tool to debug errors. But should it be opened or not?
To take it one step further one might also be able to write an obfuscator using the TAAS compiler. In my opinion it would be cool to have a strong decompiler and obfuscator, both being open source. We might also add an option to protect SWFs from the decompiler by adding something to the SWF metadata for instance. Of course this is just a simple rule which could be removed by someone once the code is open. What do you think?
I have mixed feelings about this, it can be both good and bad. I suggest you can make the obfuscator open source, but sell decompiler as a closed software which will help you make some money in the process
Regards,
Arul
An obfuscator can also save bytes, if you’re renaming variable names in a minimalist way. So the obfuscator would double as a compressor. I think of TAAS as a full blown compressor / obfuscator / optimizer. Send a .SWF in, and output a highly optimized .SWF. Both in speed, size and code.
As a debugging tool this will be incredibly useful. As for the abuse of such a tool, well, there’s always going to be vultures who will find ways to abuse other people no matter what.
Adding the simple SWF protection metadata will at least prevent the technically clueless vultures from taking advantage too easily.
I say open it up :)
P.S. Your work is phenomenal Joa, keep up the awesomeness :)
yeah, I’d too say open it up. It seems to be great work, and it would be sad if it wasn’t available to the community.
I would love to see an open source decompiler. For me, obfuscating is merely for the paranoid. If someone really wanted to hack your SWF, they’d find a way to do it, and no amount of obfuscating will protect a SWF 100%. I also like to encourage people to be open source!
An open source decompiler, with the option to recompile into a new optimized SWF – that would be amazing.
Hi Joa, I’m still amazed with your season in FOTB09!
There are two sides to it:
It’s good to be open source and share code but it is not good creating a weapon that will be used aganist developers by nasty companies.
There are some people that works very hard for years in just one flash file/project, I do. And whenever I release my product to the world I dont want that some evil company to decrypt my encrypted code and starts finding security holes making our lives hell.
If we encrypt code is for a reason, we are not beeing greedy selfish bastards. There must be some that are.
I always agree with sharing code with the comunity. But sometimes we have to protect the code for safety, and if you release your beast, lots of people is going to have to do the imposible to be able to protect users data.
If I had TAAS I would use to optimize the internal flash code as you showed as FOTB09… but nothing else really.
If people want code, they should just ask the developer how to do whatever but don’t steal the code! Decompilers are evil!
I’m with Arul Kumaran.
Just because the TAAS framework is open source does not mean you need to keep all the tools that use it open source too. Sell both the obfuscater and decompiler and earn yourself some well deserved money for your efforts. If someone doesn’t want to buy your tools, they can always use TAAS as a starting point and write their own…
I’m with the idea of opensourcing the obfuscator. It’s always good to learn through opensource. The decompiler, for all its “evilness”, does save your skin if you ever lose your source files. So I too tend towards Arul’s reasoning.
Hi Joa, Like others says there are two sides, but with releasing it as open source will it be worse than now ?
Some decompilers exists and cost money, but if someone really wants to take a look at you code it will probably buy the tool, or find it in the darkness of the net…
If we (SWF producers in that case) are counting protecting our code, or security implementation only through obfuscation, we have lost the battle. History have proven that it will never work.
In other things, it remind me the story of the ADOBE RTMPE reverse engineering : http://www.flashcomguru.com/index.cfm/2009/5/26/adobe-dmca-rtmpdump .
So i think you can release it the way you want as an open source project or selling it because you are doing an amazing job.
keeping the sources closed will not prevent those who want to decompile swf’s for abuse/stealing code. there are other decompiler than taas and there will always be. one may argue that you are giving them a powerful tool, but as we should know by now prohibition will not solve any problems at all.
think releasing the sources to the community is very now. keeping them away for reasons of what people make out of it is very then.
I work for nitrolm.com. We provide swf encryption services for flex and air as well as software licensing. While tools like this “might” make it easier for unscrupulous individuals to hack things, that shouldn’t be your primary concern. My vote is for you to open source TAAS, but hang on to the decompiler and obfuscator as closed source but commercially available. It’s not “evil” to make money. You’d be providing a service that others appreciate. They show you their appreciation by handing over these little “certificates of appreciation” also known as “money”.
Hey Joa,
This is an interesting ethical dilemma you are considering. It seems as if you want to do what is best for the flash community as a whole, and are unsure as to what course of action to take.
I think that releasing the source, or making an open source obfuscator project would make the tool functionally useless to the flash community as an encryption tool. Having an open source obfuscator project would in essence be an instruction set for how to build a decompiler- almost a self defeating project. The only value I can see to this is that most in-experienced hackers wouldn’t be able to decompile a swf- a practical benefit- but a swf needs only to be decompiled once for it to be decompiled a thousand times.
On the other hand, however, is your desire to contribute your ideas to the community so that we can all benefit from your excellent work.
I can’t say I know what you should do, but I understand your predicament- and I’m glad I am not the one who has to make the decision!
Good luck in your deliberations-
Hi Joa.
Pretty cool project you have going here. I notice you can output as3 code – ever thought about haxe output? I have been working on a c++ backend for haxe, and a haxe output would allow swf -> haxe -> c++ -> iphone, which would be pretty cool. I have though about a swf -> c++ translator, but it looks like you have done the hard yards already.
An open source project would help suck in others to help fill in a few gaps too.
Huge
Huge, I think you have a really good point. A SWF->AS3 module would be a great start for something like SWF->ObjectiveC (iPhone), SWF->haXe, SWF->C++ or SWF->Silverlight.
The problem with a commercial product is that I would have to support it, write documentation and fix bugs. This is and will be just a playground for me in my spare time.
I guess we all know that there are decompilers out there in the wild and that no SWF file will be 100% secure. Even after using an obfuscator.
The option with a way to protect your SWF from being decompiled by a tool I write could be a nice addition. But I think someone will probably remove it and release a version that ignores this check. However I could make that a little bit harder by putting core components into a (closed source) C++ library that someone then would have to crack. Not a bad idea after all now that I think about it :)
i would vote for opening the sources of the obfuscator and the decompiler. i think there is no security issue because clientcode is never secure. and there will be always some kiddies stealing someone elses code. they will not go far by this…
i guess the benefits from open sourcing this would be great. on the other hand if you want to sell these parts, i find that is also completely ok. just earn a bit money out of your enormuos effort you already invested.
thanks a lot for your great work!
You can also put core components on a web service (I did that on an swf obfuscator years ago). That way you can have more than one algo, and add/rotate them as you see fit.
with great power comes great responsibility.
I don’t really have an opinion about a decompiler or obfuscator. My default assumption is that there will always be decompilers of sufficient quality that a determined hacker will always be able to reconstruct my source code from a compiled binary.
That’s not an ideal situation. But basically unavoidable.
What really interests me about this post (and several previous posts where you’ve alluded to the same thing) is that your compiler “behaves like the Flash Player … executing the bytecode in order to parse it which means it has a very highlevel understanding of the structure inside the SWF.”
Can you talk about that in a little more detail?
Are you running an instance of the tamarin virtual machine? Do you have your own micro-interpreter? And how does executing the bytecode help you understand its structure? Do you just mean the JUMP and CALL instructions? Or do you execute every instruction?
My curiosity is based on a little project I’ve been working on in my own spare time. A month or so before your first TAAS post, I wrote an AS3 parser which produces abstract syntax trees and some tools for manipulating those trees based on XPATH-like patterns (useful for implementing loop invariant code motion transformations, etc.)
I haven’t written the compiler back-end yet, because my knowledge of flash player and SWF internals is pretty scant. I’ve read through Adobe’s documentation of the ABC bytecode format, and I have some basic low-level functions for writing instructions to a stream. But it’s a bit of a mess right now :o)
I’ve considered attempting to hook my front-end up to the TAAS back-end, but since I can’t yet generate SWFs, I’d need to transform my ASTs into something TAAS can consume.
Anyhow, that’s why I’m interested in your execute-bytecode-to-facilitate-parsing approach. Would you mind elaborating on that a bit?
And if you’re interested in my little compiler project, feel free to shoot me an email sometime: benji@benjismith.net
Hmm. I was playing with SWF decompelation in SWF itself for some time for various reasons(dynamic run-time compilation on client side, ruse of SWF without having/needing source code like mp3 player that wraps mp3 you can swap without recompiling etc etc) and I was thinking on your dilemma too. I kind of find that number of decompilers/compilers already exist and some are even open-sourced. For gods sake tamarin itself is. So it’s not that you will change much in decompiler availability sense. What you can change probably is that you can open a lot of eyes showing that SWF is not, never was and because of “Open” shift in Adobe towards Flash probably never will be truly protected.
So my vote here is open it up. You will not change much in sense of possibility to crack SWF open as it is generally possible already but those tools will have a lot impact in their legitimate use + if such thing will be open I think it is possible to write obfuscator that changes code in a way where you can’t turn it back in to usable OOP project(information just is not there anymore) which basically already is all you can hope for with SWF.
Too many responses to reply, but apparently it’s a good subject!
I have used decompilers in the past to learn from others. A good example is Buzzword. I had to see how they did it. And with almost every one of those projects, they are too complicated to just steal. The best I could do was write something similar myself which resulted in me abandoning the project after a few days and learning a lot.
So anyone using a decompiler will have to dig through your code and try to understand it. This will help raise the quality overall on the web.
Another (in my mind amusing) thought: once a project is finished and you would be offered to do it again, most of the time your code would look completely different. So let them have the crap I wrote :)
Anyway, keep up the spirit!
“The problem with a commercial product is that I would have to support it, write documentation and fix bugs. This is and will be just a playground for me in my spare time.”
That is the one and only argument that counts, totally agree on that one!
Greetz Erik
Hi Joa,
You are amazing. I hope you can open the source. People should take care of security on the backend period. Good obfuscation would take care of the stealing of code. Or at least make it so difficult that writing it yourself would be faster.
On the other hand. You should be making some money on such fantastic tools. The drawback of selling is of course that you are obliged to give support. It’s al up to you what you want. Anyway a good platform independen obfuscation tool for our complex flex project that runs on a ci build server (Dreaming…) The products we tried just don’t work with complex projects…
Anyway whatever you do, i hope you’ll finish the project and even more importan that you’ll stick to the flash/flex word cause people like you just give the platform a boost.
Arnoud
Hi Joa,
You’re doing amazing work, keep it up. Great talk at FOTB also.
Why can’t you just sell it “as is” without providing support? I don’t see why if you sell it you’re obliged to provide support for it forever. Some documentation would be handy though.
Daniel
My answer didn’t fit in the comments so I made a blog post about it : http://ncannasse.fr/blog/open_source_and_morality
I think if you do open source it, then it needs to have some sort of protection with meta tags as you suggested.
I guess I’m in the minority here being a game developer, but we and all my peers have suffered untold hacks of our games.
These aren’t anything useful like trainers, but people ripping out ads which pay for the games development ( Or even better, replacing the ads with their own ), inserting their own links / branding etc.
There’s so little money in indie game development anyway ( In spite of all the hype suggesting otherwise ) that giving script kiddies a free tool to make it even easier for them to steal our work just isn’t a great idea imho.
( As for the “justification” of decompilers as being a tool to see how something is done, if the author wanted you to know, it would be open sourced. If it’s not, then there’s a good reason for that )
oh my god! every time someone whines about decompilers i can only laugh! as if your oh so clever creations can’t be recreated by any flash coder. and if they really can’t, then people decompiling your code won’t be a threat anyways.
ron, you need to understand that sometimes some developers want to protect code sometimes for reasons that other people can’t think of sometimes. There are some developers that protect their code because they thin they are the best and they don’t even want to share. But most of the times is nothing like that. Don’t be so naive.
I have seen people copying someone else’s code (some one that we all know in Flash world, and that other person and then he tried even make the original look like an idiot).
There are some real nasty people out there. :(
You can’t prevent unscrupulous individuals from stealing work and ideas and code. It would be a real pity to not release a great tool to the general community, especially when people are going to get away with things either way.
If it’s not this decompiler it’ll be another, and if it’s no decompiler it’ll be an outsourced team of developers in a cheaper market who simply rip off your genius idea.
The more developers that realize Flash is simply not a closed format the better off everyone will be for security purposes anyway, since obscurity is simply not an option.
“as if your oh so clever creations can’t be recreated by any flash coder” Ron, must be nice to be in a position where you can replicate anything you see.
It’s good for my own ego to know that no matter what I do that “any” flash coder can do it too.
Here’s a nice high profile example of what goes on:
http://www.thepencilfarm.com/blog/2008/02/snow_day_at_the_beijing_olympi.html
This kind of crap happens all the time to varying degrees. Why make theft even easier ? There’s this lovely dated view that people will just use a decompiler to check how some cool effect works so the person viewing it ( In breach of the t&c of the decompiler, but let’s let that slip ) can learn from it.
In real life, IP is stolen, with people making a profit on that theft.
I can see a vague need for decompilers, if you lose your source and your back-up and need to work on a swf, but what percentage of swf’s are decompiled for that reason ?
There are already decompilers out there and even swf>fla programs so I am told. Some may be a little behind TAAS in functionality for now but give it a few weeks/months and they will catch up. So the bad guys will find a way whatever choice you make.
Personally I would say open the source but it is up to you.
Hi,
Very impressed by your FOTB session.
Really feels like I am still in the sand box…
Great!
I needed that as much as this lump growing on my neck!
As for the opensource matter…
If you don’t make it opensource, someone will catch up anyway and make money with it.
So unless their is really a way you could forbid decompression, and you really fight it making updates and warning people, I would say go for open source.
Up until now, as a flash video-games developper, I know that if someone try enough, he will definitely be able to cheat (and will try to if there is a gain).
I can only do my best and let webmasters deal with the weirdly too good scores (knowing every game has a special score scale and cypher).
Still… people might find a way to cheat.
At least my games are fun.. I think.
So I would be glad that someone would finally find a way to ensure some protection into swf files.
I had an idea a while ago, of trying to protect my variables into my code by settings some random variables which would be infected too, by delaying my mouse or keyboard events with setTimeout and by calling false methods.
It would work well with obfuscation especially if you could put many of those nonsenses, but it is a pain in the ass to do it by hand.
But if a process would do so, and in a smart way so that it doesn’t ruin the performances, it could be of great use.
Also, about obfuscation, if instead of a SWF file, compilers could give a data file that a PHP function could read and send back to users as en SWF with different vars and functions names (and declared in different orders), cheaters would have an hard time cheating twice.
For such features, and some better in combination, I would be glad to pay a license fee.
That would be just right, most people needing it would need it because they make money of it.
I hope I didn’t say any nonsenses.
And forgive my English, I’ve learned from video games ya motha fucka.
I’ve being looking into the usage of some publicly available, legally licensed, open source projects held on sites such as Google code or Sourceforge. However, these projects are written in Flash/Action Script, and I’m a Java developer of some years. Now, I COULD spend several months porting the algorithms held within this code to Java, however, all I really want to do is progress my idea and to benefit from the freely offered code base, ASAP. So, the decompiler tool would help me to port the logic to another language, this can be done using Abstract-Syntax-Tree-based tools.
Yes, the technology can and probably will be abused, but also, there will be many like me who would see such tech as a god send in speeding up their development process (i.e. integrating freely-available foreign code).
It’s a shame that so many people think “they’ll steal it anyway so why bother?” Truth is, by obfuscating your code with an excellent method like what Joa proposes (or other commercial tools) it becomes harder to steal. When it becomes harder to steal, there is less theft. Less theft means less loss of profit that you’ve earned.
Obviously there are still some very smart thieves that will be able to copy your work and make a profit off you, but if we get to the point where stealing is so incredibly hard, there’s such a small chance of your work being stolen that you will have effectively protected your work and therefore your profits.
Only pathetic people steal another’s hard work and brand it as their own and most of them do it very poorly. So if the obfuscation is good enough, those fools will be unable to steal from you. Even if it is still _technically_ possible, they won’t because they don’t know how or don’t have the time to figure it out.
With all that said, it seems that the people who will benefit from the decompiler as an educational tool are much fewer then those who would use it maliciously, mostly because it’s easier to be evil than learn yourself.
I vote to have the decompiler closed-source but open-source the obfuscator.
Problem with a metadata tag in the SWF to prevent decompiling is not that someone may remove that flag from the decompiler (which would be a pain) but that someone would remove the metadata from the SWF (significantly easier). Of course, you could apply a watermarking technique to sprinkle the “protect flag” throughout the code and in a very difficult to remove manner (basically encryption), but it would be easily removable after the first person cracked it.
The fundamental truth about all PC software is that relying on a “secure” client as a means to protect your revenue stream is a losing battle. If the client is valuable by itself then it will be hacked and compromised, regardless of the existence of decompilers or not.
Yes, theft of IP will occur. But the revenue “lost” is ultimately only revenue you wouldn’t have actually earned in the first place. Pirates weren’t ever going to pay for your product. Sites that’ll host hacked versions of your game and won’t respond to takedown notices aren’t sites you should depend on for ad-revenue.
Hi Joa, great work as always! ;)
If TAAS optimizes already compiled SWFs really as good as it seems to, maybe it’s possible to release a version which just does that and nothing else? Simply a one way solution?
I’m looking forward to see what happens to my projects when optimized with your tool. I would definitly pay for a licence if it won’t be open source!
We all can’t wait to play around with it!
Greetings from Berlin!