flex-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sean Thayne <s...@skyseek.com>
Subject RE: Air apps easily decompiled and hacked
Date Wed, 19 Feb 2014 21:02:14 GMT
That does make a lot of sense.
On Feb 19, 2014 2:01 PM, "Gordon Smith" <gosmith@adobe.com> wrote:

> It's this way because of the dynamic nature of ActionScript. If an object
> obj has an instance variable foo, the language allows that variable to be
> accessed by name lookup. For example, obj["foo"] or obj["f" + "o" + "o"] or
> obj[propName] , where propName has the value "foo", are all ways of
> accessing o.foo by name at runtime. If the name was not stored in the SWF,
> the variable could not be accessed by name lookup at runtime.
>
> - Gordon
>
>
> -----Original Message-----
> From: Sean Thayne [mailto:sean@skyseek.com]
> Sent: Wednesday, February 19, 2014 12:41 PM
> To: users@flex.apache.org
> Subject: Re: Air apps easily decompiled and hacked
>
> It looks like every var declared inside a function is obscured/renamed.
> But all class vars(regardless of protected, public, private) are not
> obscured.
> They keep their original naming. Which would make sense if your compiling
> a swc, but not if your compiling a final application (I would think). Maybe
> it was created this way for RSLs?
>
> -Sean Thayne
>
>
> On Wed, Feb 19, 2014 at 1:33 PM, Gordon Smith <gosmith@adobe.com> wrote:
>
> > Are you sure the others that aren't obscured are locals? I'd bet
> > they're instance variables.
> >
> > - Gordon
> >
> > -----Original Message-----
> > From: Sean Thayne [mailto:sean@skyseek.com]
> > Sent: Wednesday, February 19, 2014 12:24 PM
> > To: users@flex.apache.org
> > Subject: Re: Air apps easily decompiled and hacked
> >
> > Ya, you right Alex, I re-checked, and there are not comments. It does
> > keep
> > trace() calls though.
> >
> > I also noticed that it does obscure some local vars into _loc_# vars,
> > and but it doesn't obscure others, which I think is kinda weird.
> >
> > -Sean Thayne
> >
> >
> > On Wed, Feb 19, 2014 at 11:47 AM, Alex Harui <aharui@adobe.com> wrote:
> >
> > > Comments are easily viewable?  I don't think so.  It also depends on
> > > whether you have the original source files or not.  For Google
> > > Closure, if you have a source map, you can get back to the source as
> > well.
> > >
> > > Try dumping out an export release version of one of your SWFs.  Sure
> > > you can get back from the byte code to the basic algorithm, but I
> > > don't think it is that much easier than deciphering a minified js or
> > > even looking at intel byte code in an EXE file.
> > >
> > > -Alex
> > > ________________________________________
> > > From: Sean Thayne <sean@skyseek.com>
> > > Sent: Wednesday, February 19, 2014 8:21 AM
> > > To: users@flex.apache.org
> > > Subject: Re: Air apps easily decompiled and hacked
> > >
> > > I'm actually more concerned about the plain readability of the AS3,
> > > even comments are easily viewable. Where as a JS site that has been
> > > compile with Google Closures is minimized and heavily obscured. I
> > > feel like it would be very easy to steal someones hard work.
> > >
> > > -Sean Thayne
> > >
> > >
> > > On Wed, Feb 19, 2014 at 9:18 AM, Gary Yang <flashflexpro@gmail.com>
> > wrote:
> > >
> > > > Client side can not be trusted, server api should always be the
> > > > security gate!
> > > >
> > > > After all there are certain applications that can encrypt Flash
> > > > applications, Javascript application is just plain text!!!
> > > >
> > > >
> > > > On Wed, Feb 19, 2014 at 11:08 AM, Sean Thayne <sean@skyseek.com>
> > wrote:
> > > >
> > > > > Anybody else concerned about decompilers like SoThink?
> > > > >
> > > > > http://www.ericzhang.me/cracking-adobe-air-applications/
> > > > >
> > > > > -Sean Thayne
> > > > >
> > > >
> > >
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message