From: Gordon Smith
To: "users@flex.apache.org"
Subject: RE: Air apps easily decompiled and hacked
Date: Wed, 19 Feb 2014 20:33:24 +0000

Are you sure the others that aren't obscured are locals? I'd bet they're instance variables.

- Gordon

-----Original Message-----
From: Sean Thayne [mailto:sean@skyseek.com]
Sent: Wednesday, February 19, 2014 12:24 PM
To: users@flex.apache.org
Subject: Re: Air apps easily decompiled and hacked

Ya, you're right Alex, I re-checked, and there are no comments.

It does keep trace() calls though.

I also noticed that it does obscure some local vars into _loc_# vars, but it doesn't obscure others, which I think is kinda weird.

-Sean Thayne

On Wed, Feb 19, 2014 at 11:47 AM, Alex Harui wrote:

> Comments are easily viewable? I don't think so. It also depends on
> whether you have the original source files or not. For Google
> Closure, if you have a source map, you can get back to the source as well.
>
> Try dumping out an export release version of one of your SWFs. Sure
> you can get back from the byte code to the basic algorithm, but I
> don't think it is that much easier than deciphering a minified js or
> even looking at intel byte code in an EXE file.
>
> -Alex
> ________________________________________
> From: Sean Thayne
> Sent: Wednesday, February 19, 2014 8:21 AM
> To: users@flex.apache.org
> Subject: Re: Air apps easily decompiled and hacked
>
> I'm actually more concerned about the plain readability of the AS3,
> even comments are easily viewable. Whereas a JS site that has been
> compiled with Google Closures is minimized and heavily obscured. I feel
> like it would be very easy to steal someone's hard work.
>
> -Sean Thayne
>
>
> On Wed, Feb 19, 2014 at 9:18 AM, Gary Yang wrote:
>
> > Client side can not be trusted, server api should always be the
> > security gate!
> >
> > After all there are certain applications that can encrypt Flash
> > applications, Javascript application is just plain text!!!
> >
> >
> > On Wed, Feb 19, 2014 at 11:08 AM, Sean Thayne wrote:
> >
> > > Anybody else concerned about decompilers like SoThink?
> > >
> > > http://www.ericzhang.me/cracking-adobe-air-applications/
> > >
> > > -Sean Thayne