Flex / Air obfuscation [closed] - apache-flex

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 9 years ago.
I've written (most of) an application in Flex and I am concerned with protecting the source code. I fired up a demo of Trillix swf decompiler and opened up the swf file that was installed to my Program Files directory. I saw that all of the ActionScript packages I wrote were there. I'm not too concerned with the packages, even though there is a substantial amount of code, because it still seems pretty unusable without the mxml files. I think they are converted to ActionScript, or at least I hope. However, I would still like to explore obfuscation.
Does anyone have any experience with Flash / Actionscript 3 / Flex obfuscators? Can you recommend a good product?

The procedure suggested by maclema will not really stop any attacker from obtaining the source - the "wrapper application" will need to be unencrypted so the attacker will be able to find out that you use AES (or any other algorithm) and he will obtain the decryption key in a similar way (because it needs to be in plaintext somewhere). Once he has this, he will be able to decrypt your SWF file easily.
The only reliable solution (well...) is some kind of obfuscator - we use Amayeta which works for Flex in the latest version - please see http://www.amayeta.com/software/swfencrypt/ .

Here's what I would do.
Compile your application to a SWF file. Then encrypt the SWF using AES.
Make a "wrapper" application that loads the encrypted SWF into a ByteArray using URLLoader.
Use the as3crypto library to decrypt the SWF at runtime.
Once decrypted, use Loader.loadBytes to load the decrypted swf into the wrapper application.
This will make it a lot harder to get your code. Not impossible, but harder.
For AIR applications you could leave the SWF encrypted when delivering the application to the end-user. Then you could provide a registration key that contains the key used to decrypt the SWF.
Also, here is a link to an AS3 obfuscator. I am not sure how well it works though.
http://www.ambiera.com/irrfuscator/index.html
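A minimal wrapper following the steps in the answer above, as an added example that is not part of the original answer or of as3crypto's own documentation. It assumes the build step wrote a hypothetical `app.swf.enc` as a 16-byte IV followed by AES-128-CBC ciphertext with PKCS#5 padding; the key constant is a constructed placeholder, and because it sits in the wrapper in the clear it shows the limitation raised in the other answer.

```actionscript
package {
    import flash.display.Loader;
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.net.URLLoader;
    import flash.net.URLLoaderDataFormat;
    import flash.net.URLRequest;
    import flash.system.LoaderContext;
    import flash.utils.ByteArray;
    import com.hurlant.crypto.Crypto;
    import com.hurlant.crypto.symmetric.ICipher;
    import com.hurlant.crypto.symmetric.IPad;
    import com.hurlant.crypto.symmetric.IVMode;
    import com.hurlant.crypto.symmetric.PKCS5;
    import com.hurlant.util.Hex;

    public class Wrapper extends Sprite {
        // Constructed placeholder key (AES-128). It is stored in this SWF in
        // the clear, so anyone who decompiles the wrapper can read it.
        private static const KEY_HEX:String = "000102030405060708090a0b0c0d0e0f";

        public function Wrapper() {
            // Fetch the encrypted SWF as raw bytes.
            var urlLoader:URLLoader = new URLLoader();
            urlLoader.dataFormat = URLLoaderDataFormat.BINARY;
            urlLoader.addEventListener(Event.COMPLETE, onEncryptedLoaded);
            urlLoader.load(new URLRequest("app.swf.enc")); // hypothetical name
        }

        private function onEncryptedLoaded(e:Event):void {
            var blob:ByteArray = URLLoader(e.target).data as ByteArray;
            // Assumed layout: 16-byte IV, then AES-CBC ciphertext.
            var iv:ByteArray = new ByteArray();
            blob.readBytes(iv, 0, 16);
            var swf:ByteArray = new ByteArray();
            blob.readBytes(swf);
            // Decrypt in place with as3crypto; PKCS5 padding is removed.
            var pad:IPad = new PKCS5();
            var cipher:ICipher = Crypto.getCipher("aes-cbc", Hex.toArray(KEY_HEX), pad);
            pad.setBlockSize(cipher.getBlockSize());
            (cipher as IVMode).IV = iv;
            cipher.decrypt(swf);
            swf.position = 0;

            // Hand the plaintext SWF to the player. In the AIR application
            // sandbox, loaded bytes may run code only with this flag set.
            var ctx:LoaderContext = new LoaderContext();
            ctx.allowCodeImport = true;
            var loader:Loader = new Loader();
            addChild(loader);
            loader.loadBytes(swf, ctx);
        }
    }
}
```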

Well, in my opinion, the easiest and safest solution is a mix of maclema's and Borek's answers:
Obfuscating code can be a big headache if you did not include it in your process from the start and if your application is quite big: it's likely that obfuscation makes your application corrupted if you used remote packages (and did not declare this to the obfuscator), or if you used too many untyped variables in Objects or dynamic classes...
So: if you do maclema's solution on your big application and use obfuscation on your wrapper (which is a small app likely to be very easy to obfuscate), your code will be the safest and the hassle the least.
Only a very angry pirate would take the time to reverse engineer the obfuscation to then decrypt the package... Well, if someone wants your application code so bad, it's either CIA related or you're already very rich (or both).
thank you all for your answers

I recently released an iOS and Android game using Flash. I looked around the internet for a good free program to protect the source code in my SWF and couldn't find anything so I wrote one. It's still in development and it's "use at your own risk" but it worked for me.
It's released on github. Check it out and let me know what you think.
https://github.com/Teesquared/flasturbate
I uploaded a windows binary but I recommend you follow the instructions to build it yourself if you want to give it a try.
This obfuscator works directly on the SWF file. It currently only renames symbols but it is built on a framework that could support altering bytecodes in the future.

Related

Unity3D build code encryption

I'd like to know whether it's possible to encrypt the compiled code in a Unity3D build in a way that de-compiling dlls won't give access to the legible source code to a potential hacker.
Cosmore pointed out in this post that it's possible to
'encrypt the assembly dlls and modify the mono loader (libmono.so)'
My question is, has anybody done this? If so, how? And can it be done on Windows, Mac and Linux builds?
If this is not possible, is there another way?
But the hacker should be able to run the build (i.e. play the game)?
Then in principle it's not possible. While you can encrypt the code, you have to also provide the key, so people can play it (decrypt).
So you are just adding one more layer of obfuscation for the hacker. A seasoned hacker will simply disassemble the dll loader and put a breakpoint at a place where the content is decrypted already, and dump that for further tinkering.
That said, not every hacker is a seasoned hacker, and a few layers of (unexpected) obfuscation may turn them away. So practically some encryption/obfuscation is done by some people, even if in principle it's hopeless.

static linking Qt with open source version [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 7 years ago.
I'm developing an application with the Qt open source edition. As I don't want to deliver the Microsoft Visual C(++) redistributables, I'd like to use a static-linked version of Qt.
The Qt licensing information says that I "should" develop with a commercial Qt license if I want to use static linking in my application, although when I use the configure -static command for building a static Qt library the command prompt asks me if I use the commercial or open source version of Qt.
So is it possible to build Qt with the open source version? Do I need the commercial edition to use static linking? I won't sell the application.
EDIT April 2016
Actually, I have recently been reading in depth about LGPL, and asking some experts on the subject. Turns out that the inability to use static linking for Qt in closed source applications is more of a cultivated legend and has nothing to do with reality.
What LGPL requires is the possibility for the end user to relink the application against a different version of the library. Using dynamic linking is one way to achieve that, but you can just as easily provide your object files, this way you don't have to open your source and the LGPL requirement is still satisfied.
On the Qt website there are 2 legal FAQs and in neither of them is it directly stated that you can't do it. Just as it is not stated that you can. However, there are at least several instances of implying a vague legal threat in case that you do. I think there is a good explanation for all of those - they can't say that you can't do it without publishing a practical lie which may as well have negative legal repercussions for them, and they are willing to discourage doing that rather than encourage it, as it has the potential to force more people into purchasing a commercial license.
So in short, yes you can, and you most definitely should as lately Qt has become a living deployment hell, plus as of Qt 5.7 in a static build, QML files are tucked neatly in the executable rather than being out on the file system, for anyone to tamper with. Just make sure that:
your Qt build only contains modules, licensed under LGPL, and nothing GPL
the about section of your app mentions that it is using Qt and contains a link to where you can download the application's object files
include all the respective license files with your application
Lastly, your application actually has to be "relinkable", that is, it must be able to work with a compatible library version that provides the necessary functionality. Which means that if you have made modifications to Qt before building it, you must provide those in the form of source code as well, but only the modifications to Qt, not your application's source code.
Update:
Here is an excerpt directly from the GNU FAQ:
For the purpose of complying with the LGPL (any extant version: v2,
v2.1 or v3):
(1) If you statically link against an LGPL'd library, you must also provide your application in an object (not necessarily source)
format, so that a user has the opportunity to modify the library and
relink the application.
That states it pretty clearly.
The old, original answer:
It is possible to build Qt statically as long as your application is open-source and you provide the source. If you want to keep your source closed, you either need an expensive commercial license, or you need to use dynamic linking.
BTW using a static build of Qt is pretty nice, for Qt5 I get about 7-8 MB executable with no external dependencies, which is much better than the 20+ MB of additional dll's you have to ship with a dynamically linked app.
For more information, you can take a look at this video: Making the correct license choice when developing with Qt
All in all, can it be done? 100% yes. Should it be done? It depends, for personal/testing/learning purposes it is 100% OK, however if you plan to distribute production grade software, be that commercially or not, open source or not, you'd better first consult with a lawyer. The whole subject is unnecessarily complicated, subject to interpretation, so that the consultation with a lawyer becomes more expensive than a pricey commercial license.
The answer is Yes, if you are willing to open source your application.
According to the Qt-Project's own interpretation of the licenses they use, if you dynamically link to the Qt libraries your application can be either closed source or open. If you statically link, however, your application is subject to the terms of the LGPL.
The exact language the Qt Project uses is this:
In case of dynamic linking, it is possible, but not mandatory, to keep
application source code proprietary as long as it is “work that uses
the library” - typically achieved via dynamic linking of the library.
In case of static linking of the library, the application itself may
no longer be “work that uses the library” and thus become subject to
LGPL. It is recommended to either link dynamically, or provide the
application source code to the user under LGPL.
(http://qt-project.org/legal.html)
The suggestion in some of the other answers that the situation is "not at all clear" is simply untrue - The Qt Project has tried to be abundantly clear about in what circumstances usage of the LGPL license is permissible, and static linking is one of those as long as the app is also LGPL.
Since the original question specifies non-commercial (not necessarily open source), the asker will need to decide whether they can allow distribution under the LGPL (or GPL by extension, as the above page also says "LGPL can be converted to GNU General Public License").

Converting JavaFX 1.x scripts to JavaFX 2 Java code

Is there any tool to convert existing JavaFX 1.x applications to JavaFX 2.x Java code?
No such tool currently exists publicly and it is unlikely that one will be created.
Oracle did create a prototype tool which was used in internal Oracle development, but they decided not to continue development on it.
Quotes from the JavaFX project lead Richard Bair (from the forum threads linked below):
Richard: I'm sorry to say we have no tool to help with the migration. Our
experience from migrating the JavaFX Library and samples is that there
wasn't really an easy solution -- even the migration assistant that
was written was very incomplete. Some folks found it very useful, but
I just did it by hand.
PDVieira: Any chance you could send me the FxTranslator helper you've
created?
Richard: Wish I could, but unfortunately we cannot send it along
(actually, I don't even have the code on hand, didn't write it (Eamonn
did) and it would need to get legal approve to open source it, and it
probably doesn't even compile or work anymore because the platform has
change significantly since last December).
You can refer to these forum threads which discuss this further:
https://forums.oracle.com/forums/thread.jspa?messageID=9967190
https://forums.oracle.com/forums/thread.jspa?messageID=10064115

What coding tools do you use for improving effectiveness of programming in FLEX? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 8 years ago.
What coding tools do you use for improving effectiveness of programming in FLEX?
I found Tr.ace() AS3 Debugging Utility, which helps me a lot with working in a team of programmers.
frameworks like RobotLegs and others.
Signals.
What are the others?
Chris
I guess it depends how you define tools. These are some things used by me, or others I've spoken to:
ServiceCapture: This is a great program to see the packets being sent to and from the browser / Flash Player and a remote server. Charles is another common tool for this purpose; and Flash Builder now has a network monitor built in to perform the same task. ServiceCapture will also show the trace statements that your app puts out.
Step Through Debugger: The Step Through Debugger is a fantastic tool for stepping through code to figure out what happens. It's built nicely into Flash Builder; but there is a command line tool too. I assume that other Flex IDEs support this functionality.
Flash Builder: You can write code in a text editor and compile it via command line tools; but an IDE helps tremendously. Flash Builder is Adobe's IDE; and the one I use primarily, but others exist such as IntelliJ or FDT.
ANT: ANT is a build tool that allows you to do a bunch of tasks automatically; such as compiling and automatically uploading to a server. Maven and CruiseControl are two alternate options I've heard about. I think both are much more advanced than ANT.
Subversion: Subversion is a version control system that allows you to track changes with your code. It is strongly recommended for any project; but has extra special benefits when it comes to projects with multiple people working on them. Other options are Git, and CVS.
I would like to add something to the "www.Flextras.com" answer.
Profiling the application
Profiling an application can help you in understanding the following:
Call Frequency
Method Duration
Call Stacks
Number of Instances and their sizes at any given point of time
Garbage collection and Loitering Objects
For more info, refer to the link
http://livedocs.adobe.com/flex/3/html/help.html?content=profiler_1.html
since the profiling and network monitor available to premium Flash builders.
~~~~~~~Happy Coding~~~~~~~~~
There is also
Flexformatter: This is a great plugin for Flash Builder that helps you clean up Actionscript/MXML code.
http://sourceforge.net/apps/mediawiki/flexformatter/index.php?title=Main_Page

How have you ever interacted with a Nabaztag? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 5 years ago.
The Nabaztag I ordered has arrived. I know there is an API to interact with the critter from your own software. Have also seen links to libraries in Perl and .NET among others, and have started work myself on a simple .NET Compact Framework 3.5 library for interacting with the bunny from my mobile phone.
I have seen at least one application claiming to interact with the Wifi bunny: the TFS Build Notification application by Rob Aquila. (Not related to this question, but this does look like a nice app to have running on a central monitor in a large TFS Team...)
I'm just curious about other people's experiences with the Nabaztag:
Have you ever used the Nabaztag API to interact with wireless rabbits?
What did you do? Is it freely available to try it out on my bunny?
How did you like working with the API? Did you just use the HTTP API yourself or did you use a library? And if so, which library did you use?
Even if you did nothing with the API yourself, what applications and/or websites do you know of that can interact with a Nabaztag?
Any other tips?
This is a bit of a shameless plug for my employer, but someone wrote a quick and dirty Perl script to make a bunny read out log events from ZXTM (Zeus Extensible Traffic Manager).
The Perl script (and further up that page, how to plug it into ZXTM)
Video of the bunny
VMware image of ZXTM suitable for use on a desktop to try this out
I extended the start on a python api wrapper that others had made, and have a few apps (ugly control panel, personal weather and traffic reader, Google calendar events of the day). They are all available for download at www.mcgurrin.com/nabaztag.
I created a CruiseControl.net plugin with it. Had some issues with the default API because it is not that well documented, so needed a lot of experimenting. Furthermore it is not that easy to develop to the default API.
So I made a .NET API (C#) which abstracts the violet API away and gives you more help while developing, especially while creating choreographies (pain in butt they are, Yoda would say).
Currently both are not available to the general public but I am in the process of releasing.
Things that can be neat to implement on your bunny, I don't know, local traffic information (nice to have), new releases for music you like, interfacing with your phone? (send command from phone to bunny)
Hey peSHIr, congrats for getting a rabbit. Now as violet got bought by Mindscape, it's sure it'll continue living...
I would like to develop funny stuff for the rabbit as well, but it seems like a big fuss and it's hard to get started - I checked out several APIs and proxies to get a grip on it - found many projects but either useless or outdated. Although it's written in PHP, the OpenNab Project seems to be one of the few active ones around. Maybe worth checking out?
http://opennab.sourceforge.net/
I hope Mindscape will provide a better API, or even better, open source the rabbit!
