May 19, 2004
Actionscript Protection

In the eternal battle of good vs. evil - aka coders against decompilers - a new weapon is being forged to strengthen the lines of the brave programmers: The free web-based tool as-protect by Ilya Shlyakhovoy and Ivan Dembicki claims to use a different technique from currently available obfuscators. And indeed, first tests show that the latest version of Burak's ASV has real difficulties with the encrypted code. Let's see how long this will hold true, as Burak is known for his swift updates...

At the moment as-protect feels rather like a medieval strongbow than a laser sword, as you need some preparation in order to protect your code: Ironically enough, you will need ASV in order to extract the bytecode sequences from your original swf file (sounds like beating an enemy with his own weapons...). You paste this code into their web-based form and get new bytecode in return. You then have to paste this code sequence back into your fla file and republish it.

I'd say this procedure could be improved upon, but let's see what these guys will come up with.

Posted at May 19, 2004 12:39 PM
Comments

Buraks is already able to alter ASV to deprotect a code.
But. ASV is not a hacker product.
There is no war between protection programs and script viewers.
The only war that can exist is that with hacker products.

Posted by: Ivan Dembicki on May 19, 2004 01:23 PM

and the race is on! Decompilers, start your engines!

Posted by: Dominick Accattato on May 19, 2004 02:07 PM

Tested it and tried to use ASV and FLasm to decompile, but I was not able to.

Great job!

Posted by: Huberto Kusters on May 19, 2004 02:53 PM

We have decided not to even 'try' to add support to ASV for as-protect, until, if ever, some other tool or decompiler has an option to bypass the protection, in which case we'll all see how swiftly we can update ASV :)

Note that we will continue providing support to our customers with their own SWF files, obfuscated/protected or not, promptly, on a case-by-case basis.

Probably there'll be a free tool soon to get the bytecodes easily from a SWF so that you won't need ASV for the process.

Best regards,

Posted by: Burak KALAYCI on May 19, 2004 04:22 PM

Security through obscurity is no security at all. It's only a matter of time...

For reference, here's the thread on FlashCoders: http://chattyfig.figleaf.com/cgi-bin/ezmlm-cgi?1:sss:112473:200405:jnaldpdojcboajbgfeee#b

Posted by: darron on May 19, 2004 05:39 PM

Darron, anything has to begin somehow. Was flash 3 the same as 2004 mx? Every tool has a development timeline, these AS Viewers do bother me a little in some projects I have, so I guess this might be the start of something good for all.

Posted by: Mário Diogo on May 19, 2004 07:12 PM

Thank you! Your recognition is of great importance for me!

Posted by: Ilya Shlyakhovoy on May 20, 2004 08:14 AM

2 Burak:
I think if You will add an option to bypass the protection You will leave in the court.
Now many people protect their code on our site.
Each of those who has already protected script or will protect his script in the future can bring an action the claim.
Protecting the code, developers receive an opportunity protect the rights in court.
Only we know who protected a code and only we can give an initial code to the owner and only to the owner.
Developers are NOT defenceless.
Also will not allow itself to f@k more.

Posted by: Iv on May 20, 2004 11:26 AM

ATT:
Now on site only demo. Real protection engine, issued later, will have more sophisticated protection techniques.

Posted by: iv on May 20, 2004 02:18 PM

Dear Ivan:

I have not a bit of worry about legal claims, because I know that what we do (and will do) is legal and furthermore my conscience is clear.

Our statement has two implications:
(1) To our customers: They know that if a protection is bypassed, ASV will do it too, so their investment in our software is OK.

(2) To our competitors: If you bypass the protection, you won't have an edge against ASV. (This actually also stops them trying to bypass as-protect).

We never implemented an obfuscator ourselves, though I believe we can do one of the best, because we don't find it ethical to have both protection and de-protection.

I sincerely respect your efforts to have some way to protect the AS code. But, for example, if you start offering a service to unprotect the protected files, I won't find it ethical too (that's just my point of view).

I'd suggest making the protection so secure that even you won't be able to reverse it. Then we (or anyone else) also won't be able to do so even if we try. If it's reversible, then it means people are depending on you for their security. I don't have a problem with that, but in principle I don't think it should be like this.

Best regards,

Posted by: Burak KALAYCI on May 20, 2004 02:43 PM

I just noticed that if you are quick enough you can get a 25% discount on ASV. Until May 23 they celebrate their 4 year anniversary, so now is the best time to buy ASV: http://www.asvguy.com/2004/05/4_years_of_asv.html

Posted by: Mario Klingemann on May 21, 2004 12:04 AM

man, even java has decompilers, and i don't see people complaining about that.

It's cool to have these kinds of tools, and they are very helpful.

I was developing a java library to output swf, and used a free swf decompiler (flasm flesm i don't remember) to help me see how good i was writing the code.

Also, I'm just starting to learn ming (for php), and I'm guessing that decompiling a swf would be helpful, so you can then assemble them using php or any other scripting language for more complex projects (example: a chart system: you create the visuals in flash, decompile the complex stuff, and then use that info to compile it again with ming to create a useful chart with real data).

So, there are legitimate uses for this kind of software. Also, I don't think you can really say that unprotecting an swf would be illegal. Macromedia made swf an open format, so therefore, there's not much you can do about keeping it secure.

Ask Macromedia to develop a way to publish your movies as sswf (secure swf) and then we'll see what they say.

Posted by: argonauta on May 21, 2004 03:53 AM

Dear Burak,
[quote]
[…] I won't find it ethical too (that's just my point of view).[…]
[/quote]

Of course. It’s not ethical. We aren’t planning to start offering a service to unprotect the protected files. We will save sent bytecode in database and give access to customers to his sent bytecode.

[quote]
I'd suggest making the protection so secure that even you won't be able to reverse it. Then we (or anyone else) also won't be able to do so even if we try. If it's reversible, then it means people are depending on you for their security. I don't have a problem with that, but in principle I don't think it should be like this.
[/quote]

Cool! Why don’t You make Your ASV unhackable?
You know, 100% irreversible is empty string only %).
Any protection is not absolute.
Any protection needs technical and law support.

Posted by: iv on May 21, 2004 01:31 PM

Dear Ivan:

I see your point now.

And as a service, it seems very promising. Maybe we can have a service like that too!

"Any protection is not absolute."

Again correct. But some are easier to crack than others...

We first had the idea for an AS decompiler, because I, as someone who had free SWF related utilities, received many emails asking for help to recover actionscripts from lost FLA files. [Actually, one of the free utilities had an unintended feature to delete "protect from import" tag, because it had a general delete tag option, and that received similar response, at the time there was no need for an AS decompiler because latest version of a SWF was 3.]

Any protection is crackable.

If you make a commercial product for crackers, cracked software users (or people who never pay for software), you won't make any money and you'll fail. ASV was cracked many times, and we don't have a current demo because it gets cracked the day it's released.

We never intended ASV as a cracker product that will let you steal others work. And I think the point that I was able to quit my part-time consultant jobs after ASV's release, and we are here after 4 years, proves that indeed ASV is not that kind of a product. But yes, of course, legal users of ASV do peek some other code sometimes, that's human nature, but they don't steal (that's a generalization I believe is true)...

Us and other decompiler vendors are just one half of the story. The protection you offer must be very hard to crack, because there are these cracker people around, and they are the other half, the really dangerous half, people who do steal others work...

So my point is, it's not ASV that is there against any protection (as you also know), it's not other honest decompiler vendors against this, it's the unknown cracker people who will try to bypass this protection, and they are the ones who actually steal (rather than peek some code time to time out of curiosity).

And I'd say that any protection should count on "technical support" more than "law support" to be really successful.

Best regards,

Posted by: Burak KALAYCI on May 21, 2004 05:15 PM

Dear Burak,
[quote from http://buraks.com/asv/]
If a free or commercial tool becomes available to bypass an unsupported obfuscation, we will add support for it to ASV in a very short time though.
[/quote]

- does this mean if anybody will start distribute hacked ASV all another peoples can start make it too???

Posted by: iv on May 21, 2004 09:26 PM

PS:
[quote]
And I'd say that any protection should count on "technical support" more than "law support" to be really successful.
[/quote]
- for example: if tomorrow I will start distribute hacked ASV, what You will do?
You will polish up protection your ASV? NO! You will start legal procedures.

Of course, demo on http://as-protect.com now is not real protection. But it's demo only.

Posted by: iv on May 21, 2004 09:38 PM

> - does this mean if anybody will start distribute hacked ASV all another peoples can start make it too???

No. I don't think this example applies at all.

ASV is legal. Cracking / hacking into software or SWF files and distributing them, when you don't have the right to do so, is illegal.

I hate to repeat this but it's like the gun issue. It's not the gun that is illegal, killing someone illegally is illegal; a gun may save you and your family used in a self defense situation.

ASV has many legal (and ethical) uses. Yes, you can use it to do something illegal, but that won't be ASV's fault. Heck, you can use a mouse to kill someone.

Let's say we make a gun and you make an armor. What we say is that if that armor is already penetrate-able, we'll also make our guns penetrate that armor. And what we say makes other gun makers reluctant about improving their guns because they won't have an edge doing so...

(If a protection is bypassed by some commercial decompiler vendor, available for purchase, and when one of our customers asks what to do to get his code back which he protected with that protection, should I say 'Go purchase this other decompiler'?)

How will people get their code back if you go out of business next year, or something happens to your database?

> - for example: if tomorrow I will start distribute hacked ASV, what You will do?
> You will polish up protection your ASV? NO! You will start legal procedures.

Actually I'll try to do both :)

But, in my case, to tell the truth, I wasn't able to track down and actually identify the crackers to start legal procedures. It's the internet world we are living in... What will you do if some application pops up from nowhere, a free application, that bypasses your protection? Who will you sue? Can we find virus authors, if they don't make a stupid mistake, at all, even though viruses cause much more damage?

If you go commercial, who will your customers think has sold them not-so-good protection in such a case? They might even sue you. And whatever the outcome of these legal matters come to be, the damage will be done.

Again, my main point: we are on the same side. It's the crackers that are on the other, evil, side.

It's extremely important to make your protection as secure as possible technically, because while you can sue me or my company (and in which case the outcome is not known, I think you won't win such a case - my opinion only), you won't be able to even identify people to sue from the other side.

Best regards,

Posted by: Burak KALAYCI on May 22, 2004 12:23 AM

Interesting conversation here :)

Ivan, I don't think you're right. You try to convince decompiler makers they are not allowed to break your protection by law? Are you a lawyer? I'm not, but I do see a lot of unanswered questions.

For example: I remember Macromedia states somewhere your tool has to produce valid SWF files. Does it? Valid SWF is not what current Flash Player can execute; valid SWF is what conforms to SWF specification. No false lengths etc.

Another question: OK, you think it's illegal to break your protection intentionally. Maybe. Maybe not. I don't know. But what if Burak (or another vendor) just improves his software so that it recovers from those problems, shows executed code and hides crap code? The task could be generalised, this vendor may not even know your protection exists. After all, Flash Player does just that.

Then, assume somebody buys your (hypothetical) product. If a breaking tool appears in two months, what do your customers do? Update their swf again? Or stay protected by law, not by technology? It's not enough.

After all, thinking in law terms, why does somebody need a protection at all? Stealing code is illegal. If you catch somebody doing this, it doesn't matter if your SWF was protected or not.

And so on. There is a reason cryptography doesn't rely on law, but on algorithms. These algorithms are published, so that anybody can try to break them. They are considered secure only as long as nobody is technically able to do that.

Don't misunderstand me - I'm not interested in breaking protections as such. But I know how easy it is to update, say, Flasm, in order to support wrong lengths. 30 minutes. Since wrong lengths seldom appear in normal SWFs, it's maybe my 10th priority. But Flasm is under BSD license. Anybody can do it.

Why don't you just write a better protection? It's possible. Just a matter of time and knowledge. You know, you'll never be able to hide a password, but AS code can be made incomprehensible and unrecoverable. Burak knows that, I know that, probably anybody who tried to write a decompiler knows that. I wanted to write such a program, but have never found enough time (or motivation) to do it. Personally, I just don't feel there are enough serious applications to be stolen :) You may not agree, that's completely subjective. Anyway, you're obviously motivated, so please do that. Just don't sell obscurity accompanied by unproven law statements as security. You may well fool some people, using the simple fact that ASV (or Sothink, or Flare) can't open such SWF right now. But serious developers (writing these critical applications) need more - published algorithms, for example.

Regards

Posted by: Igor Kogan on May 22, 2004 02:31 AM

[q]
ASV is legal.
[/q]
Now it is legal. But i see You are ready to come over to another side:

[quote from http://buraks.com/asv/ ]
If a free or commercial tool becomes available to bypass an unsupported obfuscation, we will add support for it to ASV in a very short time though.
[/quote]

These words are saying to me: "Now I'm legal. But if my competitors will go illegal, I will go illegal too."

Now You can debate about it as a weapon in one's hands
BUT
If You will start to bypass a protection this will be another point.
ASV will become a hackers product. Without beating around the bush.

Why don't you just add in to Your policy something like this:
"ASV is a legal product within all the respect to all the flash developers and their copyrights. Our company is not planning to bypass any kind of bytecode protection."
??

I'm a flash developer. And I want to read these words from your site.
This is what I need and I'm not alone.
I'm not the owner nor a developer of an as-protect.com.
Now I am asking you as an SFM owner and customer of as-protect.
Do you respect my copyrights? Straight away and in the nearest future I wanna be sure of your intentions. Otherwise, how is it possible to invest in my own projects without any warrant of hacking my code by some ASV owner?

Posted by: iv on May 22, 2004 02:57 AM

Actually, I can’t pick up a line in that thread.
Why you are so alarmed about decompiling issue?
I have a couple of projects that makes ASV useless cause of back-end functionality.
It’s faster to start from the scratch :). Some people are selling JS scripts- JS is totally open-source.

Posted by: INK• on May 22, 2004 03:12 AM

Dear Ivan,

I don't know, maybe it's the language barrier or cultural differences...

Yes, we respect your copyrights and any other copyright. But I don't think what you are asking is fair or grounded.

We have already changed our policy of bypassing obfuscations. And we've only done that for ethical reasons, not because ASV will become illegal and/or someone might sue us.

***

All major versions of ASV were cracked and were available at some cracker site at one time. One was even localized to Chinese. The demo version of ASV 3.01 was cracked so beautifully, we were in awe (and I don't use this word frequently), we decided we cannot beat the cracker and currently don't have a newer demo version. After someone created a key generator for ASV 4.01, we had to update our protection. (As an unrelated note, I'm proud that we kept the number of cracks at a minimum. But we weren't able to identify the actual cracker in any of the cases, even when we identified which copy we sent was cracked).

When we first found a cracked copy on the net years ago, we were terrified. Was this the end of our business? It turned out a definite no.

I visit those warez crackz sites sometimes in order to find out if they have ASV there. Let me assure you, if an application is any good and is not free, you'll find it cracked or as a warez download. So how do these other software vendors make money at all when every product they have is available to someone with ill intentions?

My conclusion is this: There are people who respect copyrights and pay money for software and there are people who don't. People who don't pay for any software know that they can get the cracked software free. And as I observed, what they are interested in is getting the software as soon as it's released, they have no worry about if they'll be able to get the software...

So, I want to state that I firmly believe that any legal 'owner' of ASV will respect copyrights. I don't know how you can warrant anything but I know that our customers, who paid for the software, will not be hacking / stealing any code.

(Certainly there are also the illegal users. But I don't think that matters, as you'll read below. My point here is that our customers are not potential thieves, they are honest people who respect copyrights).

(Another unrelated note, you might ask why we try not to have our software cracked if it's inevitable and it doesn't affect the sales. The reason is again an ethical one, because we think if we don't do this, it will not be fair to our customers who paid for the software. In fact, it would probably be better for our business, if we had a time limited, full featured demo, which would get cracked in a few hours).

***

When people purchase software, they look at the features even if they won't be using all of them. ASV is a tool to help you get back your lost FLA file, even if you have the 'protect from import' tag in it, even if you have obfuscated it (that's not exactly correct any more. But we will provide support in that case where ASV won't help automatically). It's an emergency tool, though it has some other features that make it useful for daily usage.

If someone has bypassed your protection, and that will happen only after you are successful, will it matter if ASV also does the same?

I don't think it will matter in your case, not for you, not for your users. Bad people will get the software even before we update ASV, and crack all the protected SWF files and steal all the code.

As a business we sell software with a purpose and we support our customers, even with corrupted SWF files.

So, in our case, we need to support our software and customers. Simply, if the product that bypasses a protection is a commercial one, I cannot tell our customers to go and purchase that product, if a need arises.

I also believe, the fact that we will bypass any protection that is already bypassed, stops other people and vendors from doing that (of course not all of them).

***

Igor has many good points.

I don't have to know about your protection, I can try to imitate what Flash Player does, and I don't see any problem with that. Anyone can do it that way.

As I've written to you in our private conversations earlier, I think a protection can modify the script in such a way that there's no higher level actionscript representation possible, and this can be made quite irreversible (that is: not practical to reverse), and that would eliminate most of the illegal use, if not all. Most of those ill intended people won't be interested in raw bytecode disassembly and won't bother trying to understand it.

***

Assume we said we'll never bypass your protection. Or better, assume, we stopped developing ASV and went out of business.

Or better yet, assume all commercial and non-commercial decompiler vendors discontinued their products.

Do you really think that will mean *anything* regarding the safety of your protection?

If the protection is not technically strong, it will be soon cracked by some weird named cracker just for the fame of it.

I'm sorry I cannot go out of business just to prove that this is correct. But take my word for it. Flash is big, Flash is everywhere. If legal decompilers were banned, an illegal one would emerge in a very short time.

***

I think we have done our best to show our good intentions with the change in our policy. And I've done my best to explain this.

Best regards,
Burak, Manitu Group

ps Mario, I think this page will get many hits after all cracks, warez mentions here. Maybe I should've posted all these to *my* blog... :)

Posted by: Burak KALAYCI on May 22, 2004 07:57 AM

Dear Burak,
I agree that protection should be on a high technical level.
And we have such protection that will be available soon.
But I disagree with you regarding the legality of viewers which bypass protection.
Why?
***It's not the gun that is illegal, killing someone illegally is illegal; a gun may save you and your family used in a self defense situation.*** (c) Burak KALAYCI.
Look at it from another side.
A keygen for ASV or an ASV cracker in good hands is an excellent example for learning purposes. And it can only be used for ASV cracking when in the wrong hands.
But I do not think that you agree with such a viewpoint.
Then for what reason do you refuse in this point of view all flash developers?
The script is protected. What should a script owner do to let everyone know that his script should not be shown?!
When does a viewer become a cracker?
If it's ASV - never? If it's an ASV cracker - always? Why? What is the difference?

Posted by: iv on May 25, 2004 05:16 PM

Dear Ivan:

Let me make my views clear. I'll be repeating myself at some places, sorry for that in advance.

Software is licensed, by the author (an individual or a company), who owns the rights. The software license agreement gives the user some rights. If you don't have the rights to use a software, using it is illegal.

There are many decompilers and disassemblers for many languages and systems. There are even system level debuggers which show the disassembly of system level code.

Using them, if you have the license to do so, is legal.

The license agreement for ASV states that decompiling, reverse engineering ASV by any means is not permitted.

So if you use your legal disassembler for disassembling ASV, doing this is illegal.

(ASV is also used as a debugging tool by many).

Purchasing a single license for ASV and giving it away to your friends is illegal, because that's against the license agreement.

Hex editors are legal tools and I'm sure any programmer uses one regularly. But using it to modify and crack ASV is illegal, because again this is against the license agreement.

After that, distributing ASV on the net for free, is illegal, because it's against the licence. For this distribution the cracker may use an FTP application. And FTP applications are legal.

My point is: If I 'own' a software and I license it with certain terms, and you agree to it by purchasing it; if you don't follow the license it's illegal. Also, using a software you don't have the license to use is illegal in the first place.

We, Manitu Group, authored ASV and hold every right to it. If we said 'you may crack ASV', then even cracking ASV would be legal. So even 'cracking' is not illegal by itself. [There are cracking contests with awards] (BTW, if anyone will pay us 1.000.000USD, we'll gladly sell the cracking rights of ASV. We can even negotiate on that price).

A keygen for ASV... might be illegal in the US because of the millennium act (DMCA), I'm not a lawyer. But if you don't use it to actually crack ASV, then I personally see no problem even there.

In broader sense, let's assume someone cracked ASV, or stole a legit copy from someone. And now he's using it and also giving it away.

This is illegal. We both agree there, I believe.

He's certainly using a computer for that. Are computers illegal? He's using an OS on that computer. Is that OS illegal? Is the FTP app he's using illegal?

No. He's using tools with legit purposes to his illegal purpose. ASV is a tool with many legit purposes.

***

A SWF file with AS is also a software, like ASV. And, no, there's no difference that applies in that respect.

There are disassemblers/decompilers/debuggers you can use to disassemble ASV. There are resource extractors, if you want to get the resources out. You can use a hex viewer to see the code for ASV.

The same is true for SWF files.

***

> When does a viewer become a cracker?

When you use a tool for your illegal purposes, what you do is illegal. That doesn't make the tool illegal. As for ASV, I don't think it will ever become a 'cracker'.

>What should a script owner do to let everyone know that his script should not be shown?!

Nothing. Every software is copyrighted at the moment it's created. Having a copyright notice will help.

The above is for normal people who respect intellectual rights. What about crackers?

That doesn't matter. Even if they know they don't have the right, they do the cracking. That's why you do the protection.

***

Actually what any decompiler does is to provide convenience. Windows API is documented, Pentium instructions are documented, SWF actions and SWF format are also documented. Anyone can look at a SWF file, or ASV executable, in a hex editor and thus see and interpret the code. But using a decompiler makes this more convenient.

If the only use for a decompiler or a hex editor was to do something illegal, then some *might* consider doing something about them (as with the millennium act). But that is not the case.

If the decompiler is illegal, then the compiler used to build the decompiler is illegal too. Where can you draw the line?

***

There was an old Win32 application I authored; after about 6 years I didn't have the source code anywhere near. I had to modify it and in the end I had to crack my own program for that! (This actually happened, I can provide details if anybody finds this interesting).

The same happens with SWF files too.

So 'cracking', 'hacking' your own SWF, or a SWF you have the rights for it, is not illegal.

But, you might say, what about a protection like at as-protect?

I can think of many cases. Like what if you go out of business? What if some big corporation purchases your company, but later decides to discontinue the service [happened many times to many businesses]? What if you lose your database somehow? In fact, if you lose your database, you may try to 'have a way' to return the original code to your customers on the fly... What if you start having the protection free but charge 10.000 USD to give the code back? That might happen after a few years, and if your license agreement allows it, you can get away with it. Not that I think this will happen.

If the protection is technically strong, the best anyone could do will be displaying the p-code (bytecode instructions). Not much useful even to the original author...

If you 'own' a SWF (what I mean is if you own all the rights to a SWF), or you have the necessary license for a SWF, you can legally decompile it, modify it, protect it, compress it, delete it, copy it, paste it or eat it :) etc. Again my point is: You can do anything with it, if you have the rights.

[Even with millennium act (Digital Millennium Copyright Act) reverse engineering for interoperability is allowed.]

***

> A keygen for ASV or an ASV cracker in good hands is an excellent example for learning purposes.

No. Not true for ASV, not true for any software including any SWF file. I never bought the 'learning purposes' argument. It's only an excuse to use software illegally.

You can use (or decompile) ASV when you don't have any right to do so.

And/or you can use ASV to illegally steal AS code.

These are both *illegal* but *different*.

***

We have some protection in ASV against crackers. The purpose of it is to make cracking harder.

One has the right to have any protection in his own software. Because the 'crackers' exist, because there are people who don't respect the copyrights.

When ASV is cracked, we update our protection code. We also try to identify the cracker and take legal action. But this is hard, we weren't able to identify any cracker to this day (with concrete evidence).

There are also commercial protections for Win32 executables. Some are hard to crack some are easy. But all are crackable. We use our custom made protection, others use commercial protections.

There are also some 'shell' protections, that you can use after you have the EXE file. They work like old file viruses. They are very easy to use for a developer. But unfortunately, they can also be easily 'cleaned' like a file virus. One 'cleaner' for that protection will work for all files protected with it.

I don't think there's anything different here, all applies to SWF files as well.

***

So in summary,

I don't see any difference in cracking ASV or cracking a SWF file. I don't see any difference in using ASV or using a SWF file without first obtaining the right to do so.

I have explicitly stated that we will not 'even try' to bypass your protection, until, if ever, someone else does it first, at which time your protection will not have any 'protection' value.

I don't see how you can expect us to promise we'll never bypass your protection. Do you think we should do nothing, if another decompiler bypasses your protection and starts running ads about this? Should we sit and wait for you to take legal action and stop them? In the meanwhile, your protected SWF files will have no protection and we'll lose our market share. Every country has its own laws, you may lose in the court. And you might say 'this is all wrong but I did my best, OK, now let me go back to normal work', and we will be out of business! Sorry, I won't take that risk.

Again, I think we have done our best to show our good intentions with the change in our policy.

Best regards,

Posted by: Burak KALAYCI on May 26, 2004 05:37 AM

Dear Burak,

> [...] Sorry, I won't take that risk.
In this case you are ready for another risk:
- legal action can be successful.
What will you do in this situation?
Can you take back sold copies of ASV with protection bypassing?
Do you think your excuses will be enough for developers?

I ask you again: The script is protected. What should a script owner do to let script-viewers developers know that his script should not be shown?

I don't ask you who has the right to look at code.
I ask you who has the right to show code.

In my mind the solution is simple:
Now if anybody makes a code protection (using any program such as Flasm or a hex editor), he knows that he has a risk:
if he loses the FLA file, he can't receive the source code using script viewers.
Developers understand it.
But developers can get the code back using the same programs. If he can protect code, he can deprotect it too.
Regarding as-protect type services:
these programs must save the source code in a database and give developers access to this code.
(Now you can see how it works on as-protect.com.)
In any case it isn't a script viewer's responsibility and it isn't a script viewer's right.
There is a risk of loss of the data in the database.
But it isn't the reason for transfer of the rights and the responsibility to script viewers.
This risk is small and developers know about it.
The database isn't the only place for the source code.

I don't like the changes to your policy.
Your policy allows, in future, infringement of the rights of as-protect users.
Your policy can push you to create an anonymous product as a motivation for including protection bypassing in ASV.
It can't be a question of trust.

A little bit about law:
I have 6 years' experience in copyright protection. I was an owner of a big legal company specialised in copyrights.
(150 employees, 36 branches in Russia, 300-350 successful cases per year, not one lost in 6 years.)
There is an international copyright law and all developed countries have joined the copyright conventions.
Law in every country has differences, but international conventions are above national law.

Now ASV is a key for swf.
I hope in future it will not be a picklock for swf.

Posted by: iv on May 26, 2004 04:10 PM

PS:
Why do developers make changes in a swf?
To protect their code against script viewers.
To protect their copyrights.
No other targets.

Posted by: iv on May 26, 2004 04:19 PM

Dear Ivan:

I was really sorry to read your post.

I don't think you'll understand, but I still hope so and I'll try one last time.

[quote]I don't like the changes to your policy.
Your policy allows, in future, infringement of the rights of as-protect users.
Your policy can push you to create an anonymous product as a motivation for including protection bypassing in ASV.
It can't be a question of trust.[/quote]

This is extremely offending. I feel insulted. What's your reasoning here? You say, I will make an anonymous product, in order to be able to bypass your protection with ASV. But why? If we wanted to do this, we would not have changed our policy. (The old policy was to bypass any protection).

Why do you think we have changed our policy? Because we were afraid of legal action? Absolutely NOT. Because we believe that there should be ways to protect code from bad people.

We are having a debate here, OK. But let me tell you this: You won't find the bad guys here talking to you (or me). If ASV were the only decompiler available, maybe talking about this between us would have made some sense (but even then not much).

Many people regard us at Manitu Group as very good to great programmers (and that's OK with me). But, as I've stated before, we were in awe of the way the ASV demo was cracked; we at once decided we cannot beat the cracker. I think what you fail to understand is that I'm not a bad guy, the bad people are there, no one can find them and they do the damage.

Let's assume I'm a bad guy. Why would we have a policy like that if we were afraid of legal action? I can simply say ASV won't bypass any obfuscation/protection (and make ASV so) and still have that anonymous app that bypasses your protection. Anonymous means free so as widely as your protection is used, bad people will be able to find that app. I won't have the risk of a legal action, and that app would make your protection worthless so adding support for it to ASV would not mean much anyway... I don't think our new policy would make any sense at all, if we were the bad guys.

***

>In any case it isn't a script viewer's responsibility and it isn't a script viewer's right.

I don't agree. If you 'own' some software, you have the right to do anything with it, you can protect it or deprotect it. For this, you can use services or other software.

We don't tell people who purchase ASV that they now have the right to see any code. What we sell is mainly a license for a software they should use legally. Software, in itself, does not have any rights (so to speak). It's people who have rights or not.

So you may say that I don't have the right to make a software that will bypass your protection. I don't agree [see below].

>Why do developers make changes in a swf?
>To protect their code against script viewers.
>To protect their copyrights.
>No other targets.

You can't decide that. This maybe true for you, but you can't assume it's true for everyone. I gave you an example where I had to crack my own software (well, I call it a crack, but it was not protected in the first place. I just had to make a small change. Still I modified the executable without the source).

You seem to respect copyrights, but not respect people's right to choose what to do freely. Where's the competition for you? You say if someone uses your services to protect code, he must also use your services to get it back. That's normally OK, I agree. But also that someone may choose to get his code back using another service (if such a service is available of course). People can simply choose this and you say it will be illegal. Getting my own code back is illegal??? Again, if you 'own' the code or the necessary rights, you can do whatever you like with it.

'If a decompiler is illegal, then the compiler used to build that decompiler is also illegal.' That doesn't make sense. And it's exactly what you're saying all along.

So as I believe that what we do and will do is legal and ethical, I have no fear of legal action.

You don't trust me, but I'll continue to be as sincere as I can.

If you take legal action against us, it will be bad for us. It will be a hassle, we'll have to spend lots of time and money (both of which we don't have too much to spare for something like that).

Sincerely, you can also win (though I don't think so). If you get a better lawyer or maybe bribe the judge etc. it may be so that we lose.

But we won't act based on fear of such an outcome. I'll fight for what I believe is true and I may die while fighting. As Shakespeare said, cowards die many times. I'll prefer to die only once.

[Some clarification:

Yes, there are international copyright laws. I count on them too. But the justice does not work evenly everywhere. One judge says you're right, the other says you're wrong, in the same country under the same law. In some countries judges may take bribes, in others judges may value their friendship with some individual more than a just result. In some places mafia may influence judges. In Turkey, for example, the justice system is overloaded and slow, a simple case takes 3-5 years (In case of copyrights and patents, we have specialized courts here in Turkey, their workflow is somewhat faster, but still can be considered slow).

I'm sure you know more about this than I do.

But I believe, in the end, we need to trust in the justice system. Otherwise this will lead to chaos.
]

***

You don't trust me, but expect everyone to trust you with your protection, the way their unprotected code is stored, the way it's sent to your server and with their unprotected code in your hands in the first place. When you are successful, hackers may target your site, to get all the unprotected code, so you'll need to get more safe as you get successful. People may try to bribe you or your employees to get a competitor's code.

I think you also have many other things to do, a long way to go until you really have a secure service, with very strong SWF protection, secure connection and probably you'll encrypt unprotected scripts so that you or any one of your employees cannot have unauthorized access to them.

When I mentioned that an app might pop from nowhere, I was sincere. I didn't think of doing something like this, it didn't occur to me. I still think this is the danger you are facing (let me make it clear, not from me), if you don't make the protection technically strong. (You say it will be strong, then I see no problem). I'm trying to help you here (at least that's what I think, of course, you may have no need for it), and you are in doubt of my intentions, well, what can I say...

***

>There is a risk of loss of the data in the database.
>But it isn't the reason for transfer of the rights and the responsibility to script viewers.
>This risk is small and developers know about it.

There's no rights transfer, as I've tried to explain. People have the rights, not the software. Software is just a tool in that respect.

What makes you say that the risk is small? What are the criteria? How do you assume that developers know the risk? What is a small risk you consider? Is 1% over 5 years small or big? Will you make any more info available to your customers before they use your services? For example, will you say: We have 1.000.000USD in a bank here in Russia at this bank, so our company will not go bankrupt any time soon. We make multiple backup copies of the software and store them offsite in an earthquake safe place, so even in case of fire, we'll be able to get the database up in 24 hours. Our offices are insured for this sum by this company. The access to data is secure because... etc.

If you do so, people can decide if the risk is small or not, themselves, provided that they trust in you for the info in the first place.

***

>I don't ask you who has the right to look at code.
>I ask you who has the right to show code.

Anyone, any tool. You fail to realize that even a hex editor can show the code (as hex). The question is not complete in that sense.

I have the right to make an application to show me my own code. I have the right to provide services with that app, for example I can license it to other people who have the right to see their code, or, I may provide a web based service. (The same is true for protection).

If that service or application is used for an illegal purpose, only after that there's something wrong.

Let's say an employee for a company, who is authoring Flash under pay so that the FLA files belong to the company, one day left the company and deleted all the FLA files. And it turned out that the SWF files on the web were protected (additionally you may assume the company didn't realize they didn't have even the SWF files as they thought, because of the protection). Now, what that person has done is illegal and he used your services to do that! Has your protection become illegal?

What if that company takes legal action against you for its loss? (assume they had to change that SWF quickly and because they weren't able to find out that it was your protection that is used, they wasted lots of time and hence lots of money). [Their case will be that your protection is illegal - if the way you're thinking what is illegal is right, and in that case, they'll be right and win the case]

What will you do for cases like this? You'll make people sign an agreement before they use your services. You'll say that it's allowed to protect only SWF files you have the right to protect. You'll say that you'll not be liable if someone breaks the protection.

In fact, that's quite similar to what we do.

***

What I've written is probably not what you'd like to hear. I'm writing this all in good-will. If any part of it makes you offended, let me assure you that it's not intended.

Best regards,

Posted by: Burak KALAYCI on May 26, 2004 08:35 PM

Dear Burak,

Thank you for your replies.
Now we understand each other's positions much better.
We have different positions but I hope we can respect each other's viewpoint.
Thank you.

Posted by: iv on May 28, 2004 11:39 AM

Dear Ivan:

My last post was written in a hurry and while I was feeling insulted. So while I still think the ideas are not wrong, they are not presented as they should have been. Sorry for that.

[quote]It can't be a question of trust.[/quote]

You are correct here. It shouldn't be a question of trust for me, for you or for anybody.

While I felt insulted then, now a few days after, I think and believe that you didn't mean it.

And I realized that having a debate here actually means we trust and respect each other, to a healthy extent.

Yes, I think I understand your point of view better now.

I hope the best for you and your business.

Best regards,
Burak

Posted by: Burak KALAYCI on May 28, 2004 01:21 PM

Hi Everybody: I've been reading some of the comments here and although I'm not a business guy or a very experienced Flash programmer, in some point I understand you. I just only want to say that I love Flash, and every day I try to improve my knowledge of this program. Especially the ActionScript part. And I have to admit that I sometimes use Sothink to see how things were done. That helped me to learn A LOT and helps me to improve my own coding knowledge. I also know that there are some guys out there that only try to crack, copy and steal using those kinds of decompilers. To me, it is just another tool to learn more about it....

Bye and good luck.....
Federico

Posted by: Federico on June 22, 2004 07:42 PM

Hi, I do appreciate both opinions, although I'm still thinking:
Once a developer decides to obfuscate/protect the source code, then it surely means something (he does not want the code to be seen by others). The codes must be important and he/she should have a backup.

So ASV is supposed to un-obfuscate that code no matter what.

Well this is just my opinion btw. I do respect ASV when you lose your source file. But I still think if it is obfuscated, then it means something (important data and should not be able to be read by other people)

Posted by: Michael on June 23, 2004 06:54 AM

Sorry, typo:
So ASV is NOT supposed to un-obfuscate that code no matter what.

Posted by: Michael on June 23, 2004 07:03 AM

Burak, the people like you are the "absolute evil" in my eyes. I am a seasoned Flash developer, who has already written many lines of code with new and outstanding flash technology pieces, and I really hate it to know, that all of that can be stolen easily, although if I use all the existing protection tools. You should be really ashamed of your kind of business. It's a pity, that this is tolerated by law, and you can not be sued by now. For example, I know some of my competitors to have stolen some of the most valuable parts of my sources of one very big and innovative Flash project, using for sure either your or Sothink decompiler. You can not argument with the fact "we only provide a technology for unprotection", you are providing in fact a technology for STEALING intellectual property, nothing else. The cases about "rescuing some lost sources" are really ridiculous, and you know that as good as I know.

So I hope you will be some day sued and get jailed for those "nice tools" you provide for the software thieves.

Posted by: X on July 18, 2004 05:34 PM

X,

Learn to code client/server applications in Flash MX 2004 and obfuscate your code. Your work won't be stolen anymore.

Posted by: iS on July 29, 2004 07:46 PM

as-protect.com still available now??

Posted by: xenz on September 7, 2004 09:44 PM

I’m sad to see that as-protect.com no longer exists. Anyone know what happened to the site?

Is there any other alternative?

Posted by: rasmus on September 8, 2004 07:59 AM

It's impossible to get a truly obfuscated code right now, I assume because of the fact, that AS has no reflection API possibilities (some kind of such API as in Java e.g.).

Server-sided code is NOT a kind of protection, but an application design issue. You will need in ANY case some client-side code, and IF this code is of any value, it can be stolen there with minor efforts.

Posted by: X on September 17, 2004 12:25 PM

I am a C programmer.
I can crash Asv and all swf decompilers.
My code is not __bytecode__.
My code is real.
My code easily kills Asv and all.
Only I need the full Asv4.0 so I can test code on the full Asv4.0.
I live in Iran.
I cannot buy Asv4.0 because I have no credit card.
Help me?

Posted by: Mehdi Ahmadi on October 14, 2004 01:57 AM

Hi everyone,
I would like to suggest a better option for protecting our swf from decompilers: just compile it with "Sothink Swf quicker". It is very similar to Flash but it provides us the ease of adding new effects, and once compiled, when it is opened in any decompiling software it results in an error message and leads to the closing of the decompiler. So why can't we use this method!

Krash

Posted by: Krash on April 13, 2005 02:25 PM

Decompilers have their good and bad sides so I'm neutral on the whole issue.

Personally I don't mind if someone decompiled my SWF files because it's not illegal and doesn't affect me in any way. However, if someone decompiled one of my SWF files and then used any of the ActionScript or library symbols from the SWF then that would be illegal. I always copyright my work.

The SWF format is open source, the content contained within the SWF is the property of the person who created it. Just because SWF is open source doesn't mean that the contents are.

Posted by: Nutrox on July 19, 2005 08:54 AM

ActionScript Obfuscators:
http://www.kindisoft.com/
http://www.genable.com/

Posted by: swf_coder on September 9, 2005 06:06 AM

© Copyright Mario Klingemann
