It's this way because of the dynamic nature of ActionScript. If an object obj has an instance variable foo, the language allows that variable to be accessed by name lookup. For example, obj["foo"] or obj["f" + "o" + "o"] or obj[propName] , where propName has the value "foo", are all ways of accessing o.foo by name at runtime. If the name was not stored in the SWF, the variable could not be accessed by name lookup at runtime.
- Gordon -----Original Message----- From: Sean Thayne [mailto:[email protected]] Sent: Wednesday, February 19, 2014 12:41 PM To: [email protected] Subject: Re: Air apps easily decompiled and hacked It looks like every var declared inside a function is obscured/renamed. But all class vars(regardless of protected, public, private) are not obscured. They keep their original naming. Which would make sense if your compiling a swc, but not if your compiling a final application (I would think). Maybe it was created this way for RSLs? -Sean Thayne On Wed, Feb 19, 2014 at 1:33 PM, Gordon Smith <[email protected]> wrote: > Are you sure the others that aren't obscured are locals? I'd bet > they're instance variables. > > - Gordon > > -----Original Message----- > From: Sean Thayne [mailto:[email protected]] > Sent: Wednesday, February 19, 2014 12:24 PM > To: [email protected] > Subject: Re: Air apps easily decompiled and hacked > > Ya, you right Alex, I re-checked, and there are not comments. It does > keep > trace() calls though. > > I also noticed that it does obscure some local vars into _loc_# vars, > and but it doesn't obscure others, which I think is kinda weird. > > -Sean Thayne > > > On Wed, Feb 19, 2014 at 11:47 AM, Alex Harui <[email protected]> wrote: > > > Comments are easily viewable? I don't think so. It also depends on > > whether you have the original source files or not. For Google > > Closure, if you have a source map, you can get back to the source as > well. > > > > Try dumping out an export release version of one of your SWFs. Sure > > you can get back from the byte code to the basic algorithm, but I > > don't think it is that much easier than deciphering a minified js or > > even looking at intel byte code in an EXE file. > > > > -Alex > > ________________________________________ > > From: Sean Thayne <[email protected]> > > Sent: Wednesday, February 19, 2014 8:21 AM > > To: [email protected] > > Subject: Re: Air apps easily decompiled and hacked > > > > I'm actually more concerned about the plain readability of the AS3, > > even comments are easily viewable. Where as a JS site that has been > > compile with Google Closures is minimized and heavily obscured. I > > feel like it would be very easy to steal someones hard work. > > > > -Sean Thayne > > > > > > On Wed, Feb 19, 2014 at 9:18 AM, Gary Yang <[email protected]> > wrote: > > > > > Client side can not be trusted, server api should always be the > > > security gate! > > > > > > After all there are certain applications that can encrypt Flash > > > applications, Javascript application is just plain text!!! > > > > > > > > > On Wed, Feb 19, 2014 at 11:08 AM, Sean Thayne <[email protected]> > wrote: > > > > > > > Anybody else concerned about decompilers like SoThink? > > > > > > > > http://www.ericzhang.me/cracking-adobe-air-applications/ > > > > > > > > -Sean Thayne > > > > > > > > > >
