That does make a lot of sense. On Feb 19, 2014 2:01 PM, "Gordon Smith" <[email protected]> wrote:
> It's this way because of the dynamic nature of ActionScript. If an object > obj has an instance variable foo, the language allows that variable to be > accessed by name lookup. For example, obj["foo"] or obj["f" + "o" + "o"] or > obj[propName] , where propName has the value "foo", are all ways of > accessing o.foo by name at runtime. If the name was not stored in the SWF, > the variable could not be accessed by name lookup at runtime. > > - Gordon > > > -----Original Message----- > From: Sean Thayne [mailto:[email protected]] > Sent: Wednesday, February 19, 2014 12:41 PM > To: [email protected] > Subject: Re: Air apps easily decompiled and hacked > > It looks like every var declared inside a function is obscured/renamed. > But all class vars(regardless of protected, public, private) are not > obscured. > They keep their original naming. Which would make sense if your compiling > a swc, but not if your compiling a final application (I would think). Maybe > it was created this way for RSLs? > > -Sean Thayne > > > On Wed, Feb 19, 2014 at 1:33 PM, Gordon Smith <[email protected]> wrote: > > > Are you sure the others that aren't obscured are locals? I'd bet > > they're instance variables. > > > > - Gordon > > > > -----Original Message----- > > From: Sean Thayne [mailto:[email protected]] > > Sent: Wednesday, February 19, 2014 12:24 PM > > To: [email protected] > > Subject: Re: Air apps easily decompiled and hacked > > > > Ya, you right Alex, I re-checked, and there are not comments. It does > > keep > > trace() calls though. > > > > I also noticed that it does obscure some local vars into _loc_# vars, > > and but it doesn't obscure others, which I think is kinda weird. > > > > -Sean Thayne > > > > > > On Wed, Feb 19, 2014 at 11:47 AM, Alex Harui <[email protected]> wrote: > > > > > Comments are easily viewable? I don't think so. It also depends on > > > whether you have the original source files or not. For Google > > > Closure, if you have a source map, you can get back to the source as > > well. > > > > > > Try dumping out an export release version of one of your SWFs. Sure > > > you can get back from the byte code to the basic algorithm, but I > > > don't think it is that much easier than deciphering a minified js or > > > even looking at intel byte code in an EXE file. > > > > > > -Alex > > > ________________________________________ > > > From: Sean Thayne <[email protected]> > > > Sent: Wednesday, February 19, 2014 8:21 AM > > > To: [email protected] > > > Subject: Re: Air apps easily decompiled and hacked > > > > > > I'm actually more concerned about the plain readability of the AS3, > > > even comments are easily viewable. Where as a JS site that has been > > > compile with Google Closures is minimized and heavily obscured. I > > > feel like it would be very easy to steal someones hard work. > > > > > > -Sean Thayne > > > > > > > > > On Wed, Feb 19, 2014 at 9:18 AM, Gary Yang <[email protected]> > > wrote: > > > > > > > Client side can not be trusted, server api should always be the > > > > security gate! > > > > > > > > After all there are certain applications that can encrypt Flash > > > > applications, Javascript application is just plain text!!! > > > > > > > > > > > > On Wed, Feb 19, 2014 at 11:08 AM, Sean Thayne <[email protected]> > > wrote: > > > > > > > > > Anybody else concerned about decompilers like SoThink? > > > > > > > > > > http://www.ericzhang.me/cracking-adobe-air-applications/ > > > > > > > > > > -Sean Thayne > > > > > > > > > > > > > > >
