PDA

View Full Version : Flash Decompilation Challenge


mattkenefick
07-11-2007, 06:11 AM
Okay. Before you go tearing this thing apart trying to find the answer, there are some rules to this.

The only rules are:


Don't hack my server trying to get it. That doesn't count. :(
Don't use a network analyzer to monitor packets sent.


The real version can and probably will use SSL to provide an even more secure transfer , but for now, just try what you can to get the goal. Decompilers, downloading files, tracing things, whatever programs / ideas you have that are within reason without brutally attacking or trying to hack my server , etc.. you know? Keep the illegal / damaging to my server stuff out.

The goal is.. you should see a file load up with 3 shapes and a congratulations message. In that SWF file is a comment. Find out what the comment is, post it here, and you win.

Here is the link to the file. Good luck!!


http://www.seesaw2.net/matt/swftest/


:rolleyes:

astgtciv
07-11-2007, 06:42 AM
Hm, I didn't know the comments got compiled into SWFs... now that might explain why that swf I was hoping to be around 5Kb came out to 105Kb :) No more comments from now on! ;)

mattkenefick
07-11-2007, 07:04 AM
Hm, I didn't know the comments got compiled into SWFs... now that might explain why that swf I was hoping to be around 5Kb came out to 105Kb :) No more comments from now on! ;)

Okay I guess maybe it doesn't. They are variables now. I just decompiled it to see, and they show up. So you shouldn't have a problem finding the variables.

atomic
07-11-2007, 07:05 AM
// Action script...

// [Action in Frame 1]

Can you provide your own cracked copy of the Sothink 3.6 decompiler you had up on your server a few days ago, so that I can have a go at this?

If all fails and I don't win... Well, at least I'll have a decompiler I can use for research!

mattkenefick
07-11-2007, 07:08 AM
We don't talk about, distribute, or discuss cracked software. Read CyanBlue's comment in the last post about that.

One decompiler is just as good as another. Nothing is encrypted so SoThink 1.0 should do the trick just as good as anything else.

astgtciv
07-11-2007, 07:56 AM
How come you didn't have the php just return the flash data? I think it would make it harder for the attacker. I tried and stopped short of having to spoof HTTP_REFERER, at which point I looked at a network analyzer.

mattkenefick
07-11-2007, 08:07 AM
How come you didn't have the php just return the flash data? I think it would make it harder for the attacker. I tried and stopped short of having to spoof HTTP_REFERER, at which point I looked at a network analyzer.

So you're saying you got the message in the flash file? Msg it to me.

PS, read the 2nd rule in bold that says Don't use a network analyzer.

And i'm not sure what you're talking about with the "Why didnt I just have it return flash data?"
Another thing: There is no HTTP_REFERER involved in this. If you're comparing this to the post in the AS2 forum, they are two different things. This went through a lot of changes since then and HTTP_REFERER was dropped.

astgtciv
07-11-2007, 08:19 AM
Yes, I did see the 2nd rule, which is why I didn't go on to decompile the "RealURL" swf and get the message, since that would be against the "rules of this challenge"; the admission of using the network analyzer was equivalent to admission of defeat. :) I still reported my actions in the interest of collecting data on what an attacker would do.

I assumed that HTTP_REFERER was involved since what I tried before going to network analyzer was to fetch the page's html (with the session key) without loading the swf which would use that key (the assumption being that this was a one-time key) used by the php. However, that key did not work when I tried to use it from the fla in Studio, which led me to the assumption that the php checks HTTP_REFERER as well as the key. If this assumption is incorrect, I can imagine that some other check (such as a timeout, which wouldn't be great) is being made in the php.

And i'm not sure what you're talking about with the "Why didnt I just have it return flash data?"

I meant the php simply returning the flash data instead of returning the RealURL or whatever it was called. That is, the test.swf loading the real swf directly from the php.

mattkenefick
07-11-2007, 08:33 AM
There's not much that can be done about the network besides SSL or securing it from server side. ( Didn't feel like setting up all the security or whatnot just for this test so I just assumed setup the rule that you can't do it aka: SSL )

There's no REFERER and no Timeout, etc..

If by "loading the real SWF directly from PHP" you mean switching out to the new SWF file using Javascript or something, that's useless because you can view real-time generated source code which would display the link. Not only that, a SWF catcher would be able to grab it.

This method is incapable of being caught by a SWF catcher, of being read through HTML at runtime or real-time, of being received by test.swf through a different server, and being monitored (other than a network analyzer).

PM me the link you found to the real file

mooska
07-11-2007, 09:01 AM
a the comment return key to win this contest is <– b ab-102FIND_ME
Is that it ?

Flash Gordon
07-11-2007, 09:14 AM
Big problem with your way. I don't allow cookies. You script is contingent upon that. I originally though you did some cool stuff with faking 404's....but know...you don't don't alert the user :(

Kind of a weird challenge. why would you challenge someone in a "real life scenario" and then tie their hands? The more "appropriate" way to get the url would have been to POST the cookie via a php script and then just read the output plain and simple....but that is too much work.....network analyzer and cache it is :p

mooska
07-11-2007, 09:23 AM
How come you didn't have the php just return the flash data? I think it would make it harder for the attacker. I tried and stopped short of having to spoof HTTP_REFERER, at which point I looked at a network analyzer.

Only difference, would be that loaded swf would have php extension ;)
Anyway - swf is loaded and cached, and you wont do anything with that, after that, you dont even need any decompiler ...

astgtciv
07-11-2007, 09:37 AM
Only difference, would be that loaded swf would have php extension

I think that shouldn't matter if the php sets the mime type correctly ("application/x-shockwave-flash"). I am not saying this solution would be fullproof then, just that it would be slightly better :)

mooska
07-11-2007, 09:45 AM
I think that shouldn't matter if the php sets the mime type correctly ("application/x-shockwave-flash")
Exactly, for the attacker it doeasnt matter, its still swf.

Besides, this way of doing it is way to easy.
I would try with Sockets|FMS - no caching, and dynamic swf building on the server side.

asf8
07-11-2007, 11:41 AM
:eek:

I am not sure what "security" is currently in place but it took .000001 seconds to see this

http://seesaw.net/mara/tests/cd105236/realMovie.swf

and to then have access to the SWF with "NOTHING" but a common 'standard web browser'. So in essence is there any security being achieved here or rather just a fancy way of putting the SWF into the browser cache (via PHP) to be available to anyone as normal ?

Am I missing something ? :confused:

:o

mattkenefick
07-11-2007, 11:56 AM
Did everyone besides the network analysts pull it from cache?

mattkenefick
07-11-2007, 11:58 AM
Big problem with your way. I don't allow cookies. You script is contingent upon that. I originally though you did some cool stuff with faking 404's....but know...you don't don't alert the user :(

Kind of a weird challenge. why would you challenge someone in a "real life scenario" and then tie their hands? The more "appropriate" way to get the url would have been to POST the cookie via a php script and then just read the output plain and simple....but that is too much work.....network analyzer and cache it is :p

There are no cookies.

astgtciv
07-11-2007, 12:29 PM
it took .000001 seconds to see this

Wow! Are you running a dual-core brain, asf8? The hardware in my head definitely can't pull speeds like these... ehehe, getting old...

asf8
07-11-2007, 12:44 PM
Did everyone besides the network analysts pull it from cache?

Did you not see my previous post (http://www.actionscript.org/forums/showpost.php3?p=630008&postcount=15) ?

var Standard Web Browser = 'Safari';
// Safari --> Window Menu --> Activity Window -- >
// I am sure with other browsers its similar but didnt waste time trying

Using a standard Browser (AND NOTHING ELSE) - you can see this:
http://seesaw.net/mara/tests/cd105236/realMovie.swf <<-- Link to actual SWF in Browser Cache!

Which since you have the path to the file of course you can download it :confused:

----
var a = 'the comment return key to win this contest is';
var b = 'ab-102FIND_ME';
----
Which mooska already posted (post #10) (http://www.actionscript.org/forums/showpost.php3?p=629963&postcount=10).

so again where is the "Security" if all I need is my normal web browser to see some fancy php script is putting the SWF in normal browser cache to be available to all? :o

I think the cookie being referenced is this:
Cookie = Website: www.seesaw2.net Name: PHPSESSID Path: / Secure:no Expires: -- Contents:490ceb2d8e7091..a3d661a2a8534

AGAIN Repeat --> Nothing fancy to get to this point - just a regular web browser in .000001 seconds to see the "realMovie.swf" file path!

Again am I missing something :confused: (was really hoping this would offer security)

So that is without any special Network Analyzer, just a web browser, but even so why limit people if your authentically trying to find a accurate secure solution for this?

Its like hanging signs on the outside of your house telling thieves they can try to break in but they are not allowed to use the doors or windows ;)

asf8
07-11-2007, 12:47 PM
Wow! Are you running a dual-core brain, asf8? The hardware in my head definitely can't pull speeds like these... ehehe, getting old...

astgtciv - it was an exaggeration :p No dual-core brain here, but lots of memory leaks. =)

asf8
07-11-2007, 01:48 PM
ummm ... so is the "Challenge" over ? Back to the drawing board? :confused:

mattkenefick
07-11-2007, 03:36 PM
ummm ... so is the "Challenge" over ? Back to the drawing board? :confused:

You guys are right about the leak. I forgot to patch that before I posted it because I was in such a hurry last night. This posted at like 230am or something.

The way this is setup is this:


realMovie is setup on server X. Doesn't matter where.
reader.php + loader(test).swf + index.php are in same directory.

Index.php will start a session and post your session id and time it was set in a file or on a db or something. It'll delete and repost it every time you visit and it'll never be up there twice. Then it embeds the Flash loader file with the flashVars of the session id.

test.swf will get the key, sendAndLoad to reader.php

reader.php will check for posted data and try to select the matching id row, if you're using a db, and also the time. It uses unix time to determine the difference from what you posted before and what you're reading now. If it took you longer than 5 seconds to process from posting the key in index.php to sending a post request in reader.php, it will kill the session and your id. If the seed in your flashvars doesn't match the seed in the db, it will kill your session. If the seed in the db doesn't match the session on the site, it will kill your session.

The only way for it to send back the code is to have a flashvars session id, DB session id, and site assigned session id that all match. And they have to be set and read within 5 seconds of each other. (You can set the time, if you wanna make the delay only 2 seconds, you can do that)


I thought this method would be good because that's not something you can easily spoof (as far as I know) and it works as a replacement for the easily spoofable HTTP_REFERER.

----------------

As for, "Why not use Network Analysts?" Because I didn't setup SSL on this test. I was trying to run it under the assumption that SSL was on it and you couldn't read the network anyway. I really didn't feel like writing up a CA for this test. I said that to start but I guess everyone loves network monitoring. :eek:


There was also a lot of the server configurations I left out that I talked about in the other post that would have helped make this more effective.

I'll look into the cache. That is the one thing I neglected to test. I put in headers but never tried to actually test it.


-------------------

Why isn't this more complex? I'm trying to set it up in a way that any Joe Blow, even with a shared server, can use it. I could go deep into server configurations, this and that, setup the httpd.conf and such, but not everyone has access to those files on their server.

I'm trying to make a method that everyone can use.


So with your "answers" that aren't found from network analyzing, let me know how you got them so I can fix that. I know Cache is one of them but what else?

astgtciv
07-12-2007, 04:49 AM
Heh, this is exactly the solution that I used in the previous "Flash Hacker Challenge" :) Except that I gave it up to 1 minute I think instead of 5 seconds - 5 seconds is a bit of a tall order, what if it's a busy page, and the client CPU is stressed, and who knows what's going on with the browser? The swf just won't appear then. You have to remember that this whole solution is more of an afterthought, in no way should it cripple the functionality of the swf.

Using SSL will not help as long as you keep using a separate swf URL - the real swf url will still show up in the network listener, SSL or not. What I was saying about serving the swf directly - for that realMovie.swf and reader.php need to be on the same server, reader.php simply reads out the contents of realMovie.swf and returns the data. The loader.swf loads its target directly from reader.php. In this case there is no realMovie.swf url to worry about. The cache is still there to worry about though.

asf8
07-13-2007, 12:36 PM
Hmm.. not a peep.. has this effort been abolished and given up on as unattainable due to good ol' browser cache ;)

just curious.

3pepe3
07-13-2007, 05:56 PM
mmmmmmmmmmhhhhhhhhhh.... i think that code must be shown... it was a challange that a lot of people acomplished; but code will be a great way to learn and understand how this can be done for some others persons (like me).

mattkenefick
07-13-2007, 09:23 PM
Well it's impossible to load a file and keep it hidden.

asf8
07-14-2007, 01:24 AM
Well it's impossible to load a file and keep it hidden.

:o

Ah.. what does that mean then? Your conceding and moving on to other things and giving up the fight for universal SWF security ? Say it aint so Matt! Keep the dream alive! It was such a nice dream.

;) Ok, ok, just kidding, but serious is this whole concept a bust then ? No further development, no tutorial yada yda .... defunct-a-roanie.

Side Note Off topic: -----------
Matt - Hey I was wondering what is - MARA: Pre-release Coming Soon ? What is Mara? Just curious.

atomic
07-14-2007, 03:23 AM
What about this?

http://oddhammer.com/tutorials/dont_cache/

asf8
07-14-2007, 01:35 PM
What about this?http://oddhammer.com/tutorials/dont_cache/

atomic,

Thanks for the link! Was some good reading.

I think to sum up the whole SWF security issue we all admit it pretty hard and even impossible to get 100% swf security, due to the open format of swf files, browser cache, decompilers, etc... its just a burden when it comes to tackling all the methods a person can take to get your info.

But I think the real method of security is to confuse and make it hard for the masses.

Complexity is the best you can do, aside from actually obfuscating and encrypting your swfs, but the decompiler makers keep pretty good pace with the encryption software makers also unfortunatly.

2 things that I have read online at some point, that apply:

1.) If you ever come up with a method to protect your SWF, dont tell anyone ;)
2.) If you have important info that you dont want people to see, dont put it online, and delete it from your hard drive ;)

I forget where I read those, but they are actually true and quite funny.

jsebrech
07-16-2007, 06:50 AM
Since the file has to played on the client it has to be sent to the client. Bottom line: don't send anything to the client you don't want the client to have.

The only good security would be if MS built in kernel-level support for securing SWF files on the client, like they did with some video formats.

mattkenefick
07-17-2007, 03:39 AM
Well asf8,

I looked at that dont_cache example too and I played for hours and hours trying to change content-types, loading it as a different file, changing file properties for the send, and all that jazz before I even posted this.. but it always ended up in the same SWF file so I never bothered putting all that in. I looked at pretty much every possible scenario and change/combination I could think of or research and it always ended up the same way.

It's true that sure you can try and confuse people, but I figure even if you confuse people.. all it takes is one post to leak out from someone and it's no longer a confusing workaround.

I was hoping I could find something that would make it just possible to read it by the computer but after seeing that Safari Activity Monitor, I realize its not. The idea was that you keep things alive just long enough that they can be accessed by the computer but not long enough for human hands to find out where they are or locally access them. But after seeing that the activity monitor gives you the direct link to the file no matter what.. I guess thats just fighting a fire with gasoline isn't it?

I mean, it semi works that you can't use view-source.. view-generated source.. swf catchers.. or any of that jazz.. but if you use network analyzer or activity monitor, forget about it.

I'm not totally conceeding because I'd love to secure SWFs more than anyone.. I'm just saying "back to the drawing board"


-------------------------------------
Edit:


I dont think I'm going to write the article about this because even though it can be confusing, it'll easily be figured out once someone spills the beans. When I write articles about cracks or securing things for other programs or whatnot, I like to also say "How would you try to crack this" Or how would you go about cracking it if you were to try so people know what to watch out for and that it can't be done.

Sometimes even if it can be cracked, it's not a bad idea to say "This method will not work against it" so X hacker guy will see that and say "Oh. well thats what I was gonna do, I guess i'll have to try something else". It'll at least set them off course .. for a little while..

asf8
07-17-2007, 12:59 PM
Well asf8, I looked at pretty much every possible scenario and change/combination I could think of or research and it always ended up the same way. I'm not totally conceeding because I'd love to secure SWFs more than anyone.. I'm just saying "back to the drawing board"

Hey Matt,

Thanks for your input. I appreciate your time and effort on the subject and I look forward to any further ideas you may have on the topic. Its definitely an interesting challenge/task and a subject that has been talked about alot over the years.

Thanks again for the feedback.

atomic
07-20-2007, 05:55 PM
How does Bigshot Media seem to be able to prevent caching?

http://www.bigshotmedia.com/search/lightbox/details.php?type=bs&idPhoto=11702&anchor=anchor0

mattkenefick
07-20-2007, 06:05 PM
They're not..


http://www.bigshotmedia.com/index_images/bs_nav.swf?tab=search&section=1&base_url=http%3A%2F%2Fwww.bigshotmedia.com

atomic
07-20-2007, 06:11 PM
You are talking about the cat movie right?

Flash Gordon
07-20-2007, 06:16 PM
in efforts to keep the peace

mattkenefick
07-20-2007, 06:22 PM
You are talking about the cat movie right?

Why? You trying to steal it?

Thief

atomic
07-20-2007, 06:38 PM
No, not really... Just wondering why those movies never ended up in my IE cache...

Although I can get at the .swf in FF through...

http://www.bigshotmedia.com/search/lightbox/read.php?sku=ANI959950&size=A

I still can't open it up in IE or the Flash player, in the same manner ASF8 got to my previous posted link...

Thought you might be interested to look into it... It's certainely over my head!

kdawg
07-20-2007, 06:41 PM
Just because no one mentioned it I was able to use Safari's "activity viewer" to find the original SWF then used Gordon to quickly decompile it and find the comment "ab-102FIND_ME". Took about 15 seconds. The activity viewer also works for BigShot Media BTW. I'm sure you figured out I was on a Mac as well.

asf8
07-20-2007, 06:48 PM
I would not call atomic a theif, I think he is just trying to find a working example online where someone has a working solution.

kdawg - Read back through the thread "Safari Activity viewer" is already discussed in detail.

mattkenefick
07-20-2007, 06:51 PM
Just because no one mentioned it I was able to use Safari's "activity viewer" to find the original SWF then used Gordon to quickly decompile it and find the comment "ab-102FIND_ME". Took about 15 seconds. The activity viewer also works for BigShot Media BTW. I'm sure you figured out I was on a Mac as well.

The candles already burned out on that and the stripper is dead. Sorry man, you're late to the party. :)

kdawg
07-20-2007, 07:20 PM
Right my bad......blush.

atomic
07-20-2007, 07:36 PM
@asf8...

As I posted I did get to the same file with FF, but can't open it with the Flash player as you did in post #29 with the swf_proxy.swf... So then what?

I just installed Safari on my PC... Would the cat.swf be cached in Safari?
If so, how do you access the cache with Safari on PC?

Would this be leading to your...
If you ever come up with a method to protect your SWF, dont tell anyone!

kdawg
07-20-2007, 07:47 PM
> Activity viewer > Open the PHP?sku=# entry and save with .swf. There is your file.

atomic
07-20-2007, 08:22 PM
Nah! Doesn't work on PC...

asf8
07-20-2007, 10:06 PM
@asf8...

As I posted I did get to the same file with FF, but can't open it with the Flash player as you did in post #29 with the swf_proxy.swf... So then what?

I just installed Safari on my PC... Would the cat.swf be cached in Safari?
If so, how do you access the cache with Safari on PC?

Would this be leading to your...
If you ever come up with a method to protect your SWF, dont tell anyone!

Nah! Doesn't work on PC...

@ atomic

1.) would this be leading to your ..... <<-- @ atomic -- huh ?? I know what I stated but what are you referencing about it ?

2.) So Safari on PC does not have the --> activity window, at all ? If not bummer!

Anyway to be honest I really have not taken the time to digg into the bigshotmedia site/example you provided to try and see whats going on. So at this time no further info on that example.

atomic
07-20-2007, 10:41 PM
No, Safari on PC does have the activity window and I see the related files (also did on FF)... I'm just not understanding what Kdawg meant with Open the PHP?sku=# entry and save with .swf., or how I can get to the cat.swf itself, or even find the Safari cache folder on my PC, to see if it may be in the cache or not... No ~Library/caches/Safari... on PC!

The point is, I'm not trying to steal that or any other of those .swfs, it's just that this protection, seems to be a step ahead than that other link I had posted, and is at least making it even more harder to get to the targeted .swf...

If you can't break it, Bigshot which has had this for years, might not want to make it public either, which led me to reference your If you ever come up with a method to protect your SWF, dont tell anyone!

asf8
07-21-2007, 04:01 AM
No, Safari on PC does have the activity window and I see the related files (also did on FF)... I'm just not understanding what Kdawg meant with Open the PHP?sku=# entry and save with .swf., or how I can get to the cat.swf itself, or even find the Safari cache folder on my PC, to see if it may be in the cache or not... No ~Library/caches/Safari... on PC!

The point is, I'm not trying to steal that or any other of those .swfs, it's just that this protection, seems to be a step ahead than that other link I had posted, and is at least making it even more harder to get to the targeted .swf...

If you can't break it, Bigshot which has had this for years, might not want to make it public either, which led me to reference your If you ever come up with a method to protect your SWF, dont tell anyone!

Hmmm... so Safari does have the Activity window on PC - wow interesting!

On a Mac if you hold down Option Key and double click on an item in the Activity window, instead of opening it in a new browser window, it downloads the file. -- But I am not sure what key (maybe ALT Key?) it is or if you can do that on a PC, try it! Let me know if it works. That is how I was referencing in my previous posts and examples.

I understand what your saying now, I will look into it further when I get a chance.

atomic
07-21-2007, 04:15 AM
No, don't bother... Got to the file and decompiled it easily enough...
I was stopped by only seeing the bigshot logo when I tried to play it, and didn't even try to decompile it at first. When I did, it was all there!
So this ain't any better protection after all!

Oh! And I did find the Safari cache folder... And CTRL-> double-click on the file in the activity window, downloads it!

asf8
07-21-2007, 04:32 AM
No, don't bother... Got to the file and decompiled it easily enough...I was stopped by only seeing the bigshot logo when I tried to play it, and didn't even try to decompile it at first. When I did, it was all there! So this ain't any better protection after all!

Oh! And I did find the Safari cache folder... And CTRL-> double-click on the file in the activity window, downloads it!

So where is the chache folder ?

atomic
07-21-2007, 04:50 AM
I just had to decompile the read.swf and it worked...

As for the safari cache folder, on my PC machine it's at...

C:\Documents and Settings\Myself\Local Settings\Application Data\Apple Computer\Safari...

asf8
07-21-2007, 04:58 AM
I just had to decompile the read.swf and it worked...

Well yeah you can see all of it (in the read.swf) but without changing anything it wont play on its own, the swf will just give you the logo screen. Until you do what I described with the spacer.gif.

right ?? :confused:

atomic
07-21-2007, 05:25 AM
Assuming I'd only been interested in the cat clip and since I wasn't really interested in that code, all I did, was clear all of it, and just set the cat clip on the first frame of the movie...
I could of also exported the cat pictures from the decompiler and re-created my own .swf...

In any case, it was only the fact that the movie clip stuck on the logo, that kept me from trying to decompile it... As soon as I did try to decompile it, it was all there...

Thanks for making me see the light! Or should I say the cat... ;)

asf8
07-21-2007, 02:08 PM
Assuming I'd only been interested in the cat clip and since I wasn't really interested in that code, all I did, was clear all of it, and just set the cat clip on the first frame of the movie...
I could of also exported the cat pictures from the decompiler and re-created my own .swf... In any case, it was only the fact that the movie clip stuck on the logo, that kept me from trying to decompile it... As soon as I did try to decompile it, it was all there... Thanks for making me see the light! Or should I say the cat... ;)

Well I am just discussing what the thread is about and that is coming up with a viable solution for protection. So that was my focus, I wanted to see how they set things up and how it was working. Thats the information I provided.

They tried to do a confusing setup for secruity, but once you know it, then it becomes rendered useless - as do most unfortunatly. So yes if all you wanted was the assets then that was achieved from just the single swf as you described.

I thought both links you provided seemed interesting, but unfortunatly each was quite easily broken :-(

I think there are ways to do it to achieve high rates of security (never 100%), but at this point we seem to be disclosing more ways to break the problem than to fix the problem with secure solutions, perhaps the thread is becoming counter-productive?

:confused: :eek:

atomic
07-21-2007, 02:48 PM
I agree... But that said, I'm not at all against decompilers for research, learning purposes, or up against a lost, not found or corrupted .fla. In the end, this security wich hunt will cause more harm to the honest & legitimate decompiler users, than to the few real hackers...
Have you taken a plane recently? ;)

mattkenefick
07-21-2007, 03:15 PM
I think there are ways to do it to achieve high rates of security (never 100%), but at this point we seem to be disclosing more ways to break the problem than to fix the problem with secure solutions, perhaps the thread is becoming counter-productive?

:confused: :eek:

It's not counter-productive.. We've just learned a lot of ways of how to NOT secure a SWF.

asf8
07-21-2007, 03:40 PM
In the end, this security wich hunt will cause more harm to the honest & legitimate decompiler users, than to the few real hackers... Have you taken a plane recently? ;)

@ Atomic: I am not against it either, and was just poising the thought about us disclosing things (ha, ha). But yeah agreed, this discussion and its results will help do as you said. (Just hope bigshotmedia isnt getting there servers pummeled now ;-)

Yeah I flew across the ocean recently from Europe.. point is ? You mean --> TSA | Transportation Security Administration

Are we forming a FSA | Flash Security Administration, here via this thread ;)

It's not counter-productive.. We've just learned a lot of ways of how to NOT secure a SWF.

@ Matt: I know, I was just being whimsical with my thoughts. By the way Matt, where you been and where is your input on the subject ? Come on man! (ha, ha).

:)

mattkenefick
07-21-2007, 04:05 PM
My input is that the Activity Monitor is evil.

asf8
07-21-2007, 04:25 PM
My input is that the Activity Monitor is evil.

Yeah it probably makes the list on this subject ;). But it has "good uses also"! There seems to be long list of evil items when it comes to the ability to unsecure "would be" flash security techniques.

Thus the FSA is being formed (NOT!).

So your out of creative ideas and input, come on Matt! :) Get jiggy wid it.

mattkenefick
07-22-2007, 04:34 AM
ASF you'll be happy to know I think I may have found a new solution. I'm making a new thread for it cause this one is huge.

asf8
07-23-2007, 12:10 AM
ASF you'll be happy to know I think I may have found a new solution. I'm making a new thread for it cause this one is huge.

asf"8" here, okie dokie Matt, seen it, thanks!

Greg SS
12-12-2007, 09:55 PM
Forbidden?

mattkenefick
12-13-2007, 01:53 AM
Forbidden?

6 month old thread

atomic
12-13-2007, 02:42 AM
Not our fault! :o

PS: I've already read part of your explanation...

Greg SS
12-13-2007, 08:49 AM
Oops! sorry... I'm a bit slow on dates uptake... probably because I'm already married...

asf8
12-13-2007, 04:18 PM
6 month old thread

@ mattkenefick

To be more accurate everyone has been waiting 6 months for you to supply the method as you stated you would in this thread "NEW Flash Decompliation Challenge (http://www.actionscript.org/forums/showthread.php3?t=142516)"

:eek: seems like we are all still waiting... :eek: