#1
Chief Breaks-many-phones
Join Date: Jun 2007
Location: new york city
Posts: 527
Okay. Before you go tearing this thing apart trying to find the answer, there are some rules to this.
The only rules are: Don't hack my server trying to get it. That doesn't count. ![]() Don't use a network analyzer to monitor packets sent. The real version can and probably will use SSL to provide an even more secure transfer , but for now, just try what you can to get the goal. Decompilers, downloading files, tracing things, whatever programs / ideas you have that are within reason without brutally attacking or trying to hack my server , etc.. you know? Keep the illegal / damaging to my server stuff out. The goal is.. you should see a file load up with 3 shapes and a congratulations message. In that SWF file is a comment. Find out what the comment is, post it here, and you win. Here is the link to the file. Good luck!! http://www.seesaw2.net/matt/swftest/ ![]() |
#2
Resu Deretsiger
Join Date: Jul 2005
Location: San Francisco
Posts: 2,324
Hm, I didn't know the comments got compiled into SWFs... now that might explain why that swf I was hoping to be around 5Kb came out to 105Kb.
No more comments from now on!
__________________
overstream.net: add subtitles to online videos (youtube, google video, dailymotion...).
#3
Chief Breaks-many-phones
Join Date: Jun 2007
Location: new york city
Posts: 527
Okay, I guess maybe it doesn't. They are variables now. I just decompiled it to see, and they show up. So you shouldn't have a problem finding the variables.
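Posts #2 and #3 are right that source comments do not survive compilation while string constants do. As an added example (not code from the thread, and the file it works on is a constructed one-frame SWF, not the challenge file), the script below does the relevant part of what a decompiler does: it reads the FWS/CWS header, inflates a compressed body, walks the tag stream, and pulls the string literals out of ActionPush records in DoAction tags. Tag codes and action opcodes follow the published SWF file format; the variable name and value are made up.

```python
"""Walk a SWF's tag stream and pull string constants out of its ActionScript.
Added example; the sample SWF is constructed inline so the script runs offline."""
import struct
import zlib

SWF_HEADER_LEN = 8          # signature(3) + version(1) + uncompressed length(4)
TAG_END, TAG_SHOW_FRAME, TAG_DO_ACTION, TAG_DO_INIT_ACTION = 0, 1, 12, 59


def _tag(code: int, payload: bytes) -> bytes:
    """RECORDHEADER: 10-bit tag code, 6-bit length; long form when length >= 63."""
    if len(payload) < 0x3F:
        return struct.pack('<H', (code << 6) | len(payload)) + payload
    return struct.pack('<HI', (code << 6) | 0x3F, len(payload)) + payload


def _set_variable(name: str, value: str) -> bytes:
    """AVM1 bytecode for `name = "value"`: ActionPush two strings, ActionSetVariable, end."""
    operands = b'\x00' + name.encode() + b'\x00' + b'\x00' + value.encode() + b'\x00'
    push = b'\x96' + struct.pack('<H', len(operands)) + operands   # 0x96 = ActionPush
    return push + b'\x1D' + b'\x00'                                  # 0x1D = ActionSetVariable


def build_sample_swf(var_name: str, value: str, compress: bool) -> bytes:
    """Constructed sample (assumption, not the challenge file): one frame, one DoAction tag."""
    body = b'\x00'                              # RECT with Nbits=0, padded to a byte
    body += struct.pack('<HH', 12 << 8, 1)      # frame rate 12.0 (8.8 fixed), one frame
    body += _tag(TAG_DO_ACTION, _set_variable(var_name, value))
    body += _tag(TAG_SHOW_FRAME, b'')
    body += _tag(TAG_END, b'')
    header = bytes([6]) + struct.pack('<I', SWF_HEADER_LEN + len(body))
    if compress:
        return b'CWS' + header + zlib.compress(body)  # CWS: zlib-compressed body
    return b'FWS' + header + body


def parse_swf(data: bytes):
    """Return (version, [(tag_code, payload), ...]) for an FWS or CWS file."""
    signature, version = data[:3], data[3]
    declared_len = struct.unpack_from('<I', data, 4)[0]
    if signature == b'CWS':
        body = zlib.decompress(data[SWF_HEADER_LEN:])
    elif signature == b'FWS':
        body = data[SWF_HEADER_LEN:]
    else:
        raise ValueError('not a SWF: signature %r' % signature)
    if SWF_HEADER_LEN + len(body) != declared_len:
        raise ValueError('length field disagrees with the (inflated) body')
    nbits = body[0] >> 3                        # RECT begins with a 5-bit Nbits field
    pos = (5 + 4 * nbits + 7) // 8              # skip the frame-size RECT
    pos += 4                                    # skip frame rate and frame count
    tags = []
    while pos + 2 <= len(body):
        header = struct.unpack_from('<H', body, pos)[0]
        pos += 2
        code, length = header >> 6, header & 0x3F
        if length == 0x3F:                      # long form: 32-bit length follows
            length = struct.unpack_from('<I', body, pos)[0]
            pos += 4
        tags.append((code, body[pos:pos + length]))
        pos += length
        if code == TAG_END:
            break
    return version, tags


# Operand sizes of non-string ActionPush value types (type 0 is a NUL-terminated string).
_PUSH_FIXED_SIZE = {1: 4, 2: 0, 3: 0, 4: 1, 5: 1, 6: 8, 7: 4, 8: 1, 9: 2}


def push_strings(action_code: bytes):
    """Return every string literal pushed by ActionPush in an AVM1 action block."""
    found, pos = [], 0
    while pos < len(action_code):
        op = action_code[pos]
        pos += 1
        if op == 0x00:                          # ActionEnd
            break
        if op < 0x80:                           # opcodes below 0x80 carry no operands
            continue
        length = struct.unpack_from('<H', action_code, pos)[0]
        pos += 2
        record = action_code[pos:pos + length]
        pos += length
        if op != 0x96:
            continue
        i = 0
        while i < len(record):
            value_type = record[i]
            i += 1
            if value_type == 0:
                end = record.index(b'\x00', i)
                found.append(record[i:end].decode('utf-8', 'replace'))
                i = end + 1
            else:
                i += _PUSH_FIXED_SIZE.get(value_type, 0)
    return found


def find_strings(swf: bytes):
    """Strings that survive compilation: constants inside DoAction/DoInitAction tags."""
    _, tags = parse_swf(swf)
    found = []
    for code, payload in tags:
        if code in (TAG_DO_ACTION, TAG_DO_INIT_ACTION):
            found.extend(push_strings(payload))
    return found


if __name__ == '__main__':
    sample = build_sample_swf('comment', 'congratulations, you found it', compress=True)
    print(find_strings(sample))
```

The length check after inflating matters in practice: a file whose header length disagrees with its body is either truncated or has been padded or obfuscated, and a tag walker that trusts the header will read garbage tags. Nothing here recovers `//` comments, because the compiler never writes them; it recovers exactly what post #3 says is left, the variable names and their string values.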
#4
Banned by AS.org Staff
Join Date: Jan 2007
Location: Montréal, Québec
Posts: 14,075
// Action script...
// [Action in Frame 1]

Can you provide your own cracked copy of the Sothink 3.6 decompiler you had up on your server a few days ago, so that I can have a go at this? If all fails and I don't win... Well, at least I'll have a decompiler I can use for research!
#5
Chief Breaks-many-phones
Join Date: Jun 2007
Location: new york city
Posts: 527
We don't talk about, distribute, or discuss cracked software. Read CyanBlue's comment in the last post about that.
One decompiler is just as good as another. Nothing is encrypted, so SoThink 1.0 should do the trick just as well as anything else.

Last edited by mattkenefick; 07-11-2007 at 09:17 AM.
#6
Resu Deretsiger
Join Date: Jul 2005
Location: San Francisco
Posts: 2,324
How come you didn't have the php just return the flash data? I think it would make it harder for the attacker. I tried and stopped short of having to spoof HTTP_REFERER, at which point I looked at a network analyzer.
#7
Chief Breaks-many-phones
Join Date: Jun 2007
Location: new york city
Posts: 527
PS: read the 2nd rule, in bold, that says Don't use a network analyzer. And I'm not sure what you're talking about with "Why didn't I just have it return flash data?" Another thing: there is no HTTP_REFERER involved in this. If you're comparing this to the post in the AS2 forum, they are two different things. This went through a lot of changes since then, and HTTP_REFERER was dropped.
#8
Resu Deretsiger
Join Date: Jul 2005
Location: San Francisco
Posts: 2,324
Yes, I did see the 2nd rule, which is why I didn't go on to decompile the "RealURL" swf and get the message, since that would be against the "rules of this challenge"; the admission of using the network analyzer was equivalent to admission of defeat.
I still reported my actions in the interest of collecting data on what an attacker would do. I assumed that HTTP_REFERER was involved since what I tried before going to the network analyzer was to fetch the page's html (with the session key) without loading the swf which would use that key (the assumption being that this was a one-time key used by the php). However, that key did not work when I tried to use it from the fla in Studio, which led me to the assumption that the php checks HTTP_REFERER as well as the key. If this assumption is incorrect, I can imagine that some other check (such as a timeout, which wouldn't be great) is being made in the php.
#9
Chief Breaks-many-phones
Join Date: Jun 2007
Location: new york city
Posts: 527
There's not much that can be done about the network besides SSL or securing it from the server side. (Didn't feel like setting up all the security or whatnot just for this test, so I just set up the rule that you can't do it, aka SSL.)
There's no REFERER and no timeout, etc. If by "loading the real SWF directly from PHP" you mean switching out to the new SWF file using Javascript or something, that's useless because you can view real-time generated source code, which would display the link. Not only that, a SWF catcher would be able to grab it. This method is incapable of being caught by a SWF catcher, of being read through HTML at runtime or real-time, of being received by test.swf through a different server, and of being monitored (other than by a network analyzer).

PM me the link you found to the real file.
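Posts #8 and #9 argue about what the php checks. As an added example (not the thread's PHP, whose actual checks are never shown), here is the one-time-key loader that post #8 assumes, simulated in Python so it runs offline. The referer check is a switch because post #9 says the real test has none; the URLs, the token format and the in-process "server" are all assumptions. It shows why post #8's second attempt from Studio fails (the key is consumed on first redemption) and why a referer check would add nothing: an attacker who scrapes the key out of the HTML, never runs the loader SWF, and sets Referer by hand gets the same 200 the loader does. Whoever redeems the key first gets the bytes, and the thread's rule against a network analyzer is the only thing standing between those bytes and the person holding the browser.

```python
"""One-time-key SWF gate of the kind post #8 guesses at (added example, not the thread's PHP).
The server side is simulated in-process; URLs and token format are assumptions."""
import re
import secrets
from typing import Optional

PAGE_URL = 'http://example.test/matt/swftest/'            # assumed page URL
LOADER_URL = 'http://example.test/matt/swftest/real.php'  # assumed gate script


class SwfGate:
    def __init__(self, real_swf: bytes, check_referer: bool = False,
                 ttl: Optional[float] = None):
        self.real_swf = real_swf
        self.check_referer = check_referer
        self.ttl = ttl                      # post #8's "timeout" guess, off by default
        self._issued = {}                   # key -> time issued; popped on first use

    def render_page(self, now: float) -> str:
        """The HTML the browser receives: a fresh key embedded in the loader's URL."""
        key = secrets.token_hex(16)
        self._issued[key] = now
        return '<embed src="%s?key=%s">' % (LOADER_URL, key)

    def serve(self, key: Optional[str], headers: dict, now: float):
        """What the gate script does on GET real.php?key=...; returns (status, body)."""
        issued = self._issued.pop(key, None)      # one-time: the key is gone after this
        if issued is None:
            return 403, b''
        if self.ttl is not None and now - issued > self.ttl:
            return 403, b''
        if self.check_referer and headers.get('Referer') != PAGE_URL:
            return 403, b''
        return 200, self.real_swf


def key_from_html(html: str) -> Optional[str]:
    """What an attacker does instead of letting the loader SWF run: scrape the key."""
    m = re.search(r'[?&]key=([0-9a-f]{32})', html)
    return m.group(1) if m else None


def scenario(check_referer: bool) -> dict:
    """Run the three interactions the thread describes and report each status code."""
    gate = SwfGate(b'FWS\x06 constructed placeholder', check_referer=check_referer)
    browser = {'Referer': PAGE_URL}
    # 1. legitimate flow: page -> loader.swf -> real.php with the embedded key
    html = gate.render_page(now=0.0)
    legit = gate.serve(key_from_html(html), browser, now=0.5)[0]
    # 2. replaying the same key later (post #8 trying it from the FLA in Studio)
    replay = gate.serve(key_from_html(html), browser, now=1.0)[0]
    # 3. attacker fetches the HTML, never runs the loader, sets Referer by hand
    html2 = gate.render_page(now=2.0)
    attacker = {'Referer': PAGE_URL, 'User-Agent': 'curl'}
    scraped = gate.serve(key_from_html(html2), attacker, now=2.5)[0]
    return {'legit': legit, 'replay': replay, 'scraped': scraped}


if __name__ == '__main__':
    print(scenario(check_referer=False))
    print(scenario(check_referer=True))
```

The one-time key does stop the naive replay post #8 tried, but it is an ordering control, not confidentiality: the client must receive the SWF to play it, so any client that asks first (or that records what the loader received) has it. The `ttl` option is there only to show that post #8's "timeout" guess would change nothing about case 3.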
#10
fl.mooska._title