kglad
Community Expert
February 12, 2007
Question

SWF Encryption and Security by kglad

  • February 12, 2007
  • 35 replies
  • 15163 views
i have developed a swf encryption program (jsfl) that, i believe, is relatively uncrackable. relatively means if it were worth tens of thousands of dollars to crack, it wouldn't take more than a few weeks for a professional to crack.

it does have two weaknesses. one i'd rather not reveal but has nothing to do with the encryption scheme, the swf or anything else under the control of the encryption scheme. and the other is the possibility someone could hold a gun to the head of the encrypter and demand the code. (which i think would be a pretty successful tactic.)

but other than that it is much more secure than anything else i've seen.

i've uploaded a test file to my website. i'd like to invite users to decompile, check the source code or otherwise mess with it to see if they can find a weakness.

there's no need to crack the code and spend a lot of time. i'm just looking to see if someone can see a method to attack the encryption that would eventually lead to success.

http://www.gladstien.com/test.html

p.s. the swf displays a much faster and much more versatile (than g skinner's) hit detection scheme that i made after working on a project for urami. click on the dot or weird shape to drag. release and the object released turns green if it has a positive hit with the other shape.

p.p.s. please don't hack my server. i'm not challenging anyone to destroy all my files or otherwise bring down my website. i'm just looking for challenges to the encryption scheme.
This topic has been closed for replies.

35 replies

kglad
Community Expert
February 17, 2007
yes, there's an authentication that should only allow keygen.pl to execute if it's called by gladstien.com/test.swf.
dikuno10
Known Participant
May 18, 2010

For some odd reason, when I try opening your test encryption file, all I get is a blank white page. Same for the "keygen.pl" file, too.

P.S. I have a Windows 7 x64, with Internet Explorer 8.

kglad
Community Expert
May 18, 2010

i probably removed the files long ago when i stopped working on this.

Participating Frequently
February 17, 2007
i mean open immediately on another browser tab
http://www.gladstien.com/cgi-bin/keygen.pl
after i open
http://www.gladstien.com/test.swf
at first
kglad
Community Expert
February 16, 2007
ggshow, what did you do to view the keygen.pl output: k1 etc?

luigi, i'll google that info about put statements to see what i can learn.
Participating Frequently
February 17, 2007
quote:

Originally posted by: kglad
ggshow, what did you do to view the keygen.pl output: k1 etc?



I'm using MSIE7
if I open
http://www.gladstien.com/cgi-bin/keygen.pl
i can only get a blank page

i try to open
http://www.gladstien.com/test.swf
& then followed by
http://www.gladstien.com/cgi-bin/keygen.pl

then i get
k1=83314612&k2=1944728553&k3=2947867&k4=67593022
displayed on my browser

it does not always happen, have to try a few times to get the answer, don't know why.

Maybe it is something about authentication?
Participating Frequently
February 16, 2007
tried to change
lv.load("cgi-bin/keygen.pl");
to
lv.load(" http://www.gladstien.com/cgi-bin/keygen.pl");
not working :-(

tried to run the function like
asDecF(83314612, 1944728553, 2947867, 67593022);
not working :-(


wonder why...

Inspiring
February 16, 2007
Oh, forgot to mention. He also said that on some servers you can use PUT statements to write to or read from executables. Don't know your level of expertise with server technology but I would probably consult a specialist in this case.
February 16, 2007
I still don't understand what encrypt/decrypt at runtime actually means. Are you jumbling string data, used in references and values? But at any rate, could someone use a memory editor to take a snapshot of the SWF after it has decrypted itself?
kglad
Community Expert
February 16, 2007
thank you luigi. i think i know what they are talking about. there must be some way in perl (like in flash when you use an include statement) to add data from another file. i'll have to test to see what i can accomplish. but that might be a big help.

yes, on my current server the cgi-bin directory isn't a protected directory. i'm using yahoo web hosting and you can put your perl files anywhere. i just made a cgi-bin directory because i recently moved from a hosting service where you had to have your executables in a cgi-bin directory and all my website paths are directed towards that directory.

and crandom, i don't know what your point is about posting those links, but you're not close to decrypting anything if that represents all the progress you made.
Known Participant
February 16, 2007
What are you trying to achieve with this? Scripting language and coding = BAD! They can always be broken and you have put your decrypt function in with the encrypt function (easy) and keygen.pl relies on perl (not entirely actionscript) and can be broken into with elementary moral hacking (if a hacker wanted to...)

Attached decompiled code:
Frame2
MainMovie
(Sothink Flash Decompiler MX)

And if none of those work, there is always the brute force method = unstoppable
Inspiring
February 16, 2007
kglad, talked with a network guy about this and he told me:
-if the vars (k1 etc) are sent over http on a non-secure line, an http sniffer is enough to catch the vars.
-you can put the perl file outside of the root of the webserver and have another file include the .pl file
Now, I don't know exactly what he means with that last line but it seems there is a way to at least hide the .pl file.
And, I really tried to get to the .pl file but again to no avail (not much help...).
I'll ask other specialists I know if and how they can get to the .pl file. If anything turns up I'll let you know.
Oh, and the cgi-bin is unprotected (might be intentional but I thought I should mention it).
kglad
Community Expert
February 16, 2007
the primary weakness is securing a server file so it's readable by flash but not by the user.

ggshow and danredman both viewed the contents of the keygen.pl file that needs to be secure. i cannot view this file and do not know how they viewed it. neither has responded to my question regarding what they did to view it.
kglad
Community Expert
February 15, 2007
danred, how did you get www.gladstien.com/cgi-bin/keygen.pl? did you use a download manager or use your browser or something else?
Participating Frequently
February 15, 2007
oops! Back to the drawing board...

I have a quick question. I have a Flash application that calls xml files from the server. I have heard that there are ways of reading the requests that Flash Player is making over the network therefore exposing my path to the php generated xml files.
In this thread it was mentioned that there is a way that I can make sure it is my Flash app that is making the call. I'm worried about someone else with a server mining my data. What methods are best for checking if it is my app making the request? There are a few competitors that would like access to my data feed which I would prefer to keep private to my own application even though it is public.
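
One way to approach the question in the post above, as an added example that is not part of the original thread: the server hands out a short-lived, single-use HMAC token when it serves the page embedding the Flash app, and the XML endpoint checks it before answering. The function names, the 30-second lifetime and the `session|time|nonce|mac` layout are assumptions made for illustration; session ids are assumed not to contain `|`.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a server-side secret that is never shipped in the SWF or the page.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 30          # seconds a token stays valid (constructed value)
_used_nonces = set()    # in production: a shared store whose entries expire


def _sign(msg):
    return hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()


def issue_token(session_id, now=None):
    """Called when the server renders the page that embeds the SWF."""
    now = int(time.time() if now is None else now)
    msg = f"{session_id}|{now}|{secrets.token_hex(8)}"
    return f"{msg}|{_sign(msg)}"


def check_token(token, session_id, now=None):
    """Called by the data endpoint before it returns the XML feed."""
    now = int(time.time() if now is None else now)
    parts = token.split("|")
    if len(parts) != 4:
        return "malformed"
    sid, issued, nonce, mac = parts
    expected = _sign(f"{sid}|{issued}|{nonce}")
    # Constant-time comparison so the check does not leak the MAC byte by byte.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "bad-signature"
    if sid != session_id:
        return "wrong-session"      # token lifted from another visitor
    if now - int(issued) > TOKEN_TTL:
        return "expired"            # captured URL reused later
    if nonce in _used_nonces:
        return "replayed"           # same token presented twice
    _used_nonces.add(nonce)
    return "ok"
```

A token like this only proves that the request follows a recent page load in the same session; anyone who can load the page can obtain one, so it limits hotlinking and replay rather than making a public feed private. Restricting who may read the data requires authenticating the user on the server.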
February 15, 2007
Wow, a thread *started* by kglad; must be important! Still waiting for the day you ask a question, I'll be first to spout "42".

1) "when the swf is run the encrypted code is decrypted into executable actionscript."
I don't understand this part. So you aren't dealing with encrypted byte-code, but basically obfuscated AS syntax, that can be unobfuscated at runtime? How do you unobfuscate something at runtime?

2) I'd be interested in seeing this hitTest method, sounds very useful!
Inspiring
February 15, 2007
I downloaded the test.swf and on my computer it does not work
decompiled
opened with flash and it said that cgi-bin/keygen.pl does not exist
went to www.gladstien.com/cgi-bin/keygen.pl and got k1=83314612&k2=1944728553&k3=2947867&k4=67593022
made a dir next to the .fla, cgi-bin, and keygen.pl
edited the keygen.pl with notepad and pasted k1=83314612&k2=1944728553&k3=2947867&k4=67593022&
published the flash and IT WORKS!!!

ETA:10min