SWF Encryption and Security by kglad

Report · Feb 12, 2007

i have developed a swf encryption program (jsfl) that, i believe, is relatively uncrackable. relatively means if it were worth tens of thousands of dollars to crack, it wouldn't take more than a few weeks for a professional to crack.

it does have two weaknesses. one i'd rather not reveal but has nothing to do with the encryption scheme, the swf or anything else under the control of the encryption scheme. and the other is the possibility someone could hold a gun to the head of the encrypter and demand the code. (which i think would be a pretty successful tactic.)

but other than that it is much more secure than anything else i've seen.

i've uploaded a test file to my website. i'd like to invite users to decompile, check the source code or otherwise mess with it to see if they can find a weakness.

there's no need to crack the code and spend a lot of time. i'm just looking to see if someone can see a method to attack the encryption that would eventually lead to success.

http://www.gladstien.com/test.html

p.s. the swf displays a much faster and much more versatile (than g skinner's) hit detection scheme that i made after working on a project for urami. click on the dot or weird shape to drag. release and the object released turns green if it has a positive hit with the other shape.

p.p.s. please don't hack my server. i'm not challenging anyone to destroy all my files or otherwise bring down my website. i'm just looking for challenges to the encryption scheme.

Report · Feb 14, 2007

i didn't change anything. www.gladstien.com/test.html is still working and visible and keygen.pl is in the same location at www.gladstien.com/cgi-bin/keygen.pl

Report · Feb 14, 2007

obfuscation technique..
but it really works to protect ur work..
even thought it's not 100% secured, but at least, your code have filter out a lot of people from stealing ur work.

Nice job...!!!
~Salute..

Report · Feb 15, 2007

Very very nice job... however i am very junior to say this... But its really great job...
All the very best... 😄

Report · Feb 15, 2007

But it is possible import all your movieClips on a stage. it should be password protected with your style. so no one could import your layout 2.

Report · Feb 15, 2007

But it is possible import all your movieClips on a stage. it should be password protected with your style. so no one could import your layout 2.

Report · Feb 15, 2007

I download the test.swf and on my computer does not work
decompiled
open with flash and said that cgi-bin/keygen.pl not exist
goto www.gladstien.com/cgi-bin/keygen.pl and get k1=83314612&k2=1944728553&k3=2947867&k4=67593022
make a dir next to .fla cgi-bin, and keygen.pl
edit the keygen.pl with notepad and paste k1=83314612&k2=1944728553&k3=2947867&k4=67593022&
publish the flash and IT WORKS!!!

ETA:10min

Report · Feb 15, 2007

danred, how did you get www.gladstien.com/cgi-bin/keygen.pl? did you use a download manager or use your browser or something else?

Report · Feb 15, 2007

oops! Back to the drawing board...

I have a quick question. I have a Flash application that calls xml files from the server. I have heard that there are ways of reading the requests that Flash Player is making over the network therefore exposing my path to the php generated xml files.
In this thread it was mentioned that there is a way that I can make sure it is my Flash app that is making the call. I'm worried about someone else with a server mining my data. What methods are best for checking if it is my app making the request? There are a few competitors that would like access to my data feed which I would prefer to keep private to my own application even though it is public.

Report · Feb 15, 2007

Wow, a thread *started* by kglad; must be important! Still waiting for the day you ask a question, I'll be first to spout "42".

1) "when the swf is run the encrypted code is decrypted into executable actionscript."
I don't understand this part. So you aren't dealing with encrypted byte-code, but basically obfuscated AS syntax, that can be unobfuscated at runtime? How do you unobfuscate something at runtime?

2) I'd be interesting in seeing this hitTest method, sounds very useful!

Report · Feb 16, 2007

the primary weakness is securing a server file so it's readable by flash but not by the user.

ggshow and danredman both viewed the contents of the keygen.pl file that needs to be secure. i cannot view this file and do not know how they viewed it. neither has responded to my question regarding what they did to view it.

Report · Feb 16, 2007

Waht are you trying to achieve with this? Scripting language and coding = BAD! They can always be broken and you have put your decrypt function in with the encrpyt function (easy) and keygen.pl relies on perl (not entirely actionscript) and can be braoken into with elementary moral hacking (if a hacker wanted to...)

Attached decompiled code:
Frame2
MainMovie
(Sothink Flash Decompiler MX)

And if none of those work, there is always the brute force meathod = unstoppable

Report · Feb 16, 2007

kglad, talked with a network guy about this and he told me:
-if the vars (k1 etc) are send over http on a non-secure line, a http sniffer is enough to catch the vars.
-you can put the perl file outside of the root of the webserver and have another file include the .pl file
Now, I don't know exactly what he means with that last line but it seems there is way to at least hide the .pl file.
And, I really tried to get to the .pl file but again to no avail (not much help...).
I'll ask other specialists I know if and how they can get to the .pl file. If anything turns up I'll let you know.
Oh, and the cgi-bin is unprotected (might be intentional but I thought I should mention it).

Report · Feb 16, 2007

thank you luigi. i think i know what they are talking about. there must be some way in perl (like in flash when you use an include statement) to add data from another file. i'll have to test to see what i can accomplish. but that might be a big help.

yes, on my current server the cgi-bin directory isn't a protected directory. i'm using yahoo web hosting and you can put your perl files anywhere. i just made a cgi-bin directory because i recently moved from a hosting service where you had to have your executables in a cgi-bin directory and all my website paths are directed towards that directory.

and crandom, i don't know what your point is about posting those links, but you're not close to decrypting anything if that represents all the progress you made.

Report · Feb 16, 2007

I still don't understand what encrypt/decrypt at runtime actually means. Are you jumbling string data, used in references and values? But at any rate, could someone use a memory editor to take a snapshot of the SWF after it has decrypted itself?

Report · Feb 16, 2007

tried to change
lv.load("cgi-bin/keygen.pl");
to
lv.load(" http://www.gladstien.com/cgi-bin/keygen.pl");
not working :-(

tried to run the function like
asDecF(83314612, 1944728553, 2947867, 67593022);
not working :-(

wonder why...

Report · Feb 16, 2007

Oh, forgot to mention. He also said that on some servers you can use PUT statements to write to or read from from executables. Don't know your level of expertise with server technology but I would probably consult a specialist in this case.

Report · Feb 16, 2007

ggshow, what did you do to view the keygen.pl output: k1 etc?

luigi, i'll google that info about put statements to see what i can learn.

Report · Feb 17, 2007

quote:

Originally posted by: kglad
ggshow, what did you do to view the keygen.pl output: k1 etc?

I'm using MSIE7
if I open
http://www.gladstien.com/cgi-bin/keygen.pl
i can only get a blank page

i try open
http://www.gladstien.com/test.swf
& then follow by
http://www.gladstien.com/cgi-bin/keygen.pl

then i get
k1=83314612&k2=1944728553&k3=2947867&k4=67593022
displayed on my browser

it is not always happen, have to try a few time to get the answer, dont know why.

May be is something about authentication?

Report · Feb 17, 2007

i mean open immediately on another browser tab
http://www.gladstien.com/cgi-bin/keygen.pl
after i open
http://www.gladstien.com/test.swf
at first

Report · Feb 17, 2007

yes, there's an authentication that should only allow keygen.pl to execute if it's called by gladstien.com/test.swf.

Report · May 17, 2010

For some odd reason, when I try opening your test encryption file, all I get is a blank white page. Same for the "keygen.pl" file, too.

P.S. I have a Windows 7 x64, with Internet Explorer 8.

Report · May 18, 2010

i probably removed the files long ago when i stopped working on this.