Macromedia Flash Server - Flash Player 8 and swf 8 security!

Author Flash Player 8 and swf 8 security!
Naicu Octavian

2005-07-14, 5:45 pm

Today I've found out that a FCS project for a client
was cracked and it's freely distributed on the
internet!

After a little research I've found a swf decompiler
which could edit swf's as I edit the fla's. I mean
this wasn't one of those tools that shows you the AS
and you can export the images and sound, this one
showed up the exact layer, the exact frames with
actions on them, buttons, movies everything. It's just
like opening the damn fla.

so Macromedia, I really hope you did something about
this in Flash Player 8.


=-----------------------------------------------------------
Supported by Fig Leaf Software - http://www.figleaf.com
=-----------------------------------------------------------

To change your subscription options or search the archive:
http://chattyfig.figleaf.com/mailman/listinfo/flashcomm

Bill Sanders

2005-07-14, 5:45 pm

Naicu,

What I've found (and I hope I'm not naively wrong) is that the more I
had in the Server Side script, including necessary bits of "call"
code, they could do anything they wanted with the decompilers, but
they could not get to the .asc code. (AFAIK) or get the CS code to work.

I've tested the SWF decompilers on my FCS code, and while the CS code
is vulnerable (including external .as classes), I still have not
found how to break into my own ASC using SWF decompilers.

Bill

bill sanders | www.sandlight.com | bloomfield, ct | 860-242-2260


Michael D. Randolph

2005-07-14, 5:45 pm

I'm not sure they are changing anything here. Their file format spec is
public information, anyone can take it and build programs around it.
This makes it easy for a decent C++ developer to build a decompiler,
although the one you describe sounds pretty sophisticated (is it the
SoThink one?). Here's what I do to ensure protection:

1. Obfuscate my code
2. Put all important logic on the server-side (either FlashComm or
Flash Remoting...we use both)
3. Check the Client.referrer on FCS (I hear this is easy to crack, but
might as well put this there as an added means of security)

Good luck.

Michael Randolph
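
An added example (not code from the thread or from any poster) of points 2 and 3 in the list above: the connection handler compares the referrer exactly against an allowlist, and the pricing rule lives only on the server. It is modelled in plain JavaScript so it runs outside FCS; `makeApplication` is a stand-in for the FCS `application` object, and `ALLOWED_SWFS`, `PRICES`, `quote` and the URLs are assumptions made for illustration.

```javascript
"use strict";
// Added example: an FCS-style connection handler modelled in plain JavaScript.
// ALLOWED_SWFS, PRICES, makeApplication and all URLs are constructed for illustration.

const ALLOWED_SWFS = [
  "http://www.example.com/app/client.swf",
  "https://www.example.com/app/client.swf",
];

// Data and rules that exist only on the server; a decompiled SWF shows the
// name of the remote call, not this table or the validation around it.
const PRICES = { seat: 25, recording: 40 };

// Reduce a referrer to scheme + host(+port) + path so the comparison is exact.
function normaliseReferrer(referrer) {
  if (typeof referrer !== "string" || referrer.length === 0) return null;
  let u;
  try {
    u = new URL(referrer);
  } catch (e) {
    return null; // not an absolute URL
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null; // e.g. file://
  if (u.username !== "" || u.password !== "") return null; // user@host look-alikes
  return u.protocol + "//" + u.host + u.pathname; // query and fragment dropped
}

function isAllowedReferrer(referrer, allowed) {
  const normalised = normaliseReferrer(referrer);
  return normalised !== null && allowed.indexOf(normalised) !== -1;
}

// Server-side rule: the client sends an item id and a quantity, never a price.
function quote(itemId, qty) {
  if (!Object.prototype.hasOwnProperty.call(PRICES, itemId)) return null;
  if (!Number.isInteger(qty) || qty < 1 || qty > 10) return null;
  return PRICES[itemId] * qty;
}

// Stand-in for the FCS `application` object so the handler can run here.
function makeApplication(allowed) {
  const app = {
    rejected: [],
    acceptConnection(client) { client.accepted = true; },
    rejectConnection(client, err) { client.accepted = false; client.error = err; },
  };
  app.onConnect = function (client) {
    // The referrer is a first filter only (the post calls it easy to crack),
    // so nothing below relies on it for the actual rules.
    if (!isAllowedReferrer(client.referrer, allowed)) {
      app.rejected.push(String(client.referrer));
      app.rejectConnection(client, { message: "referrer not allowed" });
      return false;
    }
    client.quote = quote; // the only method this client may call
    app.acceptConnection(client);
    return true;
  };
  return app;
}
```

A copy of the SWF served from another host or opened from disk is turned away at connect time, and a client that gets past the referrer filter can still only ask the server for a result.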


András Csizmadia

2005-07-14, 5:45 pm

use this tool for client side swf encrypting - it's far from enough but it
works: http://www.amayeta.com/software/swfencrypt/
and use as much SSAS as possible.


Regards, Andrew

Stefan Richter

2005-07-14, 5:45 pm

It's a bit of a pain for sure.

I also don't get the idea of compiled components when they can - once in swf
format - be decompiled again.

I second everyone's suggestion: try to obfuscate and shift stuff serverside.

Stefan




Naicu Octavian

2005-07-14, 5:45 pm

Yes, there is this one below which I understand does
not change the code but just makes it invisible to the
decompilers by putting some erroneous AS that Flash
will never compile.
http://www.amayeta.com/software/swfencrypt/

And there are some obfuscators out there. The swf
files that these ones generate do not make the code
invisible to the decompilers but they change it to
something like:

    if (eval ("464- 9(*2)=-*)+3)*7-=3+03--063)=") == 2) {
        var _local3 = "";
        var _local2 = 0;
        while (_local2 < _local1.length) {
            _local3 = _local3 + _local1.charAt(_local2);
            _local2 = _local2 + 2;
        }
    ....


Michael D. Randolph

2005-07-14, 5:45 pm

Compiled components are hardly compiled. They are zip files with a
different extension. Try it yourself, open em in WinRAR and check out
what's inside them.

Michael Randolph

Naicu Octavian

2005-07-14, 5:45 pm

Obfuscation might not work in some cases: like when
you load an external .swf containing variables used
in swf loading it. I need to test this!

I'm going to do some research on this in the next
weeks...

Michael D. Randolph

2005-07-14, 5:45 pm

That's where better obfuscation comes in. We have a tool where you can
exclude certain words from being obfuscated.

Michael Randolph
IMAGE PLANT
(973) 244-9220
mrandolph-PMb9m0z8LQpWk0Htik3J/w@public.gmane.org

Stefan Richter

2005-07-14, 5:45 pm

Yeah fair point

Fabio Sonnati

2005-07-14, 5:45 pm

I suggest you to use obfuscation tools and, as suggested
by Bill, to use as much SS action script as possible.
Another possibility is (but only for some applications)
deliver an executable produced by a program like MDM
studio or a Visual Basic or Visual C program with
Flash Action script embedded.


stoica ionut

2005-07-14, 5:45 pm

It's not about MM, but I think they could implement
some RSA algorithm for the Flash Player, like they do
for ColdFusion components and scripts.

Also like Zend Encoder in PHP does.

When selling the Flash IDE they could also implement
something like a certificate for the client and one
that remains on the server of Macromedia.

The flasher (coder, designer, etc.) would then compile his
swf and attach his certificate to it. The Flash Player
would then decrypt it and run it (Flash Player is
mostly on the internet, so I don't think there is any
serious developer that wouldn't allow it to connect to
the MM site to check for the other half of the
certificate). This is not a privacy violation, it is IP
protection.

For the standalone or intranet version (like it
happens mostly with Flex) they could licence a
universal reader that doesn't need to connect to their
servers (it's not even needed, what serious developer
creates uncertain Flash applications for an intranet?
no one).

For the cd+presentation versions they are already
doing something like this in Central.

I mean, a better and good way is to really check if
that certificate is issued by MM (even allow it to run
if it is not).

If the certificate is reported back from the servers
that is also used in other apps, then that is for sure
your licence of Flash or your Flash files were
decompiled by someone and you could easily sue them.

too simple? maybe they can speed up things there,
everything has a solution. including levitation :p


Frédéric v. Bochmann

2005-07-14, 5:45 pm

OT: Remember your fridge letters sliding down slowly, and pushing down the
letters that were under them? :P

That was a fun one :P

Fredz./


-----Original Message-----
From: flashcomm-bounces-1Ss2GqJETD3yZ38Mhd3e/9ZfFG6BLHNm@public.gmane.org
[mailto:flashcomm-bounces-1Ss2GqJETD3yZ38Mhd3e/9ZfFG6BLHNm@public.gmane.org] On Behalf Of Stefan Richter
Sent: July 14, 2005 10:42 AM
To: 'FlashComm Mailing List'
Subject: RE: [FlashComm] Flash Player 8 and swf 8 security!

It's a bit of a pain for sure.

I also don't get the idea of compiled components when they can - once in swf
format - be decompiled again.

I second everyone's suggestion: try to obfuscate and shift stuff serverside.

Stefan





Frédéric v. Bochmann

2005-07-14, 5:45 pm

There is more than 1 compiler out there for generating swf files.
The same problem would arise and the weight of having such a tool built into
the player would become useless.

But I like the idea.




Copyright 2003 - 2008 webservertalk.com