The following example shows Flasm being used to extract a human-readable representation of bytecode from an SWF file for a simple Flash-based car racing game:
C:\flash>flasm racer.swf > racer.flm
C:\flash>more racer.flm
movie 'racer.swf' compressed // flash 7, total frames: 3, frame rate: 24 fps, 640x500 px
exportAssets
1 as 'engineStart'
end // of exportAssets
exportAssets
2 as 'engineLoop'
end // of exportAssets
frame 0
stop
push 'car1'
getVariable
push 'code', 'player'
setMember
push 'totalLaps', 10
setVariable
push 'acceleration', 1.9
setVariable
push 'gravity', 0.4
setVariable
push 'speedDecay', 0.96
setVariable
push 'rotationStep', 10
setVariable
push 'maxSpeed', 10
setVariable
push 'backSpeed', 1
setVariable
push 'currentCheckpoint1', 1
setVariable
push 'currentLap1', 0.0
setVariable
push 'checkpoints', 2
setVariable
push 'currentLapTXT', '1/10'
setVariable
end // of frame 0
frame 0
constants 'car', 'code', 'player', 'speed', 'speedDecay', 'Key', 'isDown', '
...
Chapter 5 ■ Bypassing Client-Side Controls
Here, you can immediately see various bytecode instructions that are of interest to someone wishing to attack and modify the game. For example, you could change the value of the maxSpeed variable from 10 to something a bit more competitive. After doing this, the modified disassembly can then be converted back into bytecode in a new SWF file, as follows:
C:\flash>flasm -a racer.flm
racer.flm successfully assembled to racer.swf, 31212 bytes
The car should now virtually fly around the track (to make it literally fly, you could try changing the gravity variable!).
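The security lesson of the racer.swf listing is that every one of those push/setVariable pairs is a parameter the client initialises and can therefore rewrite. As an added example (not from the book, and not part of Flasm), the following Python emulates the four opcodes shown in the listing (push, getVariable, setVariable, setMember) over a Flasm disassembly and produces an inventory of the values the client sets, so that a reviewer can check which of them the server actually re-validates. The sample listing is a constructed, cut-down copy of the racer.swf output above.

```python
import re

# Constructed sample: a cut-down copy of the Flasm listing for racer.swf shown above.
SAMPLE_FLM = """\
frame 0
stop
push 'car1'
getVariable
push 'code', 'player'
setMember
push 'totalLaps', 10
setVariable
push 'maxSpeed', 10
setVariable
push 'gravity', 0.4
setVariable
end // of frame 0
"""

# A push argument is either a single-quoted string or a (possibly negative) number.
_ARG = re.compile(r"'([^']*)'|(-?\d+(?:\.\d+)?)")

def _parse_args(text):
    """Turn "'maxSpeed', 10" into ['maxSpeed', 10]; numbers become int/float."""
    return [(float(n) if "." in n else int(n)) if n else s
            for s, n in _ARG.findall(text)]

def client_side_assignments(flm):
    """Emulate push/getVariable/setVariable/setMember over a Flasm listing and
    return {target: value} for every assignment the client performs."""
    stack, found = [], {}
    for raw in flm.splitlines():
        line = raw.split("//")[0].strip()  # drop Flasm's trailing comments
        if line.startswith("push "):
            stack.extend(_parse_args(line[5:]))
        elif line == "getVariable":
            stack.append(("var", stack.pop()))  # reference to a named object
        elif line == "setVariable":
            value, name = stack.pop(), stack.pop()
            found[name] = value
        elif line == "setMember":
            value, member, obj = stack.pop(), stack.pop(), stack.pop()
            obj_name = obj[1] if isinstance(obj, tuple) else obj
            found[f"{obj_name}.{member}"] = value
    return found

def numeric_parameters(found):
    """Numeric assignments only: the tunables (speed, gravity, laps) a player can edit."""
    return {k: v for k, v in found.items() if isinstance(v, (int, float))}
```

Run client_side_assignments() over a full racer.flm to list every client-held parameter; anything in numeric_parameters() that influences score or outcome needs a server-side check rather than trust in the SWF.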
In the previous example, the functionality implemented within the Flash object was sufficiently simple that an attacker could fundamentally reengineer the object by inspecting the disassembled bytecode and changing a single variable. In more complex Flash objects, this may not be possible, and it may be necessary to recover the original source and review it in detail to discover how the object works and where best to attack it. The Flare tool can be used to decompile an SWF file back into the original ActionScript source:
C:\flash>flare racer.swf && more racer.flr
movie 'racer.swf' {
// flash 7, total frames: 3, frame rate: 24 fps, 640x500 px, compressed
frame 1 {
stop();
car1.code = 'player';
totalLaps = 10;
acceleration = 1.9;
gravity = 0.4;
speedDecay = 0.96;
rotationStep = 10;
maxSpeed = 10;
backSpeed = 1;
currentCheckpoint1 = 1;
currentLap1 = 0;
checkpoints = 2;
currentLapTXT = '1/10';
}
...
While modifying recreational games is usually straightforward and may be fun for personal amusement and beating a coworker, the client-side controls implemented within the Flash objects used by enterprise applications and online casinos are typically better protected. As with Java, obfuscation techniques have been devised in an attempt to hinder decompilation attacks. Two available tools are ActionScript Obfuscator and Viewer Screwer, which can change both meaningful variable names and text references into scrambled sequences of letters, making the decompiled code harder to understand.