All geek questions in one place

Best Approach to Changing Variable Values โ€‹โ€‹in a Compiled SWF File

Is it possible to change the value of a variable in a compiled SWF (using as3) through a servlet (say, for each session) before returning the modified SWF back to the client. I noticed that there are several command line commands as Open Source, but they seem to focus on AS2. Is this possible with AS3 code? What libraries are available from java? (i.e. basically editing the resulting pcode in a parsed SWF, and then repacking it).

Ideally, I would like to embed in the main swf for each session token (without using flash-drives), which can then be used to authenticate the request. The goal is to use this as another step in XSS support (combined with cross-domain permission files). Flash vars is still in the DOM, but this will only let the bootloader know the key value (very difficult for java script), and we can block the flash memory so that it doesnโ€™t show the value for any loaded swfs, and cross-domain files can limit any xml reading files on the source server only the source SWF (only one of this domain).

+4
source share
2 answers

Part of the problem is that the compiled SWF is compressed using the zlib stream inside, so it is not trivial to modify the binary without recompiling from the SDK command line.

It's not difficult to configure and automate the Flex SDK using the command line tools (either mxmlc or Ant - we use both in our projects), but if you really insist that you want to change the binaries without recompiling, then you can find this post in blog post . It includes a utility for unpacking the internal stream into its original data and re-compression using a different compression algorithm. In the middle of this script (while the data is being unpacked), you can search through the binary file for the value you are looking for (either through the known offset found as a result of the experiments, or using a shortcut with an open element), change the data, recompress stream, and voila - you have a custom .swf. If you change the value in the embedded resource (for example, an XML text file), it may be easier for you to find the data to change in binary format.

swf_recompress.zip

+2
source

You can use the Flex SDK to compile swf from the source at the time of the request. I would suggest a very small swf, which then possibly loads other more complex swfs.

0
source

Source: https://habr.com/ru/post/1285687/

More articles:


All Articles