
Adobe Profiler Fail

Good evening to all Habr readers. I thought for a long time about what to call this post and settled on the first thing that came to mind. In principle, that name almost completely describes what I want to talk about. I will show how you can easily make changes to absolutely any swf file you are viewing, without decompiling it.





So, let's begin. Our test subject will be the YouTube player.



First, a little background. Flex, like any decent technology, supports profiling applications. Profiling uses a special agent, which loads the target swf file into itself and sends data to the profiler over a socket connection.


Here, those who work with Flash may ask: "How can our agent retrieve data from a file for profiling if they are in different domains?"

In Flash there is an access-rights restriction. For example, if we load file A from siteA.com and from it load file B from siteB.com, then for B to be able to access A's code we must explicitly grant it access (using ApplicationDomain and LoaderContext) or pass a reference to object A into B. In addition, siteB.com must host a crossdomain.xml file that permits cross-domain loading. That's how it is.


Everything is very simple. When our Flash application loads, it dispatches a special undocumented event, "allComplete", which the Flex Profiler catches, and from that event we can obtain a reference to our application's object. This reference is the hole through which we can get into any application.



And the most interesting part is that this agent is loaded into absolutely every file that Flash Player opens, in every player and browser plug-in.



Well, let's move from theory to practice (if you did not understand everything I said above, just look at what I do and what it leads to).



Stage Zero



For debugging we need the debug player. It is slightly larger than the standard one. You can download it here.



Stage One



The first thing we need is our own custom profiling agent. Its whole code is 60 lines. Here it is (since there is no proper AS3 syntax highlighting here, it is inserted as a picture; below the code there is a link to download the source).







Download: Source Code | Compiled agent



Download the compiled agent and place it in any folder you like.



Stage Two



OK, now we have our own agent that receives a reference to the loaded application and passes it to the debugger. Add it to the trusted applications. To do this, go to the player settings page and select the file Injector.swf.



Now download the debugger itself. Here DeMonsterDebugger is used, a great debugger built as an AIR application. Install it.



Stage Three



Now we need to point the player configuration file at our profiler. The file is named mm.cfg and lives in the following directories:



Windows 2000 / XP: C:\Documents and Settings\{username}\mm.cfg

Windows Vista / 7: C:\Users\{username}\mm.cfg

Mac OS X: /Library/Application Support/Macromedia/mm.cfg

Linux: /home/username/mm.cfg



If the file does not exist, simply create it.



Now we specify the path to the profiler. Add the following line to your mm.cfg:



PreloadSWF={path to Injector.swf}



Example:



PreloadSWF=D:/Workspace/Injector/bin/Injector.swf



Stage Four





Restart the browser(s) or Flash Player. Launch again and open DeMonsterDebugger.







The main thing to remember is that only one swf file should be open; otherwise the one whose code executes first will connect to the debugger client.
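A host-side check for the mechanism set up in Stage Three, added here as an example and not part of the original post or the injector's code: it parses mm.cfg from the locations listed above and reports any PreloadSWF entry, so an administrator can find a preloaded agent that the application itself cannot detect. The key/value parsing rules, the case-insensitive key comparison and the sample config are assumptions.

```python
import sys
from pathlib import Path

def mm_cfg_candidates(home=None):
    """mm.cfg locations from the post's table (current user; the Mac path is system-wide)."""
    home = Path(home or Path.home())
    if sys.platform.startswith("win"):
        return [home / "mm.cfg"]          # covers both the XP and Vista/7 layouts
    if sys.platform == "darwin":
        return [Path("/Library/Application Support/Macromedia/mm.cfg")]
    return [home / "mm.cfg"]              # Linux

def parse_mm_cfg(text):
    """Parse 'Key=Value' lines into a dict. Assumption: one pair per line,
    '#' comment lines ignored, keys compared case-insensitively."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings

def find_preload_agent(text):
    """Return the PreloadSWF path if the config injects an agent, else None."""
    return parse_mm_cfg(text).get("preloadswf") or None

def audit(paths=None):
    """Check each candidate mm.cfg on disk; returns {path: agent_swf} for hits."""
    if paths is None:
        paths = mm_cfg_candidates()
    hits = {}
    for p in paths:
        if p.is_file():
            agent = find_preload_agent(p.read_text(errors="replace"))
            if agent:
                hits[str(p)] = agent
    return hits

# Constructed sample mm.cfg mirroring the post's example line.
SAMPLE_CFG = """# constructed sample
ErrorReportingEnable=1
TraceOutputFileEnable=1
PreloadSWF=D:/Workspace/Injector/bin/Injector.swf
"""

if __name__ == "__main__":
    for path, agent in audit().items():
        print(f"{path}: Flash Player preloads {agent} into every SWF it opens")
```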



What is all this about?



This is a real headache for developers. Thanks to this bug, you can create your own wrappers for any Flash application and inject code inside those applications. Moreover, detecting such an injection from the application's side is extremely difficult.



I can think of several uses of this bug:

There are many applications of this bug, and I'm not sure Adobe will close it soon, since it is an integral part of profiling and debugging code in Flex. This bug was found by Jean-Philippe Auclair; you can express your respect to him in the comments to this post or subscribe to his Twitter.



Source: https://habr.com/ru/post/84736/


