Adobe Profiler Fail
Good evening to all habravchanam. I thought for a long time how to call this post and decided to name the first thing that comes to mind. In principle, this name almost completely describes what I want to talk about. And I will tell you how you can easily and easily make changes to absolutely any swf file you are viewing without decompiling.
So, let's begin. Our experimental will be a YouTube player.
First I will tell you a little background. In Flex, as in any decent technology, there is the possibility of profiling applications. For profiling, a special agent is used - which loads the final swf file into itself and transfers data to the profiler via the socket connection.
')
Here, those who work with flash may have the question "How can our agent retrieve data from a file for profiling, if they are in different domains?"
Everything is very simple. When our flash application is loaded, it creates a special undocumented event "allComplete" , which catches our Flex Profiler, and from the event we can already get a link to the object of our application. This link is the hole through which we can crawl into any application.
And the most interesting thing is that in this agent, absolutely all files that are opened by the Flash player are loaded - from all players and plug-ins for browsers.
Well, let's move on from theory to practice (if you do not understand all of what I said above, just look at what I will do before and what it will lead to).
For debugging, we need a debug player. In size, it is slightly larger than the standard. You can download it here .
The first thing we need is our own custom profiling agent. All its code will be 60 lines. Here is its code ( due to the lack of a normal backlight AS3 code, inserted as a picture, at the bottom of the code there is a link to download the source code ).
Download: Source Code | Compiled agent
Download the compiled agent itself, and place it in any folder we like.
Ok, now we have our own agent that receives a link to the downloaded application and passes it to the debager. Add it to trusted applications. To do this, go to the player settings page , and select the file Injector.swf
Now download debager itself. In this case, DeMonsterDebugger is used - a great debugger made as an AIR application. Install it.
Now we need to set the value of our profiler in the player configuration file. The file is named mm.cfg and lies in the following directories.
Windows 2000 / XP
Windows Vista / 7
Mac OSX
Linux /
If the file does not exist, simply create it.
Now we prescribe the path to the profiler. Add the following line to your mm.cfg:
Example:
Restart our browser / browsers or flash player. We start again, and open our DeMonsterDebugger.
The main thing to remember is that you only have to open 1 swf file, otherwise the one whose code will be executed first will connect to the debugger client.
It is fraught with hemorrhoids for developers. Thanks to this bug, you can create your own wrappers for any application on flash and make code injection inside these applications. At what to determine such an injection on the side of the application is extremely difficult.
I can think of several uses of this bug:
So, let's begin. Our experimental will be a YouTube player.
First I will tell you a little background. In Flex, as in any decent technology, there is the possibility of profiling applications. For profiling, a special agent is used - which loads the final swf file into itself and transfers data to the profiler via the socket connection.
')
Here, those who work with flash may have the question "How can our agent retrieve data from a file for profiling, if they are in different domains?"
In Flash, there is a restriction of access rights. For example, if we load file A from siteA.com, and load file B from siteB.com into it, in order for B to be able to access code A, we must manually give access rights to code A (using ApplicationDomain and LoaderContext) or pass the link to object A to B. In addition, there must be a crossdomain.xml file on siteB.com that allows cross-domain downloads. So it goes.
Everything is very simple. When our flash application is loaded, it creates a special undocumented event "allComplete" , which catches our Flex Profiler, and from the event we can already get a link to the object of our application. This link is the hole through which we can crawl into any application.
And the most interesting thing is that in this agent, absolutely all files that are opened by the Flash player are loaded - from all players and plug-ins for browsers.
Well, let's move on from theory to practice (if you do not understand all of what I said above, just look at what I will do before and what it will lead to).
Stage Zero
For debugging, we need a debug player. In size, it is slightly larger than the standard. You can download it here .
Stage One
The first thing we need is our own custom profiling agent. All its code will be 60 lines. Here is its code ( due to the lack of a normal backlight AS3 code, inserted as a picture, at the bottom of the code there is a link to download the source code ).
Download: Source Code | Compiled agent
Download the compiled agent itself, and place it in any folder we like.
Stage Two
Ok, now we have our own agent that receives a link to the downloaded application and passes it to the debager. Add it to trusted applications. To do this, go to the player settings page , and select the file Injector.swf
Now download debager itself. In this case, DeMonsterDebugger is used - a great debugger made as an AIR application. Install it.
Stage Three
Now we need to set the value of our profiler in the player configuration file. The file is named mm.cfg and lies in the following directories.
Windows 2000 / XP
C:\Documents and Settings\{username}\mm.cfg
Windows Vista / 7
C:\Users\{username}\mm.cfg
Mac OSX
/Library/Application Support/Macromedia/mm.cfg
Linux /
/home/username/mm.cfg
If the file does not exist, simply create it.
Now we prescribe the path to the profiler. Add the following line to your mm.cfg:
PreloadSWF={ }
Example:
PreloadSWF=D:/Workspace/Injector/bin/Injector.swf
Stage Four
Restart our browser / browsers or flash player. We start again, and open our DeMonsterDebugger.
The main thing to remember is that you only have to open 1 swf file, otherwise the one whose code will be executed first will connect to the debugger client.
What is all this about?
It is fraught with hemorrhoids for developers. Thanks to this bug, you can create your own wrappers for any application on flash and make code injection inside these applications. At what to determine such an injection on the side of the application is extremely difficult.
I can think of several uses of this bug:
- Use in browser multiplayer games - this will allow you to see hidden parameters that are not displayed on the screen, you can control the transmitted data, or simply write a bot.
- Wrappers for getting links to resources, relevant for sites with music and video
- Wrappers that turn off ad serving or bypassing checks embedded in the application
Source: https://habr.com/ru/post/84736/
All Articles