© 2006 - 2012 Hannes Wolfgang Moser

Client validation in Flash

For a Flash game platform, a friend and I were searching for a security solution.

The problem with Flash is that a possible hacker could decompile SWF files and look for the URL where the score of the game is uploaded. An obfuscator is certainly a possibility, but we were searching for a method that is not decompilable in any way.

In Flash there are some properties of movie clips which are not readable with the common AS decompilers (Sothink, Burak, etc.). And there are undocumented methods and AS 1.0 hacks which make it nearly impossible to understand the code.

With these primitive possibilities we tried to build a secure checksum. This checksum is sent to the server, where a PHP script checks whether it is valid or not. The important thing was to generate a key from all these parameters which is not readable through a decompiler. For better camouflage we use some hacks with __resolve, static variables and pseudo functions, and we obfuscate the code a little.

In summary, it is a pretty secure solution, but we know the disadvantages. If there is the chance to win a big prize, maybe 99% of possible attacks will fail, but the 1% left is trouble enough. Never use only Flash-based solutions for things which require security standards, and obfuscate what you can.

To increase security we built in some other features, like sessions, SSL (Secure Sockets Layer) and a random interval at which we check the validation. Another possibility would be an XML socket, but maybe this is oversized for 99% of all Flash games.
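The server side of such a check, as an added example that is not the authors' code: it is sketched in Python rather than the PHP the post mentions, and binds the checksum to a session and a single-use nonce so a captured request cannot be replayed. The names `ScoreValidator` and `CLIENT_SECRET` and the message layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: the same secret is hidden in the obfuscated SWF. A determined
# reverse engineer can recover it, so this only raises the cost of cheating.
CLIENT_SECRET = b"constructed-demo-secret"


class ScoreValidator:
    """Server side of a session-bound score checksum."""

    def __init__(self, secret: bytes = CLIENT_SECRET):
        self._secret = secret
        self._nonces = {}  # session id -> nonce that has not been used yet

    def start_session(self, session_id: str) -> str:
        """Issue a one-time nonce when the game starts (sent over SSL)."""
        nonce = secrets.token_hex(16)
        self._nonces[session_id] = nonce
        return nonce

    def checksum(self, session_id: str, nonce: str, score: int) -> str:
        """Value the client computes; the server recomputes it to compare."""
        msg = f"{session_id}|{nonce}|{score}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def submit(self, session_id: str, score: int, checksum: str) -> bool:
        """Accept a score once per nonce, and only with a matching checksum."""
        nonce = self._nonces.pop(session_id, None)  # single use: blocks replay
        if nonce is None:
            return False
        expected = self.checksum(session_id, nonce, score)
        # Constant-time comparison so timing does not leak the expected value
        return hmac.compare_digest(expected.encode(), checksum.encode())
```

Because the nonce is consumed on the first submission, a failed or repeated upload needs a fresh session before another score is accepted.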



Strange behaviour with Load Vars Callback

Today I wanted to implement a simple contact form in one of my older projects, but there was some strange behaviour.

I created two new instances of the LoadVars class and set a release event on a button to call sendAndLoad.

[as]
public function init():Void {
    // One LoadVars carries the form data, the other receives the reply
    mailInfo = new LoadVars();
    mailStatus = new LoadVars();
    mailStatus._container = this;
    mailStatus._container.sucField = _container.sucField;
    mailStatus.onLoad = onMailLoad;
}
public function release():Void {
    // Copy the form fields and post them; the reply is loaded into mailStatus
    mailInfo.fVorname = _container.forename.text;
    mailInfo.fNachname = _container.surename.text;
    mailInfo.fEMail = _container.mailadress.text;
    mailInfo.fFeedback = _container.feedback.text;
    mailInfo.sendAndLoad("kontakt.php", mailStatus);
}
[/as]

This is the callback function:

[as]
public function onMailLoad(success):Void {
    if (success) {
        _container.sucField._visible = true;
        _container.sucField.gotoAndStop(1);
    } else {
        _container.sucField._visible = true;
        _container.sucField.gotoAndStop(2);
    }
}
[/as]

The callback is defined in the same scope where the LoadVars instances are defined.

The problem:

After compiling the FLA file and testing the contact form, I received the email and got an answer from the server (I tested with the packet sniffer Ethereal), so I thought, what the hell is wrong?

On the next try I put an additional debug text field in my FLA and traced the reference to the class where the callback is defined and to the output field which is set visible in the callback function.

Both were undefined, so I thought about how it was in ActionScript 1.0. There you have to create an anonymous function if you want to get a callback, or set another function to overwrite the LoadVars onLoad.

Example:
[as]
var l = new LoadVars();
var l2 = new LoadVars();

l2.onLoad = myFunction;

l.sendAndLoad("test.php", l2);

function myFunction() {
    trace("callback");
}
[/as]

With this construct the scope of the function was the LoadVars object l2.

In ActionScript 2.0 the behaviour is the same: the function onMailLoad is called, but with another scope. It is no longer a member of the class where the method is defined; instead the method is a member of the LoadVars instance.

Very strange.



SWF Obfuscator

An obfuscator is a tool which allows you to protect your bytecode from the decompiling gang.

After obfuscating a precompiled file, it is under normal circumstances not possible to decompile it. Why?

Not all obfuscator tools work similarly or produce exactly the same output, but the concept is nearly the same. One idea is to rename variables to constructs like “ooooooooooooooooooox”; no one will be able to read source code like this. But a good decompiler could maybe reproduce the code. So what can a good obfuscator do? One solution is to rename the source via a mathematical formula and a key string.

The developers of the Motion-Twin ActionScript Compiler have a page on their website where they offer a tool for irreversible obfuscation. The only possibility is maybe a brute-force attack, but only for short variables.

The tool is called OBFU (for OBFUscator).

Obfuscation process is irreversible. Every identifier string found in the SWF is hashed with an irreversible proven mathematical function. For short variable names however, brute force is still a possible attack. In order to prevent this Obfu accepts an obfuscation key as parameter (using the -key parameter). Two SWF will be obfuscated in the same way if and only if they have the same obfuscation key. In order to ensure maximum security, one should use -rndkey to generate a random key every time an obfuscation is done. If however several SWF need to communicate between each other, there are several possibilities:

* use the same keys (with -key) for the two SWF. This way they will be obfuscated the same way and thus a function f declared in the first SWF and called in the second will be correctly executed.
* protect the variables that need to be shared so they don't get obfuscated (see below).

Sounds good, but there is one problem: a professional licence costs about 1500 $.

Maybe only for agencies, but if you have seen the results in the sample SWF, it may be worth it.
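The properties quoted above (same key gives the same renaming, protected names stay readable, short names are guessable without a key) can be shown with a small model. This is an added example, not OBFU's code: its real hash function is not given on this page, so HMAC-SHA256 is swapped in, and every name below is hypothetical.

```python
import hashlib
import hmac
import itertools
import string

ALPHABET = string.ascii_lowercase + "_"


def rename(identifier: str, key: bytes = b"") -> str:
    """One-way rename of an identifier; an empty key means unkeyed hashing."""
    if key:
        digest = hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()
    else:
        digest = hashlib.sha256(identifier.encode()).hexdigest()
    return "_" + digest[:16]


def obfuscate(identifiers, key: bytes, protected=()) -> dict:
    """Map each identifier to its new name, leaving protected names readable."""
    return {n: n if n in protected else rename(n, key) for n in identifiers}


def guessable_without_key(renamed: str, max_len: int = 2):
    """Return the short name behind an unkeyed rename, or None if not found."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(ALPHABET, repeat=length):
            candidate = "".join(chars)
            if rename(candidate) == renamed:
                return candidate
    return None


# Constructed sample: identifiers used by two SWFs that call each other
names = ["score", "x", "sendScore"]
key = b"constructed-shared-key"
swf_a = obfuscate(names, key, protected=("sendScore",))
swf_b = obfuscate(names, key, protected=("sendScore",))
```

Here `swf_a` and `swf_b` agree on every name, while the one-letter name `x` is found by enumeration only when it was renamed without a key.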



File Upload Demo

The famous guys from OSFlash have published several demos and scripts for the new Flash Player version. What sounds most interesting to me is the possibility to upload files from the local hard drive directly from inside the Flash application without any workaround.

Here is a little demo:
File Upload Demo

To view this demo you need the Flash Player 8 Public Beta. The file upload only demonstrates that it is possible; you are not able to do anything with it.



Open Source CMS

Since my first day with Typo3 I have had a love-hate relationship with it. On the one side you are able to do really complex and interactive layouts with TypoScript and the template architecture, but on the other side the available extensions are not very good.

I want an extension where I can set a number of content variables and add a custom stylesheet style, which is easy to maintain and which can be adapted to different backend requirements.

But I think I have to program my own extension ;) .

While I searched for an easier alternative to Typo3 I found a nice Open Source CMS gallery.

The greatest feature of this website is the live preview of the available CM systems. I think Mambo could be an alternative.

Mambo has a very nice backend interface and its functionality seems to be similar to the standard Typo3 features. But I have to read a lot of reviews before I start a new adventure with a new CMS.



MTASC and SEPY

If you are a satisfied SEPY user you maybe wanna check the syntax rules inside the editor and not to flush time by time.

Now it is possible with the open source ActionScript 2 compiler MTASC.

In newer SEPY versions it is easy to integrate the MTASC compiler.

In the SEPY IDE there is a button similar to the check syntax button in the Flash IDE. If you press it and there are errors, SEPY will go to the line where the error occurred.



Flash Player 8: new Security settings

If you remember the release of Flash Player 7, a new security object was introduced into the System. Flash Player 8 is much more restrictive than version 7.

Today I tried a simple getURL tag.
[as]
getURL("impossiblearts.com", "_blank");
[/as]

As a result the player opens a JavaScript-like alert box with the message that this may be an unwanted action.

I think this behaviour can be stopped with the allowDomain commands of the System class.
[as]
System.security.allowDomain();
System.security.allowInsecureDomain();
[/as]



Flash 8 Objects and Functions

I have played around with some ActionScript and the new Flash Player 8. There seems to be a lot of new functionality inside: filters, bitmaps, etc.

If you also wanna play around you need a hex editor, Flash MX 2004 and Flash Player 8 installed.
Insert the following ActionScript into the first frame of a new movie. Create a new dynamic text field with the instance name "textF".
[as]
// Recursively list every member of obj in the text field
function returnObjs(obj) {
    for (var i:String in obj) {
        if (typeof(obj[i]) == "object" || typeof(obj[i]) == "function") {
            _root.textF.text += "\n\nobjroot name: " + i + ", value: " + obj[i] + "\n";
            returnObjs(obj[i]);
        }
        _root.textF.text += "name: " + i + ", value: " + obj[i] + "\n";
    }
}

returnObjs(flash);
[/as]

Export the Flash movie and open the generated ".swf" with the hex editor. Now you have to change the value of byte number three. It may look like this:


13 57 53 07 CF 01 00 00

In this example byte number three has the value "07". You have to change this value to "08".
Save the file and open it with Flash Player 8. Now the text field shows the names and values of the new functions; try to play around with them.
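The same header edit done programmatically, as an added example that is not part of the original post: it parses the fixed 8-byte SWF header and rewrites only the version byte at offset 3. The sample header is constructed from the dump above with the first byte assumed to be 0x43 ("C"), since an SWF file starts with the signature FWS, CWS or ZWS; the function names are hypothetical.

```python
import struct

# Signature at offsets 0-2; offset 3 is the version; offsets 4-7 the length.
SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}


def read_swf_header(data: bytes) -> dict:
    """Parse the fixed SWF header: signature, version and file length."""
    if len(data) < 8:
        raise ValueError("an SWF header needs at least 8 bytes")
    signature = bytes(data[0:3])
    if signature not in SIGNATURES:
        raise ValueError("not an SWF signature: %r" % signature)
    (file_length,) = struct.unpack_from("<I", data, 4)  # little-endian UI32
    return {
        "signature": signature.decode("ascii"),
        "compression": SIGNATURES[signature],
        "version": data[3],
        "file_length": file_length,  # length of the uncompressed file
    }


def set_swf_version(data: bytes, version: int) -> bytes:
    """Return a copy of the file with only the version byte changed."""
    read_swf_header(data)  # refuse to patch anything that is not an SWF
    if not 1 <= version <= 255:
        raise ValueError("version must fit in one byte")
    return data[:3] + bytes([version]) + data[4:]


# Constructed sample header (see the assumption in the lead-in)
SAMPLE = bytes.fromhex("43575307CF010000")
```

`read_swf_header(SAMPLE)` reports version 7 and a file length of 463 bytes; after `set_swf_version(SAMPLE, 8)` the header reports version 8 and every other byte is unchanged.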



