ChainedSWF

From WikiFlashed


ActionScript 3 is the new ECMAScript-standard object-oriented programming language used in Flash Player 9, 10 and whatever might come in the future. Maybe 11? It is faster, cleaner and better, though it gives designers and ActionScript 2 scripters some hard hills to climb. For more info visit: Adobe Labs!

Anyways, ChainedSWF is a newly developed platform, provided to all users for free, that protects their files without the need to embed advertisements.

All sources and blueprints for this mechanism have been provided to all users. (Released to prevent people or companies from trying to patent this technology and keep it from use by the average user.)

This tool is released under the MIT License if it is outside China and under the Public Protection General Provisions in the Copyright IP Regulations of China. For more details on the license please visit [China].

General Idea

No protection is 100% foolproof. You are bound to be hit by a bored yet talented hacker. However, if you are REALLY talented, you probably would not be sniffing around for SWF files to disassemble (there are banks, money-oriented systems and other files for these serious people). But for the majority of the community this should be more than enough.

So this encryption service involves a number of things:

  • A backend to handle the automation of the encryption service
  • An encryption tool for the SWF (obfuscation)
  • A clever design of data manipulation involving the backend and AS3/AS2

Encryption Tool

The best encryption tool so far for SWF is Kindisoft's secureSWF. They seem to provide the best protection and the most complete tool set for command-line use. Of course, if you like something else, you can always write your own command-line binary that uses a different SWF encryption tool.

Backend

The backend can be any backend, but the one here uses PHP because it is free, easy to use and widely available. (Feel free to redevelop it in ASP or other complicated systems like Java if you have to.) The backend system basically provides a front end for the user to upload a SWF file. The core of the backend then performs some magic on the SWF file, which is described below in detailed steps:

Clever Design

  • Takes in the SWF binary file (not protected).
  • Encrypts (obfuscates) the SWF using Kindisoft.
  • The backend RE-encrypts the encrypted SWF with a special key, a hash key word (any string, e.g. "MAMA1234"), using a simple cipher such as AES or Blowfish or whatever. I do not think it makes a difference what you use, because most people will give up at this step anyway.
  • Attaches the SWF (joining, widely known as steganography) to a Kindisoft-obfuscated ChainSWF header SWF file. Alternatively, use a common technique called bytecode injection, which simply replaces a part of a SWF file with new content.
  • The ChainSWF header is a SWF file that takes its own body content and splits it into two portions dynamically. So in Flash, you use the byte data of the root/stage's contentLoaderInfo and apply AES decryption to the byte array object. Then simply add this object to the stage.
  • One more key element is important at this point: the AES decryption key. This key is saved inside the ChainSWF header in a special way so that it cannot be broken apart by normal means of decryption. A good way is to compile a small SWF class file with the key declared as a public static variable. Then convert, or manually sniff out, the hex content of this SWF class file into an array and embed it as a string in the ChainSWF header. Inside the ChainSWF, again dynamically convert the hex string into a byte array and load it as a class to access the decryption key.
  • The resulting joined SWF is of course provided back to the user for download, so that he can publish the file wherever he wants without having to worry about the content of the file as much as he would have otherwise.
  • In my ChainSWF platform, the ChainSWF header is also stored on the server, so that the joined SWF will always check the live platform for updates and, if an update is available, can download the latest upload. So the published SWF file in a way acts as a satellite node that will always show the latest content on the central server. A risk in this setup is the centralised data issue, which is out of scope for this project.
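
The re-encrypt, join and split steps above can be sketched in PHP as follows; this is an added example, not ChainSWF's own code. It assumes AES-256-GCM through PHP's OpenSSL extension (so a modified file fails authentication), a SHA-256 hash of the key word as the key, and a hypothetical trailer (`CHAIN_MAGIC` plus a length field); the function names are made up for the sketch.

```php
<?php
// Added example. CHAIN_MAGIC, the trailer layout and all function names are
// assumptions made for this sketch; they are not ChainSWF's real format.
const CHAIN_MAGIC = "CSWF";   // hypothetical 4-byte trailer marker
const IV_LEN  = 12;           // AES-GCM nonce length
const TAG_LEN = 16;           // AES-GCM authentication tag length

// Derive a 32-byte AES key from the hash key word (e.g. "MAMA1234").
function chain_key(string $keyword): string {
    return hash('sha256', $keyword, true);
}

// Backend side: header | iv | tag | ciphertext | magic | uint32-LE blob length
function chain_pack(string $header, string $payload, string $keyword): string {
    $iv = random_bytes(IV_LEN);
    $ct = openssl_encrypt($payload, 'aes-256-gcm', chain_key($keyword),
                          OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    $blob = $iv . $tag . $ct;
    return $header . $blob . CHAIN_MAGIC . pack('V', strlen($blob));
}

// Loader side: split the joined bytes, validate the trailer, then decrypt.
function chain_unpack(string $joined, string $keyword): string {
    $n = strlen($joined);
    if ($n < 8 || substr($joined, -8, 4) !== CHAIN_MAGIC) {
        throw new RuntimeException('trailer missing');
    }
    $len = unpack('V', substr($joined, -4))[1];
    if ($len < IV_LEN + TAG_LEN || $len > $n - 8) {
        throw new RuntimeException('bad blob length');
    }
    $blob = substr($joined, $n - 8 - $len, $len);
    $pt = openssl_decrypt(substr($blob, IV_LEN + TAG_LEN), 'aes-256-gcm',
                          chain_key($keyword), OPENSSL_RAW_DATA,
                          substr($blob, 0, IV_LEN), substr($blob, IV_LEN, TAG_LEN));
    if ($pt === false) {   // wrong key, or the file was modified after packing
        throw new RuntimeException('authentication failed');
    }
    return $pt;
}

// Constructed stand-in bytes, not real SWF files.
$header  = "FWS\x09" . str_repeat("\x00", 16);
$payload = "FWS\x09" . random_bytes(64);
$joined  = chain_pack($header, $payload, 'MAMA1234');
var_dump(chain_unpack($joined, 'MAMA1234') === $payload);
```

Because the header has to carry the key in order to decrypt its own body, this layer raises the effort needed to read the payload rather than keeping it secret, in line with the point under General Idea.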

ChainSWF Service

The domain name is still getting registered and possibly changed to something else more creative? The system is still under testing but the idea is what you see above. The source code, binaries, examples and the rest are all COMING SOON.

Interested in the project?

If you are also interested in this project and want to make it bigger or better, drop me an email.
