[WEB SECURITY] Flash (SWF) Encryption/Obfuscation

lists at foo.io lists at foo.io
Sat Apr 25 10:22:00 EDT 2009

Hi Rafal,

On 22.04.2009, at 18:30, Rafal @ IsHackingYou.com wrote:
> I wrote up a post today on my "Following the White Rabbit" blog
> regarding Flash (SWF) media file obfuscation and encryption. I've
> done some initial research into the options, as many of you have
> asked me to, following the "A Laugh RIAt" talk, and wanted to share
> with you a short, informative post on exactly what you're gaining by
> buying tools that encrypt or obfuscate your Flash code.

Flash obfuscation works well, i.e. for attacks, when:
- byte loaders are used
- the secret is not inside the Flash file

In order to discover how an attack was launched, one needs to fully log
all traffic received by the player. So it's feasible for an attacker
to use Flash for one-time exploits without disclosing a 0day for

But you are right, for legitimate Flash applications the existing
solutions for obfuscation are just a joke. The only way a developer
can give RE a hard time I can think of is to utilize Alchemy. Most
decompilers and disassemblers cannot handle it properly by now.


