(a bit of) whitespace

Has someone just said “lowlevel”?

Heads up!

This is my old blog, which is no longer updated, doesn't reflect my current opinions, and remains here for archival purposes only. Please don't take it too seriously; and visit whitequark.org to see my current work!

Let's Destroy Flash Together

Adobe Flash is obsolete. It is a proprietary technology controlled by a single company, it has hundreds of gaping security holes, it drains battery like crazy, it is not supported anymore on mobile devices (Apple, Google and Microsoft) and Linux. Even Adobe themselves think that Flash should die; let’s help them to weed the garden!

Quite a few people are still relying on Flash for publishing dynamic content. One of their reasons is, apparently, the possibility of code protection (1, 2, 3, 4, etc.) This is plain wrong: there is no viable code protection in Flash. I’m going to prove this once and for all.

Update: There seems to be a misunderstanding. I’m talking about Flash Player here; if you use AIR or any other toolkit to produce desktop/mobile application, I don’t care which framework do you use. Just make it fast and integrate good with underlying OS.

The Problem

Pretty much the only viable alternative to Flash is HTML5. It’s an evolving open standard, and it already has all of the features which made it possible for Flash to dominate the market for more than a decade. As a consequence of being an open standard, HTML5 does not have a way to protect code and assets of your application.

Sure, you can obfuscate your code…

… but if you’re running a browser like Chrome, you are one mouse click away from making it (kind of) readable again:

What’s the primary market for Flash obfuscators, cryptors and protectors? Online games, and especially online multiplayer games. A lot of developers think that if they hide the internals good enough, and maybe also encrypt the protocol, then cheat and bot authors won’t understand how it works, and so the developers don’t implement any sensible security measures at all. In other words, they employ security through obscurity.

In reality, surpassing such countermeasures takes significantly less time than to create them.

The Plan

I have already written an advanced ActionScript 3 analysis toolkit which includes a decompiler, a rudimentary deobfuscator (26 lines of code are enough to bypass some commercial solutions) and a framework which can, for example, automatically dissect things as complex as polymorphic encrypted loaders. It’s also highly modular and extensible.

I challenge everyone to present a Flash protector I could not circumvent. Every week I would pick one application and implement a module which reverses whichever modifications it has made to the code to make it unreadable, then release it publicly along with a description in a blog entry. Flash protectors are already useless; this should make it obvious.

Ultimately I want to wipe the entire market of protectors and obfuscators.

But I like Flash!

Chances are that you’re a Flash developer. Please, do everyone a favor and learn a good piece of technology. You will also benefit from being able to find a new job after your current one vanishes in a year or so.

Oh, you also wrote an obfuscator? Stop selling snake oil.


Jane is an IT security specialist. She finds a bug (like this) in a common piece of software which allows anyone to execute arbitrary code on your computer. (Behind the word “arbitrary” most often hides a trojan horse which steals your credit card number or something similarly vicious.) What could she do?

First, she could keep it for herself or sell it to a malware author. This will leave her with a huge sum of money, very bad karma and, possibly, a conviction.

Second, she could disclose it: release some or all information about the bug to general public. This will allow software author to fix the bug and everyone else to check if their system is vulnerable (so-called penetration testing). She could also report it to the vendor first and wait for a month or so to allow them to fix the bug, if she wants. Immediate release can be a bit controversional, but is generally accepted too.

There’s even an open-source project dedicated to penetration testing, Metasploit. It has exploits for thousands of security holes, some still unfixed for lots of systems, and hardly requires a brain to use. Nevertheless, it’s a mature and well-respected system used by a lot of people and companies across the world.

Absence of public information about deficiences, may them be security holes or false claims, is not going to create any obstacles for those who want to exploit these deficiences. But it does create a false sense of security.

You’re an evil greedy bastard anyway

I have released Furnace::AVM2 under a permissive MIT license. Basically that means that you have a right to rename the project whatever you like then sell it for $500/copy without even notifying me. (The only thing you cannot do is to pretend that you wrote it instead of me). All of the deobfuscation modules will be released under the same license, too.

A note on submissions

I would prefer to receive .swf files for analysis rather than obfuscators. First, obfuscators can have restrictive licensing terms and three digit price tags; some of them might even be unavailable for general public. Second, chances that most of them won’t run on Linux, which I use for my work.

As a single obfuscator might be using various protection techniques, it would be helpful to get several different samples; even more so if it has different protection levels.

Of course, you should not send me copyrighted .swf’s or do anything similarly illegal.

I won’t accept any legacy ActionScript 2 submissions. I don’t have analysis infrastructure for that format, and it’s not worth developing anyway, as it was deprecated long time ago and isn’t used much these days.