-----------------------------------------------------------------------------------------------------------------
[Kernel32 the underground army of digital hybrids]
This document was released by : Black Death
E-mail:roozbeh@mailbox.as
We may not agree with what you say, but We will defend to the death your right to say it.
-----------------------------------------------------------------------------------------------------------------
FLASH HACKING And the real world:

Notice: This is not a how-to-crack tutorial.
This document aims to make you aware of the weaknesses in most Flash-based authentication boxes. As an example I have selected CoffeeCup's Password Wizard, which creates a Flash-based authentication box.

Why CoffeeCup? I have e-mailed the company many times about their software not being safe last year, but they did not seem to care about the security of the software; as a result I am making it public.

Flash-based authentication is in no way reliable, because it simply stores all strings in plain text, so anyone who views the file in a text editor can see most of the information you have tried to hide. This even includes the ActionScript you have used in the Flash source file (blah.fla).

While you can encrypt text with the algorithms of your choice in most web-based authentication applications (Java, Perl, ...), this is not a good thing to do in Flash (as I have stated before, Flash does not change the text you have included in your file, so your script is human-readable).

Flash is not a good base for long and complex programming, so if you try to encrypt your text (username, password or other important data) in Flash you will actually limit yourself to unreliable algorithms that can be understood easily. On the other hand, script extraction is possible for any SWF file.

Until now we have only said things you might have known before, so let's go on to the things that might seem a little more interesting.

CoffeeCup Password Wizard (it would be a good idea to download the app: www.Coffeecup.com)

This app makes a Flash authentication box that is 100% insecure; you can easily hack any box that was made using CoffeeCup Password Wizard (CPW).

Execute CPW and add a user to the list, such as mark, assign it a password, for instance GOD, and save your work as blah.swf.

Open blah.swf with your favorite text editor and find the string "mark" (without the quotation marks), and bingo! Can you see the password you assigned for mark? Yes, you have found it. Wasn't it simple?

Now it is time for a little bit of reverse engineering:

We have found the password by searching for a username we knew beforehand. What if we want to hack a Flash box made by CPW and we don't know any of the usernames?

As simple as A B C: view the blah.swf file again. What can you see around the part that includes the username and password?
Yes, some text.
Does that give you some idea about how to hack other files that were created using CPW?
Aha, I can search the file for a string that does not change no matter what the usernames are, and that would be the "pass box" string, which never changes.
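
An added example, not part of the original document and not CoffeeCup's code: a pre-publication check in Python that reports whether strings you meant to keep private are readable inside a SWF you built. It goes slightly beyond the text by also unpacking zlib-compressed (CWS) movies, whose strings a text editor would not show directly; the sample bytes and the names swf_body, find_leaks and make_sample are constructed for illustration.

```python
import struct
import zlib


def swf_body(data: bytes) -> bytes:
    """Return the uncompressed movie bytes that follow the 8-byte SWF header."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF file")
    sig = data[:3]
    if sig == b"FWS":            # uncompressed movie
        return data[8:]
    if sig == b"CWS":            # zlib-compressed from byte 8 onward
        return zlib.decompress(data[8:])
    raise ValueError(f"unsupported signature {sig!r}")


def find_leaks(data: bytes, secrets: list[str]) -> dict[str, list[int]]:
    """Map each secret that is readable in the movie to its byte offsets."""
    body = swf_body(data)
    hits: dict[str, list[int]] = {}
    for secret in secrets:
        needle = secret.encode("utf-8")
        offsets = []
        pos = body.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = body.find(needle, pos + 1)
        if offsets:
            hits[secret] = offsets
    return hits


def make_sample(compressed: bool) -> bytes:
    """Constructed stand-in for a movie; not real CPW output."""
    body = b"\x00\x01pass box\x00mark\x00GOD\x00\x40\x00"
    length = struct.pack("<I", 8 + len(body))   # header stores total file length
    if compressed:
        return b"CWS\x06" + length + zlib.compress(body)
    return b"FWS\x05" + length + body


if __name__ == "__main__":
    # Secrets the author of the movie knows and does not want shipped to clients
    private = ["mark", "GOD", "s3cret"]
    for compressed in (False, True):
        leaks = find_leaks(make_sample(compressed), private)
        print("CWS" if compressed else "FWS", "leaks:", leaks)
```

Any hit means the value is delivered to every visitor, so the check belongs on the server rather than in the movie.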


---------------------------------------------------------------------------------------------------------------
by:Black Death
Kernel32 webdevelopment unit
---------------------------------------------------------------------------------------------------------------