Archive for April, 2008

30 Apr - Avoid crossdomain.xml restrictions

Let's go with a little bit of hacking for the masses. Adobe's security implementation relies in some cases on the crossdomain.xml file hosted on the server that holds the data. You can generally access that data with your browser, but Flash Player will refuse if the crossdomain file doesn't allow it, and ActionScript will throw a sandbox violation error.

In many cases we want access to data that is available to us by other means but restricted to Flash by this file. In my case I was trying to access the Google Geolocation API from ActionScript:
http://maps.google.com/maps/geo?q=...
This is the content of http://maps.google.com/crossdomain.xml :

<cross-domain-policy>
<site-control permitted-cross-domain-policies="by-content-type"/>
</cross-domain-policy>

I have yet to figure out if there is a workaround in ActionScript, but I came across a nifty PHP script that will let you bypass those crossdomain restrictions. Here it goes:

crossdomain-proxy.php

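<?php
// Raw request body ($HTTP_RAW_POST_DATA was removed in PHP 7).
$post_data = file_get_contents('php://input');
$header = array();
$header[] = "Content-type: text/xml";
$header[] = "Content-length: ".strlen($post_data);
// Everything after "url=" in the request URI becomes the target URL, unchecked.
preg_match("/url=(.*)/", $_SERVER['REQUEST_URI'], $params);
$ch = curl_init($params[1]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
// Forward the body as a POST only when the caller sent one.
if (strlen($post_data) > 0) {
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
}
$response = curl_exec($ch);
if (curl_errno($ch)) {
    print curl_error($ch);
    curl_close($ch);
} else {
    curl_close($ch);
    // Content-Type and Content-Length are two separate headers.
    header("Content-type: text/xml");
    header("Content-length: ".strlen($response));
    print $response;
}
?>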

This code was extracted from Yoppa's blog, where he goes into detail explaining how to use it. In case your Japanese is rusty, here's how it goes.
Instead of requesting the URL:

var url:String = "http://maps.google.com/maps/geo?q=...";

we are going to request:

var url:String = "crossdomain-proxy.php?url=http://maps.google.com/maps/geo?q=...";

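This bypasses the security error and retrieves the exact same content as the original URL. The SWF now requests a URL on its own domain, so Flash Player has no cross-domain policy to check; the PHP script fetches the remote data server-side and relays it.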

Now I have to admit that I don't understand every bit of code in that PHP file, but I checked it first to make sure that my server wasn't going to explode with it, and it works really well.

Php n00bies, beware.

If I were you, I would restrict the calls to this php to my own domain only.

Just to make sure that those smart-ass hackers out there won't use my php's url to retrieve their content.
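
The restriction suggested above, sketched as a hardened variant of crossdomain-proxy.php (an added example, not code from the original post or from the Yoppa blog). It limits where the proxy will fetch from rather than who calls it, and forwards GET requests only; `ALLOWED_HOSTS` and `validate_target()` are names assumed for this sketch.

```php
<?php
// Added example: crossdomain-proxy.php limited to known destinations.
// ALLOWED_HOSTS and validate_target() are illustrative names, not from the post.
const ALLOWED_HOSTS = ['maps.google.com'];

// Return a rebuilt http(s) URL for an allowlisted host, or null to refuse.
function validate_target(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    $host   = strtolower($p['host']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;                       // no file://, gopher://, ...
    }
    if (isset($p['user']) || isset($p['pass']) || isset($p['port'])) {
        return null;                       // no userinfo or odd ports
    }
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return null;                       // blocks internal and third-party hosts
    }
    // Rebuild from parsed parts so curl sees exactly what was validated.
    $query = isset($p['query']) ? '?' . $p['query'] : '';
    return $scheme . '://' . $host . ($p['path'] ?? '/') . $query;
}

// Same convention as the original script: everything after "url=".
preg_match('/url=(.*)/', $_SERVER['REQUEST_URI'] ?? '', $params);
$target = validate_target($params[1] ?? '');
if ($target === null) {
    http_response_code(403);
    exit('Target not allowed');
}

$ch = curl_init($target);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);   // a redirect could leave the allowlist
curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
$response = curl_exec($ch);
curl_close($ch);

if ($response === false) {
    http_response_code(502);               // keep curl's error text out of the reply
    exit('Upstream request failed');
}
header('Content-Type: text/xml');
print $response;
```

Without a destination allowlist, anyone who finds the script can have the server fetch arbitrary URLs on their behalf, including addresses only reachable from inside the hosting network.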

22 Apr - Inspiration: Get out and Play

FarFar is at it again, this time with a funky site for N-Gage.

So don't you Get out and Play but stay in and click.

Get out and Play


via: ThatBasqueGirl

17 Apr - ActionScript Security: About Flash Pirates and Swf Hackers

The aspect of Flash security that concerns many content creators is the protection of the intellectual property around websites and other Flash-powered RIAs. The most common security breach is the ease with which one can "steal material" from the web (note the quotes).

If it's digital it can't be "stolen"
and it for sure can't be called "material".
  • Flash Pirates

    OK, so this is your common guy. Stealing for them can be as easy as checking their browser cache, or fiddling with Firebug and downloading SWF files or other assets that might be dynamically loaded by the Flash (SWF files, images, XMLs, MP3s, ...). We all know them and, let's be honest, we have all been there.

    We all have a hacker inside.
    It's the size that makes the difference

    Then again, nosing around your computer cache can hardly be called "stealing", and in many circumstances keeping a file at one's computer for personal use doesn't harm its author either.
    On the other hand, one example comes to my mind: Flash game developers. I have read through the years how some of these developers have seen their games stolen, reposted on other sites, and appropriated by others. That is something one doesn't want to deal with, especially when the piece of work was intended as freeware and the copies are being monetized. In this case we are dealing with more than "stealing"; we are dealing with "appropriation".

    Flash pirates are numerous, but they lack in many cases further technological knowledge. They can steal but they can't modify. That is the labor of other guys...

  • SWF Hackers

    These are the clever guys. They will bypass any trick you've set up and successfully download your SWFs. Then, if they so desire, they will expose your creation's inner core. There are a handful of decompilers out there that will do the trick, and they keep up to date with their counterparts, the obfuscators.

    Sometimes it is a very useful tool for content creators. I'll explain. I recently found out about a set of components that an individual was selling on his website when I opened a SWF file in FlashDevelop. I would never have been exposed to these creations if it weren't for the fact that I checked the classes involved in the application. This particular SWF file was nothing but a clever use of Google APIs, PaperVision and some commercial components from this site. If you have released a component or other code, you know that once an author encapsulates their Flash there is no easy way to claim that some of your code might be there.

    You can rest assured that, for the hackers, you will always get some credit.
  • So what can you do?

    Open source is a great idea, and probably unavoidable, but for content creators, programmers and artists (they are all the same) this might be a hard road.

    Ask yourself first: Do I have to do something?

    Flash Pirates can be more or less deceived. Protect your work to a minimum and you will be saving yourself from 95% of your work appropriation. Still worried about the remaining 5%? It's futile. SWF Hackers can be as persistent and methodical as your browser is. If your content is open to be read and interpreted by a browser, it can also be read and interpreted by a human given enough time.

    If they want it bad enough
    they will have it.

    "Bad enough" is the key here, and I will be posting some tools and techniques to test how far those hackers are willing to go to open your code. But in the end, remember, you learned from others' code. Be generous and let others learn from you. Spend your time coding the next thing, not protecting what you've already finished!

    Amen

13 Apr - EasingAround tween equations Cheatsheet

Download
EasingAround.zip v.1.0.2

After discovering the cheatsheet available for the Tweener API, I've adapted it to display the equations from the EasingAround classes.

It is helpful to compare these graphs with the ones from the original equations, so I've included the original cheatsheet created by the Tweener team.


And this is the original cheatsheet from the Tweener project.


Tweener is a popular framework for creating tweens in ActionScript 2 and 3.

11 Apr - EasingAround equations: simple easing back and forth

That should be "forth and back".

EasingAround is a class that simplifies very basic tweens even further. The idea behind this class is to provide a means to create a tween that starts and ends at the same value.

Download
EasingAround.zip v.1.0.2

If your regular Easing function [from 1 to 10] behaves as follows:

   1 . . . . 5 . . . . 10

then, an EasingAround function with the same parameters behaves as:

   1 . .5. . 10 . .5. . 1

in the same amount of time.

These equations come in handy when we want to create some quick animation -like button rollovers- with the shortest code, without having to "chain" two consecutive tweens.

Example (rollover the icon or click the stage to tween):


This is the code for the rollover tween:

new Tween(box, "scaleX", EasingAround.easeInOutSine, 1, 2, 0.3, true)
new Tween(box, "scaleY", EasingAround.easeInOutSine, 1, 2, 0.3, true)

This class contains only the easing equations and should be compatible with any AS3 tween engine out there (e.g. Tweener) or with code that uses fl.motion.easing.* or fl.transitions.easing.*

The functions are named as follows:

EasingAround.easeNone

EasingAround.easeInQuad
EasingAround.easeOutQuad
EasingAround.easeInOutQuad
EasingAround.easeOutInQuad

EasingAround.easeInCubic
EasingAround.easeOutCubic
EasingAround.easeInOutCubic
EasingAround.easeOutInCubic

etc...

Note: EasingAround uses the original easing equations by Robert Penner.