
Part VII: For the geeks

I've mentioned a few times that I can look at the code embedded in a flash file, and use that code to gain information for exploiting a weakness (if I find one) or stealing the flash app. Well, here's a basic rundown of how I do that.

Flasm, baby. It's at and is a really nice little tool. You can rip the code out of a flash app, read it, modify it, and then re-embed your changes. It's a command-line tool, so it's not for the faint of heart. But it's very good at what it does.

If you saw a flash site you wanted to steal (which you wouldn't, because they're stupid and there's no reason on earth anybody who's smart enough to steal them would be stupid enough to want one), you might look for the source of the app to get more information. In the case of a winklet, finding the trial is key to easily stealing it. But what if you can't find where it came from, or who created it? This is where flasm is really handy. If you disassemble a winklet, and read up a bit on Flash Actionscript, you can figure out where configuration, sound files, and other customizations are coming from. The flash bytecode is very long, and difficult to parse for a beginner. But finding references like the LoadVars class (and others) will point you toward at least the basic things you need to dig into.

As I said, in the case of winklets, this work is unnecessary unless you're just trying to fool around with flasm.... But say you're looking for a real challenge, and come across a Bludomain app. They don't offer a trial, and they're very expensive (haven't figured this out yet - yeah, they look a bit nicer, but they're still just another flash website to me). You have no choice but to rip the flash open and look for information.

I'm not going to go into an in-depth tutorial on how flasm works, and what the actioncode output means, so I'm just going to mention some superficial things I noticed. After a bit of digging I found that a Bludomain app was much more complex than a winklet. They get their config information out of a collection of php scripts, and they seem to be a lot more configurable than a winklet. Since they cost so much, though, I wouldn't be surprised if they do custom flash per client, loosely based around a template (as I mentioned above, customizing the app for each client is one way to make it much more difficult to steal).

As I'm not terribly interested in acquiring a flash website, I didn't dig much deeper into Bludomain. I'm guessing, based on what I've briefly seen, that they're just as susceptible to theft as Winklet, but they simply make it harder. You have to dig through actionscript code to find out where settings are being gathered, and hit the many php settings pages, usually located in a clever "/admin" directory (who'd ever think to look there?), to figure out what settings exist (or else dig through the actionscript to see what settings are being read in). If you're keen on learning about actionscript tinkering, a project like that may be a great starting point. Otherwise, I think it'll just be more time than it's worth.
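As an added example (not the author's code and not part of flasm): a short Python script that reads a flasm-style disassembly listing of your own SWF and reports which loader calls and server paths it discloses to anyone who disassembles it, the kind of references described above (LoadVars, the php settings pages, the "/admin" directory). The sample listing is constructed, and the loader-name list and file-extension pattern are assumptions chosen for illustration.

```python
import re

# Constructed sample in the style of a flasm disassembly listing (not from a real app).
SAMPLE_DISASSEMBLY = """\
movie 'site.swf' compressed // flash 7, total frames: 1, frame rate: 24 fps
  frame 0
    constants 'cfg', 'LoadVars', 'onLoad', 'admin/settings.php', 'load', 'bgColor'
    push 'cfg', 0.0, 'LoadVars'
    new
    setVariable
    push 'admin/settings.php', 1, 'cfg'
    getVariable
    push 'load'
    callMethod
    pop
    push 'music/intro.mp3', 1, 'snd'
    getVariable
    push 'loadSound'
    callMethod
  end // of frame 0
end
"""

QUOTED = re.compile(r"'((?:[^'\\]|\\.)*)'")  # single-quoted string operands
# Assumption: ActionScript 1/2 names that fetch external data or media.
LOADER_NAMES = {"LoadVars", "XML", "loadVariables", "loadMovie", "loadSound", "getURL"}
# Assumption: strings that look like URLs or server-side/media files.
RESOURCE = re.compile(r"^https?://|\.(php|xml|txt|mp3|swf|jpg|png)(\?|$)", re.I)

def audit(disassembly):
    """Return (loaders, resources) found in string operands, in first-seen order."""
    loaders, resources = [], []
    for line in disassembly.splitlines():
        op = line.split(None, 1)
        # Only the constant pool and push operands carry the strings we care about.
        if len(op) < 2 or op[0] not in ("constants", "push"):
            continue
        for s in QUOTED.findall(op[1]):
            if s in LOADER_NAMES:
                if s not in loaders:
                    loaders.append(s)
            elif RESOURCE.search(s) and s not in resources:
                resources.append(s)
    return loaders, resources

def exposed_admin_paths(resources):
    """Resource strings that sit under an 'admin/' directory."""
    return [r for r in resources if re.search(r"(^|/)admin/", r, re.I)]
```

Anything this reports is visible to every visitor who downloads the SWF, so the server-side scripts it names need their own authentication rather than relying on the path being unknown.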

All in all, flasm is your friend if you want to expose the horrors of flash websites. Or play a hacked version of "Penguin Swing" where you can kick your coworkers' asses. Speaking of which, as my grand finale, here it is - note that when you hit the penguin at the right angle, his bounce takes him much further than in the original app:
