[osflash] SWF Verification
Nicolas Cannasse
ncannasse at motion-twin.com
Mon May 26 05:15:04 PDT 2008
EECOLOR a écrit :
> Hello,
>
> As you might know, the combination of Flash player 9.0.115 and Flash
> Media Server 3 allows for swf verification. This means that the
> NetConnection will be closed if the swf where the call came from
> will not match a physical swf present on the server.
>
> If it would be clear how this is done, we can secure our backends a bit
> better without logging in. We can make sure calls to a server originate
> from a certain swf.
>
> My guess is that in 9.0.115 the rtmp protocol was changed in order to
> add a signature of the swf file. On the server the same swf will be
> 'hashed' or something and this signature will be checked against the
> incoming connection. I have no experience with reverse engeneering a
> protocol. It would be nice to check the difference between a
> NetConnection.connect call from an single swf in the player <
> 9.0.115 and 9.0.115. <http://9.0.115.>
>
> Does any one have any ideas or tips about this?
You can try to connect to haxevideo (http://haxevideo.org) and check the
log to see the parameters sent to NetConnection. However, haxevideo does
not support yet AMF3 encoding so I wonder if it's available using AMF1
encoding.
Nicolas
More information about the osflash
mailing list