This is why I'll live to be over a hundred years old. I just need to see all the new amazing technologies and inventions the future will bring. John Gage (21st person to join Sun Microsystems, Chief Researcher and Director of the Science Office) gave a speech titled "The Impact of Future Technology on Society" today at Software Development Forum's Distinguished Speaker Event. I normally don't idolize anybody, but that was one remarkably imposing talk. I feel my brain is on overdrive. Some people do drugs to get high, but I just get enormous kicks out of this kind of futuristic and yet realistic vision. I might post some quotes and slightly more organized thoughts later, but for now, I think it's enough if you go check out the World Summit on The Information Technology homepage. Probably the easiest way to dive into this is to read the Summit news headlines first.
And not to forget... Merry Christmas to everyone!
So you want to book a hotel room for $1 and cheat in games? Luckily, if they are implemented in Flash it's really easy. The problem really isn't that Flash can be fully reverse engineered and that when you are deploying a SWF, you are actually shipping source code with it. The actual security problem is that you can change the program's behavior at run time. And that's bad.
So how do you go about doing it? If you just need to change a few values or jump a few frames inside a Flash app, you can use the Flash ActiveX control's public interface to do that. To do that to a typical Flash game, you just need to check the URL it's loaded from and write your own HTML page that loads the same Flash movie. Often you also need to pass a few parameters to the Flash movie, so you probably need to trace the HTTP traffic first, which you can easily do, for example, with this handy little Http Sniffer tool. For more complex cases, such as replacing methods, you need to build your own Flash movie container first and load the target application inside it. If you are working in Flash 7, remember to lock the _root level of the child application so you don't get any complications. For Flash 6 and older, you can always load the app on some level other than level 0.
Now there's a couple of things to keep in mind. Flash does have primitive security mechanisms, like the domain sandbox, so movies from different domains are not generally allowed to access the properties of movies from other domains. However, movies loaded from localhost are not limited by the security sandbox. So you want to run your own web server or simply launch the file from your file system. Another thing is that if you want to use JavaScript to modify the Flash movie, you need to specify an id for the movie in its OBJECT / EMBED tag. That's it, happy hacking!
I've done this thing, just to test it out of course, a couple of times, so I know the approach works. However, I haven't tried booking hotel rooms, as they typically use HTTPS to load the Flash movies. The use of HTTPS makes it a bit harder, but it shouldn't be impossible at all. Because of this lack of security I wouldn't do any even remotely security-related development work in Flash.
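The defensive consequence of the point above, as an added example that is not part of the original post: because any value held in the client can be changed at run time, the server treats a client-submitted total as untrusted and recomputes the price itself. The rate table, request fields and function names are assumptions made for illustration.

```javascript
// Added example: server-side handling of a booking request from an untrusted client.
// RATES, the request fields and the function names are hypothetical.

// Authoritative nightly rates in cents, held only on the server (constructed data).
const RATES = { "std-double": 12900, "suite": 24900 };
const MAX_NIGHTS = 30;

// Recompute the total from server-side data; never read a price from the request.
function priceBooking(req) {
  // Own-property lookup so keys like "constructor" cannot resolve to a "rate".
  const known = Object.prototype.hasOwnProperty.call(RATES, req.roomType);
  if (!known) return { ok: false, reason: "unknown room type" };
  // Strict integer check: strings, floats, zero and negatives are rejected.
  if (!Number.isInteger(req.nights) || req.nights < 1 || req.nights > MAX_NIGHTS) {
    return { ok: false, reason: "invalid nights" };
  }
  return { ok: true, totalCents: RATES[req.roomType] * req.nights };
}

// Charge the server's price; a differing client-claimed total is only a signal
// for review, it never influences the amount charged.
function handleBooking(req) {
  const priced = priceBooking(req);
  if (!priced.ok) return { status: 400, error: priced.reason };
  const mismatch = req.clientTotalCents !== undefined &&
    req.clientTotalCents !== priced.totalCents;
  return { status: 200, chargeCents: priced.totalCents, flagForReview: mismatch };
}

// Constructed sample requests: one consistent, one with an altered client total.
const honest = { roomType: "suite", nights: 2, clientTotalCents: 49800 };
const altered = { roomType: "suite", nights: 2, clientTotalCents: 100 };
console.log(handleBooking(honest));
console.log(handleBooking(altered));
```

The same rule applies to game scores and any other state the movie reports: the client's copy is a display value, and only what the server derives from its own data is acted on.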