Suninatas Game 12

Challenge: Reverse engineering a Flash SWF file

Step 1: Scan QR Code

Access the admin panel at http://suninatas.com/admin/ and scan the QR code.

QR Data:

MECARD:N:;TEL:;EMAIL:;NOTE:;URL:http://suninatas.com/admin/admlogin.asp;ADR:;

Step 2: Download SWF File

Navigate to the URL in the QR code and find the Flash embed:

<embed src="admlogin.swf">

Download the SWF file.

Step 3: Identify File

file admlogin.swf

Output: Macromedia Flash data (compressed), version 8

Step 4: Decompile with FFDec

Install FFDec (Free Flash Decompiler), which is packaged in the AUR:

paru -Ss ffdec
# aur/ffdec 25.0.0-2 - Open Source Flash SWF decompiler and editor

Import the SWF file into FFDec and search for authentication logic.

Decompiled Code

on(release){
    function receipt()
    {
        if(flashid != "admin" or flashpw != "myadmin!@")
        {
            flashmessage = "Wrong ID or PW";
            play();
        }
        else
        {
            flashmessage = "Auth : Today is a Good day~~~";
            play();
        }
    }
    receipt();
}

Credentials:
- ID: admin
- Password: myadmin!@

Today is a Good day~~~
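
The "compressed, version 8" result from Step 3 comes straight from the 8-byte SWF header, and once the zlib body is inflated the string constants a client-side check relies on are readable without a decompiler. The Python sketch below is an added example, not part of the original write-up: the function names are hypothetical and the sample bytes are constructed, not the challenge file.

```python
import re
import struct
import zlib

def parse_swf(data: bytes) -> dict:
    """Read the 8-byte SWF header and return the uncompressed body."""
    if len(data) < 8:
        raise ValueError("too short to be an SWF file")
    sig, version = data[:3], data[3]
    (file_length,) = struct.unpack("<I", data[4:8])
    if sig == b"FWS":            # stored uncompressed
        body = data[8:]
    elif sig == b"CWS":          # everything after byte 8 is one zlib stream
        try:
            body = zlib.decompress(data[8:])
        except zlib.error as exc:
            raise ValueError(f"corrupt zlib stream: {exc}") from exc
    elif sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF is outside this example")
    else:
        raise ValueError(f"not an SWF signature: {sig!r}")
    # FileLength counts the header plus the *uncompressed* body.
    if file_length != len(body) + 8:
        raise ValueError("FileLength does not match the decoded size")
    return {"compressed": sig != b"FWS", "version": version, "body": body}

def printable_strings(body: bytes, min_len: int = 5) -> list:
    """Return runs of printable ASCII, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, body)]

def build_sample() -> bytes:
    """Constructed stand-in for a compressed version-8 SWF (not the challenge file)."""
    names = [b"flashid", b"flashpw", b"Wrong ID or PW"]
    body = b"\x00\x01\x02\x03" + b"\x00".join(names) + b"\x00"
    header = b"CWS" + bytes([8]) + struct.pack("<I", len(body) + 8)
    return header + zlib.compress(body)

if __name__ == "__main__":
    info = parse_swf(build_sample())
    print("compressed:", info["compressed"], "version:", info["version"])
    print("strings after inflate:", printable_strings(info["body"]))
```

Anything compared inside the SWF ships to every visitor, so a credential check belongs on the server, with the client only submitting the form values.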