One SWF to rule them all : The Almighty PreloadSWF

February 17, 2010

*EDIT 2010-08-27*
this tool = @deprecated
the NEW (and way better) version can be found at: FlashPreloadProfiler
*END EDIT*

In my last article I introduced you to a bunch of features hidden in mm.cfg.

Many were very happy to see advanced tracing and logging features.
Many were happy to be able to see the byte code easily.
But everybody missed the most important feature!

The Almighty PreloadSWF

  • Would you like to have debugging information (fps, memory, etc.) for your Flash app?
  • Would you like to have debugging information for other people's Flash apps?
  • Would you like to be able to see the flash vars passed to a live SWF?
  • Would you like to be able to edit a live Flash app on any website?
  • Would you like to be able to retrieve, in unencrypted form, encrypted files that have been loaded?

It’s all possible, and more!


    How does it work

    PreloadSWF is a feature mostly used by the Flex Profiler. When a profiling session starts, the Flex Profiler writes its own PreloadSWF entry in the mm.cfg file and launches its sampler SWF. When the sampler SWF is loaded, it passes information about the profiled SWF to the profiler via a socket connection.

    OK, but what is the relation between the sampler app and the profiled app? Both files are supposedly in separate domains and hence are not supposed to communicate directly with each other. When the PreloadSWF starts, you have absolutely no information concerning the other SWF being loaded and you have nothing to hook onto to get that access (for now).

    First, you need the debug version of the Flash Player.
    You have to set up your mm.cfg file to point to a SWF.
    Then ANY (AS3) Flash app you load will load your SWF first.
    (By the way, when I say any… it’s really ANY! The loaded SWF can be a debug OR a release build!)
    And it’s also valid in any context: standalone player, browser, Bridge, ActiveX, anything.
    At this point you can add stuff to your stage and actually see it in a public Flash app on the internet.
    But since there is no communication between the public SWF and your SWF, and your SWF is local to your computer, there is not much to do.

    Here comes the magic: another hidden feature of Flash.
    When the second Flash app is loaded, an (undocumented) event called “allComplete” is triggered. And the good thing about this event is that it has a valid target! And guess what target this is? The main Flash app! The only thing you have to do is add an event listener on “allComplete” and wait for it to be triggered!

    OK, so what can be done with that?
    Well, by having access to the main stage, you can do anything you want! Add sprites, manipulate the DisplayList…
    You can also get the Flash params, because once you have the stage, you also have:

  • loaderInfo.url (URL of the main app)
  • loaderInfo.bytes (actual bytes of the file loaded in an unencrypted format)
  • loaderInfo.parameters (all flash parameters passed to the Main app)
    Wow, that’s awesome!

    But let’s think about it: if I’m loaded first, and I have access to the stage, then what prevents me from calling an external profiler like De MonsterDebugger?
    Again, no restriction here!
    Just add the MonsterDebugger classes to your SWF, and run your favorite video from a live website; you can now edit all the interfaces and controls of that Flash instance right away!
    Using that, you can also call public functions with parameters from inside MonsterDebugger.

    But what more could be done…
    Class merging? Wrong… you can’t, because securityDomains won’t let you.
    But what would happen if you took the loaderInfo.bytes and did a
    loader.loadBytes(bytes, new LoaderContext(false, ApplicationDomain.currentDomain));
    Well, that works, and you can now override classes! (But it’s kind of useless, since your URL won’t be the same afterwards and most transactions will be refused.)
    Still, it’s a nice trick ;)
    If you’re interested in fake SWF loading with class merging, read my advanced flash player security walkthrough!

    Don’t forget that once you have modified the mm.cfg file to run your SWF, every Flash instance will run your code, so make sure it’s lightweight!
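A leftover or unexpected PreloadSWF line means every AS3 SWF the debug player opens loads that file first, so mm.cfg is worth auditing. The following is an added example, not code from the original post or from MicroProfiler; the function names, the allow-list parameter and the case-insensitive key match are assumptions, and the sample config is constructed.

```python
import ntpath
import posixpath
import re

# mm.cfg holds one Key=Value pair per line, e.g. PreloadSWF=c:\MicroProfiler.swf
ENTRY = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")

def is_preload(line):
    """True if the line sets the preload key. Matching ignores case (an assumption),
    because the page spells the key both PreloadSWF and PreloadSwf."""
    m = ENTRY.match(line)
    return bool(m) and m.group(1).lower() == "preloadswf"

def normalise(path):
    """Make paths comparable: Windows paths ignore case and slash direction."""
    if re.match(r"^[A-Za-z]:", path) or "\\" in path:
        return ntpath.normcase(ntpath.normpath(path))
    return posixpath.normpath(path)

def audit_mm_cfg(text, approved=()):
    """Report every preload entry in the text of an mm.cfg file.
    `approved` is a hypothetical allow-list of SWFs preloaded on purpose."""
    allowed = {normalise(p) for p in approved}
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if is_preload(line):
            path = ENTRY.match(line).group(2)
            status = "approved" if normalise(path) in allowed else "unexpected"
            findings.append({"line": lineno, "path": path, "status": status})
    return findings

def without_preload(text):
    """Return the config with every preload entry dropped, other settings intact."""
    return "".join(l for l in text.splitlines(keepends=True) if not is_preload(l))

# Constructed sample: two logging keys plus the entry from the article.
SAMPLE = (
    "ErrorReportingEnable=1\n"
    "TraceOutputFileEnable=1\n"
    "PreloadSWF=c:\\MicroProfiler.swf\n"
)

if __name__ == "__main__":
    for f in audit_mm_cfg(SAMPLE, approved=[r"C:\Tools\MicroProfiler.swf"]):
        print(f"mm.cfg line {f['line']}: {f['path']} [{f['status']}]")
```

Feed it the contents of each user's mm.cfg; an "unexpected" finding is a SWF that will be injected ahead of every AS3 movie that user's debug player loads.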


    Example

    I made a simple app to show statistics on the currently playing Flash app.
    The objective was to show all the most important information while keeping the interface as small as possible.


    MicroProfiler


    The profiling information shown is:
    FPS (Frame per Second) with a graph
    Current Memory and Max Memory with a graph
    Connectivity with MonsterDebugger (The Icon is in color when the connection is established)

    The memory graph reflects changes over time.

  • The yellow bar is the lowest memory in the last 60 seconds.
  • The white line with trailing is the current memory.
  • The bar is from 0 to MaxMemory
  • The app also adds a contextMenu item “Show Profiler” which toggles the profiler's visibility on and off

    Open your mm.cfg and set PreloadSWF=c:\MicroProfiler.swf
    Enjoy the (profiled) web!

    SVN Source Code
    Direct View Source
    bin/MicroProfiler.swf


    Request

    The app I made is very experimental and the code is very messy. If someone wants to add features or make it better, please do! Just send it back to me so that I can update it here. Thanks!


    Conclusion

    I hope that this feature will be used more for “good” reasons than for bad ones.
    I know that it enables people to manipulate live data and that it can be very tricky, but I really think that better and bigger tools will come out of all the hidden features I have released so far.

    I also think that releasing all this information is good for ActionScript because it encourages senior programmers from many other languages to look at AS3 and Flash in a different way.

    Link to my new twitter: @jpauclair

    *Edit*
    I entered a bug in the Adobe bug base to fix this issue. (But since it’s under Security, no one can see it)
    The way I see it: they could block all PreloadSWF action when the loaded SWF is in release mode.

    Also, if you want to prevent being targeted by this, follow good coding practice:
    If something does not NEED to be public, set it to protected or private. (won’t be seen in MonsterDebugger)
    Do not read data like Sprite.x, Sprite.y, just write to them. All manipulation should be done in a background DataStructure.
    *End edit*


    References

    De MonsterDebugger
    DisplayLoader
    Sampler Package


    45 Comments
    1. damian permalink

      Hi,

      Nice work!
      I’ve been trying to get this to run but no joy so far. I downloaded DeMonsterDebugger and your source files and compiled a version which shows up as normal (fps, memory etc).

      I’ve added a line to my mm.cfg file with the path to the preloader swf.

      So far I’ve tried:
      * YouTube: No debug bar, but I get some more context links on right-click (copy embed html, show video info, copy debug info)
      * the flash on my own site: no change
      * a full flash website: no change (though on that site, a context menu is used to hide all the non essential links)
      * a project with a preloader (built from flashdevelop and adding a “-frame start Main” line to the precompile options): SWF opens and closes immediately
      * a project with no preloader: crashes immediately

      Am I perhaps missing something?
      Thanks

      • You need Flash (debug version).
        YouTube is not all AS3; there are many AVM1 movies.

        • damian permalink

          yep,
          The last 2 points (project with and without preloader) are running from FlashDevelop using the debug player.

          Is there a particular site or swf that you test this on?
          thanks

        • I’m in the same boat. Using FP 10.1 debug viewing AS3 movies, and I don’t see the toolbar. Anyone else have suggestions?

        • Make sure MicroProfiler.swf is located inside a secure location. You will most likely need to change your Flash Player’s global security settings:

          http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager04.html

          After altering it you might need to restart your browser. I was kinda curious so I tested this in the debug FP standalone, IE 8, FF 3.5, Chrome 4, Safari 4.0 and Opera 10.5 ^^. The toolbar works fine anywhere ;)

          Thanks Jean Phillipe, you rock!

        • Took me a few to figure out how to get it set up as well, but just as a help to anyone else, running the standalone debugger from the command line can help you figure out what’s wrong.
          In my case: “PreloadSwf paths must be local trusted: /opt/MicroProfiler.swf”
          So I just added it to the trusted programs list in the settings page Fernando França linked and it worked. :]
          Thanks for the interesting info and test prog jpauclair!

      • Are you able to run flex Profiler?
        Are you sure you have the Flash Player Debug running?

    2. Awesome work ! I was wondering where you get the Flash undocumented features giving that they are… not documented ?

      • Jean-Philippe Doiron permalink

        Trial and error ;)

        btw, good post JP.

    3. Nice !
      But maybe another undoc feature that will be removed in the next player release…

    4. Jérémie Charest permalink

      Go JP! Go JP!

    5. Thierry permalink

      Very interesting, thanks JP !!

    6. Just came across your blog for the first time , have read several posts and am super impressed with everything, I take my hat off to all super programmers eg Joa , Andre and yourself etc.. that unravel inner workings of flash player and push the boundaries contributing to better more functional and optimized further development of the player.

      Thanks

      • Wow.. Well thanks to you!
        Being put in the same category as those guys really makes me proud of what I’ve done here!!

    7. Suman permalink

      I tried it, but no luck so far. I have debug version of flash player, modified mm.cfg file, modified flash player security settings, still not able to see the profiler bar.
      Thanks

    8. Suman permalink

      I see this error in log file “PreloadSwf paths must be local trusted:”

      Thanks in advance

    9. Suman permalink

      Thanks for providing this information but it did not work for me. I have added full swf path to settings at
      http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager04.html
      Still no luck.
      Thanks
      Suman

    10. jonathanasdf permalink

      Wow.. awesome post!

      I just have one small problem. At first there was the “PreloadSwf paths must be local trusted”. Ok, so I added the exception to the settings. But now I’m getting this error instead:

      Warning: Not a known player download type, file:///G|/projects/flashlogs/MicroProfiler.swf

      Has anyone run into this problem?

      Another observation: The error “PreloadSwf paths must be local trusted” uses “paths”. I’m not sure whether this is a typo, or whether that means there may be multiple PreloadSwfs that you could load… :D

      then you can create multiple layers of PreloadSwfs, and then create various scripts to create a mm.cfg file before compilation that loads in the correct layers of PreloadSwfs that you want to have. This could be very powerful.

      • I’m getting the same issue in my flashlog.txt

        Warning: Not a known player download type, file:///D|/Dropbox/Settings/MicroProfiler.swf

        FP 10,0,45,2 Windows 7

        I have added D:\ and D:\Dropbox\Settings\MicroProfiler.swf to the trusted security…

        Mike

        • +1 to Mike , having the same problem here as well with the same version of FP 10.0.45.2 windows xp.

        • Yoz has written a small procedure that you could try.

          http://blog.yoz.sk/2010/04/the-ultimate-debugging-and-profiling/

          There is also the fact that PreloadSWF is very hazardous and may just not show for any reason.
          When it happens to me, I just close every browser window, any Flash instance, and start over with only one Flash target.

          Tell me if you find any other solution!

        • Nope, still getting the same error, after closing everything. Tried restarting the computer still nothing.

          Not tried rolling my own SWF yet, though I can’t think why that would work.

          Mike

        • jonathanasdf permalink

          I’ll try creating my own swf tonight when I get home, but like Mike said I don’t believe that it would make a difference… Could the preloadSWF thing have been patched in the newest FP? I noticed the thing in common between the 3 of us is that we use 10,0,45,2…

    11. Suman permalink

      Great post!! Thanks for all the information.
      I am able to make AS3 project as preload swf. I am curious if we can use Flex project as preload swf?

      • peace.lion permalink

        ok so what’s your secret ???!!! i’m following all the steps, global security and blah… but still “PreloadSwf paths must be local trusted:” !!!!! thanks in advance.

      • 4j67Pp That’s not just the best answer. It’s the bestest answer!

    12. For everyone with “Warning: Not a known player download type” error, simply recompile from source.

      Or try this version http://www.failsafegames.com/MicroProfiler.swf

    13. Tomasz Lisiewicz permalink

      Thanks JP for the great profiler!

      I’ve got a question though – maybe I’m missing something: is it possible to use your or a similar tool to debug AS2 SWFs? ;)

      • Sadly, it’s not.

        The tool uses an AS3-only event, “allCompleteEvent”.
        You COULD launch a SWF before an AS2 SWF… but you would never receive the magical event, hence not being able to bind to the interface.

        What you could do is a “trace”, “localconnection”, or socket connect profiler. But there is not much data that could be retrieved by this.

        You should take a look at the new version of the tool:
        http://jpauclair.net/flashpreloadprofiler/

        I’m also releasing a new version soon. With a LOT more stuff for profiling.

    14. Enrique permalink

      Hi, I don’t know If I’m understanding this.
      Can this be used for stealing our code? even if it’s encrypted and obfuscated?

      • Well, you can always steal code. One way or another.
        But yes, this could help someone with bad intentions… and for that it’s sad. But it can also help with making better tools, easier debugging, profiling and finding problems.

        The FlexProfiling tool (sold by Adobe) is using that tech.

    15. Thomas Pujolle permalink

      How about in an AIR Flex app? I cannot manage to get this event in this context… :(
