One SWF to rule them all : The Almighty PreloadSWF

February 17, 2010

*EDIT 2010-08-27*
this tool = @deprecated
the NEW (and way better) version can be found at: FlashPreloadProfiler
*END EDIT*

In my last article I introduced you to a bunch of features hidden in mm.cfg,

Many were very happy to see advanced tracing and logging features.
Many were happy to be able to see the byte code easily.
But everybody missed the most important feature!

The Almighty PreloadSWF

Would you like to have debugging information (fps, memory, etc.) for you flash app?

Would you like to have Debugging information for other people flash app?

Would you like to be able to see flash var passed to a live SWF?

Would you like to be able to edit live flash app on any website?

Would you like to be able to retrieve encrypted files that have been loaded in an unencrypted format?

It’s all possible, and more!

How does it work

PreloadSWF is a feature mostly used by the Flex Profiler. When a profiling start, the Flex Profiler will write its own PreloadSWF entry in the mm.cfg file and launch its sampler SWF. When the sampler SWF is loader, it passes information about the profiled SWF to the profiler via socket connection.

Ok, but what is the relation between the sampler app and the profiled app? Both file are supposedly in separated domains and hence are not supposed to have direct communication one with the other. When the PreloadSWF starts, you have aboslutly no information conserning the other swf being loaded and you have nothing to hook on to get that access (for now).

First, you need the Flash Player debug version
You have to setup you mm.cfg file to point to a SWF.
Then ANY (as3) flash app you load will load your SWF first.
(By the way, when I say any… it’s really ANY! (Mode: debug OR release!)
And it’s also valid in any context: Stand alone Player, Browser, Bridge, ActiveX, anything.
At this point you can add stuff to your stage and actually see it in a public flash app on the internet.
But since there is no communication between the public SWF and your SWF, and your SWF is local to your computer, there is not much to do.

Here come the Magic: Another hidden feature of flash.
When the second flash app is loaded, there is an (undocumented) event triggered called “allComplete“. And the good thing about this event is that it has a valid target! And guess what target this is? The Main flash app! The only thing you have to do is add an event listener on “allComplete” and wait for it to be triggered!

Ok so what can be done with that?
Well, by having access to the Main stage, you can do anything you want! Add sprite, manipulate DisplayList…
You can also have the Flash params because since you got the stage, you also have:

loaderInfo.url (URL of the main app)

loaderInfo.bytes (actual bytes of the file loaded in an unencrypted format)

loaderInfo.parameters (all flash parameters passed to the Main app)

Wow that’s awesome!

But let’s think about it: if I’m loaded first, and I have access to the stage, then what restrain me from calling an external profiler like DeMonsterDebugger?
Again, no restriction here!
Just add the MonsterDebugger classes to you SWF, and run your favorite video from a live website; you can now edit all the interfaces and controlof that flash instance right away!
Using that you can also call public function with parameters inside MonsterDebugger.

But what more could be done…
Class merging? Wrong… you can’t because securityDomains won’t let you.
And what would happen if you take the loaderInfo.bytes, and do a
loader.loadBytes(bytes, Application.currentDomain);
Well that is working, you can now override classes! (But it’s kind of useless since after that your URL won’t be the same and most transactions will be refused after that.
Still it’s a nice trick 😉
If you’re interested in fake SWF loading with class merge, read my advanced flash player security walkthrough!

Don’t forget that once you modified the mm.cfg file to run your SWF, all flash will run your code, so make sure it’s lightweight!

Example

I made a simple app to show statistic on the currently played flash app.
The objective was to have all the most important information while still keep the smallest interfaces possible.

MicroProfiler

The profiling information I showed are:
FPS (Frame per Second) with a graph
Current Memory and Max Memory with a graph
Connectivity with MonsterDebugger (The Icon is in color when the connection is established)

The memory graph reflect changes over time.

The yellow bar is the lowest memory in the last 60 seconds.

The white line with trailing is the current memory.

The bar is from 0 to MaxMemory

The app also add a contextMenu item “Show Profiler” which toggle on/off the profiler visibility

open your mm.cfg and set PreloadSWF=c:\MicroProfiler.swf
Enjoy the (profiled) web!

SVN Source Code
Direct View Source
bin/MicroProfiler.swf

Request

The app I made is very experimental and the code is very messy. If someone wants to add feature or make it better please do! Just send it back to me so that I can update it here. Thanks!

Conclusion

I hope that this feature will be used more for “good” reason than for bad ones.
I know that it enables people to manipulate live data and that it can be very tricky, but I really think that better and bigger tools will comes out of all the hidden features I released yet.

I also think that releasing all these information is good for ActionScript because it encourage senior programmer from many other languages to look at as3 and flash in a different way.

Link to my new twitter: @jpauclair

*Edit*
I entered a bug in the Adobe bug base to fix this issue. (But since it’s under Security, no one can see it)
The way I see it: The could block all PreloadSWF action when the loaded SWF is in release mode.

Also, if you want to prevent being targeted by this, follow good coding practice:
If something does not NEED to be public, set it to protected or private. (won’t be seen in MonsterDebugger)
Do not read data like Sprite.x, Sprite.y, just write to them. All manipulation should be done in a background DataStructure.
*End edit*

References

De MonsterDebugger
DisplayLoader
Sampler Package

From → actionscript, general, security

46 Comments

damian permalink

Hi,

Nice work!
I’ve been trying to get this to run but no joy so far. I downloaded DeMonsterDebugger and your source files and compiled a version which shows up as normal (fps, memory etc).

I’ve added a line to my mm.cfg file with the path to the preloader swf.

So far i’ve tried:
* youtube: No debug bar, but i get some more context links on right-click (copy embed html, show video info, copy debug info)
* the flash on my own site: no change
* a full flash website: no change (though on that site, a context menu is used to hide all the non essential links)
* a project with a preloader (built from flashdevelop and adding a “-frame start Main” line to the precompile options): SWF opens and closes immediately
* a project with no preloader: crashes immediately

Am I perhaps missing something?
Thanks
- jpauclair permalink
  
  you need flash (debug version)
  youtube is not all as3, there is many avm1 movie.
  - damian permalink
    
    yep,
    The last 2 points (project with and without preloader) are running from FlashDevelop using the debug player.
    
    Is there a particular site or swf that you test this on?
    thanks
  - Chris Deely permalink
    
    I’m in the same boat. Using FP 10.1 debug viewing AS3 movies, and I don’t see the toolbar. Anyone else have suggestions?
  - Fernando França permalink
    
    Make sure MicroProfiler.swf is located inside a secure location. You will most likely need to change your Flash Player’s global security settings:
    
    http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager04.html
    
    After altering it you might need to restart your browser. I was kinda curious so I tested this in the debug FP standalone, IE 8, FF 3.5, Chrome 4, Safari 4.0 and Opera 10.5 ^^. The toolbar works fine anywhere 😉
    
    Thanks Jean Phillipe, you rock!
  - Wa permalink
    
    Took me a few to figure out how to get it set up as well, but just as a help to anyone else, running the standalone debugger from the command line can help you figure out what’s wrong.
    In my case: “PreloadSwf paths must be local trusted: /opt/MicroProfiler.swf”
    So I just added it to the trusted programs list in the settings page Fernando França linked and it worked. :]
    Thanks for the interesting info and test prog jpauclair!
- jpauclair permalink
  
  Are you able to run flex Profiler?
  Are you sure you have the Flash Player Debug running?
sroucheray permalink

Awesome work ! I was wondering where you get the Flash undocumented features giving that they are… not documented ?
- Jean-Philippe Doiron permalink
  
  Trial and error 😉
  
  btw, good post JP.
Eric Priou permalink

Nice !
But maybe another undoc feature that will remove in the next player release…
- jpauclair permalink
  
  If they remove it, we lose flex profiler.
Jérémie Charest permalink

Go JP! Go JP!
Thierry permalink

Very interesting, thanks JP !!
ian pretorius permalink

Just came across your blog for the first time , have read several posts and am super impressed with everything, I take my hat off to all super programmers eg Joa , Andre and yourself etc.. that unravel inner workings of flash player and push the boundaries contributing to better more functional and optimized further development of the player.

Thanks
- jpauclair permalink
  
  Wow.. Well thanks to you!
  Being put in the same category of thoses guys really make me proud of what I’ve done here!!
Suman permalink

I tried it, but no luck so far. I have debug version of flash player, modified mm.cfg file, modified flash player security settings, still not able to see the profiler bar.
Thanks
Suman permalink

I see this error in log file “PreloadSwf paths must be local trusted:”

Thanks in advance
Suman permalink

Thanks for providing this information but it did not work for me. I have added full swf path to settings at
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager04.html
Still no luck.
Thanks
Suman
jonathanasdf permalink

Wow.. awesome post!

I just have one small problem. At first there was the “PreloadSwf paths must be local trusted”. Ok, so I added the exception to the settings. But now I’m getting this error instead:

Warning: Not a known player download type, file:///G|/projects/flashlogs/MicroProfiler.swf

Has anyone run into this problem?

Another observation: The error “PreloadSwf paths must be local trusted” uses “paths”. I’m not sure whether this is a typo, or whether that means there may be multiple PreloadSwfs that you could load… 😀

then you can create multiple layers of PreloadSwfs, and then create various scripts to create a mm.cfg file before compilation that loads in the correct layers of PreloadSwfs that you want to have. This could be very powerful.
- Mike permalink
  
  Im getting the same issue in my flashlog.txt
  
  Warning: Not a known player download type, file:///D|/Dropbox/Settings/MicroProfiler.swf
  
  FP 10,0,45,2 Windows 7
  
  I have added D:\ and D:\Dropbox\Settings\MicroProfiler.swf to the trusted security…
  
  Mike
  - anupam permalink
    
    +1 to Mike , having the same problem here as well with the same version of FP 10.0.45.2 windows xp.
  - jpauclair permalink
    
    Yoz has written a small procedure that you could try.
    
    http://blog.yoz.sk/2010/04/the-ultimate-debugging-and-profiling/
    
    There is also the fact that PreloadSWF is very hazardous and may just not show for any reasons..
    When it happen for me, I just close every browser window, any flash instance, and start over with only one flash target.
    
    Tell me if you find any other solution!
  - Mike permalink
    
    Nope, still getting the same error, after closing everything. Tried restarting the computer still nothing.
    
    Not tried rolling my own SWF yet, tho I cant think why that would work.
    
    Mike
  - jonathanasdf permalink
    
    I’ll try creating my own swf tonight when I get home, but like Mike said I don’t believe that it would make a difference… Could the preloadSWF thing have been patched in the newest FP? I noticed the thing in common between the 3 of us is that we use 10,0,45,2…
Suman permalink

Great post!! Thanks for all the information.
I am able to make AS3 project as preload swf. I am curious if we can use Flex project as preload swf?
- peace.lion permalink
  
  ok so what’s your secret ???!!! i’m following all the steps, global security and blah… but still “PreloadSwf paths must be local trusted:” !!!!! thanks in advance.
- Snowy permalink
  
  4j67Pp That’s not just the best answer. It’s the bestest answer!
Failsafe Games permalink

For everyone with “Warning: Not a known player download type” error, simply recompile from source.

Or try this version http://www.failsafegames.com/MicroProfiler.swf
Tomasz Lisiewicz permalink

Thanx JP for great profiler!

I’ve got a question although – maybe I’m missing something: is it possible to user Your or similar tool to debug AS2 SWF’s? 😉
- jpauclair permalink
  
  Sadly, it’s not.
  
  The tool use a AS3 only event “allCompleteEvent”.
  you COULD launch a SWF before an AS2swf.. but you would never receive the magical event, hence not being able to bind to the interface.
  
  what you could do is a “trace”, “localconnection”, or socket connect profiler. But there is not much data that could be retreived by this.
  
  You should take a look at the new version of the tool:
  https://jpauclair.net/flashpreloadprofiler/
  
  I’m also releasing a new version soon. With a LOT more stuff for profiling.
Enrique permalink

Hi, I don’t know If I’m understanding this.
Can this be used for stealing our code? even if it’s encrypted and obfuscated?
- jpauclair permalink
  
  Well, you can always steal code. One way or another.
  But yes this could help someone with bad intention.. and for that it’s sad. But it can also help making better tool, easier debugging, profiling and finding probems.
  
  The FlexProfiling tool (selled by Adobe) is using that tech.
Thomas Pujolle permalink

How about in a AIR Flex App ? I cannot manage to get this event in this context… 😦
- jpauclair permalink
  
  Try the new tool, it has evolved a lot since this post:
  https://jpauclair.net/flashpreloadprofiler/