.comment-link {margin-left:.6em;}
Xavier's Security Post
Sunday, May 07, 2006
  Google, Interactive Marketing, and SWF Decompiler
For weeks Google and Sony have been running a promotion for the film The DaVinci Code. It's even linked right on the front page of Google.com, and if you have a Google/Gmail account (and are logged into it) you can easily participate in the promotion by completing several logic games. And, after enduring repetitive content and subliminal messages referring to The DaVinci Code, you may win some prizes. It is called "Interactive Marketing".

In doing some research, it seems the developers of the logic games themselves are not Google folks, but instead flash designers at BIG SPACESHIP. Sony uses the Google.com link and name brand to promote their film, and thats that. All parties are happy, as would anyone in a business deal be.

Curious, and aware that the promotional games were developed in Flash, I went ahead and used a (recent) favorite toy Sothink SWF Decompiler. With it, I was able to decompile the flash file involved and found a few things of interest.

In Sprite 248 (or __Packages.com.sony.davinci.puzzles.hang.HangPuzzle: which seems to be the code the game where you hang paintings on the wall) starting from line 218 to 222:
if (_loc5)
big.utils.Out.info(this, "A WINNER IS YOU");
The quoted bit, "A WINNER IS YOU", is a reference to a Nintendo game called Pro Wrestling. It's used by old time Nintendo gamers, and posers.

In Sprite 255 (or __Packages.com.sony.davinci.puzzles.sudoku.Sudoku: which seems to be the main code for the sudoku logic game) in function setStartPostion(), starting from line 1250 to 1254:
var _loc3 = $who;
if (_selectedPiece == _pieces[_loc3] && Math.abs(_startPoint.x - _selectedPiece._x) < 4.000000E-001 * _pieceLength[_plIndex])
big.utils.Out.info(this, "user is idiot clicking. Tell user to stop it.");
Apparently there is a human function called 'idiot clicking'.

In Sprite 255 again, in function checkAnswer() from line 796 to 806:
function checkAnswer()
if (_gamePositionObj.toString() == _solutionObj.toString())
} // end else if
} // End of the function
If you search for the onYouSuck() function, you'll find on lines 459 to 463:
function onYouSuck()
_board.loseAlert._visible = true;
_board.winAlert._visible = false;
} // End of the function
Again, the same reference from Sprite 248 was used in function onYouWin() from lines 464 to 469:
function onYouWin()
big.utils.Out.info(this, "a winner is you!");
delete _target.onEnterFrame;
} // End of the function
Finally, in function returnSymbol() on lines 710 to 711:
big.utils.Out.warning(this, "RETURN SYMBOL GOT FUX0RED // $mc._name.substr(0,2) = " + $mc._name.substr(0, 2));
I got a kick out of this one because the developers involved did not censor themselves in saying the user idiot clicks, and sucks, Yet the word "Fuck", or in this case "Fucked" is censored.

In Sprite 258 (or __Packages.com.sony.davinci.puzzles.jigsaw.Jigsaw: which seems to be the main code for the Jigsaw game) on line 397 you see all the answers listed in a variable called _LEVELDATA. Apparently these are the answers to all the Jigsaw questions:
Level 1: rows: 4, cols: 4, symbols: 0, City Answer: "newyork", "newyorkcity"

Level 2: rows: 4, cols: 4, symbols: 1, City Answer: "rome", "roma"

Level 3: rows: 4, cols: 4, symbols: 4, City Answer: "london", Trivia Answer: "imperialcollegelondon", "imperial", "imperialcollegeofsciencetechnologyandmedicine", "imperialcollege"

Level 4: rows: 4, cols: 4, symbols: 9, City Answer: "paris", Trivia Answer: "square", "squares", "squarenumbers", "squarenumber", "thesquarenumbers", "thesquares"

In Sprite 259 (or __Packages.com.sony.davinci.puzzles.hang.blobs.BlobsPuzzle: seems to be the code for the Blobs game, where there are globs of crap on the paintings and you need to clean them up) starting with function onPuzzleFailed() on line 255 to 261:
function onPuzzleFailed()
var _loc2 = "Sorry, there are no more valid pairs.
Click OK to reset the puzzle.";
big.utils.Out.debug(this, "you #%%*ed up");
com.sony.davinci.puzzles.Main.showDialog(_loc2, 0, {str: "OK", obj: this, func: resetPuzzle});
} // End of the function
Here we see another censored comment. In function onPuzzleSolved() on lines 262 to 267:
function onPuzzleSolved()
big.utils.Out.debug(this, "you are teh winnar");
} // End of the function
Explanation of above.


In Sprite 257 (or __Packages.com.sony.davinci.puzzles.hang.observation.Observation: which seems to be the code for the Observation game) inside function resetPuzzle() you see a _LEVELDATA variable set with questions and answers and they go as follows:
Level 1
a) In the video, we see Robert Langdon dusting off a classical symbol, one associated with a character we only see a brief glimpse of in the video. What is the name of that oft-gilded symbol?

b) Symbols, and symmetry, can be seen in the most unlikely of places. One such example is the position of the body at the crime scene, which resembles a drawing also depicted on the obverse of the Italian one-euro coin. What is the name of that famous Leonardo Da Vinci drawing?

c) One of the most iconic symbols of the movie is the cryptex, a small cylinder of stacked marble disks, embossed with letters and sealed with brass caps at either end. The twenty-six letters allow for almost twelve million possible password combinations--11,881,376, to be exact. Armed with that knowledge, can you tell us how many dials it has?

a) fleurdelis or fleurdelys
b) vitruvianman or thevitruvianman or canonofproportions or proportionsofman or uomovitruviano or luomovitruviano
c) 5 or five

Level 2
a) A seemingly-important stone object is extracted from the ground by Silas. What is its shape?

b) An interesting viewpoint is the vantage point from which we last see Silas. What is the last thing we see him touch?

c) During the action in the video, we see many things shattered and destroyed, but what is it that will ultimately be broken?

a) octagon or octagonal
b) holywater or font or "baptismalfont
c) silence or thesilence

Level 3
a) Speaking of fascinating characters, there's only one letter in the entire video that is clearly written in lower-case. What is that letter?

b) In just one word, the noble Sir Leigh describes the pursuit that both he and you are on. What is that word?

c) And to bring this back to the topic of movie spectacles, how many times is Sir Leigh shown wearing his? His spectacles, that is.

a) f
b) quest
c) 7 or seven

Level 4
a) Cryptography is all about noticing numbers and patterns. Here's a simple one to start with: how many glass panes are visible on each of the doors to Sir Teabing\'s mansion?

b) Although it refers to words not spoken, we hear it spoken three times. What is that word?

c) This final question will really test your powers of observation. What is the name of the character shown holding a votive candle holder?

a) 9 or nine
b) secret or secrets
c) silas

That is it for now, as it seems nothing more of interest lies in the comments. Let me just note: though this post doesn't discuss any specific vulnerabilities, it was fun regardless to sift through this marketing project and see what kind of stuff Google is willing to plaster on their site.

It also should be noted that you can easily use the decompiled code to create a "crack" for all the logic games. all the answers and puzzles can be solved before you even have to put a thought into it.
post the whole uncompiled source.
Hah, good work with the false questions. :D
Actually, it seems Google went ahead and changed the answers (with a new game flash file). I was surprized by the new questions too! :)
any chance u can post the entire source? or the NEW source?
Indeed, in my next post I'll throw an archive with the code.
Post a Comment

Links to this post:

Create a Link

<< Home
This public blog will be a place for me to output any Security findings, both technological and physical, that I have come about. I will post Security advisories I was apart of, and also other interesting bits of knowledge. email: xavier [at] tigerteam.se

Rocks Clusters <=4.1 mount-loop local root
Rocks Clusters <=4.1 umount-loop local root
TSEAD-200606-6 - Rocks Clusters <=4.1 local root
xorgmodroot.py - Xorg-server 1.0 / <=X11R6.9.0-7.0 local root
TSEAD-200509-5 - Multiple Netscape.com vulnerabilities.
TSEAD-200512-3 - Multiple vulnerabilities in KISBG <=v5.1.1
fsigk_exp.py - FSIGK for Linux <=2.10-431 local root
TSEAD-200510-4 - FSIGK for Linux <=2.10-431 advisory
ritk.php - remote inclusion pentest tool
owm_exp.py - openwebmail <=2.51+ local root
perliodebug_exp.py - perlIO_debug 5.8.* local root
bankfix.py - bank card number lookup tool
TSEAD-200412-2 - AOL XSS/file read vuln
TSEAD-200412-1 - AOL redir vuln

September 2005 / October 2005 / November 2005 / December 2005 / March 2006 / April 2006 / May 2006 / June 2006 / July 2006 / September 2006 / October 2006 /