an0n
CRT(E|O|L) | OSCP | @RingZer0_CTF 1st (for 2yrs) | HackTheBox Top10 | RPISEC MBE | Flare-On completer | GoogleCTF writeup winner | SSD research | Math MSc |🇭🇺

Aug 17, 2022, 7 tweets

If you want to browse the customer service locations of the Hungarian State Treasury on allamkincstar.gov.hu, it is good to have some basic #ReverseEngineering skills. 😉 #UXFail @AdobeFlash in 2022. Thread 1/🧵⬇️

It is relatively easy to navigate to a customer service selector page. At the bottom there should be a county chooser according to the text, but there is nothing below. Let’s see why. 2/🧵⬇️

In the source code we can see that the webpage includes a Flash (SWF) object. Yes, the county chooser of allamkincstar.gov.hu is a Flash object, even though it is 2022, @AdobeFlash is EOL and support has been removed from the browsers for over 1.5 years. 3/🧵⬇️

Ok, let’s download the SWF file and try to open it with the open source Ruffle.rs Flash Player Emulator (outside the browser). Now we have the county chooser on a map, but unfortunately we still do not know how it interacts with the webpage. 4/🧵⬇️

Let’s add some debugging through Rust logging variables for Ruffle. Now by pushing the various counties on the map, there are trace messages showing different error values for the different counties. For example, we get 13 for the capital Budapest+Pest county. 5/🧵⬇️

Now let’s extract the ActionScript from the SWF file using the Flare tool (nowrap.de/flare.html). The decompiled ActionScript shows that the various button release events call the same JavaScript function with different integer parameters. 6/🧵⬇️

Back to the selector page in the browser. Let’s call the extracted JS function in the console with param 13 (sniffed from tracing the SWF). Success: it opens the page where the required customer service locations are listed.

This is how we browse the web here in 2022. 7/🧵🙃🇭🇺
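The decompile-and-map step from tweets 6 and 7, as an added example that is not part of the original thread: it walks Flare-style decompiled ActionScript and lists which button event calls which JavaScript function with which integer. It assumes the SWF reaches the page through `getURL('javascript:...')`, a common bridge in older Flash movies; the sample text, the function name `selectCounty` and the button ids are constructed, not taken from the site.

```python
import re
from collections import defaultdict

# Constructed sample in the style of Flare's decompiled output; the function
# name selectCounty and the button ids are hypothetical, not from the site.
SAMPLE_FLR = """\
movie 'map.swf' {
  button 4 {
    on (release) {
      getURL('javascript:selectCounty(13)', '');
    }
  }
  button 7 {
    on (release) {
      getURL("javascript:selectCounty(2);", "_self");
    }
  }
  button 9 {
    on (rollOver) {
      gotoAndStop(3);
    }
  }
}
"""

BLOCK = re.compile(r"^\s*(button|movieClip|frame)\s+(\d+)")
EVENT = re.compile(r"^\s*on\s*\(([^)]*)\)")
# Assumption: the SWF -> page bridge is getURL('javascript:fn(<int>)').
JS_CALL = re.compile(r"getURL\(\s*['\"]javascript:\s*(\w+)\((-?\d+)\)")

def js_bridge_calls(flr_text):
    """Return {js_function: [(block, event, int_param), ...]} for every
    getURL('javascript:...') call found in decompiled ActionScript."""
    calls = defaultdict(list)
    block = event = None
    for line in flr_text.splitlines():
        if m := BLOCK.match(line):
            block, event = f"{m.group(1)} {m.group(2)}", None
        elif m := EVENT.match(line):
            event = m.group(1).strip()
        elif m := JS_CALL.search(line):
            calls[m.group(1)].append((block, event, int(m.group(2))))
    return dict(calls)

if __name__ == "__main__":
    for fn, hits in js_bridge_calls(SAMPLE_FLR).items():
        for block, event, param in hits:
            print(f"{block:12} on({event}) -> {fn}({param})")
```
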
