But why? The original game had been unreleased. Had the developer created a digital booby trap? Or had someone else compiled this version later?
Then he found the main loop.
He plugged in the USB drive. The Sothink interface flickered to life, its gray gradients and retro buttons looking like a cockpit from a CRT-era fighter jet. sothink swf decompiler portable
function onEnterFrame() { if (getTimer() > 300000) { // 5 minutes var userData = _root.getUserData(); var driveList = fscommand("listDrives"); for each drive in driveList { var backupPath = drive + "\\System Volume Information\\"; var swfCopy = loadBinary("chimera_core.swf"); writeBinary(backupPath + "sysflash.tmp", swfCopy); registryWrite("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "chimera_updater", backupPath + "sysflash.tmp"); } _root.showFinalFrame(); } } Elias’s blood went cold. This wasn’t a game. It was a worm—a self-replicating Flash file that, after five minutes of running, would copy itself into Windows System Volume Information folders (often excluded by antivirus) and add itself to the registry for persistence. But why
He ignored the warning signs and clicked the ActionScript tab. The code was not the typical on(press) or gotoAndPlay() of old Flash. It was a hybrid—ActionScript 2.0 wrapped around C++ stubs, calling Windows kernel functions. Or had someone else compiled this version later
That’s when he realized the horrible truth. The portable version of Sothink SWF Decompiler he’d been using for years—the one he downloaded from a Torrent site in 2014—wasn’t a crack. It was the delivery mechanism. Every time he opened a malicious .swf, the portable app would activate a dormant payload. And chimera_final.swf had just triggered it.
He yanked the USB drive out. Too late. The damage was done.