When we perform penetration testing against web applications, embedded Flash objects are in our scope. Even if the stakeholder did not mention them in detail, they are an interesting target. More importantly, if the business logic depends on a Flash object, the whole target could be defeated.
If I have enough time, I will be back and describe what I have done when dealing with a juicy Flash object. Well, sometimes it can be difficult if luck is not on your side.
Sothink SWF Decompiler — reverse engineering SWF objects and their ActionScript
CheatEngine — good for cheating, especially in games
Any hex editor — 010 Hex Editor is OK, but not free; HxD is not bad
Project SIKULI — visual technology by MIT, easy to use, very cool ideas, and great for automation. You could write a simple bot with this tool.
Adobe Flash Investigator — a Swiss army knife for smashing SWF objects, released by Adobe. This one tool could more or less replace all of the tools listed above.
Flash Exploitation Database — by Jason Calvert of WhiteHat Security Inc.
Assessing, testing and validating Flash content in OWASP AppSec 2010
See you, then!