Does anyone mind giving an explanation of the various techniques employed with SWF Encrypt? It would be great if you could also give information from an abstract perspective i.e. the limited amount of techniques they can use in general.

My impression is that their are only a set number of methods they can use to prevent decompilation without running into blatant problems with the ASVM. Do I have the wrong impression? What I'm trying to do is gather together topics of interest for further research. I plan on making a tool, in Java, to get rid of all the unnecessary code. This may already exist publicly/privately, but I really want to go through the learning process myself for future updates, etc.

If you could also send some nice looking virgin prostitutes to my home, it would be great...

Please search the board (there is some interesting info indeed) and the Internet in general, and tell us what you've found so far. Then you might get some help.

What???
Already finished the two dozen I sent you last week?
You need to take it easy man, you may go blind or something. . .

And instead of virgin "prostitutes," why not at least virgin "nymphomaniacs"??

Of do the virgin prostitutes need some specialized training which you were intending to provide???



Regards,

Well, the main reason why I posted on these forums is because of the fact that it seems to be the only one to have any real information regarding reversing the effects of SWF Encrypt. In light of that, I've read the following threads: http://www.woodmann.com/forum/showthread.php?t=10300, http://www.woodmann.com/forum/showthread.php?t=9572&highlight=flash+swf, as well as links mentioned in those threads. I've also browsed through the recently released swf file format specifications to get a general idea of what a well formed swf file should look like. In one of the links I came to, it basically described a couple of ways it could work (taking a sentence and then jumping to different places in that sentence effectively confusing a decompiler being one of them.)

I found some very valuable information, but none that revealed the mangling methodologies they could employ from a general perspective. So yes, I've tried desperately to search for an answer to my question, and I found some half answers, but not really what I was looking for. There's always the possibility that an swf I have is not using SWF Encrypt, but something else, and I just wanted to know what that something else could use.

I realized I should have posted information regarding how much effort I've put into it thus far soon after I made the first post, but I didn't think it would come back and bite me in the butt so soon =p

Great, that's much better.

Now, one very efficient method, I would imagine, is to make a brief summary here of the methods that you have already found and already know about (in addition to the URL of threads discussing them, which is a good start though). That way, you both start off by "offering" something to the community yourself, and also attract much more attention from people interested in Flash reversing. Also, people (rightfully) normally find it much more simple and tempting to "fill in the blanks" than "tell the entire story from A to Z", see what I mean?

So, makes any sense? I'm sure there are a bunch of people around here who would be interested in some Flash reversing exercises, if you just start them off the right way.

Right, so I'll start off with an application that seems to use SWF Encrypt or a similar technology (Link to download provided at the end). I've confirmed this by decompiling using popular software such as Eltima's flash decompiler as well as flare. Both programs come up with the tell tale signs of useless decompilation i.e. random eval() and addition, etc.

So, the first thing that I have to do is set up a simple environment for getting rid of any foreign bytecode inserted by SWF Encrypt. For this, I'll be using Java. The basic idea is to have a library that makes it simple to edit an swf on the bytecode level (similar to Java's Bytecode Engineering Library, ObjectWeb ASM, etc.) This isn't meant to be pretty or anything right now, so I'll just make it a hack.



I read some of the swf file format specifications, and it states that the first 3 unsigned 8 bit bytes are signature bytes. The first determines whether the file is compressed or uncompressed. The second is a "W", and the third is an "S" presumably to determine whether the file is corrupted or not. Following this paradigm, I should be able to manipulate a SWF file soon enough by creating methods to insert, edit, and delete individual bytecodes.

Now that I have my basic environment set up for manipulating various bytecodes within the SWF, I now need to review what it is I could possibly be needing to change. So far, my knowledge of what they could do to confuse decompilers is limited to what I read in http://www.gotoandplay.it/_articles/2004/04/swfProtection.php, and information I've gleaned from the 2 threads dealing with this subject on this forum. I'm disregarding the articles I've read on identifier scrambling, keeping things on the serverside, etc because they basically have no association with this type of security, and are fairly intuitive to begin with.

The SWF seems to be incorporating the non-displayable characters technique, and I'm also assuming it performs the jumping sentence technique, but I don't know of any other techniques aside from that.

SWF I'm using to practice on:
http://rapidshare.com/files/112575482/jetman_base.swf.html

If I were you, I'd study the following small tool, released by a former forum member, for unprotecting SWF Encrypt protected files:

http://www.woodmann.com/forum/showthread.php?p=67428

It's a small exe, so studying by disassembly should be relatively easy.

And it seems that you need to first develop your tool and study Flash bytecode and SWF format specs further, before you can start worrying about using it to defeat the protection methods? Maybe you can even make use of existing Flash disassemblers and their code, in order not to have to "invent the wheel again"? Once you've done that, I think the information in the threads you already mentioned would take you pretty far.

The best recommendation now to get further help would probably be: Continue your work, present your progress, and ask more detailed questions along the way.

I'm no expert on SWF reversing. In fact, I have next to no experience with it whatsoever. That being said, hear me out:

A lot of video games these days are just flash SWF files wrapped into an exe. From what I understand, the SWF is appended as an overlay to the exe. The exe is responsible for initializing the Macromedia Projector, and then letting the SWF execute in it. This has led to an interesting protection technology from the side of "Activemark" (a video game protection). Since it would be bad form to leave the SWF overlay unencrypted (all the hacker would have to do is append the overlay to an unprotected Flash exe), they encrypt the overlay. However, they also need decrypt the data in order for it to be used by the Flash VM. They achieve this through simple CreateFile/ReadFile/WriteFile hooks. What they do is they check whether a file you are opening a handle to with CreateFile is encrypted. If it is, then it memorizes that handle of the encrypted file for later use. Say then, Macromedia reads the protected overlay with ReadFile. Activemark intercepts the read request, and looks at the handle being provided. If it is the handle of an encrypted file, it decrypts the file in a buffer, before returning that buffer's contents as the output.

So, I guess you could adopt their approach, just in a more sophisticated manner. You could completely erase the headers from an encrypted flash file, and store them someplace else. Then, once the Flash player is initialized, the first thing it will ask for is the header, right? Just feed the header to it, without ever accessing the encrypted flash file. That way, if the hackers decrypts the flash file, the header will still be missing, and he will have to look harder for it. I mean, that's just one simple idea. You really have so many options... its up to you to implement them. I just hope you Activemark's CreateFile/ReadFile/WriteFile hooks give you some ideas to mull over in your spare time...

That's a very enlightening post rendari, but in this particular case, I'm on the side of the hacker. Rather than protecting a SWF, I am trying to reverse the protection on it. It's interesting to see techniques on both sides of the spectrum though.

Hi,

I wrote a deprotector for SWF Encrypt 4.0 some time ago, in order to decompile and consequently cheat at the games on club.live.com . I never really released it, but I'm attaching its current source here for your convenience. The obfuscation tricks it reverses (which are surprisingly lame) are outlined in the comments.

I was able to completely unprotect a fair number of games from ClubLive with it (all the ones that were available at the time of coding). Other games were added later, but I didn't bother checking if they contained new tricks.

Cool, thanks for sharing.

CRCETL:
http://www.woodmann.com/collaborative/tools/Swfdecrypt

And for the sake of searchability, here is some info copy/pasted from this source code:

Thank you so much arc_, you made my day =)

thank you

thx arc_! excellent job!

i encounter a tough file. in swf encrypt 4, the swf file is showed protected, just like what you can see in 1.jpg, and i also find tag 253 and 0x96 at the end of this tag.

but after using swfdecrypt, i didn't get the original code.
maybe there'are some other tricks, so i put it here for you.

btw, this file will jump to a black frame when it's not loaded in its specifically domain.

I'm working on a SWF deprotector on my spare time, based on arc_ work, although written in .NET and with support for other obfuscators in mind. It's progressing slowly (and by this I mean real slow) because of my job, moving of house, gf, etc.

I was wondering if anyone here could provide me with some packet of SWFs obfuscated by different programs (and of course, a note telling which programs were used so I can later recognise them).

Sounds great with the deprotector. I don't have any samples myself, but please keep in mind that many of the protectors provide trial versions that you can use to create samples, and in the worst case, there are always the less legal "samples" of the protectors that can be used for this. Creating your own samples are usually the most efficient way, not having to be confused by other unknown custom protections when analyzing a certain other protector etc.

Please keep us updated on your progress.

I'm asking since I'm not aware of every obfuscator out there, plus as far as I know Amayeta doesn't provide trials for older SWF Encrypt versions, so I guess I'd have to rely on that reseller called eMule.

I fully agree that creating my own samples is more efficient, but due to my lack of time that will slow down more the project.

The tool is being made using VB and only managed code, in order to make it more easy to understand and modify in case of problem. I know a lot of people prefer C# against VB, although most rants I've seen are mainly because of its syntax or past versions (and before anyone posts regarding this subject, I'm fully aware of the advantages and disadvantages of each one)... I was considering to use C# at first, but I use VB in a near daily basis, so I feel more comfortable this way. I don't use any feature not available on C# (XML Literals, My or Microsoft.VisualBasic namespaces, etc), so anyone could port the code with no problem.

Also, I must admit that I don't know what to do with all of this yet... I make a lot of work using Flash, and while I know obfuscators offer a trivial protection at least they keep away kiddies or other developers with less knowledge. I sometimes encrypt the SWF files themselves, but that's not fully secure either, nor possible on all scenarios. I may release it on request, or give away without caring.

I'll post some screenshots later today or tomorrow.

Sounds great, looking forward to seeing more of it.

It still needs a lot of work, and right now is just single-threaded, although I don't know if I'll change it anyway, I'm trying to focus more on usability than speed.

I've added every tag into the code (I guess it would be nicer to have it on some sort of DB file, but I don't find it to be of priority), that way I can debug SWF protections a bit better and find out the different tags used by obfuscators.

Fren and Swfdecrypt deal with Amayeta versions less than 4.04. (Not to say they are bad, as they set the foundation for everything. I personally use them both all the time and love them...good work guys.) There are a few tools out for Amayeta 4.04 that work quite well if you know how to manage them back into flash. Meaning that one tool I use, which is phenomenal, is written in Polish, but it reads out the mangled actionscript back into a separate swf file. You then have to copy/paste/massage it back into the original file and recompile, but it works just fine.

Its called SWF_Unprotector.

There is a second tool, called SWF Reader, currently at V0.8.7 and this sucker can read almost anything.

All of these wonderful toys can be found at:

http://www.konkursy-hack.pl/

The guys do all their programming in Java, so you might have to brush up on that a bit to use it, but its some nice stuff they got goin on.

I hope this helps....

Interesting. I wasn't aware of those tools nor that site, which seems to have some nice info as well.

I sometimes program with J2SE as well, so that's not a problem at all, now if you ask me about Polish... heh.

Well, I don't know what to do with my program now, I may continue working on it, although dedicating less time, just for the satisfaction of finishing it.

Hi Hector,

I used Google Translator to be able to understand their page. Please, by all means, finish your swf tool. From there we can incorporate and add to it as needed.

As it stands now, it takes 3 iterations using 3 different pieces of decrypting software to find the proper one.

By the way, have you seen this?

http://segfaultlabs.com/projects/swfdb

Some similar software you may be able to utilize. I believe they have a class you can download.

Would you mind sending me the code of your project? PM...

Thanks
Darin

Looking if Google Translator had Polish support was one of the first things I did heh. I've registered on the site and am waiting for the account activation.

I didn't know of swfdb either, I just recently found out about this board, Fren and SwfDecrypt, and then decided to look into the SWF file format specs (I thought SWF bytecode would be harder to understand...) and making my own deprotector. Sadly swfdb seems to be indefinitely halted, and I haven't seen any file for download, maybe I missed it.

All these tools gave me some ideas to improve my program, although some will need some time. Once I add some features and fully integrate SwfDecrypt code I'll post the program .

I have the latest and greatest from Konkursky if you want them. I can send them to you while your waiting. They make you answer a simple loop question to be able to become registered. I got a nice laugh from it.

SWFdb has some utils you can download now. Not much else. A copy of their SWFdb would be nice.....

I don't mind waiting, although it seems to take some time... I even double-checked my reply using Java just in case heh.

EDIT: My account has been activated :P.



You are right, I decided to look at the projects section and found there are some AS3 classes, although couldn't check their code... was busy yesterday and couldn't touch the program at all, and I'm at work right now.

Do you, or anyone here, happen to know if CodePlex, Google Code, Sourceforge or FishEye policy would allow to add a project like this? Since I may release the source code of the program it would be nice to have some repository where anyone can share their ideas, improvements, etc (and which I bet will be better than mines' in some cases heh). Or I could look at making my own repository.

You should just post the source here. Im sure about 90% of the guys here could help to improve upon your code. I would be very willing to give it a shot myself as well.

Looking forward to see more of that tool Hector.

Hi, sorry but my english isn't well. I am the owner of www.konkursy-hack.pl and i wrote SWF reader. This tool can help You to break obfuscators. It shows a lot of things about swf. I can translate this tool to english as You wish.
Swf reader can:
-remove methods
-change names of vars etc.
-disable some piece
-show a lot of interesting things

Amayeta and Kindisoft for flash 9 AVM2 aren't good obuscator a lot of swf encrypt this tool can decompile.
I understend bytecode and I read most of documentation of flash.
If You have problem with decompile some swf, just send me this file to konkursy.hack@gmail.com and I try to break this secure swf.

Hey schizoM, and welcome to the board!

Your tool seems very nice, and it would be great if you could translate it to English, as you offer!

Also thanks for the offer to help analyzing new Flash protections, your input will always be welcome in our discussions here on the board.

Sorry for my lack of replies, but since I haven't got no mail regarding this thread I thought there were no more messages.

I didn't advance much with the program due to moving of house, and haven't plugged in my PC yet. I've taken some UI ideas from SWF Reader and Swfdb and adapted them into my program, but nothing more regarding encryption. I'll try to post something else as soon as possible.

Nice to read from you schizoM, it will be interesting to see some more articles from you, there are a couple of interesting ones on your site, you sure know a lot about Flash bytecode and have more spare time than I currently do heh.

EDIT: Forgot to reply this:



I'm sure of that, but having a proper repository would make downloading and uploading changes, keeping track of them, have a bug list, etc a lot easier and would be more maintainable.

As I promise I make international version SWF Reader 0.8.7.2 (for flash 9 AS3)
I also correct some mistake in method structure.

In future i want to add manipulation all SWF structures mayby in month.

Now You can see this tool in attachment.

I hope that You understand my English

What a wonderful tool you have created for us! Thanks, thanks and even more thanks....

Thanks for the contribution schizoM.

CRCETL:
http://www.woodmann.com/collaborative/tools/SWF_Reader

If someone could please write a better explanation for it, that would be great, since I cannot understand/translate the Polish in the readme file.

I prepare new SWF Reader 0.8.8 it will be very very nice tool.
You will see
It takes me some time but it is worth wait.

I will add:
+ view in tree all structures doABC tag.
+ modify all structure !



I ask You to help me to improve my translation. I will be glad if You correct my Language_EN.properties

When I done my project I will publish program as open source.

Thank's for add my program to project in site.

We are all looking forward to version 0.8.8 then, please let us know when it is released.

Also, here attached is a fixed up English language file for you then. I hope that I did not misunderstand some of your original meanings of the texts, please double check them all before including the language file in the program.

Here is a converted polish to english translation. Im sure its not perfect, but it works... Thanks Schizo!

SWF Reader 0.8.8 beta screen shots
http://www.konkursy-hack.pl/photogallery.php?album_id=5 ("http://www.konkursy-hack.pl/photogallery.php?album_id=5")
SWF Reader 0.8.8 progress is about 65%

Schizo,

That is truly a piece of wonderful work. Nice job.

Darin

Some man(Andre ) asked me for help to decrypt some swf.
I explain encryption in this swf so if You interested in this encryption I attached it to this post

So get this one...

Im wandering around some Chinese forum, and I run into a tool which Decrypts SWF Encrypt. I had an SWF which I had saved that was SWF Encrypted, and it WORKED! Post in the RCE Tools area?

Its ASProtect Packed and I havent been able to unpack it. Can you do it Delta?




Darin

Here is the same file, but unpacked now. I modified the title and about boxes so its a bit more cleaned up.

Darin

Thanks for the tip, done:
http://www.woodmann.com/collaborative/tools/UnSWFEncrypt

You do know that you (and everyone else) can add their own tools to the CRECTL though, right?

Nice tool but it doesn't unprotect swf which i post
There is a lot of encryptors which use different encryption...

btw.
I am close to finish SWF Reader I have some problems with SI32 signed 32 in cpool :/ but i think done this soon :] program is 95% complete

SWF Reader 0.8.8 beta 1
I release new version this is only test version so there are bugs i think.
Please test new version and send me bugs which You find out.

You can send my too, some new idea about SWF Reader.

Thanks schizoM, nice work.

I've updated the CRCETL entry for it too.

Schizo,

Well done is right!! Good job. A very nice tool.

A suggestion you ask? Maybe incorporate the swf unprotector v2.3 into this tool?

Darin

Hi !
There is new version of SWF Reader 0.8.8 beta 2 SwfReader_0.8.8_beta_2.zip ("http://www.konkursy-hack.pl/download/swfReader/SwfReader_0.8.8_beta_2.zip")
I correct some bugs


darin I thought exactly what You write. But SWF unprotector have some fault. Swf Unprotector produce only AS. I must rewrite Swf unprotector it take me some times....
Maybe in next version of Swf Reader I add new good working unprotector, which unprotect all elements of swf file
But if someone want to write unprotector in java code I can add this module to Swf Reader only condition: tool should use ByteBuffer.

All You can do if You have enough time...

I used SWF Reader 0.8.4 the newest version for unprotecting AS2, but it failed to unencrypt. schizoM is it possible that i send you a pm and you check whether you can unencrypt the file i am trying to unencrypt?

SWF Reader can't unprotect encrypted swf. SWF Reader can help analyse swf file. You can change bytecode very easy, you can add class, method etc. to swf file. This is tool for revers engineering.

But in my site You can find SWF unprotector 2.3 which can decrypt, encrypted files by Swf Encrypt amayeta 4.0.4.
So if You have file which is encrypted Amayeta You can use my SWF unprotector 2.3

Oh... So can I analyse encrypted swf with SWF Reader? I can't seem to download anything from your site... Whenever I click a link in your site, I just get redirected to the downloads section. I have to find other places for download.

Yes You can analyse decrypted swf by SWF Reader...
You can't download anything becouse You are not registered...
I send invitation to my site... so You can't register on my site.

If You want unprotect swf... go to:
http://swfunprotector.blogspot.com/ ("http://swfunprotector.blogspot.com/")

Hello,
I'm writing unprotector to Secure SWF 3.1.
When I finished I will publish SWF Reader with unprotector.

I have some request to You. Can someone crack action script viewer 6 pre relase?
I have exe file...
rar is password protected. If someone want crack it and want password should write to me private message.

[Attachments Deleted]

Did you NOT read the FAQ???

Which part of "DO NOT ASK FOR CRACKS" do YOU NOT UNDERSTAND???

This is NOT the place to ask someone to "crack" ANYTHING FOR YOU!



Regards,

Chill out men...
and turn of caps lock... I'm not blind.
Ok if someone can help me break asv6 please contact with me on private message.
I don't ask for crack ! I ask for help to understand security in this file

I need this tool to break secure swf encryption.

and.. if someone ask me for unprotect swf file admin doesn't write anything. Please me explain difference between swf unprotect and crack other application ?
ehh...

[Attachments deleted]

I'm already chilled.

Apparently you feel that what "YOU WANT" is more important than our Rules.

If you ignore them again, you will force me to delete your account.

Let me make it as clear as possible...

You may NOT attach something here and ask someone else to "crack it" for you, even if it would help you advance your own project!!

How do you conclude: "Can someone crack action script viewer 6 pre relase" is not a crack request?

You might discuss such things in Private Messages, but you may NOT post the target here and ask someone to do the work for you.

If this is not clear to you, then there is the "alternative" which I mentioned!

Regards,

I add my SWF Reader to http://realswfreader.sourceforge.net/ ("http://realswfreader.sourceforge.net/")

it is open source now... I add Secure SWF decryptor and tag editor

http://saber.kawaii-shoujo.net/Various/a.swf

Amusingly this one crashes almost all decompilers around...
Could anyone that knows well the swf structure parsing be kind enough to check it and tell me where/what this file is doing to anger them?

Very nice with going open source schizoM! (and sorry for the late reply )