Packing / unpacking of Flash SWF files (yes, really!)


dELTA
October 11th, 2006, 11:10
[This post and the one below were moved from the following thread, since the subject changed: http://www.woodmann.com/forum/showthread.php?t=9531]

LLXX, "unpacking of SWF"? Have you ever seen a packed SWF, is that even possible? The program "SWF Quicker" (strange name, I know) should cover all your decompilation/patching/recompilation needs for flash files normally.

LLXX
October 11th, 2006, 23:24
Indeed curious things, these packed/obfuscated/protected SWFs... SWFs, besides being a simple animation/graphics format, have a scripting language 'ActionScript' which is implemented in the form of a simple stack machine and very nearly a Turing-complete language. The packed SWF I encountered had all its resources - images, sounds, animations etc. complete, but the AS was unintelligible when viewed in SWF Decompiler (also made by Sothink, same as the Quicker). A more detailed inspection revealed that whatever packer was used had encrypted most of the AS and the decompression/decryption portion utilised tricks normally found in 'real' software protections - self-modifying bytecode, overlapping opcodes, and even a debugger check. The decrypted portion consisted of the actual code itself, run inside a little VM that closely paralleled the actual AS one - one layer of virtualisation on top of another.

That was a very interesting experience.

dELTA
October 13th, 2006, 17:31
Cool! I've now read up some more on the subject, and thought I'd post some interesting findings for everyone else who is curious. I encourage you all to look into the subject and post your own interesting findings and resources in this thread too! Flash is a popular technology, and more so by the day, so being able to reverse it is probably both fun, interesting and, well, handy.

A nice article for overview of Flash protection:
http://uk.builder.com/manage/ip/0,39030143,20281905,00.htm

The article above contains (among other things) a link to the complete Flash file (SWF) specification (requires some messing-around before being able to download):
http://download.macromedia.com/pub/flash/flash_file_format_specification.pdf

A nice overview/introduction to Flash file protection/reversing (much more technical than the other overview article listed above):
http://www.gotoandplay.it/_articles/2004/04/swfProtection.php

And finally, one of the seemingly more advanced Flash protector/packer programs:
http://www.flashincrypt.com / http://www.amayeta.com


Again, anyone interested, please look into the subject yourself and post any interesting findings in this thread. Especially links to the most advanced SWF protectors/packers you can find (in order to analyze their protected output) and tutorials/technical documents about Flash protection/packing and reversing.

Have fun!

PS.
LLXX, did you see any sign/clue regarding which protector was used on your target? Sounds interesting!

LLXX
October 13th, 2006, 22:56
I've read the http://www.gotoandplay.it/_articles/2004/04/swfProtection.php article before. Most of the information on SWF reversing seems to be in Chinese, as they're apparently more interested in it.

Unfortunately I can't identify the packer as there are literally hundreds of them out there, not to mention there is no equivalent to PEiD (SWFiD would be an appropriate name if one *is* made in the future...).

Probably one of the only good things about reversing SWFs is that there are plenty of targets out there (mostly games), easily obtained, and worth playing with (both from a reversing standpoint and because Flash games are fun too). Getting your name in highscore lists of various games with a ridiculously high score should probably be the first thing to try.

More info:
http://webdesign.meetup.com/25/boards/view/viewthread?thread=1244820
http://fravia.com/cinix_fla.htm <- Fravia has some info too.

Methinks either IDA needs to start supporting SWFs (finally a reason to upgrade) or Flash Disassembler (open-source) needs some heavy modding to enable pseudo-analysis and correct disassembly of overlapping opcodes.

dELTA
October 14th, 2006, 06:49
Some nice little tools on the Fravia page, thanks for the tip!

Also, one of the tools (which I assume you are referring to when you say "Flash Disassembler", and which I forgot to mention above) which deserves to be mentioned by URL is FLASM, very nice:
http://flasm.sourceforge.net

Too bad that it chokes on overlapping opcodes though, as you say.

What would be greatly needed I think, is a generic deobfuscator (or at least remover of overlapping opcodes), which should be relatively straightforward to create, seeing that we're dealing with a pure stack machine without any absolute addressing etc. Don't you agree? All that would be needed is one tracing sweep through all branches, to analyze where all the "real opcodes" are, and then a separation of them into non-overlapping ones. After this, FLASM should be able to do a pretty good job I think.

Then we do of course have the "virtual machine inside a virtual machine" problem for the most advanced protections, but these could be dealt with as usual, as soon as the obfuscation is gone. Probably even much more easily, since the language is much less powerful than e.g. x86 assembler.

Does anyone else have any good resources/tutorials, experiences or tools covering this subject? Please share!

LLXX
October 14th, 2006, 19:11
I don't think there are many 'SWF crackers/reversers' out there, and even fewer of them lurk here. The discipline is still in its infancy (much less than Java), and I doubt it will advance very far either as there isn't much in a SWF as compared to a normal binary code PE program.

Regarding the overlapping opcodes, I know of only one disassembler that had such a feature, as well as being able to support self-modifying code - disCOM from the mid 80s, which only handled DOS COM files up to ~64Kb. The output looked somewhat like this (fictitious example, illustrating the famous 'skip-over' trick):
Code:
0000 test ax, d001
0001 add ax, dx <<0023 0071
0003 mov bx, ax

dELTA
October 16th, 2006, 12:10
Quote:
I don't think there are many 'SWF crackers/reversers' out there, and even fewer of them lurk here.
Au contraire (however that is spelled), what's so great with this forum is that there's a lot of potential great <insert whatever here> crackers here, because they are clever, interested, and in it for the wisdom and thrill, not just plain script kiddies.

Many people reading this thread right now might as well be the next God of Flash Unpacking. All it takes is just a little something to awaken the interest, which is what I'm trying to accomplish here. So, anyone feel like stepping forward and taking the job, there are worse jobs than being a god you know?

Anyway, about the overlapping opcodes. A disassembler that does what you demonstrate would sure be good to spot these places, but a rebuild of the flash bytecode into separate code areas for all overlapping "execution trails" would probably be much more efficient and useful, both for analysis and for patching, and also not super hard to do!

fr33ke
October 16th, 2006, 13:35
Quote:
[Originally Posted by dELTA]Eau contraire (however that is spelled),

Unless you mean opposite water it's "au contraire".
Quote:
[Originally Posted by dELTA]All it takes is just a little something to awaken the interest, which is what I'm trying to accomplish here.

Mission Accomplished here.
Quote:
[Originally Posted by dELTA]So, anyone feel like stepping forward and taking the job, there are worse jobs than being a god you know?

Anyway, about the overlapping opcodes. A disassembler that does what you demonstrate would sure be good to spot these places, but a rebuild of the flash bytecode into separate code areas for all overlapping "execution trails" would probably be much more efficient and useful, both for analysis and for patching, and also not super hard to do!


I'm studying the flasm sources, so *maybe* I'll come up with something. Does anyone have suggestions concerning the output format? Plain text doesn't really cut it, maybe HTML or something like that.

dELTA
October 16th, 2006, 14:10
Thanks for the French lesson fr33ke, I've corrected my post.

Nice to see you interested in the topic anyway! When you are asking for suggestions regarding the output form of your potential tool, are you referring to a disassembler that will mark up all possibly overlapping opcodes, like the one LLXX is talking about, or a code analyzer/rebuilder/deobfuscator that I'm talking about?

First of all, starting out a project like this with trying to make up a fancy GUI will often run the risk of killing off your interest before you even get really started with the good stuff. I'd say dive into the theoretical stuff first, and worry about presenting it later, it's the program logic of such an operation that we all want, and in the worst case we'll live with any crappy GUI to get it.

But actually, my main idea does not even require a GUI at all! What I'm picturing is a deobfuscator that analyzes code, and then produces deobfuscated/non-overlapping code as output. This code (a new version of the input SWF file) could then be viewed in any Flash disassembler of people's choice, thus leaving the GUI question to themselves, and the fun stuff to you! The tool would basically be a generic cleaner of overlapping-opcode protections (and possibly also other such easily identifiable/cleanable tricks, I'm sure some of the other "anti debug" tricks have this property too). Such a tool would quickly become a must-have for all Flash reversers, something that they'd always apply as a first layer of deprotection, before proceeding with their other tools!

If you don't understand my simple thought-out design for the deobfuscation process from my brief explanation above, please ask more and I'll explain further!

Also, come on people, there's still room for a few more names in the history of Flash reversing glory, join in!

Woodmann
October 16th, 2006, 18:19
Hi,

I thought Kayaker's comment was clever

Woodmann

As a side note, I believe I am the only person to give out such titles as "king".

LLXX
October 16th, 2006, 20:46
Quote:
[Originally Posted by fr33ke]I'm studying the flasm sources, so *maybe* I'll come up with something. Does anyone have suggestions concerning the output format? Plain text doesn't really cut it, maybe HTML or something like that.
Plain text is perfectly fine. See how in my example I was able to represent even overlapped opcodes in such a fashion.

I think what you should do first is separate flasm into two portions - flasm the assembler, and fldasm the disassembler. You can set the assembler aside (maybe add some much-needed directives like org later) but concentrate on improving the disassembler.

...and dELTA, what I meant was the fact that there is very little in the way of reversing Flash at the current moment, as the following Google queries show; overlapping opcodes haven't even been discussed - we must be the first ones here

http://www.google.com/search?hl=en&ie=ISO-8859-1&q=flasm+%2B+%22overlapping+opcodes%22&meta=
http://www.google.com/search?q=flash+%2B+%22overlapping+opcodes%22&hl=en&lr=&ie=UTF-8&filter=0

dELTA
October 17th, 2006, 03:38
Quote:
[Originally Posted by LLXX]...and dELTA, what I meant was the fact that there is very little in the way of reversing Flash at the current moment, as the following Google queries show; overlapping opcodes haven't even been discussed - we must be the first ones here

http://www.google.com/search?hl=en&ie=ISO-8859-1&q=flasm+%2B+%22overlapping+opcodes%22&meta=
http://www.google.com/search?q=flash+%2B+%22overlapping+opcodes%22&hl=en&lr=&ie=UTF-8&filter=0
Yep, and doesn't that just make it all the more interesting!

And about the Flasm/Fldasm issue, I'm thinking more of using the Fldasm disasm engine to assist in the tracing/analysis of the code in a completely separate tool, like an initial parsing/tracing sweep (just like many other standalone tools have made use of OllyDbg's disasm engine). Once the instructions are parsed out and categorized, the stage is set for some much more fun analysis/processing, out of which the deobfuscation method I'm talking about is just one!

fr33ke
October 17th, 2006, 11:05
It's not done but now my modded FLASM has these features:
- Optional HTML output
- Overlapping opcodes disassembly.

Check nfo for more information.

http://z28.zupload.com/download.php?file=getfile&filepath=37138
http://rapidshare.de/files/37317237/flasmmod.rar

dELTA
October 17th, 2006, 15:40
Cool! See, it's as simple as that, a board full of great reversers, a spark of interest, and wham, a couple of days later you'll have a tool whose (<--- which word should really be here, English speakers?) likes has never been seen before! Please keep us updated on this tool's progress fr33ke!

Btw LLXX, ready to take Flash reversing/unpacking to the next level now that you've got your dream tool?

LLXX
October 17th, 2006, 23:18
"It's not done" - Definitely.
Code:
FLASMMOD caused an invalid page fault in
module MSVCRT.DLL at 016f:78001c9d.
Registers:
EAX=00d64000 CS=016f EIP=78001c9d EFLGS=00010246
EBX=00004000 SS=0177 ESP=00d4fd1c EBP=00d4fd48
ECX=00d64000 DS=0177 ESI=81940874 FS=2c3f
EDX=7efefeff ES=0177 EDI=00000000 GS=0000
Bytes at CS:EIP:
8b 01 ba ff fe fe 7e 03 d0 83 f0 ff 33 c2 83 c1
Stack dump:
00408ab8 00d64000 ffffffff 00d4fd48 0040893d 00000a00 00000327 00d64000 00000001 00000000 00000514 00d4fd68 00408b86 00000748 00000748 00d4fd68
But it's a start...
Code:
000021A9 push ''
000021AF push 487
000021B7 varEquals
label1:
000021B8 push ''
label2: // Branch _into_ previous instruction + 1 bytes
Instructions at label are:
000021B9 swfAction 0x03 // unknown action
000021BA end
End of instructions at label.
000021BE getVariable
000021BF push 487
000021C7 oldEquals
000021C8 not
000021C9 branchIfTrue label3 // offset 33
000021CE push ''
000021D4 push ''
000021DA getVariable
000021DB push 227
000021E3 oldAdd
000021E4 setVariable
000021E5 push TRUE
000021EA branch label1 // offset -55
label3:
000021EF push ''
000021F5 getVariable
000021F6 push 741
000021FE oldEquals
000021FF not
00002200 branchIfTrue label4 // offset 33
Unfortunately I'm getting a lot of "branch target not found" which may also explain that IPF. This may be a particularly badly behaved SWF but still, flasm should load the whole SWF and continue the disassembly from there (this must be one of the other obfuscation tricks - regions of 'padding' that are jumped to from an entirely different location). However the "unknown action" line and the "branch target not found" suggest that the disassembler is intermittently losing alignment; that 0x03 might also be some kind of "undocumented opcode".

fr33ke
October 18th, 2006, 06:56
From the looks of it it's an "SWF encrypt"-ed file. Most of those "branch not found" actually jump out of the file, but the ones IN the file will have to be checked indeed.

The IPF seems to be caused by a piece of code not needed anymore; although I don't know the exact problem, commenting that part out should work.

dELTA
October 18th, 2006, 15:01
Quote:
From the looks of it it's an "SWF encrypt"-ed file
Sounds like we maybe have some SWFiD functionality coming up too...?

Anyway, nice work, looking forward to more stable and feature packed versions!

And fr33ke, are you previously experienced in the field of Flash unpacking/reversing, or did you just enter the area?

PS.
Due to your faithful duties towards the people of Redonda (also sometimes referred to as "the Flash reversing community"), you were just upgraded to your desired royal status...

fr33ke
October 18th, 2006, 15:16
Hi dELTA, I'm not experienced in flash reversing. Before this thread I didn't even know it was bytecode... but on the other hand, who *is* really experienced?

Thanks for the title, and I promise I will fulfill my duties as king to the best of my abilities.

dELTA
October 18th, 2006, 15:44
I didn't mean to imply that any potential inexperience would be something bad, I was just surprised that you learned to identify Flash packers so quickly if you didn't have any prior experience. Rock on.

fr33ke
October 18th, 2006, 16:05
Well, I have to admit that was rather a coincidence. I use a test swf packed by SWF Encryptor to test the tool.

LLXX
October 18th, 2006, 17:34
At the moment there aren't that many SWF packers, so the probability that two files were packed with the same packer is quite high.

I'm going to be preparing an ActionScript opcode map, as there don't seem to be any out there (not even in Macromedia's own reference) in an attempt to organise the information better and help understand what (if any) effect those "undocumented" instructions have... because there probably are several.

fr33ke
October 18th, 2006, 18:00
You might want to take a look in actions.h of the flasm/flasmmod source. void printActionRecord in unflasm.c is also nice although a bit hard to understand at times.

Some more info: there are two kinds of opcodes
1. with bytecode < 0x80: 1-byte action, no parameters (arguments)
2. with bytecode >= 0x80: 1-byte action + 2-bytes parameter length + n-bytes parameters

PS
Quote:
[Originally Posted by LLXX]Unfortunately I can't identify the packer as there are literally hundreds of them out there

Quote:
[Originally Posted by LLXX]At the moment there aren't that many SWF packers

?
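The tracing sweep dELTA proposed earlier (one pass through all branches to find the "real opcodes") written over the two record forms fr33ke lists above, as an added example by the editor; this is not flasm's or any poster's code. The opcode values 0x00/0x99/0x9D (end, branch, branchIfTrue) are from the SWF specification; the sample bytes are constructed here and come from no real SWF.

```python
import struct

# AVM1 opcode values (from the SWF spec) for the three actions the tracer must understand
END, BRANCH, BRANCH_IF = 0x00, 0x99, 0x9D

def decode(code, pc):
    """Decode one action record at pc -> (opcode, payload bytes, offset of next record)."""
    op = code[pc]
    if op < 0x80:                        # short form: one opcode byte, no parameters
        return op, b"", pc + 1
    if pc + 3 > len(code):               # long form: opcode + 2-byte LE length + payload
        raise ValueError("truncated record at 0x%04X" % pc)
    end = pc + 3 + struct.unpack_from("<H", code, pc + 1)[0]
    if end > len(code):
        raise ValueError("record at 0x%04X runs past end of data" % pc)
    return op, code[pc + 3:end], end

def linear_sweep(code):
    """Record starts a naive disassembler finds by walking from offset 0."""
    pcs, pc = [], 0
    while pc < len(code):
        pcs.append(pc)
        pc = decode(code, pc)[2]
    return pcs

def trace(code, entry=0):
    """Follow every branch from entry: ({pc: (op, payload, next_pc)}, [unresolved targets])."""
    insns, unresolved, work = {}, [], [entry]
    while work:
        pc = work.pop()
        if pc in insns:
            continue
        if not 0 <= pc < len(code):      # target outside the data: a 'branch target not found'
            unresolved.append(pc)
            continue
        op, payload, nxt = decode(code, pc)
        insns[pc] = (op, payload, nxt)
        if op == END:
            continue
        if op in (BRANCH, BRANCH_IF) and len(payload) == 2:
            # signed 16-bit offset, relative to the end of the branch record itself
            work.append(nxt + struct.unpack("<h", payload)[0])
        if op != BRANCH:                 # everything but an unconditional jump falls through
            work.append(nxt)
    return insns, unresolved

def overlapping(insns):
    """Reachable instruction starts that lie inside the bytes of another reachable instruction."""
    hidden = set()
    for a, (_, _, end_a) in insns.items():
        hidden.update(b for b in insns if a < b < end_a)
    return sorted(hidden)

# Constructed sample, not taken from any real SWF: a conditional branch jumps into the
# payload of a push record, where the real getVariable/not/setVariable sequence hides.
SAMPLE = bytes([
    0x9D, 0x02, 0x00, 0x03, 0x00,                    # 0000 branchIfTrue +3 -> 0008
    0x96, 0x05, 0x00, 0x1C, 0x12, 0x1D, 0x00, 0x00,  # 0005 push, payload occupies 0008..000C
    0x00,                                            # 000D end
])
```

On SAMPLE, linear_sweep(SAMPLE) reports only 0000, 0005 and 000D, while trace(SAMPLE) also reaches 0008..000B and overlapping() flags those four as starting inside the push record; that set is exactly what a rebuild into separate, non-overlapping code areas would have to split out.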

dELTA
October 19th, 2006, 04:04
Quote:
I'm going to be preparing an ActionScript opcode map, as there don't seem to be any out there (not even in Macromedia's own reference) in an attempt to organise the information better and help understand what (if any) effect those "undocumented" instructions have... because there probably are several.
Sounds really great LLXX, please upload it to this thread when it's done!

And btw, regarding the "official specs", Adobe seems to hold on to them a bit harder than before now, I never heard from them after performing the necessary registration procedure that would make them contact me about them. If anyone succeeded with this lately (or have a relatively recent version of them), please PM me.

fr33ke
October 19th, 2006, 04:16
Well this version is from a few days ago: http://z18.zupload.com/download.php?file=getfile&filepath=38433
http://rapidshare.de/files/37317485/flash_fileformat_specification.pdf

Note that I patched 0x884D from 'O' to 'A' to avoid having to download Adobe Reader. If it gives problems patch it back, works fine here with FoxIt reader.

LLXX
October 20th, 2006, 13:39
Now you're into reversing PDFs too?

Nice try, but it didn't work for me with Acrobat 5.x, neither O nor A

Here's the cleaned-up version: http://z04.zupload.com/download.php?file=getfile&filepath=6627

Might as well up SWF7 while I'm at it: http://z04.zupload.com/download.php?file=getfile&filepath=6630

Opcode map and record type map is coming soon... I was thinking of putting all the structures on there too, sort of like a quick SWF reference sheet.

dELTA
October 20th, 2006, 15:02
Thanks for the new uploads LLXX, and I'm looking forward to that quick reference sheet, but isn't there anyone else besides me who cannot download a damn thing from those zUpload links?! I've tried all of them with Firefox, Opera and IE, but all I get is the stupid download stats page, no matter how much I click that "Download file" link, wtf?!? That's why I asked fr33ke to use rapidshare links instead.

So, could anyone please tell me the secret of that zUpload site (I'm sure I'm gonna feel really stupid...), or could we please switch to some other download service, e.g. rapidshare?

LLXX
October 20th, 2006, 15:30
That's interesting, since zupload is one of the many upload sites that doesn't depend on scripting/ActiveX etc. to download/upload files; unlike rapidshare which is inconvenient because it employs scripting and has that countdown (even if you kill the clientside script, the server still waits until its side has counted down to zero before sending you the data).

You probably blocked referer sending. Without a referer, it'll redirect you back to the download page. See my little experimentation with netcat:
Code:
get /dl.php?id=6630 http/1.0 { I type these lines... }
referer: http://z04.zupload.com/download.php?file=getfile&filepath=6630 <- you need this
host: z04.zupload.com

HTTP/1.1 200 OK { response from server }
Date: Fri, 20 Oct 2006 20:21:20 GMT
Server: Apache/1.3.33 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2
mited/1.4 PHP/4.3.11 FrontPage/5.0.2.2635
X-Powered-By: PHP/4.3.11
Content-disposition: attachment; filename="SWF7.zip"
Content-length: 790667
Connection: close
Content-Type: application/x-tar

{ file contents follow }
Now, without referer:
Code:
get /dl.php?id=6630 http/1.0
host: z04.zupload.com

HTTP/1.1 302 Found
Date: Fri, 20 Oct 2006 20:26:59 GMT
Server: Apache/1.3.33 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2
mited/1.4 PHP/4.3.11 FrontPage/5.0.2.2635
X-Powered-By: PHP/4.3.11
Location: http://z04.zupload.com/download.php?file=getfile&filepath=6630
Connection: close
Content-Type: text/html

{ server closes connection }

LLXX
October 21st, 2006, 00:06
I just thought of this: It would be the ultimate irony to put the SWF reference sheet in... a SWF.

Or would PDF be better?

dELTA
October 21st, 2006, 12:17
Ah, thanks for the tip LLXX, as I said, I was gonna feel stupid when I found out. For some reason my stupid firewall had decided to enable its "referer blocking" feature, although I've told it not to...

And I'm still looking forward to the reference sheet, in PDF.

dELTA
July 23rd, 2007, 18:09
Further info on the subject, for reference:

http://www.woodmann.com/forum/showthread.php?t=10300