PDA

View Full Version : SWF Encrypt explanation.

unlimitedorb
05-03-2008, 11:09 AM
Does anyone mind giving an explanation of the various techniques employed with SWF Encrypt? It would be great if you could also give information from an abstract perspective i.e. the limited amount of techniques they can use in general.

My impression is that their are only a set number of methods they can use to prevent decompilation without running into blatant problems with the ASVM. Do I have the wrong impression? What I'm trying to do is gather together topics of interest for further research. I plan on making a tool, in Java, to get rid of all the unnecessary code. This may already exist publicly/privately, but I really want to go through the learning process myself for future updates, etc.
dELTA
05-04-2008, 07:57 AM
If you could also send some nice looking virgin prostitutes to my home, it would be great...

Please search the board (there is some interesting info indeed) and the Internet in general, and tell us what you've found so far. Then you might get some help.
naides
05-04-2008, 10:24 AM
Quote:
[Originally Posted by dELTA;74425]If you could also send some nice looking virgin prostitutes to my home, it would be great...



What???
Already finished the two dozen I sent you last week?
You need to take it easy man, you may go blind or something. . .
JMI
05-04-2008, 11:08 AM
And instead of virgin "prostitutes," why not at least virgin "nymphomaniacs"??

Of do the virgin prostitutes need some specialized training which you were intending to provide???



Regards,
unlimitedorb
05-04-2008, 12:08 PM
Well, the main reason why I posted on these forums is because of the fact that it seems to be the only one to have any real information regarding reversing the effects of SWF Encrypt. In light of that, I've read the following threads: http://www.woodmann.com/forum/showthread.php?t=10300, http://www.woodmann.com/forum/showthread.php?t=9572&highlight=flash+swf, as well as links mentioned in those threads. I've also browsed through the recently released swf file format specifications to get a general idea of what a well formed swf file should look like. In one of the links I came to, it basically described a couple of ways it could work (taking a sentence and then jumping to different places in that sentence effectively confusing a decompiler being one of them.)

I found some very valuable information, but none that revealed the mangling methodologies they could employ from a general perspective. So yes, I've tried desperately to search for an answer to my question, and I found some half answers, but not really what I was looking for. There's always the possibility that an swf I have is not using SWF Encrypt, but something else, and I just wanted to know what that something else could use.

I realized I should have posted information regarding how much effort I've put into it thus far soon after I made the first post, but I didn't think it would come back and bite me in the butt so soon =p
dELTA
05-04-2008, 03:39 PM
Great, that's much better.

Now, one very efficient method, I would imagine, is to make a brief summary here of the methods that you have already found and already know about (in addition to the URL of threads discussing them, which is a good start though). That way, you both start off by "offering" something to the community yourself, and also attract much more attention from people interested in Flash reversing. Also, people (rightfully) normally find it much more simple and tempting to "fill in the blanks" than "tell the entire story from A to Z", see what I mean?

So, makes any sense? I'm sure there are a bunch of people around here who would be interested in some Flash reversing exercises, if you just start them off the right way.
unlimitedorb
05-04-2008, 04:47 PM
Right, so I'll start off with an application that seems to use SWF Encrypt or a similar technology (Link to download provided at the end). I've confirmed this by decompiling using popular software such as Eltima's flash decompiler as well as flare. Both programs come up with the tell tale signs of useless decompilation i.e. random eval() and addition, etc.

So, the first thing that I have to do is set up a simple environment for getting rid of any foreign bytecode inserted by SWF Encrypt. For this, I'll be using Java. The basic idea is to have a library that makes it simple to edit an swf on the bytecode level (similar to Java's Bytecode Engineering Library, ObjectWeb ASM, etc.) This isn't meant to be pretty or anything right now, so I'll just make it a hack.

Code:


import java.io.BufferedInputStream;

import java.io.FileInputStream;

import java.io.DataInputStream;

import java.io.IOException;



public class SWFel {

	public static void main(String[] args) {

		try {

			DataInputStream stream = new DataInputStream(

					new BufferedInputStream(

							new FileInputStream("jetman_base.swf")));

			int compression = stream.readUnsignedByte();

			int signature1  = stream.readUnsignedByte();

			int signature2  = stream.readUnsignedByte();

			stream.close();

			System.out.println(Integer.toHexString(compression) + " ");

			System.out.print(Integer.toHexString(signature1) + " ");

			System.out.println(Integer.toHexString(signature2));

		} catch(IOException e) {

			e.printStackTrace();

		}

	}

}


I read some of the swf file format specifications, and it states that the first 3 unsigned 8 bit bytes are signature bytes. The first determines whether the file is compressed or uncompressed. The second is a "W", and the third is an "S" presumably to determine whether the file is corrupted or not. Following this paradigm, I should be able to manipulate a SWF file soon enough by creating methods to insert, edit, and delete individual bytecodes.

Now that I have my basic environment set up for manipulating various bytecodes within the SWF, I now need to review what it is I could possibly be needing to change. So far, my knowledge of what they could do to confuse decompilers is limited to what I read in http://www.gotoandplay.it/_articles/2004/04/swfProtection.php, and information I've gleaned from the 2 threads dealing with this subject on this forum. I'm disregarding the articles I've read on identifier scrambling, keeping things on the serverside, etc because they basically have no association with this type of security, and are fairly intuitive to begin with.

The SWF seems to be incorporating the non-displayable characters technique, and I'm also assuming it performs the jumping sentence technique, but I don't know of any other techniques aside from that.

SWF I'm using to practice on:
http://rapidshare.com/files/112575482/jetman_base.swf.html
dELTA
05-05-2008, 03:30 AM
If I were you, I'd study the following small tool, released by a former forum member, for unprotecting SWF Encrypt protected files:

http://www.woodmann.com/forum/showthread.php?p=67428

It's a small exe, so studying by disassembly should be relatively easy.

And it seems that you need to first develop your tool and study Flash bytecode and SWF format specs further, before you can start worrying about using it to defeat the protection methods? Maybe you can even make use of existing Flash disassemblers and their code, in order not to have to "invent the wheel again"? Once you've done that, I think the information in the threads you already mentioned would take you pretty far.

The best recommendation now to get further help would probably be: Continue your work, present your progress, and ask more detailed questions along the way.
rendari
05-07-2008, 08:28 PM
I'm no expert on SWF reversing. In fact, I have next to no experience with it whatsoever. That being said, hear me out:

A lot of video games these days are just flash SWF files wrapped into an exe. From what I understand, the SWF is appended as an overlay to the exe. The exe is responsible for initializing the Macromedia Projector, and then letting the SWF execute in it. This has led to an interesting protection technology from the side of "Activemark" (a video game protection). Since it would be bad form to leave the SWF overlay unencrypted (all the hacker would have to do is append the overlay to an unprotected Flash exe), they encrypt the overlay. However, they also need decrypt the data in order for it to be used by the Flash VM. They achieve this through simple CreateFile/ReadFile/WriteFile hooks. What they do is they check whether a file you are opening a handle to with CreateFile is encrypted. If it is, then it memorizes that handle of the encrypted file for later use. Say then, Macromedia reads the protected overlay with ReadFile. Activemark intercepts the read request, and looks at the handle being provided. If it is the handle of an encrypted file, it decrypts the file in a buffer, before returning that buffer's contents as the output.

So, I guess you could adopt their approach, just in a more sophisticated manner. You could completely erase the headers from an encrypted flash file, and store them someplace else. Then, once the Flash player is initialized, the first thing it will ask for is the header, right? Just feed the header to it, without ever accessing the encrypted flash file. That way, if the hackers decrypts the flash file, the header will still be missing, and he will have to look harder for it. I mean, that's just one simple idea. You really have so many options... its up to you to implement them. I just hope you Activemark's CreateFile/ReadFile/WriteFile hooks give you some ideas to mull over in your spare time...
unlimitedorb
05-07-2008, 09:02 PM
That's a very enlightening post rendari, but in this particular case, I'm on the side of the hacker. Rather than protecting a SWF, I am trying to reverse the protection on it. It's interesting to see techniques on both sides of the spectrum though.
arc_
05-14-2008, 12:45 PM
Hi,

I wrote a deprotector for SWF Encrypt 4.0 some time ago, in order to decompile and consequently cheat at the games on club.live.com . I never really released it, but I'm attaching its current source here for your convenience. The obfuscation tricks it reverses (which are surprisingly lame) are outlined in the comments.

I was able to completely unprotect a fair number of games from ClubLive with it (all the ones that were available at the time of coding). Other games were added later, but I didn't bother checking if they contained new tricks.
dELTA
05-15-2008, 04:22 AM
Cool, thanks for sharing.

CRCETL:
http://www.woodmann.com/collaborative/tools/index.php/Swfdecrypt

And for the sake of searchability, here is some info copy/pasted from this source code:

Quote:
The fun thing is their "protector" doesn't actually *encrypt* anything (not that that would be possible with ActionScript in the first place). Merely two obfuscation tricks are used:
- An .swf file consists of a series of tags: blocks that can contain shapes, sounds, movies... and code. the first obfuscation trick moves the code of a code tag into a new tag just before it; this new tag gets a type number (253) that doesn't correspond to an existing type, thereby making decompilers ignore it. The original code tag is kept but filled with junk code.
The only useful things in this garbage are the constants declaration and a jump instruction to the 253 tag.
This trick is used with little variation on pretty much all tags that contain code.
- A second obfuscation trick just places the code to be hidden in an instruction with an invalid opcode (0xFC) in the middle of the junk code.
- For some code tags a different technique is used: a bit of junk code followed by the old jump-into-middle-of-instruction trick to confuse decompilers. Just removing this code (first 0x2A bytes) fixes it.



General working procedure:

- iterate over tags
- when we encounter a tag containing code:
- if it contains special meta information (f.e. DefineButton2), copy it over
- make sure the code starts with 9B 07 00 01 02 00 00 00
- scan the tag for a constants definition where the constant names only have readable names.
if found, copy it over
- follow the backward branch at the end of the 253 tag preceding the tag to get to the actual code
- if the tag code on the other hand starts with
96 03 00 00 09 00 96 05 00 07 02 00 00 00 3C 96
03 00 00 09 00 88 09 00 03 00 20 00 01 01 00 02
00 1C 9D 02 00 03 00
it's the splice jump trick. just drop the first 0x2A bytes from the code.
(this code contains a constants declaration with some junk entries. one might think that the "real" constants declaration will be appended to this, and that therefore the constants references in the code need to be adjusted when the junk constants are dropped. luckily, a constants declaration *replaces* any previous ones, so there's no problem.)


tags that contain code are:
- 12: DoAction -> contains just raw code
- 26: PlaceObject2 -> skip a whole lot of structures that may or may not be there depending on flags
- 34: DefineButton2 -> cond blocks start at tag_data + 3 + word ptr [tag_data+3].
- 39: DefineSprite -> skip four bytes and read tags until End tag is encountered
- 59: DoInitAction -> skip first two bytes (sprite ID)

- 253: move the code over to the code tag that follows and drop this one


may contain code but are apparently not used:
too old:
- 7: DefineButton

too new:
- 70: PlaceObject3
- 72: DoABC
- 82: DoABCDefine


When there are multiple code blocks in one tag (for example multiple conditions on DefineButton2), the code is arranged as follows in the 253 tag:

enter2_cond1:

jmp ret1_cond1
enter1_cond1:
jmp enter2_cond1

enter_cond2:

jmp ret_cond2 -> return to junk code
jmp enter_cond2 <- junk code jumps here
ret1_cond1:
jmp ret2_cond1 -> return to junk code
jmp enter1_cond1 <- junk code jumps here
unlimitedorb
05-24-2008, 11:47 AM
Thank you so much arc_, you made my day =)
aboarwa
06-16-2008, 06:56 AM
thank you