Page 1 of 4 1234 LastLast
Results 1 to 15 of 60

Thread: SWF Encrypt explanation.

  1. #1
    unlimitedorb
    Guest

    SWF Encrypt explanation.

    Does anyone mind giving an explanation of the various techniques employed with SWF Encrypt? It would be great if you could also give information from an abstract perspective i.e. the limited amount of techniques they can use in general.

    My impression is that their are only a set number of methods they can use to prevent decompilation without running into blatant problems with the ASVM. Do I have the wrong impression? What I'm trying to do is gather together topics of interest for further research. I plan on making a tool, in Java, to get rid of all the unnecessary code. This may already exist publicly/privately, but I really want to go through the learning process myself for future updates, etc.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,204
    Blog Entries
    5
    If you could also send some nice looking virgin prostitutes to my home, it would be great...

    Please search the board (there is some interesting info indeed) and the Internet in general, and tell us what you've found so far. Then you might get some help.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  3. #3
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Quote Originally Posted by dELTA View Post
    If you could also send some nice looking virgin prostitutes to my home, it would be great...
    What???
    Already finished the two dozen I sent you last week?
    You need to take it easy man, you may go blind or something. . .

  4. #4
    And instead of virgin "prostitutes," why not at least virgin "nymphomaniacs"??

    Of do the virgin prostitutes need some specialized training which you were intending to provide???



    Regards,
    JMI

  5. #5
    unlimitedorb
    Guest
    Well, the main reason why I posted on these forums is because of the fact that it seems to be the only one to have any real information regarding reversing the effects of SWF Encrypt. In light of that, I've read the following threads: http://www.woodmann.com/forum/showthread.php?t=10300, http://www.woodmann.com/forum/showthread.php?t=9572&highlight=flash+swf, as well as links mentioned in those threads. I've also browsed through the recently released swf file format specifications to get a general idea of what a well formed swf file should look like. In one of the links I came to, it basically described a couple of ways it could work (taking a sentence and then jumping to different places in that sentence effectively confusing a decompiler being one of them.)

    I found some very valuable information, but none that revealed the mangling methodologies they could employ from a general perspective. So yes, I've tried desperately to search for an answer to my question, and I found some half answers, but not really what I was looking for. There's always the possibility that an swf I have is not using SWF Encrypt, but something else, and I just wanted to know what that something else could use.

    I realized I should have posted information regarding how much effort I've put into it thus far soon after I made the first post, but I didn't think it would come back and bite me in the butt so soon =p
    Last edited by unlimitedorb; May 4th, 2008 at 12:27.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  6. #6
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,204
    Blog Entries
    5
    Great, that's much better.

    Now, one very efficient method, I would imagine, is to make a brief summary here of the methods that you have already found and already know about (in addition to the URL of threads discussing them, which is a good start though). That way, you both start off by "offering" something to the community yourself, and also attract much more attention from people interested in Flash reversing. Also, people (rightfully) normally find it much more simple and tempting to "fill in the blanks" than "tell the entire story from A to Z", see what I mean?

    So, makes any sense? I'm sure there are a bunch of people around here who would be interested in some Flash reversing exercises, if you just start them off the right way.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  7. #7
    unlimitedorb
    Guest
    Right, so I'll start off with an application that seems to use SWF Encrypt or a similar technology (Link to download provided at the end). I've confirmed this by decompiling using popular software such as Eltima's flash decompiler as well as flare. Both programs come up with the tell tale signs of useless decompilation i.e. random eval() and addition, etc.

    So, the first thing that I have to do is set up a simple environment for getting rid of any foreign bytecode inserted by SWF Encrypt. For this, I'll be using Java. The basic idea is to have a library that makes it simple to edit an swf on the bytecode level (similar to Java's Bytecode Engineering Library, ObjectWeb ASM, etc.) This isn't meant to be pretty or anything right now, so I'll just make it a hack.

    Code:
    import java.io.BufferedInputStream;
    import java.io.FileInputStream;
    import java.io.DataInputStream;
    import java.io.IOException;
    
    public class SWFel {
    	public static void main(String[] args) {
    		try {
    			DataInputStream stream = new DataInputStream(
    					new BufferedInputStream(
    							new FileInputStream("jetman_base.swf")));
    			int compression = stream.readUnsignedByte();
    			int signature1  = stream.readUnsignedByte();
    			int signature2  = stream.readUnsignedByte();
    			stream.close();
    			System.out.println(Integer.toHexString(compression) + " ");
    			System.out.print(Integer.toHexString(signature1) + " ");
    			System.out.println(Integer.toHexString(signature2));
    		} catch(IOException e) {
    			e.printStackTrace();
    		}
    	}
    }
    I read some of the swf file format specifications, and it states that the first 3 unsigned 8 bit bytes are signature bytes. The first determines whether the file is compressed or uncompressed. The second is a "W", and the third is an "S" presumably to determine whether the file is corrupted or not. Following this paradigm, I should be able to manipulate a SWF file soon enough by creating methods to insert, edit, and delete individual bytecodes.

    Now that I have my basic environment set up for manipulating various bytecodes within the SWF, I now need to review what it is I could possibly be needing to change. So far, my knowledge of what they could do to confuse decompilers is limited to what I read in http://www.gotoandplay.it/_articles/2004/04/swfProtection.php, and information I've gleaned from the 2 threads dealing with this subject on this forum. I'm disregarding the articles I've read on identifier scrambling, keeping things on the serverside, etc because they basically have no association with this type of security, and are fairly intuitive to begin with.

    The SWF seems to be incorporating the non-displayable characters technique, and I'm also assuming it performs the jumping sentence technique, but I don't know of any other techniques aside from that.

    SWF I'm using to practice on:
    http://rapidshare.com/files/112575482/jetman_base.swf.html
    Last edited by unlimitedorb; May 4th, 2008 at 18:19.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  8. #8
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,204
    Blog Entries
    5
    If I were you, I'd study the following small tool, released by a former forum member, for unprotecting SWF Encrypt protected files:

    http://www.woodmann.com/forum/showthread.php?p=67428

    It's a small exe, so studying by disassembly should be relatively easy.

    And it seems that you need to first develop your tool and study Flash bytecode and SWF format specs further, before you can start worrying about using it to defeat the protection methods? Maybe you can even make use of existing Flash disassemblers and their code, in order not to have to "invent the wheel again"? Once you've done that, I think the information in the threads you already mentioned would take you pretty far.

    The best recommendation now to get further help would probably be: Continue your work, present your progress, and ask more detailed questions along the way.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  9. #9
    Registered User
    Join Date
    Dec 2005
    Posts
    216
    Blog Entries
    5
    I'm no expert on SWF reversing. In fact, I have next to no experience with it whatsoever. That being said, hear me out:

    A lot of video games these days are just flash SWF files wrapped into an exe. From what I understand, the SWF is appended as an overlay to the exe. The exe is responsible for initializing the Macromedia Projector, and then letting the SWF execute in it. This has led to an interesting protection technology from the side of "Activemark" (a video game protection). Since it would be bad form to leave the SWF overlay unencrypted (all the hacker would have to do is append the overlay to an unprotected Flash exe), they encrypt the overlay. However, they also need decrypt the data in order for it to be used by the Flash VM. They achieve this through simple CreateFile/ReadFile/WriteFile hooks. What they do is they check whether a file you are opening a handle to with CreateFile is encrypted. If it is, then it memorizes that handle of the encrypted file for later use. Say then, Macromedia reads the protected overlay with ReadFile. Activemark intercepts the read request, and looks at the handle being provided. If it is the handle of an encrypted file, it decrypts the file in a buffer, before returning that buffer's contents as the output.

    So, I guess you could adopt their approach, just in a more sophisticated manner. You could completely erase the headers from an encrypted flash file, and store them someplace else. Then, once the Flash player is initialized, the first thing it will ask for is the header, right? Just feed the header to it, without ever accessing the encrypted flash file. That way, if the hackers decrypts the flash file, the header will still be missing, and he will have to look harder for it. I mean, that's just one simple idea. You really have so many options... its up to you to implement them. I just hope you Activemark's CreateFile/ReadFile/WriteFile hooks give you some ideas to mull over in your spare time...

  10. #10
    unlimitedorb
    Guest
    That's a very enlightening post rendari, but in this particular case, I'm on the side of the hacker. Rather than protecting a SWF, I am trying to reverse the protection on it. It's interesting to see techniques on both sides of the spectrum though.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  11. #11
    Hi,

    I wrote a deprotector for SWF Encrypt 4.0 some time ago, in order to decompile and consequently cheat at the games on club.live.com . I never really released it, but I'm attaching its current source here for your convenience. The obfuscation tricks it reverses (which are surprisingly lame) are outlined in the comments.

    I was able to completely unprotect a fair number of games from ClubLive with it (all the ones that were available at the time of coding). Other games were added later, but I didn't bother checking if they contained new tricks.
    Attached Files Attached Files
    Last edited by arc_; May 14th, 2008 at 12:48.

  12. #12
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,204
    Blog Entries
    5
    Cool, thanks for sharing.

    CRCETL:
    http://www.woodmann.com/collaborative/tools/index.php/Swfdecrypt

    And for the sake of searchability, here is some info copy/pasted from this source code:

    The fun thing is their "protector" doesn't actually *encrypt* anything (not that that would be possible with ActionScript in the first place). Merely two obfuscation tricks are used:
    - An .swf file consists of a series of tags: blocks that can contain shapes, sounds, movies... and code. the first obfuscation trick moves the code of a code tag into a new tag just before it; this new tag gets a type number (253) that doesn't correspond to an existing type, thereby making decompilers ignore it. The original code tag is kept but filled with junk code.
    The only useful things in this garbage are the constants declaration and a jump instruction to the 253 tag.
    This trick is used with little variation on pretty much all tags that contain code.
    - A second obfuscation trick just places the code to be hidden in an instruction with an invalid opcode (0xFC) in the middle of the junk code.
    - For some code tags a different technique is used: a bit of junk code followed by the old jump-into-middle-of-instruction trick to confuse decompilers. Just removing this code (first 0x2A bytes) fixes it.



    General working procedure:

    - iterate over tags
    - when we encounter a tag containing code:
    - if it contains special meta information (f.e. DefineButton2), copy it over
    - make sure the code starts with 9B 07 00 01 02 00 00 00
    - scan the tag for a constants definition where the constant names only have readable names.
    if found, copy it over
    - follow the backward branch at the end of the 253 tag preceding the tag to get to the actual code
    - if the tag code on the other hand starts with
    96 03 00 00 09 00 96 05 00 07 02 00 00 00 3C 96
    03 00 00 09 00 88 09 00 03 00 20 00 01 01 00 02
    00 1C 9D 02 00 03 00
    it's the splice jump trick. just drop the first 0x2A bytes from the code.
    (this code contains a constants declaration with some junk entries. one might think that the "real" constants declaration will be appended to this, and that therefore the constants references in the code need to be adjusted when the junk constants are dropped. luckily, a constants declaration *replaces* any previous ones, so there's no problem.)


    tags that contain code are:
    - 12: DoAction -> contains just raw code
    - 26: PlaceObject2 -> skip a whole lot of structures that may or may not be there depending on flags
    - 34: DefineButton2 -> cond blocks start at tag_data + 3 + word ptr [tag_data+3].
    - 39: DefineSprite -> skip four bytes and read tags until End tag is encountered
    - 59: DoInitAction -> skip first two bytes (sprite ID)

    - 253: move the code over to the code tag that follows and drop this one


    may contain code but are apparently not used:
    too old:
    - 7: DefineButton

    too new:
    - 70: PlaceObject3
    - 72: DoABC
    - 82: DoABCDefine


    When there are multiple code blocks in one tag (for example multiple conditions on DefineButton2), the code is arranged as follows in the 253 tag:

    enter2_cond1:
    <code cond1>
    jmp ret1_cond1
    enter1_cond1:
    jmp enter2_cond1

    enter_cond2:
    <code cond2>
    jmp ret_cond2 -> return to junk code
    jmp enter_cond2 <- junk code jumps here
    ret1_cond1:
    jmp ret2_cond1 -> return to junk code
    jmp enter1_cond1 <- junk code jumps here
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  13. #13
    unlimitedorb
    Guest
    Thank you so much arc_, you made my day =)
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  14. #14
    aboarwa
    Guest
    thank you
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  15. #15
    war360
    Guest
    Quote Originally Posted by arc_ View Post
    Hi,

    I wrote a deprotector for SWF Encrypt 4.0 some time ago, in order to decompile and consequently cheat at the games on club.live.com . I never really released it, but I'm attaching its current source here for your convenience. The obfuscation tricks it reverses (which are surprisingly lame) are outlined in the comments.

    I was able to completely unprotect a fair number of games from ClubLive with it (all the ones that were available at the time of coding). Other games were added later, but I didn't bother checking if they contained new tricks.
    thx arc_! excellent job!

    i encounter a tough file. in swf encrypt 4, the swf file is showed protected, just like what you can see in 1.jpg, and i also find tag 253 and 0x96 at the end of this tag.

    but after using swfdecrypt, i didn't get the original code.
    maybe there'are some other tricks, so i put it here for you.

    btw, this file will jump to a black frame when it's not loaded in its specifically domain.
    Attached Images Attached Images  
    Attached Files Attached Files
    • File Type: rar 1.rar (271.8 KB, 319 views)
    I promise that I have read the FAQ and tried to use the Search to answer my question.

Similar Threads

  1. SWF Encrypt (Flash 'obfuscator') hacking
    By Inopia in forum Malware Analysis and Unpacking Forum
    Replies: 30
    Last Post: March 22nd, 2010, 06:57
  2. [Flash] SWF Encrypt "unprotector"
    By LLXX in forum Tools of Our Trade (TOT) Messageboard
    Replies: 2
    Last Post: August 25th, 2007, 22:32
  3. ollydbg - explanation of short piece of assebly
    By jamiemac2005 in forum Tools of Our Trade (TOT) Messageboard
    Replies: 5
    Last Post: June 5th, 2007, 03:44
  4. CrackZ explanation of hiding dongle response codes
    By corus-corvax in forum Advanced Reversing and Programming
    Replies: 7
    Last Post: August 11th, 2005, 18:22

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •