
Thread: Packing / unpacking of Flash SWF files (yes, really!)

  1. #16
    King of Redonda
    Join Date
    Jul 2006
    Posts
    109
    Blog Entries
    4
    From the looks of it it's an "SWF encrypt"-ed file. Most of those
    "branch not found" actually jump out of the file, but the ones IN the file will have to be checked indeed.

    The IPF seems to be caused by a piece of code not needed anymore; although I don't know the exact problem, commenting that part out should work.
    <[TN]FBMachine> i got kicked out of barnes and noble once for moving all the bibles into the fiction section

  2. #17
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Quote Originally Posted by fr33ke
    From the looks of it it's an "SWF encrypt"-ed file
    Sounds like we maybe have some SWFiD functionality coming up too...?

    Anyway, nice work, looking forward to more stable and feature packed versions!

    And fr33ke, are you previously experienced in the field of Flash unpacking/reversing, or did you just enter the area?

    PS.
    Due to your faithful duties towards the people of Redonda (also sometimes referred to as "the Flash reversing community" ), you were just upgraded to your desired royal status...
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  3. #18
    King of Redonda
    Join Date
    Jul 2006
    Posts
    109
    Blog Entries
    4
    Hi dELTA, I'm not experienced in flash reversing. Before this thread I didn't even know it was bytecode... but on the other hand, who *is* really experienced?

    Thanks for the title, and I promise I will fulfill my duties as king to the best of my abilities

  4. #19
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    I didn't mean to imply that any potential inexperience would be something bad, I was just surprised that you learned to identify Flash packers so quickly if you didn't have any prior experience. Rock on.

  5. #20
    King of Redonda
    Join Date
    Jul 2006
    Posts
    109
    Blog Entries
    4
    Well, I have to admit that was rather coincidence. I use a test swf packed by SWF Encryptor to test the tool

  6. #21
    At the moment there aren't that many SWF packers, so the probability that two files were packed with the same packer is quite high.

    I'm going to be preparing an ActionScript opcode map, as there don't seem to be any out there (not even in Macromedia's own reference) in an attempt to organise the information better and help understand what (if any) effect those "undocumented" instructions do... because there probably are several

  7. #22
    King of Redonda
    Join Date
    Jul 2006
    Posts
    109
    Blog Entries
    4
    You might want to take a look in actions.h of the flasm/flasmmod source. void printActionRecord in unflasm.c is also nice, although a bit hard to understand at times.

    Some more info: there are two kinds of opcodes
    1. with bytecode < 0x80: 1-byte action, no parameters (arguments)
    2. with bytecode >= 0x80: 1-byte action + 2-bytes parameter length + n-bytes parameters

    PS
    Quote Originally Posted by LLXX
    Unfortunately I can't identify the packer as there are literally hundreds of them out there
    Quote Originally Posted by LLXX
    At the moment there aren't that many SWF packers
    ?
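    The two-case encoding rule from #22, together with the "branch not found" jumps out of the file mentioned in #16, can be turned into a small checker. This is an added example, not code from the thread, flasm or any other project: the opcode numbers and names (ActionEnd, ActionPlay, ActionStop, ActionPush, ActionJump, ActionIf) and the rule that BranchOffset is a signed 16-bit value relative to the end of the branch record come from the public SWF file format specification, not from the posts above, and the sample buffer is constructed for illustration.

```python
import struct

# Opcode numbers and names come from the public SWF file format specification;
# the thread itself only gives the <0x80 / >=0x80 encoding rule.
ACTION_NAMES = {
    0x00: "ActionEnd", 0x06: "ActionPlay", 0x07: "ActionStop",
    0x96: "ActionPush", 0x99: "ActionJump", 0x9D: "ActionIf",
}
BRANCH_OPCODES = {0x99, 0x9D}   # both carry a signed 16-bit BranchOffset


def parse_actions(data):
    """Split a DoAction body into (offset, opcode, params) records.

    Rule from #22: opcode < 0x80 is a single byte; opcode >= 0x80 is
    followed by a little-endian UI16 length and that many parameter bytes.
    """
    records = []
    pos = 0
    while pos < len(data):
        opcode = data[pos]
        if opcode < 0x80:
            records.append((pos, opcode, b""))
            pos += 1
        else:
            if pos + 3 > len(data):
                raise ValueError(f"truncated action header at 0x{pos:04x}")
            (length,) = struct.unpack_from("<H", data, pos + 1)
            start, end = pos + 3, pos + 3 + length
            if end > len(data):
                raise ValueError(f"action 0x{opcode:02x} at 0x{pos:04x} runs past end of data")
            records.append((pos, opcode, data[start:end]))
            pos = end
        if opcode == 0x00:          # ActionEnd terminates the block
            break
    return records


def check_branches(records, size):
    """Resolve every ActionJump/ActionIf target and classify it.

    BranchOffset is relative to the end of the branch record (the start of
    the next action). Targets outside [0, size) are the "jump out of the
    file" case from #16; targets inside the data but not on a record start
    land mid-instruction and deserve a manual look.
    """
    record_starts = {off for off, _, _ in records}
    results = []
    for off, opcode, params in records:
        if opcode not in BRANCH_OPCODES:
            continue
        if len(params) != 2:
            results.append((off, None, "malformed"))
            continue
        (rel,) = struct.unpack("<h", params)
        target = off + 3 + len(params) + rel
        if not 0 <= target < size:
            status = "outside-file"
        elif target in record_starts:
            status = "ok"
        else:
            status = "mid-instruction"
        results.append((off, target, status))
    return results


# Constructed sample (not taken from any real file):
#   0x00 ActionStop
#   0x01 ActionJump -6   -> back to offset 0, a valid target
#   0x06 ActionIf   +16  -> offset 27, beyond the 17-byte buffer
#   0x0b ActionJump -1   -> offset 15, inside the previous record's params
#   0x10 ActionEnd
SAMPLE = (b"\x07"
          + b"\x99\x02\x00\xfa\xff"
          + b"\x9d\x02\x00\x10\x00"
          + b"\x99\x02\x00\xff\xff"
          + b"\x00")


if __name__ == "__main__":
    recs = parse_actions(SAMPLE)
    for off, opcode, params in recs:
        name = ACTION_NAMES.get(opcode, f"Action0x{opcode:02X}")
        print(f"0x{off:04x}  {name:12s} {params.hex()}")
    for off, target, status in check_branches(recs, len(SAMPLE)):
        print(f"branch at 0x{off:04x} -> {target}: {status}")
```

    The "mid-instruction" class is the one worth flagging in an unpacker: a target that lands inside another record's parameters is either a disassembler desync or deliberately overlapping code, and the text around it should be disassembled again from that target before the file is trusted.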

  8. #23
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Quote Originally Posted by LLXX
    I'm going to be preparing an ActionScript opcode map, as there don't seem to be any out there (not even in Macromedia's own reference) in an attempt to organise the information better and help understand what (if any) effect those "undocumented" instructions do... because there probably are several
    Sounds really great LLXX, please upload it to this thread when it's done!

    And btw, regarding the "official specs", Adobe seems to hold on to them a bit harder than before now, I never heard from them after performing the necessary registration procedure that would make them contact me about them. If anyone succeeded with this lately (or have a relatively recent version of them), please PM me.

  9. #24
    King of Redonda
    Join Date
    Jul 2006
    Posts
    109
    Blog Entries
    4
    Well this version is from a few days ago: http://z18.zupload.com/download.php?file=getfile&filepath=38433
    http://rapidshare.de/files/37317485/flash_fileformat_specification.pdf

    Note that I patched 0x884D from 'O' to 'A' to avoid having to download Adobe Reader. If it gives problems patch it back, works fine here with FoxIt reader.
    Last edited by fr33ke; October 19th, 2006 at 05:45.

  10. #25
    Now you're into reversing PDFs too?

    Nice try, but it didn't work for me with Acrobat 5.x, neither O nor A

    Here's the cleaned-up version: http://z04.zupload.com/download.php?file=getfile&filepath=6627

    Might as well up SWF7 while I'm at it: http://z04.zupload.com/download.php?file=getfile&filepath=6630

    Opcode map and record type map are coming soon... I was thinking of putting all the structures on there too, sort of like a quick SWF reference sheet

  11. #26
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Thanks for the new uploads LLXX, and I'm looking forward to that quick reference sheet, but isn't there anyone else besides me that cannot download a damn thing from those zUpload links?! I've tried all of them with Firefox, Opera and IE, but all I get is the stupid download stats page, no matter how much I click that "Download file" link, wtf?!? That's why I asked fr33ke to use rapidshare links instead.

    So, could anyone please tell me the secret of that zUpload site (I'm sure I'm gonna feel really stupid...), or could we please switch to some other download service, e.g. rapidshare?

  12. #27
    That's interesting, since zupload is one of the many upload sites that doesn't depend on scripting/activex etc. to download/upload files; unlike rapidshare which is inconvenient because it employs scripting and has that countdown (even if you kill the clientside script, the server still waits until its side has counted down to zero before sending you the data).

    You probably blocked referer sending. Without a referer, it'll redirect you back to the download page. See my little experimentation with netcat:
    Code:
    get /dl.php?id=6630 http/1.0 { I type these lines... }
    referer: http://z04.zupload.com/download.php?file=getfile&filepath=6630 <- you need this
    host: z04.zupload.com
    
    HTTP/1.1 200 OK { response from server }
    Date: Fri, 20 Oct 2006 20:21:20 GMT
    Server: Apache/1.3.33 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2
    mited/1.4 PHP/4.3.11 FrontPage/5.0.2.2635
    X-Powered-By: PHP/4.3.11
    Content-disposition: attachment; filename="SWF7.zip"
    Content-length: 790667
    Connection: close
    Content-Type: application/x-tar
    
    { file contents follow }
    Now, without referer:
    Code:
    get /dl.php?id=6630 http/1.0
    host: z04.zupload.com
    
    HTTP/1.1 302 Found
    Date: Fri, 20 Oct 2006 20:26:59 GMT
    Server: Apache/1.3.33 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2
    mited/1.4 PHP/4.3.11 FrontPage/5.0.2.2635
    X-Powered-By: PHP/4.3.11
    Location: http://z04.zupload.com/download.php?file=getfile&filepath=6630
    Connection: close
    Content-Type: text/html
    
    { server closes connection }
    Last edited by LLXX; October 20th, 2006 at 15:33.
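    The netcat sessions above show the download script answering 200 when a Referer is present and 302 back to the download page when it is absent. The following is an added example, not code from the thread or from zUpload, that models both sides of that exchange offline so the behaviour can be reasoned about: the request builder produces the same HTTP/1.0 request LLXX typed, and the server side is an assumption about the rule (Referer host equal to the site's own host) that reproduces the two observed responses. The host, path, file id, filename and size are taken from the quoted headers; the third test case (a link pasted from another site) is constructed.

```python
from urllib.parse import urlsplit

# Values taken from the exchange quoted in the post; everything else is constructed.
HOST = "z04.zupload.com"
FILE_ID = "6630"
DOWNLOAD_PAGE = f"http://{HOST}/download.php?file=getfile&filepath={FILE_ID}"


def build_request(referer=None):
    """Raw HTTP/1.0 request like the one typed into netcat; Referer is optional."""
    lines = [f"GET /dl.php?id={FILE_ID} HTTP/1.0", f"Host: {HOST}"]
    if referer is not None:
        lines.append(f"Referer: {referer}")
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_headers(raw):
    """Header names are case-insensitive, so normalise them to lower case."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers


def referer_gate(raw_request):
    """Model of the server side seen in #27.

    The rule (Referer present and pointing at our own host) is an assumption
    that reproduces the observed 200/302 pair; the real script's logic is not
    known from the thread.
    """
    headers = parse_headers(raw_request)
    referer = headers.get("referer")
    if referer and urlsplit(referer).hostname == HOST:
        return 200, {"Content-disposition": 'attachment; filename="SWF7.zip"',
                     "Content-length": "790667"}
    return 302, {"Location": DOWNLOAD_PAGE}


def status_for(referer):
    """Status code the modelled server returns for a given Referer value."""
    return referer_gate(build_request(referer))[0]


if __name__ == "__main__":
    cases = {
        "browser following the link": DOWNLOAD_PAGE,
        "client with Referer stripped (dELTA's firewall)": None,
        "link pasted from another site (constructed)": "http://example.invalid/page",
    }
    for label, ref in cases.items():
        print(f"{label:50s} -> HTTP {status_for(ref)}")
```

    The second case is exactly what dELTA ran into: a privacy feature in the client drops the header and the site silently loops back to its stats page. Because the header is supplied by the client and is routinely stripped by proxies and firewalls, a Referer check of this kind is a convenience measure against hotlinking, not an access control, and a site relying on it should expect both false rejections like this one and trivially satisfied checks.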

  13. #28
    I just thought of this: It would be the ultimate irony to put the SWF reference sheet in... a SWF.

    Or would PDF be better?

  14. #29
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Ah, thanks for the tip LLXX, as I said, I was gonna feel stupid when I found out. For some reason my stupid firewall had decided to enable its "referer blocking" feature, although I've told it not to...

    And I'm still looking forward to the reference sheet, in PDF.

  15. #30
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Further info on the subject, for reference:

    http://www.woodmann.com/forum/showthread.php?t=10300
