Malware Domain List

Malware Related => Malware Analysis => Topic started by: julevine on March 18, 2008, 08:45:40 pm

Title: how to decode .swf files
Post by: julevine on March 18, 2008, 08:45:40 pm
I need some tools to help me decode some .swf files to find out if there is any malicious advertisement urls in them.

Title: Re: how to decode .swf files
Post by: sowhat-x on March 18, 2008, 10:22:18 pm
...do you need to decompile these .swf files, or simply a generic 'ripper'?
With what you described, as a really quick thought,
swfstrings and swfextract were the first things to come to mind...
http://www.swftools.org/

I also have a few older swf 'rippers' lying somewhere around here...
haven't kept track of what's been going on with newer Flash versions though,
meaning that I can't guarantee they will work properly...
I'll upload them as soon as I will dig them out...

...for more decompiling/deobfuscation tools, i.e. like flasm/flare etc.,
have a look at these two threads over at woodmann's forum...
They've pretty much covered most of the current stuff/tricks of the trade:
http://www.woodmann.com/forum/showthread.php?t=9572
http://www.woodmann.com/forum/showthread.php?t=10300
Title: Re: how to decode .swf files
Post by: sowhat-x on March 19, 2008, 03:01:04 pm
A few things I've found here, for assisting in ripping-related tasks, added them below as an attachment...
Some older tools of similar functionality are here, quite obsolete...
http://www.buraks.com/swifty/
A few newer freeware apps are currently available here:
http://www.dcomsoft.com/download.html
Regarding open source 'rippers', apart from swftools mentioned above,
the only one I've ever used is swf_dump from:
http://sswf.sourceforge.net/

Note though that most of this stuff I've used as preprocessors in video/image manipulation tasks,
haven't ever personally been in the actual need of restoring code out of Flash apps.
I.e. as a best guess, and highly depending on the version/features etc. of the .swf file in question,
you'd first have to run one or more of the de-protector tools mentioned/linked to in this thread,
then feed the result to flasm/flare and the like... or go with a commercial disassembler solution.

There also exists an open source decompiler for newer ActionScript 3 called 'AbcDump',
it's included in the attachment below... or even better, have a look here:
http://www.5etdemi.com/blog/archives/2007/01/as3-decompiler/
Title: Re: how to decode .swf files
Post by: XzifT on March 26, 2008, 08:36:42 pm
Flasm

http://www.nowrap.de/flasm.html
Title: Re: how to decode .swf files
Post by: tjs on March 26, 2008, 09:21:28 pm
Sothink SWF Decompiler is a commercial product for win32 that works really well. I think they have a 30-day demo that you can play with... http://www.sothink.com/product/flashdecompiler/

I've used it with lots of success in the past.

If you're concerned with flash based malware (downloaders and such) you'll notice that many of them are obfuscated and thus all the programmatically generated actionscript will be difficult to understand. I've not seen any tools that help to simplify this.

Good luck.

TJS
Title: Re: how to decode .swf files
Post by: tjs on June 02, 2008, 01:15:35 am
WARNING! Sothink SWF Decompiler will 'play' the swf with the default player upon starting, so it's not a good application for decompiling those new 0day flash files that are floating around the web these days.

You're much better off using flasm for analysis of malicious (or potentially malicious) swf files.

Be careful out there..
TJS
Title: Re: how to decode .swf files
Post by: binjo on June 02, 2008, 08:33:11 am
Quote
WARNING! Sothink SWF Decompiler will 'play' the swf with the default player upon starting, so it's not a good application for decompiling those new 0day flash files that are floating around the web these days.

You're much better off using flasm for analysis of malicious (or potentially malicious) swf files.

Be careful out there..
TJS

Thanks for your info...
Title: Re: how to decode .swf files
Post by: sowhat-x on June 02, 2008, 12:56:43 pm
In the very few times I've ever been in need of using flare/flasm,
I never really had much success...
most probably because the samples were heavily obfuscated.
Not to mention that the above don't work with newer versions of Flash...

For basic info and/or statistics gathering related tasks,
either swfdump (from the swftools package) or swf_dump (from the sswf package),
both already mentioned above... do the job fine in most cases.
There also appear to be a few other open source "solutions" out there lately,
when it comes to Flash debugging/disassembling... anyone really interested can search here:
http://osflash.org/projects
Most probably the most interesting one is the ActionScript 3 "AbcDump" decompiler,
which also has been already mentioned above...

To keep it short, a summary of the above...
Current open source solutions at the moment
are lacking way too many features to be usable in a "fire-up-and-go" way.
And that's exactly the "gap" that gets filled by the various commercial decompilers (i.e. Sothink)...
Unless of course someone is really willing to spend his/her time,
both for reading Adobe's specs for the various versions,
and to also study/exercise manually the various Flash protectors which are sold out there...
(again, check Woodmann's threads above to get a basic idea...
it's certainly not an easy task for inexperienced people).

tjs's warning though is more than important...
Pretty much as with Olly etc... only on a spare test machine/virtualized environment etc.
Title: Re: how to decode .swf files
Post by: DiFor on February 22, 2009, 09:47:30 pm
Help please parse swf file and extract it from a link from where malware is downloaded
Title: Re: how to decode .swf files
Post by: WIEx on February 24, 2009, 07:15:45 am
Uncompressed
Title: Re: how to decode .swf files
Post by: SysAdMini on February 24, 2009, 07:32:51 am
Quote
Uncompressed

Thanks. How did you uncompress the file ?

It redirects to

Code: [Select]
hxxp://www.rmk-lgs.com/images/m/
http://wepawet.cs.ucsb.edu/view.php?hash=00b4bdccdbcfe164e962f96df31177d2&t=1235380189&type=js
Title: Re: how to decode .swf files
Post by: WIEx on February 24, 2009, 07:54:49 am
Quote
Thanks. How did you uncompress the file ?

I coded php script to uncompress:

Code: [Select]
<?php
$input = file_get_contents("input.swf");
$header = substr($input, 0, 8);   // signature (CWS), version, file length
$data = substr($input, 8);        // the zlib stream that follows the header
$header[0] = "F";                 // rewrite the signature from CWS to FWS
$data = gzuncompress($data);
$output = fopen("1.swf", "w");
fwrite($output, $header . $data);
fclose($output);
?>
Title: Re: how to decode .swf files
Post by: DiFor on February 24, 2009, 02:21:29 pm
Yes, yes, I wrote a script to uncompress all swf files in a dir
Code: [Select]
<?php
  $dir = opendir(".");
  while ($file = readdir($dir))
  {
    if (($file != ".") && ($file != "..") && (substr($file, strlen($file) - 3) == "swf"))
    {
        $swf_file_data = file_get_contents($file);
        $swf_header = substr($swf_file_data, 0, 8);
        $swf_data = substr($swf_file_data, 8);
        // Only "CWS" files carry a zlib stream; an "FWS" file is already uncompressed.
        if (substr($swf_header, 0, 3) == "CWS") {
            $swf_header[0] = 'F';          // rewrite the signature to FWS
            $swf_data = gzuncompress($swf_data);
        }
        file_put_contents(substr($file, 0, strlen($file) - 4) . '-decode.txt', $swf_header . $swf_data);
    }
  }
  closedir($dir);
?>
Can anybody write about the structure of swf files and which js or as script functions can be used in swf?
Title: Re: how to decode .swf files
Post by: sowhat-x on February 24, 2009, 04:57:27 pm
Quote
Thanks. How did you uncompress the file ?
flasm -x flash.swf   ::)
Title: Re: how to decode .swf files
Post by: sowhat-x on February 24, 2009, 05:08:38 pm
Probably of interest to some people...
http://www.adobe.com/devnet/swf/pdf/swf_file_format_spec_v9.pdf
http://www.adobe.com/devnet/swf/pdf/swf_file_format_spec_v10.pdf

Plus:
http://www.woodmann.com/collaborative/tools/index.php/SWF_Reader
Title: Re: how to decode .swf files
Post by: ocean on February 26, 2009, 08:24:12 am
Quote
How did you uncompress the file ?
Code: [Select]
import sys, zlib
from struct import *

# "<3sBI": little-endian, standard sizes -> signature (3 bytes), version (1), file length (4).
# The native-order "3sBL" would pad/widen the length field on 64-bit platforms.
header = "<3sBI"

s = sys.stdin.buffer.read()      # raw bytes from stdin (Python 3)
signature, version, filelength = unpack(header, s[0:calcsize(header)])

if signature != b"CWS":
    sys.stderr.write("not a compressed swf!\n")
    sys.exit(1)

d = zlib.decompress(s[calcsize(header):])

hd = pack(header, b"FWS", version, filelength)   # same header, signature rewritten to FWS

sys.stdout.buffer.write(hd + d)

sys.stderr.write("swf decompressed! %d bytes\n" % len(d))
;D
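Pulling together the three decompression scripts above (WIEx's and DiFor's PHP, ocean's Python) and DiFor's question about the structure of swf files, here is an added example that is not code from any poster: it handles both CWS and FWS input, checks the header's FileLength against what actually came out (a mismatch flags a truncated or mangled sample), and walks the tag list to report which tags carry ActionScript. The header layout and tag codes follow Adobe's SWF spec linked in this thread; the input file is constructed inside the block, and LZMA-compressed "ZWS" files (SWF 13+) are only detected, not decoded.

```python
import struct
import zlib

# Tag codes from the SWF spec that carry ActionScript (AS2 actions or AS3 ABC blocks).
SCRIPT_TAGS = {12: "DoAction", 59: "DoInitAction", 82: "DoABC"}

def decompress_swf(data):
    """Return (version, declared_length, uncompressed_body) for an FWS or CWS file."""
    sig, version, length = struct.unpack("<3sBI", data[:8])   # struct.error if < 8 bytes
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":                      # LZMA-compressed (SWF 13+), not handled here
        raise ValueError("ZWS (LZMA) SWF not supported by this example")
    else:
        raise ValueError("not a SWF signature: %r" % sig)
    # FileLength is the full uncompressed size, 8-byte header included.
    if len(body) + 8 != length:
        raise ValueError("FileLength says %d, actual %d" % (length, len(body) + 8))
    return version, length, body

def list_tags(body):
    """Walk the tag list that follows the RECT, FrameRate and FrameCount fields."""
    nbits = body[0] >> 3                     # RECT: 5-bit Nbits, then 4 fields of Nbits bits
    pos = (5 + 4 * nbits + 7) // 8 + 4       # RECT bytes + FrameRate(2) + FrameCount(2)
    tags = []
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        code, length = code_and_len >> 6, code_and_len & 0x3F
        pos += 2
        if length == 0x3F:                   # long form: a 32-bit length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        tags.append((code, length))
        if code == 0:                        # End tag terminates the list
            break
        pos += length
    return tags

def script_tag_names(tags):
    # These are the tags worth feeding to flasm / swfdump -D / AbcDump.
    return [SCRIPT_TAGS[code] for code, _ in tags if code in SCRIPT_TAGS]

def build_sample_cws():
    """Constructed test input (not a real sample): a one-frame CWS with a DoAction tag."""
    fields = b"\x00" + struct.pack("<HH", 12 << 8, 1)       # RECT (Nbits=0), 12 fps, 1 frame
    do_action = struct.pack("<H", (12 << 6) | 1) + b"\x00"  # DoAction, body = ActionEnd
    body = fields + do_action + struct.pack("<H", 0)        # End tag
    return struct.pack("<3sBI", b"CWS", 9, len(body) + 8) + zlib.compress(body)
```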
Title: Re: how to decode .swf files
Post by: dlipman on August 04, 2012, 01:46:14 pm
SWF Investigator (http://sourceforge.net/adobe/swfinvestigator/wiki/Home/)

Quote
Adobe SWF Investigator is a cross-platform, GUI-based, comprehensive set of tools, which enables quality engineers, developers and security researchers to quickly analyze SWF files to improve the quality and security of their applications.

From a static perspective, you can disassemble ActionScript 2 (AS2) and ActionScript 3 (AS3) SWFs, view SWF tags and make binary changes to SWF files. SWF Investigator also lets you view associated information, including local shared objects (LSOs) and per site settings.

From a dynamic perspective, you can call functions within the SWF, load the SWF in various contexts, communicate via local connections and send messages to Action Message Format (AMF) endpoints.

SWF Investigator contains an extensible fuzzer for SWF applications and AMF services, so you can search for common Web application attacks. This toolset also provides a variety of utilities including encoders and decoders for SWF data, as well as a basic AS3 compiler.

http://labs.adobe.com/downloads/swfinvestigator.html