Author Topic: how to decode .swf files  (Read 37734 times)

March 18, 2008, 08:45:40 pm

julevine

I need some tools to help me decode some .swf files to find out if there is any malicious advertisement urls in them.


March 18, 2008, 10:22:18 pm
Reply #1

sowhat-x

...do you need to decompile these .swf files, or simply a generic 'ripper'?
With what you described, as a really quick thought,
swfstrings and swfextract were the first things to come to mind...
http://www.swftools.org/

I also have a few older swf 'rippers' lying somewhere around here...
haven't kept track of what's been going on with newer Flash versions though,
meaning that I can't guarantee they will work properly...
I'll upload them as soon as I will dig them out...

...for more decompiling/deobfuscation tools, i.e. flasm/flare etc.,
have a look at these two threads over at woodmann's forum...
They've pretty much covered most of the current stuff/tricks of the trade:
http://www.woodmann.com/forum/showthread.php?t=9572
http://www.woodmann.com/forum/showthread.php?t=10300

March 19, 2008, 03:01:04 pm
Reply #2

sowhat-x

Some stuff I've found here, for assisting in ripping-related tasks, added below as an attachment...
Some older tools of similar functionality are here, quite obsolete...
http://www.buraks.com/swifty/
A few newer freeware apps are currently available here:
http://www.dcomsoft.com/download.html
Regarding open source 'rippers', apart from swftools mentioned above,
the only one I've ever used is swf_dump from:
http://sswf.sourceforge.net/

Note though that most of this stuff I've used as preprocessors in video/image manipulation tasks;
I haven't ever personally been in actual need of restoring code out of Flash apps.
I.e., as a best guess, and highly depending on the version/features etc. of the .swf file in question,
you'd first have to run one or more of the de-protector tools mentioned/linked to in this thread,
then feed the result to flasm/flare and the like... or go with a commercial disassembler.

There also exists an open source decompiler for the newer ActionScript 3 called 'AbcDump';
it's included in the attachment below... or even better, have a look here:
http://www.5etdemi.com/blog/archives/2007/01/as3-decompiler/

March 26, 2008, 08:36:42 pm
Reply #3

XzifT


March 26, 2008, 09:21:28 pm
Reply #4

tjs

Sothink SWF Decompiler is a commercial product for win32 that works really well. I think they have a 30-day demo that you can play with... http://www.sothink.com/product/flashdecompiler/

I've used it with lots of success in the past.

If you're concerned with flash based malware (downloaders and such) you'll notice that many of them are obfuscated and thus all the programmatically generated actionscript will be difficult to understand. I've not seen any tools that help to simplify this.

Good luck.

TJS

June 02, 2008, 01:15:35 am
Reply #5

tjs

WARNING! Sothink SWF Decompiler will 'play' the swf with the default player upon starting, so it's not a good application for decompiling those new 0day flash files that are floating around the web these days.

You're much better off using flasm for analysis of malicious (or potentially malicious) swf files.

Be careful out there..
TJS

June 02, 2008, 08:33:11 am
Reply #6

binjo

Quote
WARNING! Sothink SWF Decompiler will 'play' the swf with the default player upon starting, so it's not a good application for decompiling those new 0day flash files that are floating around the web these days.

You're much better off using flasm for analysis of malicious (or potentially malicious) swf files.

Be careful out there..
TJS

Thanks for your info...

June 02, 2008, 12:56:43 pm
Reply #7

sowhat-x

In the very few times I've ever been in need of using flare/flasm,
I never really had much success...
most probably because the samples were heavily obfuscated.
Not to mention also that the above don't work with newer versions of Flash...

For basic info and/or statistics gathering related tasks,
either swfdump (from the swftools package) or swf_dump (from the sswf package),
both already mentioned above... do the job fine in most of the cases.
There also appear to be a few other open source "solutions" out there lately,
when it comes to Flash debugging/disassembling... if anyone is really interested, search here:
http://osflash.org/projects
Most probably the most interesting one is the ActionScript 3 "AbcDump" decompiler,
which has also already been mentioned above...

To keep it short, a sum-up of the above...
Current open source solutions at the moment
are lacking way too many features to be usable in a "fire-up-and-go" way.
And that's exactly the "gap" that gets filled by the various commercial decompilers (i.e. Sothink)...
Unless of course someone is really willing to spend his/her time,
both on reading Adobe's specs for the various versions,
and on studying/exercising manually the various Flash protectors which are sold out there...
(again, check Woodmann's threads above to get a basic idea...
it's certainly not an easy task for inexperienced people).

tjs's warning though is more than important...
Pretty much as with Olly etc... only on a spare test machine/virtualized environment etc.

February 22, 2009, 09:47:30 pm
Reply #8

DiFor

Help please: parse this swf file and extract from it the link from where the malware is downloaded.

February 24, 2009, 07:15:45 am
Reply #9

WIEx

Uncompressed

February 24, 2009, 07:32:51 am
Reply #10

SysAdMini

Ruining the bad guy's day

February 24, 2009, 07:54:49 am
Reply #11

WIEx

Quote
Thanks. How did you uncompress the file?

I coded a php script to uncompress:

Code:
<?php
$input = file_get_contents("input.swf");
$header = substr($input, 0, 8);   // 3-byte signature, version byte, 4-byte length
$data = substr($input, 8);        // everything after the 8-byte header is zlib-compressed
$header[0] = "F";                 // 'CWS' -> 'FWS': mark the output as uncompressed
$data = gzuncompress($data);
$output = fopen("1.swf", "w");
fwrite($output, $header . $data);
fclose($output);
?>

February 24, 2009, 02:21:29 pm
Reply #12

DiFor

yes, yes, I wrote a script to uncompress all swf files in a dir
Code:
<?php
  $dir = opendir(".");
  while (($file = readdir($dir)) !== false)
  {
    // only handle *.swf entries in the current directory
    if (($file != ".") && ($file != "..") && (substr($file, -3) == "swf"))
    {
        $swf_file_data = file_get_contents($file);
        $swf_header = substr($swf_file_data, 0, 8);
        $swf_data = substr($swf_file_data, 8);
        // only 'CWS' files are zlib-compressed; an 'FWS' file is already plain
        if ($swf_header[0] == 'C')
        {
            $swf_header[0] = 'F';
            $swf_data = gzuncompress($swf_data);
        }
        file_put_contents(substr($file, 0, strlen($file) - 4) . '-decode.txt', $swf_header . $swf_data);
    }
  }
  closedir($dir);
?>
Can anybody write about the struct of swf files, and which js or as script functions can be used in swf?
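The decompression step both PHP scripts perform, plus the header and tag layout DiFor asks about and the URL hunt julevine started the thread with, as an added Python example. This is not code from the thread or from swftools/flasm/flare; it reads only 'FWS' and 'CWS' files, and the sample it builds (hosts under .invalid) is constructed so the script runs offline. The URL scan is a plain string match over tag bodies, enough for an unobfuscated GetURL; it does not decompile ActionScript, so obfuscated samples of the kind tjs describes still need the tools above.

```python
import re
import struct
import sys
import zlib

# A few tag codes from Adobe's SWF spec, for readable output only.
TAG_NAMES = {0: "End", 1: "ShowFrame", 9: "SetBackgroundColor",
             12: "DoAction", 59: "DoInitAction", 82: "DoABC"}

# Plain-text URL scan: the match stops at the first byte outside printable
# ASCII, so a NUL-terminated ActionScript string ends it on its own.
URL_RE = re.compile(rb"(?:https?|ftp)://[\x21-\x7e]+")


def decompress_swf(data):
    """Return the file as an uncompressed 'FWS' image.

    Header: 3-byte signature ('FWS' plain, 'CWS' zlib), 1-byte version,
    4-byte little-endian length of the *uncompressed* file. Only the bytes
    after those 8 are compressed, which is why the PHP scripts above keep
    the first 8 bytes and inflate the rest."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig = data[:3]
    if sig == b"FWS":
        return data
    if sig == b"CWS":
        return b"F" + data[1:8] + zlib.decompress(data[8:])
    raise ValueError("unsupported signature %r" % sig)


def parse_header(swf):
    """Decode the fixed header plus the RECT, frame rate and frame count."""
    version = swf[3]
    length = struct.unpack_from("<I", swf, 4)[0]
    nbits = swf[8] >> 3                       # RECT: 5-bit Nbits, then 4 fields
    rect_len = (5 + 4 * nbits + 7) // 8       # RECT is byte-aligned at its end
    pos = 8 + rect_len
    frame_rate = struct.unpack_from("<H", swf, pos)[0] / 256.0   # 8.8 fixed point
    frame_count = struct.unpack_from("<H", swf, pos + 2)[0]
    return {"version": version, "length": length, "frame_rate": frame_rate,
            "frame_count": frame_count, "tags_offset": pos + 4}


def iter_tags(swf, offset):
    """Yield (tag_code, body) for each RECORDHEADER until the End tag."""
    pos = offset
    while pos + 2 <= len(swf):
        code_and_len = struct.unpack_from("<H", swf, pos)[0]
        code, length = code_and_len >> 6, code_and_len & 0x3F
        pos += 2
        if length == 0x3F:                    # long form: real u32 length follows
            length = struct.unpack_from("<I", swf, pos)[0]
            pos += 4
        yield code, swf[pos:pos + length]
        pos += length
        if code == 0:
            break


def extract_urls(swf):
    """Return [(tag name, url), ...] for every URL-like string in tag bodies."""
    hdr = parse_header(swf)
    hits = []
    for code, body in iter_tags(swf, hdr["tags_offset"]):
        for m in URL_RE.finditer(body):
            hits.append((TAG_NAMES.get(code, "Tag%d" % code),
                         m.group(0).decode("ascii")))
    return hits


# --- constructed sample; the .invalid hosts are placeholders, not real URLs ---
def _tag(code, body):
    """Encode one RECORDHEADER; bodies of 63 bytes or more need the long form."""
    if len(body) < 0x3F:
        return struct.pack("<H", (code << 6) | len(body)) + body
    return struct.pack("<H", (code << 6) | 0x3F) + struct.pack("<I", len(body)) + body


def _get_url(url, target):
    """ActionGetURL (0x83): u16 length, then two NUL-terminated strings."""
    payload = url + b"\x00" + target + b"\x00"
    return b"\x83" + struct.pack("<H", len(payload)) + payload


def build_sample_swf():
    """A minimal CWS file: one frame and a DoAction tag with two GetURL actions."""
    actions = (_get_url(b"http://ads.example.invalid/click?id=1", b"_blank")
               + _get_url(b"http://cdn.example.invalid/loader.swf", b"_self")
               + b"\x00")                     # ActionEnd
    body = (b"\x00"                           # RECT with Nbits = 0
            + b"\x00\x0c"                     # frame rate 12.0 (8.8 fixed point)
            + b"\x01\x00"                     # frame count 1
            + _tag(9, b"\xff\xff\xff") + _tag(12, actions)
            + _tag(1, b"") + _tag(0, b""))
    return b"CWS" + bytes([8]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_swf()
    swf = decompress_swf(raw)
    print(parse_header(swf))
    for tag, url in extract_urls(swf):
        print("%-18s %s" % (tag, url))
```

Run it with a file path to triage a real sample, or with no arguments to see it work on the constructed one. Nothing in it executes the Flash content, which is the property tjs's warning about Sothink is really about; the parsing is purely over bytes on disk, so it is safe to run on suspect files.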

February 24, 2009, 04:57:27 pm
Reply #13

sowhat-x

Quote
Thanks. How did you uncompress the file?
flasm -x flash.swf   ::)