Reverse-Engineering Flash Files with SWFRETools

Sebastian Porst ([email protected]) – SOURCE Boston 2011


About Me

Current Work

• Look at crash

• Root cause analysis

• Minimal repro file

• Detection logic

What this talk is about

• Ship it!

What this talk is not about

Why is this relevant?

SWF Files: An Overview

• Header

• Tag 1

• Tag 2

• Tag 3

• Tag 4

• Tag n

SWF Files: Interesting Aspects

• SWF Parser

• ActionScript 2

• ActionScript 3

• Embedded Media (Fonts, …)

Existing Tools

• Flash Dump Decompiler

• SWFTools

• swfmill

• Sothink SWF Decompiler

Problems with existing tools

• Flash Dump Decompiler

• SWFTools

• swfmill

• Sothink SWF Decompiler

Introducing SWFRETools

• Tools for working with SWF files

• Open source (GPL 2.0)

• Specifically made for RE

Goals

• Ship

• Enable

• Standardize

Architecture

SWFRETools

• Parser

• Flash Dissector

• Minimizer

• Scripts

• Debugger

Tool I: The Parser

• Backbone

• Reusable

• Made for RE

Parser Goals

• Complete

• Improve

• Share

Workflow Intermezzo I

• Look at crash

• Root cause analysis

• Minimal repro file

• Detection logic

Tool 2: Flash Dissector

Flash Dissector Goals

• Visualize

• Popularize

• Standardize

Flash Dissector Demo

Weaknesses of Flash Dissector

• Incomplete

• ActionScript handling

• Editability

Flash Dissector Future

• Plugins

• Code Analysis

• Debugging GUI

Workflow Intermezzo II

• Look at crash

• Root cause analysis

• Minimal repro file

• Detection logic

Static analysis vs Dynamic analysis

• Flash Player trips up

• Static tools become useless

• Dynamic analysis required

Detour: Flash Player Debugger

• Download: FP Project Content Debugger

• Google: mmcfg treasure

• Use: Process Monitor to find file location

• Enjoy: Verbose ActionScript 3 log

Detour: Flash Player Debugger

Tool III: Tracer/Debugger

Tracer Implementation

• Console Application

• Uses Buggery by grugq

• Strategic placement of breakpoints

Last week in China

• Remember x86 lessons

• ActionScript Instrumentation

• Auto-generate clean code

Tracer Plans

• Extend

• Improve

• Keep updated

Workflow Intermezzo III

• Look at crash

• Root cause analysis

• Minimal repro file

• Detection logic

Minimizing sample files

With template

• Compare crash file to template

• Binary search until crash disappears

Without template

• Remove tags

• NOP ActionScript code

Minimizing files without templates

• Remove tags

  • Simple due to linked list structure

• NOP ActionScript code

  • Do not forget RETURN instructions

Do not forget RETURN

Function A

Function B

Crash here

Tool IV: Minimizer

• Automated minimization

• Console program

• Remove section, check for crash

Automated minimizing

• Remove tags

• Make sure crash still occurs

• NOP ActionScript code

• Make sure crash still occurs

• Repeat process until done
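The tag-level half of the loop on slides 32 to 36 (remove a tag, make sure the crash still occurs, repeat), as an added Python example that is not SWFRETools' own code. It walks the SWF header and the tag list (16-bit record header with a 10-bit tag code and 6-bit length, 32-bit length when the short field is 0x3F), rebuilds the file with a corrected length field, and keeps a removal only while the crash oracle still fires. `fake_crash` is a constructed stand-in for the Flash Player debugger run and `build_sample` is a constructed input; the ActionScript NOP step is left out.

```python
import struct
import zlib

def split_swf(data: bytes):
    """Split an FWS/CWS file into (header bytes, [(tag code, payload), ...])."""
    if data[:3] == b"CWS":                     # zlib-compressed body after the 8-byte prefix
        data = b"FWS" + data[3:8] + zlib.decompress(data[8:])
    elif data[:3] != b"FWS":
        raise ValueError("not an SWF file")
    nbits = data[8] >> 3                       # frame-size RECT: 5-bit Nbits + 4 fields of Nbits bits
    pos = 8 + (5 + 4 * nbits + 7) // 8 + 4     # RECT is byte-padded; then 16-bit frame rate + frame count
    header, tags = data[:pos], []
    while pos + 2 <= len(data):
        hdr = struct.unpack_from("<H", data, pos)[0]
        code, length, pos = hdr >> 6, hdr & 0x3F, pos + 2
        if length == 0x3F:                     # long form: 32-bit length follows
            length, pos = struct.unpack_from("<I", data, pos)[0], pos + 4
        tags.append((code, data[pos:pos + length]))
        pos += length
        if code == 0:                          # End tag terminates the list
            break
    return header, tags

def join_swf(header: bytes, tags) -> bytes:
    """Rebuild an uncompressed SWF with a corrected file-length field."""
    body = b"".join(struct.pack("<HI", (c << 6) | 0x3F, len(p)) + p if len(p) >= 0x3F
                    else struct.pack("<H", (c << 6) | len(p)) + p for c, p in tags)
    return b"FWS" + header[3:4] + struct.pack("<I", len(header) + len(body)) + header[8:] + body

def compress_swf(data: bytes) -> bytes:
    return b"CWS" + data[3:8] + zlib.compress(data[8:])   # the form most in-the-wild samples use

def minimize(data: bytes, crashes) -> bytes:
    """Slides 32-36: remove one tag at a time, keep the removal only if the crash persists."""
    header, tags = split_swf(data)
    i = 0
    while i < len(tags):
        candidate = tags[:i] + tags[i + 1:]
        if tags[i][0] != 0 and crashes(join_swf(header, candidate)):
            tags = candidate                   # still crashes: drop the tag, retry this index
        else:
            i += 1                             # needed for the crash (or End tag): keep it
    return join_swf(header, tags)

def fake_crash(swf: bytes) -> bool:   # constructed stand-in for the debugger run
    return any(code == 12 for code, _ in split_swf(swf)[1])   # "crashes" iff a DoAction tag is present

def build_sample() -> bytes:
    """Constructed 1-frame SWF: SetBackgroundColor (9), DoAction (12), ShowFrame (1), End (0)."""
    header = b"FWS\x0a\0\0\0\0" + b"\x00" + b"\x00\x0c" + b"\x01\x00"   # RECT Nbits=0, 12 fps, 1 frame
    return join_swf(header, [(9, b"\xff\xff\xff"), (12, b"\x96\x02\x00\x05\x01\x00"), (1, b""), (0, b"")])
```

Replace `fake_crash` with a function that runs the sample under the Flash Player content debugger and reports whether it crashed; the loop itself does not change.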

Minimizer Goals

• Minimize

• ???

• Profit

Off to GitHub we go!

• Shipped!

• https://github.com/sporst

Call for participation

Summary

• There is a new tool in town

• You can submit ideas!

• You can participate!

• You can build upon it!

Thank you!

Let me help …

• Where can I get the slides?

• Why did you use Java?

• What about Foxit Reader?

• How about offensive tools?

Image Credits

• http://www.flickr.com/photos/markchadwick/4592186576/