Reverse-Engineering Flash Files with SWFRETools
Sebastian Porst ([email protected]) – SOURCE Boston 2011
Current Work
• Look at crash
• Root cause analysis
• Minimal repro file
• Detection logic
What this talk is about
• Ship it!
What this talk is not about
Why is this relevant?
SWF Files: An Overview
• Header
• Tag 1
• Tag 2
• Tag 3
• Tag 4
• …
• Tag n
SWF Files: Interesting Aspects
• SWF Parser
• ActionScript 2
• ActionScript 3
• Embedded Media (Fonts, …)
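As an added illustration of the header-plus-tags layout above (example code, not from the talk and not SWFRETools' parser): a Python walker for the SWF container as laid out in Adobe's SWF file format specification. It decodes the header (signature, version, file length, the bit-packed frame RECT, frame rate, frame count), inflates a CWS body, and then enumerates the tag list, handling both the short and the long RECORDHEADER form. `TAG_NAMES` is a small subset of the specification's tag codes, `build_sample_swf` is a constructed input, and tag payloads (the ActionScript and embedded media the talk goes on to discuss) are located but not interpreted.

```python
"""Walk the structure of an SWF file: header, then a list of tags.

Added example (not code from the talk or from SWFRETools). It follows the
container layout in Adobe's SWF file format specification; tag payloads are
located but not interpreted.
"""
import struct
import zlib

# Tag codes from the SWF specification (subset); unknown codes are still walked.
TAG_NAMES = {
    0: "End", 1: "ShowFrame", 2: "DefineShape", 9: "SetBackgroundColor",
    10: "DefineFont", 12: "DoAction", 39: "DefineSprite", 48: "DefineFont2",
    59: "DoInitAction", 69: "FileAttributes", 75: "DefineFont3",
    76: "SymbolClass", 82: "DoABC",
}


class BitReader:
    """MSB-first bit reader for the bit-packed RECT in the header."""

    def __init__(self, data, byte_offset):
        self.data, self.pos = data, byte_offset * 8

    def read(self, nbits):
        value = 0
        for _ in range(nbits):
            bit = (self.data[self.pos >> 3] >> (7 - (self.pos & 7))) & 1
            value, self.pos = (value << 1) | bit, self.pos + 1
        return value

    def read_signed(self, nbits):
        value = self.read(nbits)
        if nbits and value & (1 << (nbits - 1)):
            value -= 1 << nbits
        return value

    def next_byte_offset(self):
        """RECT is padded to a byte boundary; the next field starts there."""
        return (self.pos + 7) >> 3


def parse_swf(data):
    sig, version = data[:3], data[3]
    file_length = struct.unpack_from("<I", data, 4)[0]  # uncompressed size, header included
    if sig == b"CWS":                      # zlib-compressed body (SWF 6 and later)
        data = data[:8] + zlib.decompress(data[8:])
    elif sig != b"FWS":                    # "ZWS" (LZMA, SWF 13+) is deliberately not handled
        raise ValueError("not an FWS/CWS file: %r" % sig)
    if len(data) != file_length:
        raise ValueError("header claims %d bytes, file has %d" % (file_length, len(data)))

    # Frame size RECT: 5-bit field width, then xmin, xmax, ymin, ymax in twips.
    bits = BitReader(data, 8)
    nbits = bits.read(5)
    stage = tuple(bits.read_signed(nbits) for _ in range(4))
    pos = bits.next_byte_offset()
    frame_rate = struct.unpack_from("<H", data, pos)[0] / 256.0   # 8.8 fixed point
    frame_count = struct.unpack_from("<H", data, pos + 2)[0]
    pos += 4

    # Tag list: RECORDHEADER = UI16 with a 10-bit code and 6-bit length;
    # length 0x3F means a signed 32-bit length follows (long form).
    tags = []
    while pos + 2 <= len(data):
        code_and_len = struct.unpack_from("<H", data, pos)[0]
        code, length, header_size = code_and_len >> 6, code_and_len & 0x3F, 2
        if length == 0x3F:
            length, header_size = struct.unpack_from("<i", data, pos + 2)[0], 6
        body = pos + header_size
        if length < 0 or body + length > len(data):
            raise ValueError("tag %d at offset %d runs past end of file" % (code, pos))
        tags.append({"code": code, "name": TAG_NAMES.get(code, "Unknown"),
                     "offset": pos, "body": body, "length": length})
        pos = body + length
        if code == 0:                      # End tag closes the list
            break
    return {"version": version, "compressed": sig == b"CWS", "stage_twips": stage,
            "frame_rate": frame_rate, "frame_count": frame_count, "tags": tags}


def build_sample_swf(compress=False):
    """Constructed 550x400 SWF: a few tags including one long-form tag header."""
    rect = bytes.fromhex("7800055f00000fa000")       # nbits=15, x 0..11000, y 0..8000 twips
    body = rect + struct.pack("<HH", 24 << 8, 1)    # 24 fps, 1 frame
    body += struct.pack("<H", (69 << 6) | 4) + b"\x00\x00\x00\x00"   # FileAttributes
    body += struct.pack("<H", (9 << 6) | 3) + b"\xff\xff\xff"         # SetBackgroundColor
    body += struct.pack("<Hi", (12 << 6) | 0x3F, 70) + b"\x00" * 70   # DoAction, long header, filler
    body += struct.pack("<H", 1 << 6)                                  # ShowFrame
    body += struct.pack("<H", 0)                                       # End
    length = struct.pack("<I", 8 + len(body))
    if compress:
        return b"CWS" + bytes([10]) + length + zlib.compress(body)
    return b"FWS" + bytes([10]) + length + body


if __name__ == "__main__":
    for tag in parse_swf(build_sample_swf(compress=True))["tags"]:
        print("%-20s offset=%4d length=%d" % (tag["name"], tag["offset"], tag["length"]))
```

The length check against the header and the bounds check on every tag are the points where a fuzzed file first diverges from the specification; a parser meant for reverse engineering reports these rather than silently stopping, because the offending tag is usually where the crash investigation starts.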
Existing Tools
• Flash Dump Decompiler
• SWFTools
• swfmill
• Sothink SWF Decompiler
Problems with existing tools
Introducing SWFRETools
• Tools for working with SWF files
• Open source (GPL 2.0)
• Specifically made for RE
Goals
• Ship
• Enable
• Standardize
Architecture
SWFRETools consists of:
• Parser
• Flash Dissector
• Minimizer
• Scripts
• Debugger
Tool I: The Parser
• Backbone
• Reusable
• Made for RE
Parser Goals
• Complete
• Improve
• Share
Workflow Intermezzo I
• Look at crash
• Root cause analysis
• Minimal repro file
• Detection logic
Tool 2: Flash Dissector
Flash Dissector Goals
• Visualize
• Popularize
• Standardize
Flash Dissector Demo
Weaknesses of Flash Dissector
• Incomplete
• ActionScript handling
• Editability
Flash Dissector Future
• Plugins
• Code Analysis
• Debugging GUI
Workflow Intermezzo II
• Look at crash
• Root cause analysis
• Minimal repro file
• Detection logic
Static analysis vs Dynamic analysis
• Flash Player trips up
• Static tools become useless
• Dynamic analysis required
Detour: Flash Player Debugger
• Download: Flash Player projector content debugger
• Google: mm.cfg treasure
• Use: Process Monitor to find the log file location
• Enjoy: Verbose ActionScript 3 log
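A constructed mm.cfg for the steps above (added example, not a file from the talk). The first three keys are Adobe's documented debugger settings; the two AS3 keys are assumed to be the undocumented options the "treasure" hunt refers to and should be checked against the player build in use. The log path in the comment is the usual Windows location, which is exactly what the Process Monitor step confirms.

```ini
; mm.cfg for the Flash Player content debugger (constructed example, not from the talk).
; Windows: %USERPROFILE%\mm.cfg. The log it enables is flashlog.txt, usually under
; %APPDATA%\Macromedia\Flash Player\Logs\ ; confirm with Process Monitor by filtering
; on the player process and the string "flashlog".
ErrorReportingEnable=1
TraceOutputFileEnable=1
MaxWarnings=0
; Assumed undocumented keys (verify against your player build)
AS3Verbose=1
AS3Trace=1
```

Keep ErrorReportingEnable on even when the crash is outside ActionScript: the verification errors the debugger player logs just before the native crash often name the method and the bytecode offset that a static tool choked on.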
Tool III: Tracer/Debugger
Tracer Implementation
• Console application
• Uses Buggery by the grugq
• Strategic placement of breakpoints
Last week in China
• Remember x86 lessons
• ActionScript instrumentation
• Auto-generate clean code
Tracer Plans
• Extend
• Improve
• Keep updated
Workflow Intermezzo III
• Look at crash
• Root cause analysis
• Minimal repro file
• Detection logic
Minimizing sample files
With template:
• Compare crash file to template
• Binary search until crash disappears
Without template:
• Remove tags
• NOP ActionScript code
Minimizing files without templates
• Remove tags: simple due to the linked-list structure of the tag list
• NOP ActionScript code: do not forget RETURN instructions
Do not forget RETURN
• Function A
• Function B
• Crash here
If the RETURN at the end of Function A is NOPped out along with the rest of its body, execution falls through into Function B, and the crash moves or disappears for the wrong reason.
Tool IV: Minimizer
• Automated minimization
• Console program
• Remove section, check for crash
Automated minimizing
• Remove tags; make sure the crash still occurs
• NOP ActionScript code; make sure the crash still occurs
• Repeat the process until done
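Both strategies from the minimizing slides, as an added example that is not the SWFRETools minimizer: `minimize_tags` drops one tag at a time, keeps a removal only if the crash still reproduces, and repeats whole passes until a pass removes nothing (the loop on this slide); `bisect_against_template` handles the with-template case by reverting differing bytes to the known-good file in halves while the crash persists. `serialize_tags` writes the tag list back with short or long RECORDHEADERs so each candidate is a well-formed tag stream. `TRIGGER`, `stand_in_crashes`, `SAMPLE_TAGS` and `TEMPLATE_TAGS` are constructed: the oracle merely checks for a marker byte string, whereas a real one launches the candidate in Flash Player under a debugger and reports whether the crash occurred. Instruction-level NOPping of ActionScript (with the RETURN caveat) is not implemented here.

```python
"""Automated minimization of a crashing SWF sample: tag removal and template bisection.

Added example, not the SWFRETools minimizer. stand_in_crashes() is a constructed
oracle; a real one runs the candidate in Flash Player under a debugger.
"""
import struct

TRIGGER = b"\x7f\xff\xff\xff"   # constructed: stands in for the bytes that make the player crash


def stand_in_crashes(swf):
    """Constructed oracle: the sample 'crashes' as long as the trigger bytes survive."""
    return TRIGGER in swf


def serialize_tags(tags):
    """Write (code, body) pairs as SWF RECORDHEADERs plus the End tag.
    The fixed SWF header is left out; it is prepended unchanged when writing to disk."""
    out = bytearray()
    for code, body in tags:
        if len(body) < 0x3F:
            out += struct.pack("<H", (code << 6) | len(body))
        else:                                            # long form: length in a following SI32
            out += struct.pack("<Hi", (code << 6) | 0x3F, len(body))
        out += body
    out += struct.pack("<H", 0)
    return bytes(out)


def minimize_tags(tags, crashes):
    """Without a template: drop one tag, keep the drop only if the crash still occurs,
    and repeat whole passes until a pass removes nothing."""
    tags = list(tags)
    removed = True
    while removed:
        removed = False
        i = 0
        while i < len(tags):
            candidate = tags[:i] + tags[i + 1:]
            if crashes(serialize_tags(candidate)):
                tags, removed = candidate, True        # same index now names the next tag
            else:
                i += 1
    return tags


def bisect_against_template(template, crash_file, crashes):
    """With a template of equal length: revert differing bytes back to the template
    in halves while the crash persists; what cannot be reverted is what the crash needs."""
    if len(template) != len(crash_file):
        raise ValueError("template and crash file must be the same length")
    current = bytearray(crash_file)
    diffs = [i for i, (t, c) in enumerate(zip(template, crash_file)) if t != c]

    def try_revert(positions):
        trial = bytearray(current)
        for p in positions:
            trial[p] = template[p]
        if crashes(bytes(trial)):
            current[:] = trial
            return True
        return False

    def shrink(positions):
        if not positions or try_revert(positions) or len(positions) == 1:
            return
        mid = len(positions) // 2
        shrink(positions[:mid])
        shrink(positions[mid:])

    shrink(diffs)
    needed = [i for i in diffs if current[i] != template[i]]
    return bytes(current), needed


# Constructed sample: FileAttributes, SetBackgroundColor, DefineFont carrying the trigger,
# DoAction filler (long-form header), ShowFrame.
SAMPLE_TAGS = [(69, b"\x00" * 4), (9, b"\x00\x00\x00"), (10, b"\x01\x00" + TRIGGER),
               (12, b"\x00" * 70), (1, b"")]
# Constructed known-good template: same layout, benign font body, different background colour.
TEMPLATE_TAGS = [(69, b"\x00" * 4), (9, b"\xff\xff\xff"), (10, b"\x01\x00" + b"\x00" * 4),
                 (12, b"\x00" * 70), (1, b"")]


if __name__ == "__main__":
    print("tags kept:", minimize_tags(SAMPLE_TAGS, stand_in_crashes))
    _, needed = bisect_against_template(serialize_tags(TEMPLATE_TAGS),
                                        serialize_tags(SAMPLE_TAGS), stand_in_crashes)
    print("byte offsets the crash needs:", needed)
```

Every candidate costs one run of the oracle, which in practice is one player launch, so the bisection matters: it reverts the irrelevant differences (here the background colour) in a logarithmic number of runs and leaves only the bytes the crash actually depends on. Removing a whole tag never breaks the tag stream because each RECORDHEADER carries its own length, which is the linked-list property the previous slide relies on; the same is not true inside ActionScript bodies, where a NOPped range still has to end in a RETURN.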
Minimizer Goals
• Minimize
• ???
• Profit
Off to GitHub we go!
Shipped!
https://github.com/sporst
Call for participation
Summary
• There is a new tool in town
• You can submit ideas!
• You can participate!
• You can build upon it!
Let me help …
• Where can I get the slides?
• Why did you use Java?
• What about Foxit Reader?
• How about offensive tools?
Image Credits
• http://www.flickr.com/photos/markchadwick/4592186576/