gnash-dev

[Gnash-dev] Re: AVM2/AS3 status, SWF10 movies, *how to hack AS3*


From: Marcin Cieslak
Subject: [Gnash-dev] Re: AVM2/AS3 status, SWF10 movies, *how to hack AS3*
Date: Tue, 27 Oct 2009 03:10:45 +0000 (UTC)
User-agent: slrn/0.9.9p1 (FreeBSD)

Far from being an expert, but I will try to tackle this one.

You need:

* Alexis' SWF reference (http://www.m2osw.com/swf_alexref.html)
* swfmill tool (http://swfmill.org)
* python interpreter installed
* some AS3 decompiler (there are some)

On 27.10.2009 John Gilmore <address@hidden> wrote:

> So can our gnash initialization start running an AS3 "ABC file"?  Is
> that what Youtube is offering from its web site, e.g. from:
>
>   http://s.ytimg.com/yt/swf/watch_as3-vfl128620.swf
>
> "file" calls it "Macromedia Flash data (compressed), version 10",
> not an "ABC file" (which is what the AVM2 spec calls its input file).

SWF is just a container for several objects, called "tags".

swfmill swf2xml watch_as3-vfl128620.swf watch_as3-vfl128620.xml

will convert this file for you. Just search for UnknownTag
(tags that swfmill does not directly support) and you will find:

12 0x57 tags (dec - 87)
 1 0x29 tag (dec - 41)
 1 0x4c tag (dec - 76)
 1 0x52 tag (dec - 82)

Alexis' reference says that tag 87 means DefineBinaryData (arbitrary
bytes), tag 41 is ProductInfo, tag 76 is SymbolClass, which means
"Instantiate objects from a set of classes.", and tag 82
is DoABCDefine, the ActionScript 3 container. Tags 76 and 82
were introduced in SWF9 together with AS3/AVM2.

What one needs to do is to take contents of interesting tags (76 and
82) and analyze that further. swfmill stores their contents as 
a series of base64-encoded bytes. I have used a text editor to leave
only one line of base64-encoded text for each tag.

In this case, file watch_as3-vfl128620_52 contains base64-encoded text of tag
82 (one line of text that starts with "AQAAAGZyYW1....").
File watch_as3-vfl128620_4c contains base64-encoded text of
the tag 76 (starts with "FwABAGNvbS5....").

I use the following Python one-liners to get the binary contents
(the files are opened in binary mode, so the same lines also work
with Python 3, where base64.decode() requires binary file objects):

python -c 'import base64; base64.decode(open("watch_as3-vfl128620_52", "rb"), open("52.bin", "wb"))'

python -c 'import base64; base64.decode(open("watch_as3-vfl128620_4c", "rb"), open("4c.bin", "wb"))'

Above are really one-liners for the UNIX shell. If you are using Windows,
you might be better off putting the "one-liner" in a file and running
"python filename".

The resulting 4c.bin is 1330 bytes long, the 52.bin has 185714 bytes.
The following C program will decode "4c.bin" for us, according
to Alexis' SWF reference:

#include <stdio.h>
#include <stdint.h>
#include <unistd.h>

/* Decode a SymbolClass (tag 76) body read from stdin:
 *   u16 f_symbol_count, then f_symbol_count times
 *   { u16 f_symbol_id; NUL-terminated f_symbol_name }
 * All multi-byte fields are little-endian. */
int
main(void) {
    uint8_t buf[2];
    int f_symbol_count, f_symbol_id;
    int i;
    char x;

    if (read(0, buf, 2) < 2) {
      fprintf(stderr, "short read: f_symbol_count\n");
      return 1;
    }
    f_symbol_count = buf[0] | (buf[1] << 8);
    printf("f_symbol_count = %d\n", f_symbol_count);
    for (i = 0; i < f_symbol_count; i ++) {
        if (read(0, buf, 2) == 2)  {
          f_symbol_id = buf[0] | (buf[1] << 8);
          /* copy the name byte by byte up to (not including) the NUL */
          do {
            if (read(0, &x, 1) != 1) {
              fprintf(stderr, "short read: f_symbol_name\n");
              return 1;
            }
            if (x != 0)
              printf("%c", x);
          } while (x != 0);
          printf("\t%d\n", f_symbol_id);
        } else {
          fprintf(stderr, "short read: f_symbol_id\n");
          return 1;
        }
    }
    return 0;
}

The result is:

f_symbol_count = 23
com.google.youtube.ui.QualityButton_HqOffIcon_dataClass 1
com.google.youtube.ui.WatchEndScreen_replayIcon_dataClass       2
com.google.youtube.ui.QualityButton_HqOffIcon   3
com.google.youtube.players.threed.Http3dVideoPlayer_RowInterleaveFilter 4
(... and so on...)

The next file, 52.bin, contains the actual ActionScript code.
Let's have a look (I am using hd(1) utility):

00000000  01 00 00 00 66 72 61 6d  65 31 00 10 00 2e 00 66  |....frame1.....f|
00000010  00 0a 01 ff ff ff ff 0f  64 05 65 90 03 03 80 80  |........d.e.....|
00000020  40 02 c0 02 f0 01 e8 02  e0 03 80 05 f0 2e a0 1f  |@...............|

According to the reference, 01 00 00 00 are f_action_flags, 
usually one, and "frame1" is the f_action_name. The actual bytecode
starts with byte number 11 ("10 00 2e 00 .... ").

This UNIX command:

dd if=52.bin bs=1 skip=11 of=52code.bin

creates the "52code.bin" bytecode file that you can probably feed
to a disassembler. You might want to try the one from the Tamarin VM:

https://www.flashsec.org/wiki/Simple_AS3_Decompiler_Using_Tamarin

It is not easy to get working, as the instructions
are not perfect, but it is probably the most complete one.

> I'm sure that all this info exists in somebody's head.  If it's
> written down anywhere, please just point me at that place.

Hope the above helps a bit!

-- 
              << Marcin Cieslak // address@hidden >>
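The procedure above (swfmill, a text editor, base64 one-liners, a C decoder and dd) can be collapsed into one bounds-checked walk over the SWF container. The following is an added example, not code from the post, from Gnash or from swfmill: it reads the 8-byte SWF header (FWS/CWS signature, version, declared length), inflates a CWS body with a size cap, skips the RECT/frame-rate/frame-count preamble, walks the RECORDHEADER tag list, and decodes SymbolClass (tag 76) and DoABC (tag 82) using the field layouts quoted from Alexis' reference in the post. The SWF header and RECORDHEADER layouts follow the SWF file format specification as I know it and are an assumption of this example; the sample movie built by build_sample_swf() is constructed here, not the YouTube player, and MAX_BODY is an arbitrary cap.

```python
"""Minimal SWF tag walker: extract SymbolClass (76) and DoABC (82).

Added example, not from the original post, Gnash or swfmill.  Assumed
layouts: SWF header = 3-byte signature, u8 version, u32 uncompressed
length; each tag = u16 (code << 6 | length), with length 0x3F meaning a
following u32 length.  SymbolClass and DoABC bodies are laid out as the
post describes them.  All integers are little-endian.
"""
import struct
import zlib

TAG_END, TAG_SYMBOL_CLASS, TAG_DO_ABC = 0, 76, 82
MAX_BODY = 64 * 1024 * 1024   # cap on inflated CWS body (arbitrary assumption)


class SwfError(ValueError):
    """Raised for any structural inconsistency in the input."""


def swf_body(data):
    """Return (swf_version, uncompressed body after the 8-byte header)."""
    if len(data) < 8:
        raise SwfError("truncated header")
    sig, version = data[:3], data[3]
    declared = struct.unpack_from("<I", data, 4)[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        # Bounded inflate: a tiny file must not be able to expand without limit.
        d = zlib.decompressobj()
        body = d.decompress(data[8:], MAX_BODY)
        if d.unconsumed_tail:
            raise SwfError("inflated body exceeds MAX_BODY")
    else:
        raise SwfError("not an SWF, signature %r" % sig)
    if len(body) + 8 != declared:
        raise SwfError("declared length %d, actual %d" % (declared, len(body) + 8))
    return version, body


def skip_movie_header(body):
    """Skip RECT (5 + 4*nbits bits), u16 frame rate, u16 frame count."""
    if not body:
        raise SwfError("empty body")
    rect_len = (5 + 4 * (body[0] >> 3) + 7) // 8
    off = rect_len + 4
    if off > len(body):
        raise SwfError("truncated movie header")
    return off


def iter_tags(body, off):
    """Yield (code, payload) per tag; every length is checked against the buffer."""
    while off < len(body):
        if off + 2 > len(body):
            raise SwfError("truncated tag header at %d" % off)
        hdr = struct.unpack_from("<H", body, off)[0]
        off += 2
        code, length = hdr >> 6, hdr & 0x3F
        if length == 0x3F:                       # long form: explicit u32 length
            if off + 4 > len(body):
                raise SwfError("truncated long length at %d" % off)
            length = struct.unpack_from("<I", body, off)[0]
            off += 4
        if off + length > len(body):
            raise SwfError("tag %d claims %d bytes past end of file" % (code, length))
        yield code, body[off:off + length]
        off += length
        if code == TAG_END:
            return


def cstring(buf, off):
    """Read a NUL-terminated string at off; return (text, offset past the NUL)."""
    end = buf.find(b"\0", off)
    if end < 0:
        raise SwfError("unterminated string at %d" % off)
    return buf[off:end].decode("utf-8", "replace"), end + 1


def parse_symbol_class(payload):
    """u16 count, then count x (u16 symbol id, NUL-terminated class name).
    Symbol id 0 names the document class of the main timeline."""
    if len(payload) < 2:
        raise SwfError("SymbolClass too short")
    count = struct.unpack_from("<H", payload, 0)[0]
    off, symbols = 2, []
    for _ in range(count):
        if off + 2 > len(payload):
            raise SwfError("SymbolClass truncated after %d entries" % len(symbols))
        sym_id = struct.unpack_from("<H", payload, off)[0]
        name, off = cstring(payload, off + 2)
        symbols.append((sym_id, name))
    return symbols


def parse_do_abc(payload):
    """u32 flags, NUL-terminated name, then the ABC block (u16 minor, u16 major)."""
    if len(payload) < 4:
        raise SwfError("DoABC too short")
    flags = struct.unpack_from("<I", payload, 0)[0]
    name, off = cstring(payload, 4)
    abc = payload[off:]                          # what "dd skip=11" produced in the post
    if len(abc) < 4:
        raise SwfError("DoABC has no ABC body")
    minor, major = struct.unpack_from("<HH", abc, 0)
    return {"flags": flags, "name": name, "abc": abc, "version": (major, minor)}


def extract_as3(data):
    """Walk one SWF and return its SymbolClass entries and DoABC blocks."""
    version, body = swf_body(data)
    symbols, abcs = [], []
    for code, payload in iter_tags(body, skip_movie_header(body)):
        if code == TAG_SYMBOL_CLASS:
            symbols.extend(parse_symbol_class(payload))
        elif code == TAG_DO_ABC:
            abcs.append(parse_do_abc(payload))
    return {"swf_version": version, "symbols": symbols, "abc": abcs}


def encode_tag(code, payload):
    """Long-form tag header, so any payload size round-trips."""
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload


def build_sample_swf(compress=True):
    """Constructed SWF10 test movie (not real player data): one DoABC, one SymbolClass."""
    preamble = b"\x00" + struct.pack("<HH", 0x1800, 1)      # RECT nbits=0, 24 fps, 1 frame
    abc = struct.pack("<HH", 16, 46) + b"\x00\x00\x00"       # version 46.16, empty pools
    tags = (encode_tag(TAG_DO_ABC, struct.pack("<I", 1) + b"frame1\0" + abc)
            + encode_tag(TAG_SYMBOL_CLASS, struct.pack("<H", 2)
                         + struct.pack("<H", 1) + b"com.example.Icon\0"
                         + struct.pack("<H", 0) + b"com.example.Main\0")
            + encode_tag(TAG_END, b""))
    body, version = preamble + tags, 10
    head = bytes([version]) + struct.pack("<I", 8 + len(body))
    return (b"CWS" + head + zlib.compress(body)) if compress else (b"FWS" + head + body)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_swf()
    result = extract_as3(data)
    print("SWF version", result["swf_version"])
    for sym_id, name in result["symbols"]:
        print("%s\t%d" % (name, sym_id))
    for blk in result["abc"]:
        print("DoABC %r flags=%d abc version %d.%d, %d bytes" % (
            blk["name"], blk["flags"], blk["version"][0], blk["version"][1], len(blk["abc"])))
```

Run it with a path to any SWF to list the SymbolClass table and the DoABC blocks; blk["abc"] is the raw ABC block (starting with the 10 00 2e 00 version bytes shown in the hexdump above) that a Tamarin-based disassembler expects. Every tag length and string terminator is checked against the buffer before use, and the CWS inflate is capped, which is what a parser fed with untrusted SWF input needs and what the editor-and-dd route does not give you.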