beta.blog


Modify SWF Files (Disassemble ActionScript 3)

by on May.11, 2014, under ReverseEngineering

I haven’t really done much reverse engineering lately, but last night I attempted to unlock the trial version of a language course. I did some brief analysis on the target executable and quickly figured out it was actually only a wrapper containing a .swf file. The first thing that came to my mind when I played with the flash based application was to decompile, modify and recompile it. So I fired up a quick Google search and tried two decompilers compatible with Mac OS X:

The first one actually crashed while loading my target executable, so I switched to JPEXS right away. It decompiled my target successfully and I was able to apply my modifications as well as to recompile the application. Unfortunately, the recompiled version wouldn’t start anymore, so both tools failed for that purpose.


So what are we supposed to do if fancy decompiling fails? We disassemble it.


For this purpose I used the Robust ActionScript Bytecode [Dis-]Assembler (RABCDAsm) toolchain, which is written in D and is open source. Pre-compiled binaries are provided on the author’s website. Since they were compiled for Windows only, I simply used Wine to run the executables (alternatively, you could of course compile the source code yourself).

So our first step would be to decompress the target executable file. This can be done with the tool swfdecompress.

swfdecompress.exe target.swf

The next step is to export the ABC-Bytecode from the swf file.

abcexport.exe target.swf

Afterwards we get one or more .abc files, which we can disassemble. Repeat the following command for every .abc file you were able to export in the previous step.

rabcdasm.exe target-0.abc

This command will create a subfolder for your target-0.abc called target-0. This folder contains asasm files containing assembler code which you can edit with a text editor of your choice (I used Sublime). This is where I did some magic in order to bypass the licensing algorithm (in fact I only had to change 1 byte in my case).

After applying your changes, save the file and recompile the main module of each subfolder. The good thing is that a main module’s file name always matches its parent folder name, so it’s easy to spot. In my case it would be called target-0.main.asasm

rabcasm.exe target-0/target-0.main.asasm

After compiling it you can inject your modified module into the .swf file in order to apply your changes.

abcreplace.exe target.swf 0 target-0/target-0.main.abc

That’s it – the target has been unlocked successfully!
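
As an added example (not from the original post or the RABCDAsm project), the Python sketch below walks the same structure that swfdecompress and abcexport operate on and hashes each ABC block, so a publisher can tell a build patched with abcreplace from the released one. The function names and the sample file are constructed for illustration; tag codes 72 and 82 are the DoABC tags of the SWF format, and LZMA-compressed (ZWS) files are left out.

```python
import hashlib
import struct
import zlib

DOABC_TAGS = {72, 82}  # 72: raw ABC block, 82: flags + name + ABC block

def swf_body(data):
    """Bytes after the 8-byte SWF header, decompressed (what swfdecompress undoes)."""
    sig, declared = data[:3], struct.unpack_from("<I", data, 4)[0]
    if sig not in (b"FWS", b"CWS"):          # ZWS (LZMA) left out of this sketch
        raise ValueError(f"unsupported signature {sig!r}")
    body = zlib.decompress(data[8:]) if sig == b"CWS" else data[8:]
    if len(body) + 8 < declared:
        raise ValueError("file shorter than its header claims")
    return body

def abc_hashes(data):
    """SHA-256 of each ABC block in file order (the blocks abcexport writes out)."""
    body = swf_body(data)
    pos = (5 + 4 * (body[0] >> 3) + 7) // 8 + 4   # skip RECT, frame rate, frame count
    hashes = []
    while pos + 2 <= len(body):
        head = struct.unpack_from("<H", body, pos)[0]
        code, length, pos = head >> 6, head & 0x3F, pos + 2
        if length == 0x3F:                   # long form: 32-bit length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        payload, pos = body[pos:pos + length], pos + length
        if len(payload) != length:
            raise ValueError("truncated tag")
        if code == 0:                        # End tag
            break
        if code == 82:                       # drop 4-byte flags and NUL-terminated name
            payload = payload[payload.index(b"\0", 4) + 1:]
        if code in DOABC_TAGS:
            hashes.append(hashlib.sha256(payload).hexdigest())
    return hashes

def sample_swf(abc, compressed):
    """Constructed one-tag SWF for the demo; not a real application."""
    tag = struct.pack("<I", 1) + b"main\0" + abc
    body = b"\0" + struct.pack("<HH", 24 << 8, 1)   # empty RECT, 24 fps, 1 frame
    body += struct.pack("<HI", (82 << 6) | 0x3F, len(tag)) + tag + b"\0\0"
    sig = b"CWS" if compressed else b"FWS"
    packed = zlib.compress(body) if compressed else body
    return sig + bytes([10]) + struct.pack("<I", len(body) + 8) + packed

def tampered(released, candidate):
    """True when the candidate's ABC blocks differ from the released build's."""
    return abc_hashes(released) != abc_hashes(candidate)
```

Because the hashes cover only the ABC payloads, a file that was merely decompressed compares equal to the release, while a one-byte change in the bytecode does not.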
