Modify SWF Files (Disassemble ActionScript 3)
by admin on May.11, 2014, under ReverseEngineering
I haven’t done much reverse engineering lately, but last night I attempted to unlock the trial version of a language course. I did some brief analysis on the target executable and quickly figured out that it was only a wrapper containing a .swf file. The first thing that came to my mind when I played with the Flash-based application was to decompile, modify and recompile it. So I fired up a quick Google search and tried two decompilers compatible with Mac OS X:
The first one actually crashed while loading my target executable, so I switched to JPEXS right away. It decompiled my target successfully and I was able to apply my modifications as well as to recompile the application. Unfortunately, the recompiled version wouldn’t start anymore, so both tools failed for that purpose.
So what are we supposed to do if fancy decompiling fails? We disassemble it.
For this purpose I used the Robust ActionScript Bytecode [Dis-]Assembler (RABCDAsm) tool chain, which is written in D and open source. Pre-compiled binaries are provided on the author’s website. Since they were compiled for Windows only, I simply used Wine to run the executables (alternatively, you could of course compile the source code yourself).
So our first step would be to decompress the target executable file. This can be done with the tool swfdecompress.
swfdecompress.exe target.swf
The next step is to export the ABC-Bytecode from the swf file.
abcexport.exe target.swf
Afterwards we’ll have one or more .abc files which we can disassemble. Run the following command for each of the .abc files you were able to export in the previous step.
rabcdasm.exe target-0.abc
This command will create a subfolder for your target-0.abc called target-0. This folder contains asasm files containing assembler code which you can edit with a text editor of your choice (I used Sublime). This is where I did some magic in order to bypass the licensing algorithm (in fact I only had to change 1 byte in my case).
After applying your changes, save the file and recompile the main module of each subfolder. The good thing is that a main module’s file name always matches its parent folder name, so it’s easy to spot. In my case it would be called target-0.main.asasm.
rabcasm.exe target-0/target-0.main.asasm
After compiling it, you can inject your modified module into the .swf file in order to apply your changes.
abcreplace.exe target.swf 0 target-0/target-0.main.abc
That’s it – the target has been unlocked successfully!
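For readers who want to see what the decompress and export steps operate on, the Python example below is an added illustration, not code from the original post or from RABCDAsm. It inflates a zlib-compressed SWF and lists the ABC blocks it carries; the header layout and the tag codes 72 and 82 are taken from the SWF file format specification, LZMA-compressed (ZWS) files are not handled, and the sample file is constructed inline.

```python
import struct
import zlib
DOABC_TAGS = {72: "DoABC (raw)", 82: "DoABC"}  # tag codes per the SWF file format spec

def inflate_swf(data: bytes) -> bytes:
    """Return the uncompressed (FWS) form of an SWF file."""
    sig, declared_len = data[:3], struct.unpack_from("<I", data, 4)[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":                      # zlib stream follows the 8-byte header
        body = zlib.decompress(data[8:])
    else:
        raise ValueError(f"unsupported signature {sig!r}")  # e.g. ZWS (LZMA)
    if declared_len != 8 + len(body):
        raise ValueError("header length does not match body")
    return b"FWS" + data[3:8] + body

def list_abc_tags(swf: bytes):
    """Yield (index, tag_name, abc_size) for each ABC block in an uncompressed SWF."""
    nbits = swf[8] >> 3                      # RECT: 5-bit field width, then 4 fields
    pos = 8 + (5 + 4 * nbits + 7) // 8 + 4   # skip RECT, frame rate, frame count
    index = 0
    while pos + 2 <= len(swf):
        code_len = struct.unpack_from("<H", swf, pos)[0]
        code, length, pos = code_len >> 6, code_len & 0x3F, pos + 2
        if length == 0x3F:                   # long tag header: 32-bit length follows
            length = struct.unpack_from("<I", swf, pos)[0]
            pos += 4
        if pos + length > len(swf):
            raise ValueError("truncated tag")
        if code in DOABC_TAGS:
            payload = swf[pos:pos + length]
            if code == 82:                   # skip UI32 flags and NUL-terminated name
                payload = payload[payload.index(b"\0", 4) + 1:]
            yield index, DOABC_TAGS[code], len(payload)
            index += 1
        if code == 0:                        # End tag
            break
        pos += length

def build_sample_swf() -> bytes:
    """Constructed sample: one DoABC tag with 6 placeholder bytes, zlib-compressed."""
    abc = struct.pack("<I", 1) + b"main\0" + b"\x10\x00\x2e\x00\x00\x00"
    tags = struct.pack("<HI", (82 << 6) | 0x3F, len(abc)) + abc + b"\0\0"
    body = b"\x00" + struct.pack("<HH", 24 << 8, 1) + tags  # empty RECT, 24 fps, 1 frame
    return b"CWS\x0a" + struct.pack("<I", 8 + len(body)) + zlib.compress(body)

if __name__ == "__main__":
    print(list(list_abc_tags(inflate_swf(build_sample_swf()))))
```

The index in each tuple is the position of the ABC block within the file, which is what the 0 in target-0.abc and in the abcreplace command above refers to.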
August 29th, 2014 on 03:31
This is great stuff, I always wanted to learn how to decompress and recompile a SWF file. If you get time, can you please write an article on how to reverse a Java app? I ask coz there are lots of useless articles and tuts on the net, but all your articles are very easy to follow. Anyway, thank you so very much.
March 30th, 2016 on 05:54
Sothink SWF Decompiler (commercial product)
It can decompile to FLA or FLEX with MXML file.
JPEXS Free Flash Decompiler (free, open source)
It can decompile to FLA or FLEX without MXML file, so when u try to recompile it won’t work at all.
My Question –
How do u Recompile a Flex into SWF?
May 30th, 2017 on 10:28
Hi Dear BetaMaster
Thanks for your nice RCE tutorials keep it up !
Rip Vdown memories … 😉
BR