[Gnash-dev] Re: AVM2/AS3 status, SWF10 movies, *how to hack AS3*
From: Marcin Cieslak
Subject: [Gnash-dev] Re: AVM2/AS3 status, SWF10 movies, *how to hack AS3*
Date: Tue, 27 Oct 2009 03:10:45 +0000 (UTC)
User-agent: slrn/0.9.9p1 (FreeBSD)
Far from being an expert, but I will try to tackle this one.
You need:
* Alexis' SWF reference (http://www.m2osw.com/swf_alexref.html)
* swfmill tool (http://swfmill.org)
* python interpreter installed
* some AS3 decompiler (there are some)
On 27.10.2009 John Gilmore <address@hidden> wrote:
> So can our gnash initialization start running an AS3 "ABC file"? Is
> that what Youtube is offering from its web site, e.g. from:
>
> http://s.ytimg.com/yt/swf/watch_as3-vfl128620.swf
>
> "file" calls it "Macromedia Flash data (compressed), version 10",
> not an "ABC file" (which is what the AVM2 spec calls its input file).
SWF is just a container for several objects, called "tags".
swfmill swf2xml watch_as3-vfl128620.swf watch_as3-vfl128620.xml
will convert this file for you. Just search for UnknownTag
(tags that swfmill does not directly support) and you will find:
12 0x57 tags (dec - 87)
1 0x29 tag (dec - 41)
1 0x4c tag (dec - 76)
1 0x52 tag (dec - 82)
Alexis' reference says that tag 87 means DefineBinaryData (arbitrary
bytes), tag 41 is ProductInfo, tag 76 is SymbolClass, which means
"Instantiate objects from a set of classes.", and tag 82
is DoABCDefine, the ActionScript 3 container. Tags 76 and 82
were introduced in SWF9 together with AS3/AVM2.
What one needs to do is to take the contents of the interesting tags (76 and
82) and analyze them further. swfmill stores their contents as
a series of base64-encoded bytes. I have used a text editor to leave
only one line of base64-encoded text for each tag.
In this case, file watch_as3-vfl128620_52 contains base64-encoded text of tag
82 (one line of text that starts with "AQAAAGZyYW1....").
File watch_as3-vfl128620_4c contains base64-encoded text of
the tag 76 (starts with "FwABAGNvbS5....").
I use the following Python one-liners to get the binary contents (the
files are opened in binary mode so the decoded bytes are written unchanged):
python -c 'import base64; base64.decode(open("watch_as3-vfl128620_52", "rb"), open("52.bin", "wb"))'
python -c 'import base64; base64.decode(open("watch_as3-vfl128620_4c", "rb"), open("4c.bin", "wb"))'
The above are really one-liners for the UNIX shell. If you are using Windows,
you might be better off putting the one-liner in a file and running
"python filename".
The resulting 4c.bin is 1330 bytes long, the 52.bin has 185714 bytes.
The following C program will decode "4c.bin" for us, according
to Alexis' SWF reference (it reads the tag payload from standard input):
#include <stdio.h>
#include <stdint.h>
#include <unistd.h>

/* SymbolClass (tag 76) payload: NumSymbols UI16, then NumSymbols pairs of
 * (Tag UI16, Name STRING terminated by a NUL byte). All integers are
 * little-endian. */
int
main(void) {
	uint8_t buf[2];
	int f_symbol_count, f_symbol_id;
	int i;
	char x;

	if (read(0, buf, 2) < 2) {
		perror("read: f_symbol_count");
		return 1;
	}
	f_symbol_count = buf[0] | (buf[1] << 8);
	printf("f_symbol_count = %d\n", f_symbol_count);
	for (i = 0; i < f_symbol_count; i++) {
		if (read(0, buf, 2) == 2) {
			f_symbol_id = buf[0] | (buf[1] << 8);
			/* copy the class name up to (not including) the NUL */
			do {
				if (read(0, &x, 1) != 1) {
					perror("read: f_symbol_name");
					return 1;
				}
				if (x != 0)
					printf("%c", x);
			} while (x != 0);
			printf("\t%d\n", f_symbol_id);
		} else {
			perror("read: f_symbol_id");
			return 1;
		}
	}
	return 0;
}
The result is:
f_symbol_count = 23
com.google.youtube.ui.QualityButton_HqOffIcon_dataClass 1
com.google.youtube.ui.WatchEndScreen_replayIcon_dataClass 2
com.google.youtube.ui.QualityButton_HqOffIcon 3
com.google.youtube.players.threed.Http3dVideoPlayer_RowInterleaveFilter 4
(... and so on...)
The next file, 52.bin, contains the actual ActionScript code.
Let's have a look (I am using the hd(1) utility):
00000000 01 00 00 00 66 72 61 6d 65 31 00 10 00 2e 00 66 |....frame1.....f|
00000010 00 0a 01 ff ff ff ff 0f 64 05 65 90 03 03 80 80 |........d.e.....|
00000020 40 02 c0 02 f0 01 e8 02 e0 03 80 05 f0 2e a0 1f |@...............|
According to the reference, 01 00 00 00 are f_action_flags,
usually one, and "frame1" is the f_action_name. The actual bytecode
starts with byte number 11 ("10 00 2e 00 .... ").
This UNIX command:
dd if=52.bin bs=1 skip=11 of=52code.bin
creates "52code.bin" bytecode file that you can probably feed
the disassembler with. You might want to try one from Tamarin VM:
https://www.flashsec.org/wiki/Simple_AS3_Decompiler_Using_Tamarin
Not easy to get it working, as the instructions
are not perfect, but probably the most complete one.
> I'm sure that all this info exists in somebody's head. If it's
> written down anywhere, please just point me at that place.
Hope the above helps a bit!
--
<< Marcin Cieslak // address@hidden >>
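As an added example (not code from the original message or from the Gnash project), the following Python script performs the extraction described above directly on the SWF container instead of going through swfmill's XML: it undoes the zlib compression of a "CWS" file, walks the tag stream using the RECORDHEADER layout from the SWF specification, and decodes the SymbolClass (76) and DoABC (82) payloads the same way the C program and the hexdump walkthrough do. The sample movie it builds at the bottom is constructed for the test; its class names are made up and it is not the YouTube file.

```python
"""Pull SymbolClass (76) and DoABC (82) payloads straight out of a SWF.

Added example; tag layouts follow the SWF specification (RECORDHEADER,
SymbolClass, DoABC). The sample file built by build_sample_swf() is
constructed here and is not a real movie.
"""
import struct
import sys
import zlib

SYMBOL_CLASS = 76
DO_ABC = 82
END_TAG = 0


def decompress_swf(data):
    """Return (version, body): the uncompressed bytes after the 8-byte header.
    'FWS' is plain, 'CWS' is zlib after the header, 'ZWS' (LZMA) is rejected."""
    sig, version, length = struct.unpack_from("<3sBI", data, 0)
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF not handled by this example")
    else:
        raise ValueError("not a SWF file: bad signature %r" % sig)
    # FileLength counts the header; a mismatch means truncation or a lying header.
    if len(body) + 8 != length:
        raise ValueError("FileLength %d != actual %d" % (length, len(body) + 8))
    return version, body


def movie_header_len(body):
    """Bytes used by RECT FrameSize + FrameRate UI16 + FrameCount UI16.
    The RECT is bit-packed: 5 bits of Nbits, then four Nbits fields, byte padded."""
    nbits = body[0] >> 3
    return (5 + 4 * nbits + 7) // 8 + 2 + 2


def iter_tags(body):
    """Yield (code, payload) per tag. RECORDHEADER is UI16 = code << 6 | length;
    a length of 0x3F means a UI32 long length follows."""
    pos = movie_header_len(body)
    while pos + 2 <= len(body):
        (hdr,) = struct.unpack_from("<H", body, pos)
        pos += 2
        code, length = hdr >> 6, hdr & 0x3F
        if length == 0x3F:
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        if pos + length > len(body):   # never trust a length from the file
            raise ValueError("tag %d claims %d bytes past end of file" % (code, length))
        yield code, body[pos:pos + length]
        pos += length
        if code == END_TAG:
            return


def read_cstring(buf, pos):
    end = buf.index(b"\0", pos)
    return buf[pos:end].decode("utf-8"), end + 1


def parse_symbol_class(payload):
    """SymbolClass: NumSymbols UI16, then (Tag UI16, Name STRING) pairs."""
    (count,) = struct.unpack_from("<H", payload, 0)
    pos, symbols = 2, []
    for _ in range(count):
        (tag_id,) = struct.unpack_from("<H", payload, pos)
        name, pos = read_cstring(payload, pos + 2)
        symbols.append((tag_id, name))
    return symbols


def parse_do_abc(payload):
    """DoABC: Flags UI32, Name STRING, then the ABC block, which opens with
    minor_version UI16 and major_version UI16 (16 and 46 for AVM2)."""
    (flags,) = struct.unpack_from("<I", payload, 0)
    name, pos = read_cstring(payload, 4)
    abc = payload[pos:]
    minor, major = struct.unpack_from("<HH", abc, 0)
    return {"flags": flags, "name": name, "minor": minor, "major": major, "abc": abc}


def extract_as3(data):
    version, body = decompress_swf(data)
    out = {"version": version, "symbols": [], "abc": []}
    for code, payload in iter_tags(body):
        if code == SYMBOL_CLASS:
            out["symbols"].extend(parse_symbol_class(payload))
        elif code == DO_ABC:
            out["abc"].append(parse_do_abc(payload))
    return out


def _tag(code, payload):
    if len(payload) < 0x3F:
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload


def build_sample_swf():
    """Constructed SWF10 movie: a zero-size stage (Nbits = 0), one SymbolClass
    with two made-up classes, one DoABC whose ABC block is only the version header."""
    movie_hdr = b"\x00" + struct.pack("<HH", 0x1800, 1)   # RECT, 24 fps, 1 frame
    symbol_class = struct.pack("<H", 2)
    symbol_class += struct.pack("<H", 1) + b"com.example.Icon\0"
    symbol_class += struct.pack("<H", 0) + b"com.example.Main\0"
    do_abc = struct.pack("<I", 1) + b"frame1\0" + bytes.fromhex("10002e00")
    body = movie_hdr + _tag(SYMBOL_CLASS, symbol_class) + _tag(DO_ABC, do_abc) + _tag(END_TAG, b"")
    return struct.pack("<3sBI", b"CWS", 10, len(body) + 8) + zlib.compress(body)


if __name__ == "__main__":
    # Usage: python swf_abc.py movie.swf  -> prints symbols, writes abc_<n>.bin
    with open(sys.argv[1], "rb") as fh:
        result = extract_as3(fh.read())
    for tag_id, name in result["symbols"]:
        print("%s\t%d" % (name, tag_id))
    for n, block in enumerate(result["abc"]):
        print("DoABC %r flags=%d version %d.%d" % (block["name"], block["flags"], block["major"], block["minor"]))
        with open("abc_%d.bin" % n, "wb") as fh:
            fh.write(block["abc"])
```

The written abc_<n>.bin files correspond to the 52code.bin that the dd step above produces, so they can be fed to the same disassembler. The length check in iter_tags matters on untrusted movies: a tag header that claims more bytes than the file holds is a sign of truncation or of a file crafted to confuse a parser, and it is rejected rather than silently yielding a short payload.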