using blitzableiter for flash disassembly

Added by Nathan 855 days ago

Just quickly, if you want to see the disassembly from the target swf here are some changes to Program.cs that will print the Action* codes to the console. I'm currently using this to look at a popular video player. If anyone else has suggestions then please, spit them out. I've also attached a script which will parse/modify the console output to show the ConstantPool references as they are used. By default the ToString() method prints the index of the value being referenced. Scripting the global ConstantPool was just the quickest way to get the results, but when I have a chance perhaps I (or anyone else) can modify blitzableiter to maintain its own global ConstantPool. (Currently the ActionConstantPool class defines this as a private "_arguments" list.) But mostly I'm curious if anyone else is using blitzableiter for analysis.

$ diff Program.cs Program_original.cs 
174,178c174,178
<                 //if ( !swf.Verify() )
<                 //{
<                 //    Console.WriteLine( original.Name + " not verified");
<                 //    continue;
<                 //}
---
>                 if ( !swf.Verify() )
>                 {
>                     Console.WriteLine( original.Name + " not verified");
>                     continue;
>                 }
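Review bot: commenting out the whole `swf.Verify()` block at 174-178 means a SWF that fails verification is no longer skipped and is disassembled anyway, and the `" not verified"` message is lost with it; for a disassembly-only run that is a reasonable trade, but consider keeping the `Console.WriteLine( original.Name + " not verified");` and dropping only the `continue;` so the console output still records which inputs failed verification.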
255,259c255,259
<                 //if ( !swf.Verify() )
<                 //{
<                 //   Console.WriteLine( testcase.Name + " not verified");
<                 //    continue;
<                 //}
---
>                 if ( !swf.Verify() )
>                 {
>                     Console.WriteLine( testcase.Name + " not verified");
>                     continue;
>                 }
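Review bot: this is the same edit as at 174-178 repeated for the `testcase` loop; since both copies of the check are being disabled for the same reason, a single switch (for example a hypothetical "skip verification" command-line option checked in both places) would make the intent explicit and avoid leaving commented-out verification code behind when the change is reverted.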
402,403c402
<                 //verified = s.Verify();
<                 verified = true;
---
>                 verified = s.Verify();
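Review bot: at 402-403 `verified` is hard-coded to `true` instead of taking the result of `s.Verify()`, so anything downstream that reads this flag will treat every SWF as verified, which is a different thing from merely not skipping unverified files; if the goal is only to keep going, keep `verified = s.Verify();` and relax the code that acts on the flag, so the real verification result is still available for logging.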
446,452d441
<                         for (int l = 0; l < s[j].Code[k].Count; l++)
<                         {
<                             log.Info(s[j].Code[k][l].ToString());
<                         }
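Review bot: the hunk header `446,452d441` announces seven added lines but only four are shown, so the hunk is incomplete as pasted and cannot be applied from this post as-is; the visible part is fine, but note that `log.Info(s[j].Code[k][l].ToString())` logs each action's ToString() output, which, as the post says, prints the constant-pool index for constant references rather than the referenced string, so the attached script is still needed to make the output readable.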

parse_const.pl (1.2 KB)


Replies

RE: using blitzableiter for flash disassembly - Added by FX 852 days ago

I checked the possibility of showing the constants themselves with ActionPush.ToString(), but the global constant pool isn't a good idea IMHO.
Basically, as I understand it, successive calls to ActionConstantPool override the previous pool, so the constant pool is actually code flow dependent. So in code like the following, a global constant pool per AVM1 code block would be wrong:


   +------------+
   | [..code..] |
   | ActionIf   |------------------+
   +------------+                  |
     |                             |
     v                             v
+------------------------+ +------------------------+
| ActionConstantPool ... | | ActionConstantPool ... |
+------------------------+ +------------------------+
     |                              |
     |       +----------------------+
     |       |
     v       v
+----------------------+
| ActionPush Const8:0  |
+----------------------+

As we are dealing with potentially obfuscated code, it's not so unlikely that this is used. Additionally, Functions use their own constant pool and are often defined inline with other AVM1 code. I'm not sure yet how function constant pools vs. global constant pools actually work in detail.

To sum it up, I think we will need code flow analysis first, before we can beautify the instruction output.