-
Originally Posted by Musicman
Basic action format - inside an actions tag - is either one byte (values in the 1-127 range), or one byte (values in the 128-255 range), followed by two length bytes, followed by data. Looking at a simple example, you would need to handle at least geturl, loadvariables, push, and constants.
Musicman
I don't understand exactly how this is; I tried to take the data directly in your function:
PHP Code:
function readtag()
{
    $this->bufbits=1;
    $this->buffer=0;
    $res=new stdClass();    // generic object; "object" is a reserved word in current PHP
    // tag header: 16-bit little-endian value, upper 10 bits = type, lower 6 bits = length
    $buf=fread($this->fp, 2);
    $res->tag=$buf;
    $tmp=unpack("vx", $buf);
    $val=$tmp["x"];
    $res->type=$val >> 6;
    $res->nbytes=$val & 63;
    if($res->nbytes == 63)
    {
        // length 63 means a 4-byte length follows
        $buf=fread($this->fp, 4);
        $res->tag.=$buf;
        $tmp=unpack("Vx", $buf);
        $res->nbytes=$tmp["x"];
    }
    if ($res->type==12) {
        // actions tag: every action is read here as
        // 1 code byte, 2 length bytes, data, 1 further byte
        while ($res->nbytes>$this->bufbits) {
            $data['tag']=fread($this->fp, 1);
            $this->bufbits+=1;
            $buf=fread($this->fp, 2);
            $this->bufbits+=2;
            $data['tag'].=$buf;
            $tmp=unpack("v", $buf);
            $data['bytes']=$tmp[1];
            if ($data['bytes']) $data['data']=fread($this->fp, $data['bytes']);
            $this->bufbits+=$data['bytes'];
            $data['end']=fread($this->fp, 1);
            $this->bufbits+=1;
            $res->data[]=$data;
        }
        $res->end=fread($this->fp, 1);
    }
    elseif ($res->nbytes)
        $res->data=fread($this->fp, $res->nbytes);
    return $res;
}
But it doesn't always work; I have problems reading the lengths inside an actions tag for each action.
I need to replace the names of variables and functions to obfuscate the swf files; I have many swf files and cannot use the Flash program for this because it is very hard.
-
Please, would you help, Musicman? I am sure what I need is very easy for you.
Thanks
Finally I found a solution to obfuscate the swf file and I will put it here when it is done.
Last edited by saschart; 06-03-2009 at 10:20 AM.
-
Hi,
obfuscation is a different beast, because you can keep the length of variable names; so nothing but those names would change.
Note that strings (variable names) are always terminated by a 0 byte - in many (but not all) cases they are also preceded by a 0 byte. It might help to ensure that varnames that could be trailing substrings of others are replaced by new names with the same property. Do you plan to build / provide a list of names that should be replaced?
Musicman
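The record layout and the terminating 0 byte described in this thread, as an added example that is not code from any poster: it copies an action block record by record and renames whole names with same-length replacements, so no length field changes. The function names and the sample bytes are constructed for illustration, and it assumes a name is preceded by a 0 byte or starts the payload; names without a preceding 0 byte are left untouched.

```php
<?php
// Added example (not from the thread): same-length rename inside action records.

// Rename whole names only: bounded by start-of-payload or NUL before, NUL after.
function renameNames(string $payload, array $map): string {
    foreach ($map as $old => $new) {
        if (strlen($old) !== strlen($new)) {
            throw new InvalidArgumentException("replacement length differs: $old");
        }
        $re = '/(?<=^|\x00)' . preg_quote($old, '/') . '(?=\x00)/';
        $payload = preg_replace_callback($re, fn() => $new, $payload);
    }
    return $payload;
}

// Copy an action block record by record, rewriting only long-form payloads.
function rewriteActions(string $body, array $map): string {
    $out = '';
    $pos = 0;
    $len = strlen($body);
    while ($pos < $len) {
        $code = ord($body[$pos++]);
        $out .= chr($code);
        if ($code === 0) {                 // end-of-actions marker
            break;
        }
        if ($code < 0x80) {                // short form: the code byte is the whole record
            continue;
        }
        if ($pos + 2 > $len) {             // long form: 2-byte little-endian length, then data
            throw new RuntimeException("truncated length field at offset $pos");
        }
        $n = unpack('v', substr($body, $pos, 2))[1];
        if ($pos + 2 + $n > $len) {
            throw new RuntimeException("record at offset $pos overruns the tag");
        }
        $payload = renameNames(substr($body, $pos + 2, $n), $map);
        $out .= pack('v', strlen($payload)) . $payload;
        $pos += 2 + $n;
    }
    return $out . substr($body, $pos);     // keep any bytes after the end marker
}

// Constructed sample: constant pool (0x88) holding "score" and "highscore",
// one short-form action (0x17), then the end marker.
$pool = pack('v', 2) . "score\0highscore\0";
$body = "\x88" . pack('v', strlen($pool)) . $pool . "\x17\x00";
$out  = rewriteActions($body, ['score' => 'a1b2c']);
var_dump(strlen($out) === strlen($body), strpos($out, "a1b2c\0highscore\0") !== false);
```

A plain `str_replace` of `score` would also rewrite the tail of `highscore`; the boundary check is what prevents that.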
-
I need to replace from a list of variable/function names; here is a part of the code which I wrote:
PHP Code:
$out=$res=$tag=$tags=array();
$arr_act=array(12,59);    // tag types that carry actions: 12 = DoAction, 59 = DoInitAction
while($swfdata) {
    unset($res);
    // tag header: upper 10 bits = type, lower 6 bits = length (63 means a 4-byte length follows)
    $buf=readData(2);
    $res['tag']=$buf;
    $tmp=unpack("v", $buf);
    $val=$tmp[1];
    $res['type']=$val >> 6;
    $res['bytes']=$val & 63;
    if($res['bytes'] == 63) {
        $buf=readData(4);
        $res['tag'].=$buf;
        $tmp=unpack("V", $buf);
        $res['bytes']=$tmp[1];
    }
    if (in_array($res['type'],$arr_act)) {
        $pos=1;    // the last byte of the tag is read separately below as $res['end']
        unset($tags);
        $rettag='';    // reset the rebuilt action data for each tag
        $bsize=0;
        if ($res['type']==59) {
            $res['sprite']=readData(2);
            $pos+=2;
        }
        while ($res['bytes']>$pos) {
            unset($tag);
            $buf=readData(1);
            $tag['tag']=$buf;
            $pos+=1;
            $tag['id']=bin2hex($buf);
            if ($buf >= chr(0x80)) {
                // action codes 0x80 and above carry a 2-byte length and data
                $buf=readData(2);
                $pos+=2;
                $tmp=unpack("v", $buf);
                $tag['bytes']=$tmp[1];
                $pos+=$tag['bytes'];    // advance by the length as read, before a replacement can change it
                if ($tag['bytes']) {
                    $tag['data']=readData($tag['bytes']);
                    $tmp=str_replace($arr_find,$arr_repl,$tag['data']);
                    $csize=strlen($tmp)-strlen($tag['data']);
                    if ($tag['data']<>$tmp) {
                        $tag['bytes']+=$csize;
                        $bsize+=$csize;
                        $tag['data']=$tmp;
                        echo "change data in tag ".$res['type']." subtag ".$tag['id']."<br>";
                    }
                }
                $rettag.=$tag['tag'].pack("v", $tag['bytes']).$tag['data'];
            }
            else
                $rettag.=$tag['tag'];
            $tags[]=$tag;
        }
        $res['data']=$tags;
        $res['end']=readData(1);
        $outswf.=putTag($res['type'], ($res['bytes']+$bsize), strlen($res['tag'])).$res['sprite'].$rettag.$res['end'];
        $asize+=$bsize;
    }
    elseif ($res['bytes']) {
        $res['data']=readData($res['bytes']);
        $tmp=str_replace($arr_find,$arr_repl,$res['data']);
        $bsize=strlen($tmp)-strlen($res['data']);
        if ($bsize) {
            echo "warning: you cannot change the length of {".$res['type']."} tag type<br>";
            return;
        }
        if ($res['data']<>$tmp) {
            $res['data']=$tmp;
            echo "change data in tag ".$res['type']."<br>";
        }
        $outswf.=putTag($res['type'], ($res['bytes']+$bsize), strlen($res['tag'])).$res['data'];
        $asize+=$bsize;
    }
    else {
        $outswf.=$res['tag'];
    }
    $out[]=$res;
}
print_r($out);
For anyone who needs it, I uploaded one example of a swf obfuscator with variable/function name replacing to http://soft.saschart.com/#SWF%20Obfuscator
Thanks