Thursday, April 4, 2013

Manatee SWF Decrypter V3

Funny story: I was going to release this a week ago, but my laptop charger broke as I was typing this out. I was hoping to get a release out before the end of the month, but nonetheless here's V3 of my decrypter! Those of you who were paying attention will probably be wondering why there's no V2.
Here's a little explanation:
The V1 method simply loaded the target SWF itself and scanned it for loaders.
The V2 method (which I never finished, because I discovered the superior V3 method while working on it) worked by overriding the Loader class in a loaded SWF. Some of you will have realized by now that Adobe classes cannot normally be overridden, but with a little black magic you can do the equivalent.
The V3 method uses the debug version of Flash Player: mm.cfg is edited so that the player loads the decrypter SWF alongside the target SWF, plus a little black magic.
The V3 method is much harder to detect and defend against than the V1 and V2 methods, and it is less buggy, since it doesn't use the Loader class to load the game.

Installation
Download and install the Flash Player content debugger linked on this page.
Download this SWF (it's also on the downloads page) and move it to:

C:/ManateeUniversalDecryptorV3.swf

Open (or create and then open, if it doesn't exist):

%userprofile%/mm.cfg

in Notepad or equivalent and add the line:

 PreloadSwf=C:/ManateeUniversalDecryptorV3.swf  

to your mm.cfg file.
A helpful hint, if you get annoyed by all the error dialogs, is to add the following line to your mm.cfg:

 SuppressDebuggerExceptionDialogs=1  

and then use the "silent" mode (described below).
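The installation steps above, as an added example in Python (my script, not part of the post or the decrypter): it resolves the location the debug player reads mm.cfg from (the paths given in this post and its comments), then sets PreloadSwf, and optionally SuppressDebuggerExceptionDialogs for silent mode, without duplicating keys when the file already exists with other debugger options in it. The forward-slash SWF path is taken from the post as-is.

```python
import sys
from pathlib import Path
from typing import Dict, Optional


def mm_cfg_path() -> Path:
    """Where the debug player looks for mm.cfg (paths from the post and its
    comments; on Windows and Linux this is the user's home directory)."""
    if sys.platform == "darwin":
        return Path("/Library/Application Support/Macromedia/mm.cfg")
    return Path.home() / "mm.cfg"


def merge_settings(existing: str, settings: Dict[str, str]) -> str:
    """Return mm.cfg text with every key in `settings` present exactly once.
    A 'Key=value' line already in the file is rewritten in place, repeated
    definitions of the same key are dropped, unrelated lines (other debugger
    options, comments) are kept, and missing keys are appended at the end."""
    seen = set()
    out = []
    for line in existing.splitlines():
        key, sep, _ = line.partition("=")
        key = key.strip()
        if sep and key in settings:
            if key not in seen:
                out.append("%s=%s" % (key, settings[key]))
                seen.add(key)
            continue  # a second definition of a managed key is dropped
        out.append(line)
    for key, value in settings.items():
        if key not in seen:
            out.append("%s=%s" % (key, value))
    return "\n".join(out) + "\n"


def install_decrypter(swf_path: str, quiet: bool = False,
                      cfg: Optional[Path] = None) -> Path:
    """Write the PreloadSwf line (plus dialog suppression for silent mode
    when `quiet` is set) into mm.cfg, creating the file if the player
    installer did not. `cfg` overrides the location, e.g. for a test."""
    cfg = cfg or mm_cfg_path()
    settings = {"PreloadSwf": swf_path}
    if quiet:
        settings["SuppressDebuggerExceptionDialogs"] = "1"
    existing = cfg.read_text(encoding="utf-8") if cfg.exists() else ""
    cfg.parent.mkdir(parents=True, exist_ok=True)
    cfg.write_text(merge_settings(existing, settings), encoding="utf-8")
    return cfg


if __name__ == "__main__":
    # The SWF location exactly as the post gives it (forward slashes kept).
    print("wrote", install_decrypter("C:/ManateeUniversalDecryptorV3.swf",
                                     quiet=True))
```

Running the script a second time leaves the file unchanged, and a pre-existing PreloadSwf line pointing at an older decrypter build is replaced rather than appended alongside.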

Usage
Once Manatee SWF Decrypter has been installed, it is automatically injected into any game running in the debug player. So, to use it, just open the game in the debug player you installed (e.g. if you installed the Firefox debug plugin, open the game in Firefox to inject the decrypter into it).
Manatee SWF Decrypter V3 is controlled entirely with the numpad.
There are two output modes: normal mode and the slightly ironically named silent mode.
Normal mode outputs messages by throwing errors, and silent mode outputs messages by beeping.
Numpad 1 enters silent mode, and numpad 2 enters normal mode.
Numpad 5 is a kind of "hello world" button that in normal mode simply tells you that the decryptor is connected. In silent mode, a single "beep" shows that the decryptor is connected.
Numpad 3 tells you whether there are remaining SWFs to be dumped. In normal mode it throws an error telling you exactly how many SWFs are left for dumping. In silent mode, 3 beeps means 1 or more SWFs remaining, and 9 beeps means there are none.
Numpad 0 dumps the remaining SWFs. In normal mode, it tells you how many SWFs are still remaining once the SWF has finished saving. In silent mode, when the SWF has finished dumping you get 3 beeps if one or more SWFs remain to be dumped, or 9 beeps if none remain.

Rule of thumb for silent mode:
1 beep = the decryptor is connected
3 beeps = 1+ SWFs remaining
9 beeps = 0 SWFs remaining

Currently, the only major bug is that sometimes the AVM2 garbage collector destroys the ByteArray holding the SWF before you get a chance to dump it.
It doesn't usually happen to "important" SWFs, though, so fixing that bug is pretty low priority for me.

41 comments:

Josh Wichman said...

When I open the decrypter it opens fine and all the keys on the numpad work, but when I put the swf file I want to decrypt in the C:/ folder and click Numpad 0 it just dumps itself (the decrypter).

Josh Wichman said...

I figured it out, thanks a lot :D

bmanatee said...

Just realized I skipped over that part a little.
I made the instructions a little clearer to get rid of any future confusion.

Josh Wichman said...

Do you know much about finding AoB codes in games like BTD5?

bmanatee said...

Yeah.
I don't usually use AoBs, but I've got quite a bit of experience with them.
Anything in particular you wanted to know?

Josh Wichman said...

I was looking at the decrypted BTD5 swf for codes but I couldn't work out any codes as the code looked very weird... how would you go about finding AoB codes in BTD5?

bmanatee said...

BTD5 is obfuscated at the bytecode level, which means the code is effectively un-decompilable.
Unless you're good with AVM2 bytecode, modifying it is difficult.
If you're determined, I recommend Yogda as a tool for bytecode modification.
Alternatively, most decompilers have a "raw data" mode for viewing AVM2 bytecode.

Josh Wichman said...

In "raw data" the code is hard for me to understand. Could you direct me to any tutorials for learning about this kind of code?

"_as3_getproperty profile
//2c be 01
_as3_pushstring "GrilledPineapples"
//46 15 01
_as3_callproperty addPremium(param count:1)
//29
_as3_pop
//10 d8 ff ff
_as3_jump offset: -40"

Anonymous said...

Hey Manatee,
thanks for your really useful trick, but I can't find the mm.cfg anywhere.
The Flash debugger is working correctly, but I can't find that mm.cfg to edit, and above all to add the silent mode.
I'm on WinXP SP3 and browse with Mozilla 20.
Thanks in advance.

bmanatee said...

@josh
Unfortunately, as far as I know there aren't any really good tutorials on understanding AVM2 ABC bytecode. Certainly none that cover everything.
However, you can find a helpful list of ABC tags here:
http://www.anotherbigidea.com/javaswf/avm2/AVM2Instructions.html
And if you're really determined, you can skim through some of Adobe's documentation of the AVM2 format here:
http://www.adobe.com/content/dam/Adobe/en/devnet/actionscript/articles/avm2overview.pdf

One of the problems of trying to write a tutorial on AVM2 bytecode manipulation is that the subject is so incredibly broad, it would be incredibly difficult to create a tutorial that covered everything.
Most people I've known learn through comparing decompiled code to ABC tags, and a lot of experimentation.

And even for someone with a lot of experience, trying to reverse-engineer raw obfuscated bytecode is pretty difficult.

@Ricky
My bad. I thought mm.cfg was created when you installed the debug player, but apparently it isn't.
Just create a file at that location called mm.cfg and put the stuff in it.
I'll update the instructions with that.

Anonymous said...

Hello, I'm new to your blog. Would it be possible for you to deobfuscate a Flash video player SWF file? I know you can hack SWF games, I was just curious if you could decode obfuscated code, e.g. (evt.info.secureToken, _StrPool2659._StrPool2660(0)))

please let me know if its possible.

bmanatee said...

Removing obfuscation is complicated and difficult. Generally, you have to purpose build a program for removing the individual type of obfuscation.
It requires vast amounts of time and effort.

I can't really help much, I've only ever successfully deobfuscated a SWF once, and I'm not willing to invest the time needed to create a deobfuscator.

Anonymous said...

@bmanatee
Thanks, now it works like a charm, not only to decrypt the SWFs, but you also let me know about the debug version of Flash Player, which allows you to draw areas and show performance stats (fps and so on), very useful.
About the mm.cfg to configure the options of the debugger: like you said, you have to create it, the installation doesn't.

Here is the path where mm.cfg must be located for each OS:

Mac OS X
/Library/Application Support/Macromedia

Windows 95/98/ME
%HOMEDRIVE%\%HOMEPATH%

Windows 2000/XP
C:\Documents and Settings\username

Windows Vista
C:\Users\username

Linux
/home/username

Anonymous said...

Another useful link with more debug option:

http://helpx.adobe.com/flash-player/kb/configure-debugger-version-flash-player.html

Jazy Zooyork said...

What are these tools for bmanatee my friend?

bmanatee said...

@jazy
SWF encryption is used as a defense against decompilation and modification of a SWF.
If you try to decompile/disassemble an encrypted SWF, you will only be able to access the code for loading/decrypting the game, not the game itself.

This utility waits for the game to decrypt and load SWFs and then dumps the unencrypted SWFs. this is generally the simplest and most effective way of decrypting SWFs.

Jazy Zooyork said...

When you say decrypting SWF meaning you will be able to edit e.g weapons and items?

bmanatee said...

All the decryptor does is get past a certain type of common anti-hack code (SWF encryption).
Actually hacking a game requires other tools.

kokol martoot said...

Hey bro
Thanks for your great efforts but I'm having a problem with the decrypter. I haven't figured out how to install it.
I downloaded and installed Windows Flash Player 10.3 Plugin content debugger then I downloaded the decrypter swf and placed it in the C:\ drive. After that I created the mm.cfg file and pasted: "PreloadSwf=C:/ManateeUniversalDecryptorV3.swf"
(without the "")
I dunno what to do next. I tried opening it but it says protected by secure swf.
I hope you reply soon and thanks mate

bmanatee said...

It's automatically loaded into any game running in the debug player. So, you go to the website with the encrypted SWF in the browser you installed the debug player for, and enter the key presses in the game.

kokol martoot said...

ok man thanks for your help I've figured it out.
but there is another problem: when I dumped a certain game swf and used Sothink SWF Decompiler, half of the ActionScripts (the important ones) were completely encrypted; they have names like _a_---.class. However, the other AS files, all the images and the other components weren't encrypted.

I used rabcdasm to decompile it; it only extracts a few (like 4 or 5) encrypted AS files ONLY.
I don't know whether the problem is in the decompiler or the dumper
I really need to hack this game bro and thanks for your help man.
Bro here's the links for the game and the swf, if you'd like to take a look.
Game:
apps.facebook.com/backyardmonsters

swf:
http://www.mediafire.com/?ti1o4f24n4mt84g


and thanks again for your help man.

bmanatee said...

@kokol
That's obfuscation.
It's an anti-decompiler defense that's pretty common nowadays.
I don't see why rabcdasm would have problems disassembling it, but if it doesn't work I would recommend trying the AVM2 workbench Yogda. It's impossible to get the class names back, but Yogda will certainly allow you to read and edit the disassembled AVM2 bytecode in the SWF.

@curtis
Pressing numpad 5 in the game should tell you whether you installed it correctly, and if it's running or not (assuming you haven't suppressed exceptions)

Curtis. said...

I'm having a new issue. I'm trying to hack the exact same game; the swf I get directly from the website is 56 kb and contains nothing similar to what he has. Is this due to him "dumping" the file, which increased it to over 4950 kb? Also, I added someone with the Skype name Bmanatee; is that you?

Curtis. said...

OK so, it seems to me I'm only loading the SWF file which loads the game. There are a total of 2 swf files for the game itself, and I don't know how to load the game one, as the only one I seem to have the option to load is the loader. Is there a way to fix this? Somehow the guy above me hacking BackYardMonsters did not have this issue.

Curtis. said...

OMG I feel like a moron, I found out what my problem was XD I ended up not realising more files were ready to download, so all I did was download the first one XD

kokol martoot said...

Thanks man but there's a problem here:
yogda.com expired on 05/18/2013 and is pending renewal or deletion.
and i can't find the software anywhere..
If anybody has the software, please share it!
Thanks in advance!

bmanatee said...

@kokol
http://code.google.com/p/opengg-clean-player/downloads/detail?name=Yogda.1.0.564.zip&can=2&q=

kokol martoot said...

Thanks man again for your help.
I'm now working on the swf but everything seems very complicated and I haven't found any of the values I used to change. I think I'll just keep searching. Thanks for your time, manatee.

Curtis. said...

Hello manatee, just thought I'd mention some websites don't allow the swf to be injected, like Kongregate for example, and I'm wondering if there is a way to decrypt the swf manually after taking it from the website.

Curtis. said...

Also, when it doesn't work a box comes up asking "where is the debugger application or host running". Is this an error on my part, or a way they are preventing it from working?

bmanatee said...

It works on Kong games. Any game in particular you're having trouble with?
The V3 is definitely the least buggy of my decrypters, but you are welcome to try the V1 on my downloads page. It uses a different method for decryption, so if V3 doesn't work, V1 might. V1 has a shitload of problems, though.
No idea what that error is.

Curtis. said...

The game is Kings and Legends. I've also been having issues with their other game; if you could get the swf for me it would be awesome.

Taigame haynhat said...

Would you please check this swf:
http://www.y8.com/games/dragon_ball_z_goku_jump

I installed the ManateeUniversalDecryptorV3 version and it works, but the decrypted file does not contain any image files?

freiza said...

Keys are not working. I hear no beep sound.
I am using the latest Adobe debugger plugin for Firefox and I also set mm.cfg (Windows 7 x64).
Kindly help

freiza said...

Also, on right-click "Show Redraw Regions" is visible, but the Debugger option is grayed out.
