Friday, July 5, 2013

An Introduction to SWF Obfuscation

I keep running into people who need a good explanation of obfuscation. Since it's a pretty difficult subject to go into any detail in, I thought I should do a post about it so I don't have to spend half an hour explaining it to people every time someone wants to learn more about it.

So, what is obfuscation in general?
Obfuscation is the art of making code, compiled or otherwise, unreadable. In programming, it's generally used to make code harder to decompile, disassemble and reverse-engineer.

There are two main forms of obfuscation used on SWFs: name obfuscation and bytecode obfuscation. Normally the two are used together, and SWFs that only use one are quite rare.

Name obfuscation is simple. Take the name of every class, variable and function and change it to some randomly generated junk.
For example, a class named "player" might be renamed to "d+.{8]R0%9r".
This makes it hard to identify which classes/functions/properties do what.
Name obfuscation is impossible to reverse. The best you can do is change the names to something like class1, class2, class3... function1, function2, function3... etc. Alternatively, you can reverse engineer the classes and manually rename them as you figure out what they do, but that is incredibly time consuming and impossible to automate, and you still won't end up "reversing" the obfuscation as such, just giving useful labels to the obfuscated classes.

[Figure: two lines of AS3 alongside the compiled AVM2 ActionScript bytecode]
Bytecode obfuscation is a much more complicated subject.
There are many forms of bytecode obfuscation. Some add junk code, some add extra code branches, some restructure the code. There's a crapload of different ways to do bytecode obfuscation.
In order to understand bytecode obfuscation, you have to understand the difference between AS3 and AVM2 ActionScript bytecode. A SWF does not contain any AS3 code; it contains a compiled lower-level language. Comparing the code in a SWF to AS3 is like comparing Assembly to C++ (google them if you want).
This difference in languages means that you could, in theory, have AVM2 bytecode that has no equivalent in AS3. Bytecode obfuscators use principles like this to their advantage.
They can crash decompilers by adding invalid code to the SWF that, in practice, will never be run. The decompiler is unable to decompile that code, since the obfuscated AVM2 code in the SWF has no AS equivalent.
Over the years, bytecode obfuscation has gotten more and more advanced. Back in the day, you could remove it with a hex editor if you knew what to search and replace for. Nowadays, it takes complex programs purpose-written to take out specific obfuscation algorithms to remove such defenses.

Apart from completely thwarting the use of decompilers, bytecode obfuscation has another use. By adding lots of junk bytecode and restructuring the bytecode, it makes the disassembled code much harder to reverse-engineer. This, coupled with name obfuscation, can make it near impossible for most hackers to make hacks and reverse engineer the SWF in general. As you can see above, two lines of AS came out to be about 15 lines of AVM2 ABC bytecode. It is not uncommon for an obfuscated class to contain well over a thousand lines of such code, barely readable even without obfuscation.

However, most if not all bytecode obfuscation is theoretically removable. That being said, it's almost always impractically difficult to do so.
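The jump-over-junk trick described above, as an added example that is not part of the original post and not taken from any obfuscator or decompiler: a naive linear-sweep decoder dies on the bytes behind the jump, while a decoder that follows control flow never touches them and can overwrite them with nop to make the body decodable again. The method body is constructed for this example, and the decoder covers only a handful of AVM2 opcodes (opcode numbers and the s24 branch encoding follow the public AVM2 overview).

```python
"""Added example: a linear-sweep disassembler chokes on junk bytes hidden
behind a jump, while a control-flow-following one skips them. The method
body is constructed for this example (not taken from any SWF); opcode
numbers and the s24 branch encoding follow the public AVM2 overview, and
only the opcodes needed for the sample are decoded."""

# opcode -> (mnemonic, operand kinds). A small subset of the AVM2 set.
OPCODES = {
    0x02: ("nop", ()),
    0x10: ("jump", ("s24",)),
    0x11: ("iftrue", ("s24",)),
    0x12: ("iffalse", ("s24",)),
    0x24: ("pushbyte", ("u8",)),
    0x26: ("pushtrue", ()),
    0x29: ("pop", ()),
    0x2C: ("pushstring", ("u30",)),
    0x30: ("pushscope", ()),
    0x47: ("returnvoid", ()),
    0x48: ("returnvalue", ()),
    0xA0: ("add", ()),
    0xD0: ("getlocal_0", ()),
}
TERMINATORS = {"returnvoid", "returnvalue"}


def read_u30(code, pos):
    """AVM2 variable-length little-endian integer, 7 bits per byte."""
    result, shift = 0, 0
    while True:
        byte = code[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return result, pos


def decode_one(code, pos):
    """Decode one instruction -> (mnemonic, operands, next_pos, branch_target)."""
    op = code[pos]
    if op not in OPCODES:
        raise ValueError(f"unknown opcode 0x{op:02x} at offset {pos}")
    name, kinds = OPCODES[op]
    pos += 1
    operands, target = [], None
    for kind in kinds:
        if kind == "u8":
            operands.append(code[pos])
            pos += 1
        elif kind == "u30":
            value, pos = read_u30(code, pos)
            operands.append(value)
        else:  # s24: branch offset relative to the end of this instruction
            offset = int.from_bytes(code[pos:pos + 3], "little", signed=True)
            pos += 3
            operands.append(offset)
            target = pos + offset
    return name, operands, pos, target


def linear_sweep(code):
    """Decode from offset 0 to the end, the way a naive decompiler would."""
    listing, pos = [], 0
    while pos < len(code):
        name, operands, pos, _ = decode_one(code, pos)
        listing.append((name, operands))
    return listing


def follow_flow(code):
    """Decode only what is reachable from offset 0.
    Returns ({offset: (mnemonic, operands)}, sorted dead byte offsets)."""
    seen, covered, work = {}, set(), [0]
    while work:
        pos = work.pop()
        if pos in seen or pos >= len(code):
            continue
        name, operands, nxt, target = decode_one(code, pos)
        seen[pos] = (name, operands)
        covered.update(range(pos, nxt))
        if name in TERMINATORS:
            continue
        if target is not None:
            work.append(target)
        if name != "jump":  # an unconditional jump never falls through
            work.append(nxt)
    dead = sorted(set(range(len(code))) - covered)
    return seen, dead


def nop_dead_bytes(code):
    """Overwrite unreachable bytes with nop so every offset stays valid and a
    linear decoder can get through the body again."""
    _, dead = follow_flow(code)
    return bytes(0x02 if i in dead else b for i, b in enumerate(code))


# Constructed sample body: a jump hops over two 0xFF bytes (0xFF is not a
# decodable opcode here) and then pushes 42 and returns it.
SAMPLE_BODY = bytes([
    0xD0,                    # 0: getlocal_0
    0x30,                    # 1: pushscope
    0x10, 0x02, 0x00, 0x00,  # 2: jump +2  -> offset 8
    0xFF, 0xFF,              # 6: junk, never executed
    0x24, 0x2A,              # 8: pushbyte 42
    0x48,                    # 10: returnvalue
])

if __name__ == "__main__":
    try:
        linear_sweep(SAMPLE_BODY)
    except ValueError as err:
        print("linear sweep failed:", err)
    reachable, dead = follow_flow(SAMPLE_BODY)
    print("reachable:", reachable, "dead bytes:", dead)
    print("after nopping:", linear_sweep(nop_dead_bytes(SAMPLE_BODY)))
```

The caveat a practitioner should keep in mind: this only removes junk that is statically unreachable. An obfuscator that guards the junk with an opaque predicate (pushtrue followed by iftrue, say) makes both branches look reachable to a flow follower, which is one reason the post's "theoretically removable, practically painful" verdict holds.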

So, how do we actually deal with obfuscated SWFs, you ask?
The free and open-source decompiler JPEXS FFDec has some very good deobfuscation routines in it. If that doesn't work:
My biggest piece of advice would be to look for useful unobfuscated strings. Name obfuscation does not obfuscate all strings: names and packages of Adobe classes tend to stay unobfuscated, and so do events a lot of the time. You can always go through the string constant pool (using Yogda or another bytecode editor). Finding unobfuscated strings can quite often let you figure out what's what, and a lot of the time it's pretty much the only option you have.
Another piece of advice: don't tackle obfuscated SWFs until you are very confident working in bytecode. It's not easy. Even the best hackers tend to dread dealing with obfuscated games.
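Walking the string constant pool for readable names, as an added example that is not part of the original post and not code from Yogda, FFDec or any other tool: it builds a minimal ABC blob (constructed here, not from a real SWF), parses the constant pool up to the string array the way the public AVM2 layout describes it (u16 minor/major version, then int, uint, double and string arrays whose u30 count includes the implicit entry 0), and flags each string as readable or obfuscated with a simple printable-character and symbol-ratio heuristic. It also covers the "class1, class2..." relabelling the post mentions for name obfuscation: obfuscated entries get stable placeholder labels, since the original names cannot be recovered.

```python
"""Added example: extract the AVM2 ABC string constant pool and separate
readable names (Adobe packages, event names) from obfuscated junk. The
ABC layout follows the public AVM2 overview; the sample blob is constructed
in this file and is not taken from any real SWF."""
import struct


def encode_u30(value):
    """AVM2 variable-length little-endian integer (7 bits per byte)."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def read_u30(data, pos):
    """Decode a u30/u32/s32 varint at pos -> (value, new_pos)."""
    result, shift = 0, 0
    for _ in range(5):
        byte = data[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return result, pos
    raise ValueError("varint longer than 5 bytes")


def build_abc(strings):
    """Construct a minimal ABC blob: version, empty int/uint/double arrays,
    then the string array (count = len(strings) + 1 for implicit entry 0)."""
    out = bytearray(struct.pack("<HH", 16, 46))  # minor 16, major 46
    out += encode_u30(0) * 3                      # no ints, uints, doubles
    out += encode_u30(len(strings) + 1)
    for s in strings:
        raw = s.encode("utf-8")
        out += encode_u30(len(raw)) + raw
    return bytes(out)


def read_string_pool(abc):
    """Parse the ABC header and constant pool up to and including strings."""
    pos = 4  # skip u16 minor_version, u16 major_version
    for _ in range(2):  # int and uint arrays: count, then count-1 varints
        count, pos = read_u30(abc, pos)
        for _ in range(max(count - 1, 0)):
            _, pos = read_u30(abc, pos)
    count, pos = read_u30(abc, pos)  # doubles: count-1 little-endian d64
    pos += 8 * max(count - 1, 0)
    count, pos = read_u30(abc, pos)  # strings: count-1 (u30 size, utf-8)
    strings = [""]  # entry 0 is the implicit empty string
    for _ in range(max(count - 1, 0)):
        size, pos = read_u30(abc, pos)
        strings.append(abc[pos:pos + size].decode("utf-8", "replace"))
        pos += size
    return strings


def classify(s):
    """Heuristic label: readable identifier/text vs. obfuscated junk."""
    if not s:
        return "empty"
    if any(not ch.isprintable() for ch in s):
        return "obfuscated"
    symbols = sum(1 for ch in s if not (ch.isalnum() or ch in "_$.: "))
    return "obfuscated" if symbols / len(s) > 0.3 else "readable"


def scan_pool(abc):
    """Return (index, string, label) for every non-empty pool entry."""
    return [(i, s, classify(s)) for i, s in enumerate(read_string_pool(abc)) if s]


def relabel(strings):
    """The post's best-case cleanup for name obfuscation: junk names cannot be
    recovered, only replaced with stable placeholders such as obf_1, obf_2."""
    mapping = {}
    for s in strings:
        if classify(s) == "obfuscated" and s not in mapping:
            mapping[s] = f"obf_{len(mapping) + 1}"
    return mapping


# Constructed sample: the mix a name-obfuscated SWF typically leaves behind.
SAMPLE_STRINGS = [
    "flash.events", "Event", "mouseDown", "d+.{8]R0%9r",
    "\x01\x7f\x02", "addEventListener", "\u00a7\u00ff\u00bf\u200b]",
]
SAMPLE_ABC = build_abc(SAMPLE_STRINGS)

if __name__ == "__main__":
    for idx, text, label in scan_pool(SAMPLE_ABC):
        print(f"{idx:3d} {label:<10} {text!r}")
    print(relabel(SAMPLE_STRINGS))
```

On a real SWF the ABC blocks sit inside DoABC tags, so a full scanner first walks the SWF tag list (and inflates CWS/ZWS bodies) before applying read_string_pool to each block; the heuristic thresholds are a starting point to tune against the particular obfuscator.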

I would also recommend using a variable scanner if you can, however there are not many (if any?) good AS3 var scanners (there's my shitty one, and AS3Watson), since they really only started being publicly released a year ago, and I don't think there's a single tutorial on the internet on AS3 var scanning. I'll probably make one some time, but not for a while.

I could have written more. Maybe I'll do another post, or a series of posts on obfuscation in the future. There's heaps to write about, and I only scratched the surface on most of the things I mentioned.

Hopefully this is readable and makes sense. I'm pretty exhausted right now.

12 comments:

Abdullah Jadoon said...

Hi dude,

Can you make something new for BBH. A hack? Is it possible to remove someone's verified email and exchange it with your own? If you have a wallet, is it possible to increase the percent that flows in (from 10% to maybe 40%)? Is it possible to find someone's password? Is it possible to remove an account which is perma banned? Is it possible to tell if someone is online (so you won't duplicate them if you share accounts)?

I know that those are a lot of questions! But it would be greatly appreciated if you could answer them. Any other hacks that are possible please tell me. BBH is kind of getting boring and I am awaiting something new like a hack. Please reply as soon as possible and tell me if any other thing is possible that no one has yet. Maybe change your name? Change the colour of text you talk it?
If you are worried about releasing such a hack please email me any hacker and instruction. And yes, I would love the turret hack and please email me any hacks and tricks at: n3rd12@live.com. Also I worked out a good way to earn BP super fast. By opening up BBH release and attaching the AOB code for cash hack I kept pressing suicide when I was in first place. When I died I collected my own cash and retrieved 3 BP. By using Cheat Engine to make my spawn time occur faster I was able to die 150 times in a game and get like 400+ BP. And this was without any wanted. Also as you can run lots of BBH releases at a time I was able to run 11 without lag. I got my brother to get 2nd on my wanted account and keep suiciding like me. He didn't have cash hack so he gave me 3 BP (wanted plus 2nd) and I was worth 2 BP (11 player game plus first). I did this consecutively for 2 hours and I managed to retrieve 5,000 BP. But as a result of this I had to sacrifice my K/D. This is a good trick for getting wanted but email me any more stuff like this.

Anyway, you know what I mean.

Thanks, please email me as soon as possible.

BBHWANTED

focus said...

Good read. I'd like to add most of currently existing obfuscations can be automatically removed using different software - like latest ASV, SWF Reader, FFDec, etc.

focus said...
This comment has been removed by the author.
bmanatee said...

@Abdullah Jadoon
I answered most of your questions in my comment on my The Future #3 post.
The turret hack will come out on CEF soon. I don't plan on adding any other new hacks to my BBH release, though.
I already have a tool that can generate over 50kBP a day. I'm not releasing it, though. Don't even bother asking.

@focus
I thought about mentioning them, but in my experience obfuscation removers tend to have varied results. Plus, I find they tend to become outdated quite quickly.

focus said...

I have pretty stable bytecode deobfuscation results with ASV - it has nice settings for AS importing that allow dealing with almost every obfuscation I ever met (I met a lot of different obfuscations), for both AS2 and AS3 bytecode.
For sure, sometimes we can face rare or very buggy obfuscations created by some Chinese developers for personal use, but in most cases tools like ASV worked fine for me. Now I see FFDec has reached a very high level of automatic deobfuscation quality as well. And I see the most popular protections are updated very infrequently nowadays, allowing such deobfuscation tools to stay current for a long time...

bmanatee said...

I haven't used ASV and it's commercial software.
I haven't used FFDec either, I'll check it out and maybe update the post if need be.
Thanks for your input.

Abdullah Jadoon said...

Hi Bmanatee,

Thanks for the reply and I can't wait for the turret hack. And yes, 50k lol wow. Shame you can't tell me though. If you have tried this hack on an account please tell me the name so I can see the stats. So, as I explained earlier about how I can gather BP fast. I can make this method supposedly efficient if: my respawn time is 0 or shorter (speed hack is laggy and sometimes connection lost occurs) or a piece of script that can make me die automatically every 1 or 2 seconds. Basically what I am asking is to die as many times as possible in a game so I can gather as much BP.

Thanks,
Abdullah
Don't hesitate to contact me here: n3rd12@live.com

bmanatee said...

I only used it for a few hours as a proof-of-concept, plus the account I used had heaps of other tests done on it so the stats are skewed.
I believe there's a serverside restriction on respawn time, but it's a little under 5 seconds.

Jazy Zooyork said...

My Friend,

I have finally given up the hacking thing. May I ask if you know how to create a YouTube Comment Rater Bot?

Kindly, JayZ

bmanatee said...

@Jazy
I haven't done much in the way of automation involving web pages, but I might be able to put you in the right direction.

In order of likelihood of being useful:

Sikuli Script is a (relatively) simple, yet powerful scripting language for making bots in.

Greasemonkey is an extension for Firefox. I haven't used it a great deal, but I believe such a bot could be made with it.

You could always write your own program that downloads and sends data to YouTube using whatever APIs they use (you could even do it over HTTP). This would probably be quite difficult, though.

KAVKAZEC kavkaz said...

Help me, I beg you, my friend, my Skype (tjtjtj_89). I really need your help, I ask you to help.. Facebook https://www.facebook.com/Guserynov

KAVKAZEC kavkaz said...

I really need your help, I ask you to help, my Skype tjtjtj_89, my www.facebook.com/Guserynov. I ask you to help me, friend.