Obfuscators comparison

This post contains a list of obfuscators with a description of some of the tricks they use and of how FFDec handles them.

Method of testing

We tried to generate “secure” versions of our AS1/2 and AS3 testing SWFs (as2.swf and as3.swf) in demo versions of various tools using the most aggressive options. For the purpose of the AS decompilation check, we did not enable identifier renaming, and we did not enable a loader when it was not required. We also did not consider domain locking or similar features that prevent the loader from opening the SWF.

FFDec features used

The main feature used was the so-called “Automatic deobfuscation” setting (A). To check results easily, we decompiled the code first without automatic deobfuscation and then with it, and compared the results. If the code still contains §§ instructions, the deobfuscation needs to be improved.

Deobfuscation pill button, also available in Settings / Automatic deobfuscation

When the secured SWF contained a loader, FFDec's “Open loaded SWFs while playing” feature (B) was used to get at the SWF inside.

Setting panel

For AS1/2, when some obfuscated assignments were left, we used the “Remove single assigned obfuscated declarations” feature (C).

Remove single assigned obfuscated declaration feature

Tested software

(in alphabetical order)

  • Amayeta SWF Encrypt 7.0 Trial
  • BIS Guard Flash Antidecompiler 7.3 Trial
  • DComSoft SWF Protector 4.0.265.0 Demo
  • DoSWF 5.5.0 Professional Unregistered
  • Eramsoft Flash Secure Optimizer 2.4.11 Demo
  • Eramsoft SWF Defender 1.3.19 Demo
  • Kindi Software secureSWF 4.6 Demo
  • Leawo SWF Encrypt 1.2.0.0 Unregistered
  • Magic Hills SWF Protection 2.6 Trial

Tested decompiler

  • JPEXS Free Flash Decompiler version 17.0.4 nightly 2332 (2022-12-18)
    and version 18.3.6 (2023-02-25)

Results

Amayeta SWF Encrypt 7.0 Trial

AS1/2

  • Uses a “state machine” initial section which modifies an obfuscated variable in a loop.
  • Jumps to code in other SWF tags (id = 253).
  • Has multiple constant pools to hide real variable names.
  • No modifications to the real code.

FFDec result: Code displayed.

Needed features: A – deobfuscation, C – remove unassigned obfuscated variables

AS3

  • Modifies code with simple if conditions: if(true), if(false), simple number comparisons.
  • For some reason, the obfuscator crashes when attempting to secure AS3 SWFs with a higher SWF version, so we modified as3.swf to have version 11.

FFDec result: Code displayed

Needed features: A – deobfuscation

BIS Guard Flash Antidecompiler 7.3 Trial

AS1/2

  • Only uses AS3 loader.
  • Loaded SWF is not modified in any way.

FFDec result: Code displayed

Needed features: B – open loaded

AS3

  • Only uses loader.
  • Loaded SWF is not modified in any way.

FFDec result: Code displayed

Needed features: B – open loaded

DComSoft SWF Protector 4.0.265.0 Demo

AS1/2

  • Adds an obfuscated variable declaration at the beginning.
  • Modifies code with if (true) and if (false) conditions.

FFDec result: Code displayed

Needed features: A – deobfuscation, C – remove unassigned obfuscated variables

AS3

  • Only uses loader.
  • Loaded SWF is not modified in any way.

Needed features: B – open loaded

DoSWF 5.5.0 Professional Unregistered

AS1/2

  • This software does not handle AS1/2 files.

AS3

  • Uses a loader.
  • The loaded SWF is modified with checks for DoSWF definitions inside the MovieClip and the base SWF via ApplicationDomain.currentDomain.hasDefinition.

FFDec result: The checks for DoSWF definitions are not removed and thus cause various problems, including §§push and §§pop instructions. A few try..finally clauses are also not handled properly.

Needed features: B – open loaded

Needed work: Manually removing the DoSWF checks using the P-code editor. Fixing the try..finally clauses.

Eramsoft Flash Secure Optimizer 2.4.11 Demo

AS1/2

  • Modifies code with various if conditions, using many different operations such as &, ord, getTimer or number comparison.
  • Has multiple constant pools to hide real variable names.

FFDec result: Code displayed

Needed features: A – deobfuscation

AS3

  • Modifies code with conditions such as if(false) return;

FFDec result: Code displayed

Needed features: A – deobfuscation

Eramsoft SWF Defender 1.3.19 Demo

  • Same as Eramsoft Flash Secure Optimizer.

Kindi Software secureSWF 4.6 Demo

AS1/2

  • Modifies code with if conditions based on operations like &, ^ or comparisons of numbers.

FFDec result: Code displayed; some pushed values like true/false are left in the code.

Needed features: A – deobfuscation

Needed work: Removing the leftover pushed true/false values.

AS3

  • Modifies code with checks for undefined registers.
  • Adds some dead code.

FFDec result: Code displayed, but a try..finally clause can be damaged. Some nested while(true) loops are also added where they should not be. I also think that adding the while(true) loops is a bug in secureSWF, as the debug Flash Player shows a stack unbalanced error for this method.

Needed features: A – deobfuscation

Needed work: Fix try..finally clauses. Fix nested loops, but how?

Leawo SWF Encrypt 1.2.0.0 Unregistered

AS1/2

  • Uses an initial section with a function call assigned to an obfuscated variable, which is then compared.
  • Has multiple constant pools to hide real variable names.
  • No modifications to the real code.

FFDec result: Code displayed

Needed features: A – deobfuscation, C – remove unassigned obfuscated variables

AS3

  • Modifies code with simple if conditions: if(true), if(false), simple number comparisons.

FFDec result: Code displayed

Needed features: A – deobfuscation

Magic Hills SWF Protection 2.6 Trial

AS1/2/3

  • Only uses a multilevel AS3 loader.
  • Loaded SWF is not modified in any way.

FFDec result: Code displayed

Needed features: B – open loaded
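The if(true), if(false) and fixed number-comparison tricks listed for Amayeta, DComSoft, Eramsoft, secureSWF and Leawo all fall to the same two passes: fold the branch whose outcome the preceding pushes fix, then drop whatever can no longer be reached. The following is an added example written for this post, not FFDec's code; it works on constructed P-code-like tuples rather than real AVM2 bytecode, and the instruction names and the sample method body are assumptions.

```python
# Constant-branch folding plus unreachable-code removal, modelling the if(true),
# if(false) and number-comparison tricks. Constructed ("op", operand...) tuples.
CMP = {"ifeq": lambda a, b: a == b, "ifne": lambda a, b: a != b,
       "iflt": lambda a, b: a < b, "ifgt": lambda a, b: a > b}
BRANCH = {"jump", "iftrue", "iffalse", *CMP}

def fold_constant_branches(code):
    # A branch decided by the pushes right before it becomes a plain jump
    # (always taken) or disappears (never taken); the feeding pushes go too.
    out = []
    for ins in code:
        op, taken, n = ins[0], None, 0
        if op in ("iftrue", "iffalse") and out and out[-1][0] in ("pushtrue", "pushfalse"):
            taken, n = (out[-1][0] == "pushtrue") == (op == "iftrue"), 1
        elif op in CMP and len(out) > 1 and out[-1][0] == out[-2][0] == "pushbyte":
            taken, n = CMP[op](out[-2][1], out[-1][1]), 2
        if taken is None:
            out.append(ins)
        else:  # replace the n pushes and the branch itself
            out[len(out) - n:] = [("jump", ins[1])] if taken else []
    return out

def remove_dead_code(code):
    # Keep only what the entry reaches by fall-through or branch, then drop
    # jumps to the very next line and labels that nothing targets any more.
    labels = {ins[1]: i for i, ins in enumerate(code) if ins[0] == "label"}
    reachable, work = set(), [0]
    while work:
        i = work.pop()
        if i in reachable or i >= len(code):
            continue
        reachable.add(i)
        op = code[i][0]
        if op in BRANCH:
            work.append(labels[code[i][1]])
        if op not in ("jump", "returnvoid"):
            work.append(i + 1)
    kept = [ins for i, ins in enumerate(code) if i in reachable]
    kept = [ins for i, ins in enumerate(kept)
            if ins[0] != "jump" or kept[i + 1:i + 2] != [("label", ins[1])]]
    targets = {ins[1] for ins in kept if ins[0] in BRANCH}
    return [ins for ins in kept if ins[0] != "label" or ins[1] in targets]

def deobfuscate(code):
    return remove_dead_code(fold_constant_branches(code))

SAMPLE = [  # constructed obfuscated method body, not taken from any real tool
    ("pushtrue",), ("iftrue", "L_real"), ("pushstring", "junk0"), ("pop",),  # if(true)
    ("label", "L_real"), ("getlocal_0",), ("pushscope",),
    ("pushfalse",), ("iftrue", "L_junk"), ("pushbyte", 3), ("pushbyte", 3), ("ifne", "L_junk"),
    ("findpropstrict", "trace"), ("pushstring", "real"), ("callpropvoid", "trace", 1), ("returnvoid",),
    ("label", "L_junk"), ("pushstring", "junk1"), ("pop",), ("returnvoid",)]
```

Running deobfuscate(SAMPLE) leaves only the real trace call; a branch on a non-constant value such as a local register is passed through untouched.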


Notes

Note that getting through a loader with the “Open loaded SWFs while playing” feature (B) is not always possible: FFDec uses it while running the SWF file inside the Flash projector, and it will fail when there are, for example, checks for the current domain (sitelocks), because the current version of FFDec cannot run the SWF inside a browser. The test was done on SWF files with no sitelock.

You should also be careful with the “Remove single assigned obfuscated declarations” feature (C), as it might inappropriately remove obfuscated declarations you need. But if the SWF file does not use other obfuscated variable names at all (as in our examples), the feature is quite useful.

Conclusion

I should be careful about drawing conclusions, but I think FFDec handles these obfuscations pretty well. Some of them still require some manual work (see the “Needed work” clauses).
There are certainly still obfuscators in the wild which FFDec cannot process properly, but our decompiler does the best it can to show all the code in all cases.

Edit 2023-03-19: Updated to the current stable version 18.3.6 and its “remove unassigned obfuscated variables” feature; added the features description, Needed features, Notes and Conclusion.
