This post contains a list of obfuscators, with a description of some of the tricks they use and how FFDec handles them.
Method of testing
We tried to generate “secured” versions of our AS1/2 and AS3 test SWFs (as2.swf and as3.swf) in demo versions of various tools, using their most aggressive options. Because the purpose was to check ActionScript decompilation, we did not enable identifier renaming and did not enable a loader (where one was not required). We also did not consider domain locking or similar features that prevent the loader from opening the SWF.
FFDec features used
The main feature used was the so-called “Automatic deobfuscation” (A) setting. To check results easily, we first decompiled the code without automatic deobfuscation and then with it, and compared the two. If the code still contains §§ pseudo-instructions (such as §§push or §§pop, which FFDec emits when it cannot turn stack operations into a statement), the deobfuscation needs to be improved.
When a secured SWF contained a loader, FFDec's “Open loaded SWFs while playing” (B) feature was used to get at the SWF inside.
For AS1/2, when some obfuscated assignments were left over, we used the “Remove single assigned obfuscated declarations” feature (C).
Tested software
(in alphabetical order)
- Amayeta SWF Encrypt 7.0 Trial
- BIS Guard Flash Antidecompiler 7.3 Trial
- DComSoft SWF Protector 4.0.265.0 Demo
- DoSWF 5.5.0 Professional Unregistered
- Eramsoft Flash Secure Optimizer 2.4.11 Demo
- Eramsoft SWF Defender 1.3.19 Demo
- Kindi Software secureSWF 4.6 Demo
- Leawo SWF Encrypt 1.2.0.0 Unregistered
- Magic Hills SWF Protection 2.6 Trial
Tested decompiler
- JPEXS Free Flash Decompiler version 17.0.4 nightly 2332 (2022-12-18)
- JPEXS Free Flash Decompiler version 18.3.6 (2023-02-25)
Results
Amayeta SWF Encrypt 7.0 Trial
AS1/2
- Uses a “state machine” initial section that modifies an obfuscated variable in a loop.
- Jumps to code in other SWF tags (id = 253).
- Has multiple constant pools to hide real variable names.
- No modifications to the real code.
FFDec result: Code displayed.
Needed features: A – deobfuscation, C – remove single assigned obfuscated declarations
AS3
- Modifies code with simple if conditions: if(true), if(false), simple number comparisons.
- For some reason, the obfuscator crashes when attempting to secure AS3 SWFs with a higher SWF version, so we modified as3.swf to have SWF version 11.
FFDec result: Code displayed
Needed features: A – deobfuscation
BIS Guard Flash Antidecompiler 7.3 Trial
AS1/2
- Only uses an AS3 loader.
- The loaded SWF is not modified in any way.
FFDec result: Code displayed
Needed features: B – open loaded
AS3
- Only uses a loader.
- The loaded SWF is not modified in any way.
FFDec result: Code displayed
Needed features: B – open loaded
DComSoft SWF Protector 4.0.265.0 Demo
AS1/2
- Adds an obfuscated variable declaration at the beginning.
- Modifies code with if (true) and if (false) conditions.
FFDec result: Code displayed
Needed features: A – deobfuscation, C – remove single assigned obfuscated declarations
AS3
- Only uses a loader.
- The loaded SWF is not modified in any way.
Needed features: B – open loaded
DoSWF 5.5.0 Professional Unregistered
AS1/2
- This software does not handle AS1/2 files.
AS3
- Uses a loader.
- The loaded SWF is modified with checks for DoSWF definitions inside MovieClip and in the base SWF via ApplicationDomain.currentDomain.hasDefinition.
FFDec result: The checks for DoSWF definitions are not removed, which causes various problems, including leftover §§push and §§pop instructions. A few try..finally clauses are also not handled properly.
Needed features: B – open loaded
Needed work: Manually remove the DoSWF checks using the P-code editor. Fix the try..finally clauses.
Eramsoft Flash Secure Optimizer 2.4.11 Demo
AS1/2
- Modifies code with various if conditions, using many different operations such as &, ord, getTimer or number comparison.
- Has multiple constant pools to hide real variable names.
FFDec result: Code displayed
Needed features: A – deobfuscation
AS3
- Modifies code with conditions such as if(false) return;
FFDec result: Code displayed
Needed features: A – deobfuscation
Eramsoft SWF Defender 1.3.19 Demo
- Same as Eramsoft Flash Secure Optimizer.
Kindi Software secureSWF 4.6 Demo
AS1/2
- Modifies code with if conditions based on operations such as &, ^ or number comparison.
FFDec result: Code displayed. Some pushed values such as true/false are left in the code.
Needed features: A – deobfuscation
Needed work: Remove the leftover pushed true/false values.
AS3
- Modifies code with checks for undefined registers.
- Adds some dead code.
FFDec result: Code displayed, but try..finally clauses can be damaged. Some nested while(true) loops are also added where they should not be. I also think that the added while(true) loops are a bug in secureSWF itself, as the debug Flash Player shows a stack unbalanced error for this method.
Needed features: A – deobfuscation
Needed work: Fix the try..finally clauses. Fix the nested loops, but how?
Leawo SWF Encrypt 1.2.0.0 Unregistered
AS1/2
- Uses an initial section with a function call assigned to an obfuscated variable, then compares the variable.
- Has multiple constant pools to hide real variable names.
- No modifications to the real code.
FFDec result: Code displayed
Needed features: A – deobfuscation, C – remove single assigned obfuscated declarations
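The multiple-constant-pool trick noted above for Amayeta SWF Encrypt, Eramsoft Flash Secure Optimizer and Leawo SWF Encrypt, as an added example in Python (my own code, not FFDec's). In AS1/2 bytecode, an ActionConstantPool action replaces the active pool, and ActionPush values of type constant8/constant16 are indexes into whichever pool is active at that point; a tool that keeps resolving against the first pool it saw shows decoy names instead of the real ones. The action stream is constructed by hand for this example, and only the few action and push types it needs are handled.

```python
"""Added example, not FFDec code: why several ActionConstantPool actions hide
AS1/2 names, and how a decoder must resolve them.

Facts assumed from the SWF spec: actions with code >= 0x80 carry a little-endian
u16 body length; ActionConstantPool (0x88) is a u16 count plus null-terminated
strings and replaces the active pool; ActionPush (0x96) values of type 8
(constant8, u8 index) and 9 (constant16, u16 index) refer to the pool that is
active at that point.  The byte stream below is constructed by hand."""
import struct

ACTION_CONSTANT_POOL, ACTION_PUSH = 0x88, 0x96
ACTION_GET_VARIABLE, ACTION_SET_VARIABLE = 0x1C, 0x1D


def _action(code, body):
    return bytes([code]) + struct.pack("<H", len(body)) + body


def constant_pool(*names):
    body = struct.pack("<H", len(names)) + b"".join(n.encode() + b"\0" for n in names)
    return _action(ACTION_CONSTANT_POOL, body)


def push_const(index):
    body = bytes([8, index]) if index < 256 else b"\x09" + struct.pack("<H", index)
    return _action(ACTION_PUSH, body)


def push_int(value):                      # push type 7 = 32-bit signed integer
    return _action(ACTION_PUSH, b"\x07" + struct.pack("<i", value))


def _parse_push(body, pool):
    """Decode every value in one ActionPush; constants resolve against `pool`."""
    values, pos = [], 0
    while pos < len(body):
        kind = body[pos]
        pos += 1
        if kind == 0:                                   # inline null-terminated string
            end = body.index(b"\0", pos)
            values.append(f'"{body[pos:end].decode()}"')
            pos = end + 1
        elif kind == 7:
            values.append(str(struct.unpack_from("<i", body, pos)[0]))
            pos += 4
        elif kind in (8, 9):
            idx = body[pos] if kind == 8 else struct.unpack_from("<H", body, pos)[0]
            pos += 1 if kind == 8 else 2
            if pool is None:
                raise ValueError("constant push before any ActionConstantPool")
            values.append(f'"{pool[idx]}"')
        else:
            raise ValueError(f"push type {kind} not handled in this toy")
    return values


def decode(stream, keep_first_pool=False):
    """Return readable ops.  keep_first_pool=True mimics a naive tool that
    ignores later ActionConstantPool actions, which is what the trick exploits."""
    ops, pool, pos = [], None, 0
    while pos < len(stream):
        code = stream[pos]
        pos += 1
        body = b""
        if code >= 0x80:
            length = struct.unpack_from("<H", stream, pos)[0]
            pos += 2
            body = stream[pos:pos + length]
            pos += length
        if code == ACTION_CONSTANT_POOL:
            count = struct.unpack_from("<H", body, 0)[0]
            names = [n.decode() for n in body[2:].split(b"\0")[:count]]
            if pool is None or not keep_first_pool:
                pool = names                            # a new pool replaces the old one
            ops.append(f"constantPool({count})")
        elif code == ACTION_PUSH:
            ops.extend("push " + v for v in _parse_push(body, pool))
        elif code == ACTION_SET_VARIABLE:
            ops.append("setVariable")
        elif code == ACTION_GET_VARIABLE:
            ops.append("getVariable")
        else:
            ops.append(f"unknown(0x{code:02x})")
    return ops


def to_statements(ops):
    """Tiny stack model: enough to turn push/getVariable/setVariable into AS2-like source."""
    stack, stmts = [], []
    for op in ops:
        if op.startswith("push "):
            stack.append(op[5:])
        elif op == "getVariable":
            stack.append(stack.pop().strip('"'))
        elif op == "setVariable":
            value, name = stack.pop(), stack.pop().strip('"')
            stmts.append(f"{name} = {value};")
    return stmts


# Constructed sample: a decoy pool, then the real pool, then `score = 100; lives = score;`.
SAMPLE = (
    constant_pool("decoy_a", "decoy_b")
    + constant_pool("score", "lives")
    + push_const(0) + push_int(100) + bytes([ACTION_SET_VARIABLE])
    + push_const(1) + push_const(0) + bytes([ACTION_GET_VARIABLE]) + bytes([ACTION_SET_VARIABLE])
)

if __name__ == "__main__":
    print("active pool :", to_statements(decode(SAMPLE)))
    print("first pool  :", to_statements(decode(SAMPLE, keep_first_pool=True)))
```

Resolved against the active pool the sample reads score = 100; lives = score; resolved against the first pool only, the same bytes read decoy_a = 100; decoy_b = decoy_a;. Real obfuscators interleave far more pools than two, but the mechanism is the same.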
AS3
- Modifies code with simple if conditions: if(true), if(false), simple number comparisons.
FFDec result: Code displayed
Needed features: A – deobfuscation
Magic Hills SWF Protection 2.6 Trial
AS1/2/3
- Only uses a multilevel AS3 loader.
- The loaded SWF is not modified in any way.
FFDec result: Code displayed
Needed features: B – open loaded
Notes
Note that getting through a loader with the “Open loaded SWFs while playing” (B) feature is not always possible: FFDec uses it while running the SWF file inside the Flash projector, and it will fail when there are, for example, checks on the current domain (sitelocks), because the current version of FFDec cannot run the SWF inside a browser. The test was done on SWF files with no sitelock.
Also, be careful with the “Remove single assigned obfuscated declarations” feature (C), as it might inappropriately remove obfuscated declarations you need. But if the SWF file does not use other obfuscated variable names at all (as in our examples), the feature is quite useful.
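As an added example (my own code, not FFDec's): a toy model of what the “Automatic deobfuscation” (A) and “Remove single assigned obfuscated declarations” (C) features from the “FFDec features used” section do, and of why the caveat above about feature C matters. Assumed for the example, and not taken from the post: an obfuscated name is any string that is not a valid identifier, the statement and expression shapes are invented, and the sample program is constructed by hand in the style of the Amayeta/DComSoft/secureSWF output described above. The point it makes is about ordering: running A first folds the opaque predicates that read the obfuscated prologue, which leaves that prologue unread, and only then can C remove it safely.

```python
"""Added example (not FFDec's own code): a toy model of the "automatic
deobfuscation" (A) and "remove single assigned obfuscated declarations" (C)
passes over a small AS-like statement list.  Assumptions that are mine, not the
post's: an obfuscated identifier is any name that is not a valid identifier
(obfuscators use control characters, which FFDec shows as §§-style tokens)."""
from collections import namedtuple

Const = namedtuple("Const", "value")            # literal
Var = namedtuple("Var", "name")                 # variable read
BinOp = namedtuple("BinOp", "op left right")    # binary expression
Assign = namedtuple("Assign", "name expr")      # name = expr;
Call = namedtuple("Call", "name args")          # opaque call, never folded away
If = namedtuple("If", "cond then orelse")       # if (cond) { then } else { orelse }

# Operators the post's obfuscators build their opaque predicates from.
OPS = {"&": lambda a, b: a & b, "^": lambda a, b: a ^ b, "==": lambda a, b: a == b,
       "!=": lambda a, b: a != b, "<": lambda a, b: a < b, ">": lambda a, b: a > b}


def is_obfuscated(name):
    return not name.isidentifier()


def fold(e, env):
    """Substitute known obfuscated constants and fold constant sub-expressions."""
    if isinstance(e, Var):
        return env.get(e.name, e)
    if isinstance(e, BinOp):
        left, right = fold(e.left, env), fold(e.right, env)
        if isinstance(left, Const) and isinstance(right, Const) and e.op in OPS:
            return Const(OPS[e.op](left.value, right.value))
        return BinOp(e.op, left, right)
    return e


def assign_counts(node, counts=None):
    """How many times each name is assigned anywhere (branches included)."""
    counts = {} if counts is None else counts
    if isinstance(node, Assign):
        counts[node.name] = counts.get(node.name, 0) + 1
    elif isinstance(node, (list, If)):
        for child in node:
            assign_counts(child, counts)
    return counts


def read_names(node, out=None):
    """Every name that is read somewhere in the statements."""
    out = set() if out is None else out
    if isinstance(node, Var):
        out.add(node.name)
    elif isinstance(node, (list, BinOp, Assign, Call, If)):
        for child in node:
            read_names(child, out)
    return out


def deobfuscate(stmts):
    """Pass A: propagate once-assigned obfuscated constants, fold the opaque
    predicates they feed and keep only the branch that can actually run."""
    counts = assign_counts(stmts)

    def walk(ss, env, straight_line):
        out = []
        for s in ss:
            if isinstance(s, Assign):
                expr = fold(s.expr, env)
                # Only names assigned exactly once, outside any branch, are safe to propagate.
                if (straight_line and is_obfuscated(s.name)
                        and counts[s.name] == 1 and isinstance(expr, Const)):
                    env[s.name] = expr
                out.append(Assign(s.name, expr))
            elif isinstance(s, Call):
                out.append(Call(s.name, [fold(a, env) for a in s.args]))
            else:
                cond = fold(s.cond, env)
                if isinstance(cond, Const):   # if(true), if(false), (§§a & 3) == 2, ...
                    out.extend(walk(s.then if cond.value else s.orelse, env, straight_line))
                else:
                    out.append(If(cond, walk(s.then, env, False), walk(s.orelse, env, False)))
        return out

    return walk(stmts, {}, True)


def remove_single_assigned_obfuscated(stmts):
    """Pass C: drop `§§x = v` when §§x is obfuscated, assigned once and never read.
    The read check is what stops it deleting a declaration the real code still
    uses (the caveat in the Notes); running A first is what removes those reads."""
    counts, reads = assign_counts(stmts), read_names(stmts)

    def dead(s):
        return (isinstance(s, Assign) and is_obfuscated(s.name)
                and counts[s.name] == 1 and s.name not in reads)

    def walk(ss):
        return [If(s.cond, walk(s.then), walk(s.orelse)) if isinstance(s, If) else s
                for s in ss if not dead(s)]

    return walk(stmts)


# Constructed sample: an obfuscated prologue, an opaque predicate around the real
# code, and an if(false) block, in the style the post describes.
OBF = "\x01\x02"   # control-character name, the kind FFDec prints as a §§ token
SAMPLE = [
    Assign(OBF, Const(6)),
    Assign("realVar", Const(1)),
    If(BinOp("==", BinOp("&", Var(OBF), Const(3)), Const(2)),   # (6 & 3) == 2 is always true
       [Call("gotoAndPlay", [Const(2)])], [Call("trace", [Const("never")])]),
    If(Const(False), [Call("trace", [Const("dead")])], []),
    Call("trace", [Var("realVar")]),
]

if __name__ == "__main__":
    print("after A    :", deobfuscate(SAMPLE))
    print("after A + C:", remove_single_assigned_obfuscated(deobfuscate(SAMPLE)))
```

Applied to the sample alone, pass C removes nothing, because the obfuscated name is still read by the predicate; after pass A the predicate has been folded to its true branch, the prologue is unread, and C drops it, leaving only realVar = 1; gotoAndPlay(2); trace(realVar);.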
Conclusion
I should be careful about drawing conclusions, but I think FFDec handles these obfuscations pretty well. Some of them still require some manual work (see the “Needed work” items).
There are certainly still obfuscators in the wild that FFDec cannot process properly, but our decompiler does its best to show all the code in all cases.
Edit 2023-03-19: Updated to the current stable version 18.3.6 and its “remove unassigned obfuscated variables” feature; added the feature descriptions, Needed features, Notes and Conclusion.