Today I successfully decompiled a Flash movie built with AS3.

Quite a while ago Adobe released ActionScript as open source, and together with the Mozilla Foundation they introduced a project called Tamarin. Tamarin aims to deliver a high-performance, open source implementation of the ES4 language specification. Basically it’s ActionScript 3, as used by Flex and newer versions of Flash.

During the preparation of my talks at the Camp, FrOSCon and DevHouse Cologne, as well as of the FlashSec project wiki, I stumbled upon one big problem: there are quite a few options for decompiling AS2-based SWF movies, but there is nothing really for AS3. A few weeks ago I read about Tamarin as one way of getting a cheapo AS3 decompiler, but it simply didn’t work the way expected on Mac OS (and Linux). Today I found out why it didn’t work.

Here is a very quick-and-dirty overview of the necessary steps:

  • First of all obtain Mercurial, the SCM used by the Tamarin project (under OS X it’s available in MacPorts)
  • After that get the Tamarin source by running:
    hg clone http://hg.mozilla.org/tamarin-central tamarin-central
  • If you are running an OS != Win32 you have to change shell/DataIO.h
  • Lines 124 – 131 read as follows:
    Endian GetNativeEndian() const
    {
    #ifdef WIN32
        return kLittleEndian;
    #else
        return kBigEndian;
    #endif
    }
  • Since I’m lazy I only commented out everything inside the braces except the line which says “return kLittleEndian”.
  • Build Tamarin. On Mac OS X:
    $ cd tamarin-central/core
    $ xcodebuild -project platform/mac/shell/shell.xcodeproj
  • Download and install the Adobe Flex 2 SDK in case you haven’t already
  • The ActionScript compiler can be found in lib/asc.jar. Copy lib/asc.jar from the SDK installation to tamarin-central/utils/
  • Use asc.jar to compile the Tamarin intrinsics into builtin.abc:
    $ cd tamarin-central/core
    $ java -ea -DAS3 -Xmx200m -DAVMPLUS \
        -classpath ../utils/asc.jar macromedia.asc.embedding.ScriptCompiler \
        -d -builtin -out builtin builtin.as Math.as Error.as RegExp.as Date.as XML.as
  • Now you can use asc.jar and builtin.abc to compile applications. Use the -help option of asc.jar and avmplus for more details. Note: under Mac OS X avmplus is at platform/mac/shell/build/Release/shell
  • To build abcdump.exe, run these steps:
    $ java -jar utils/asc.jar core/builtin.as
    $ java -jar utils/asc.jar shell/ByteArray.as
    $ java -jar utils/asc.jar -exe avmplus -import core/builtin.abc -import shell/ByteArray.abc utils/abcdump.as
  • Now we are ready to compile and decompile AS3.

Here’s a very basic example to see if it works. First we compile a simple script:

$ echo 'print("hello, world")' > hello.as
$ java -jar utils/asc.jar -import core/builtin.abc hello.as
hello.abc, 86 bytes written

Now we can decompile the resulting hello.abc (.abc is ActionScript Byte Code). As you can see, the output is not ActionScript source but a disassembly of the bytecode. So we cannot recompile it afterwards (as we could with Flare and AS2), but it’s enough to see what the script is actually doing:

$ utils/abcdump.exe hello.abc
magic 2e0010
Cpool numbers size 3 3 %
Cpool strings count 5 size 32 37 %
Cpool namespaces count 3 size 5 5 %
Cpool nssets count 2 size 4 4 %
Cpool names count 2 size 4 4 %
MethodInfo count 1 size 5 5 %
InstanceInfo size 1 1 %
ClassInfo size 0 0%
ScriptInfo size 3 3 %
MethodBodies size 24 27 %
script0
function script0$init():*       /* disp_id 0*/
{
  // local_count=2 max_scope=1 max_stack=2 code_len=15
  0         getlocal0
  1         pushscope
  2         findpropstrict      print
  4         pushstring          "hello, world"
  6         callproperty        print (1)
  9         coerce_a
  10        setlocal1
  11        getlocal1
  12        returnvalue
  13        kill                1
}
OPCODE  SIZE    % OF 15
callproperty    3       20%
kill            2       13%
pushstring      2       13%
findpropstrict  2       13%
pushscope       1       6%
returnvalue     1       6%
coerce_a        1       6%
getlocal0       1       6%
getlocal1       1       6%
setlocal1       1       6%
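To make the first lines of that dump less opaque, here is a small added example (not code from the original post, Tamarin or abcdump) that reads an .abc header and its constant-pool strings the way the AVM2 file format lays them out: a little-endian u16 minor/major version pair (which abcdump prints combined as “magic 2e0010”), then variable-length u30 counts for each pool. The sample bytes are constructed by hand to mirror the hello.as script; function and variable names are my own.

```python
"""Parse the header and constant-pool strings of an AVM2 .abc file.

Added example, not part of the original post or of Tamarin/abcdump.
Layout follows the public AVM2 overview: u16 minor, u16 major, then the
constant pool (ints, uints, doubles, strings, namespaces, ...). Only the
parts needed to reach the string pool are decoded here.
"""
import struct


def read_u30(buf, pos):
    """Decode the variable-length u30/u32 integer used throughout ABC.
    Each byte carries 7 bits, low group first; bit 7 set means 'more'."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not (b & 0x80) or shift >= 35:   # at most 5 bytes
            return value & 0xFFFFFFFF, pos


def parse_abc_header(data):
    """Return versions, the 'magic' as abcdump prints it, and pool strings."""
    minor, major = struct.unpack_from("<HH", data, 0)
    pos = 4
    # Pool counts include the implicit entry 0, so a count of n means n-1
    # entries are present in the file (a count of 0 also means none).
    int_count, pos = read_u30(data, pos)
    for _ in range(max(int_count - 1, 0)):
        _, pos = read_u30(data, pos)          # s32 uses the same varint form
    uint_count, pos = read_u30(data, pos)
    for _ in range(max(uint_count - 1, 0)):
        _, pos = read_u30(data, pos)
    double_count, pos = read_u30(data, pos)
    pos += 8 * max(double_count - 1, 0)       # IEEE-754 doubles, little-endian
    string_count, pos = read_u30(data, pos)
    strings = []
    for _ in range(max(string_count - 1, 0)):
        size, pos = read_u30(data, pos)       # u30 byte length, then UTF-8
        strings.append(data[pos:pos + size].decode("utf-8"))
        pos += size
    return {"minor": minor, "major": major,
            "magic": f"{major:x}{minor:04x}", "strings": strings}


# Constructed sample (not the real hello.abc): version 46.16 and a string
# pool holding the single literal from the hello.as script.
SAMPLE_ABC = (b"\x10\x00\x2e\x00"                 # minor=16, major=46
              + b"\x00\x00\x00"                   # no ints, uints, doubles
              + b"\x02" + b"\x0chello, world")    # string_count=2 -> 1 entry
```

Running `parse_abc_header(SAMPLE_ABC)` yields magic `2e0010`, matching the first line of the abcdump output above.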

This also works with SWF files using AS3. It’s at least a start towards having a chance of auditing modern Flash movies and Flex apps.
========================
The article above is reposted from http://thylmann.net/rss/author/fukami?media=rss
========================

Below are the problems I ran into while building it myself, and how I solved them.

1. Before building avmplus, you must generate a fresh builtin file with the {java -ea -DAS3 ….} command; otherwise the contents of builtin.h will not match.

2. Two files in avmplus contain text in several languages, which VS8 refuses to compile. My approach was to use UEdit to convert them from UTF-8 to Unicode.

3. You need to download the zlib source and place it in a directory alongside the project; otherwise avmplus will not build cleanly.

4. Compiling ByteArray on its own with java produces errors; my workaround was to include it in builtin.as and then compile builtin.as once.

=========================