The Turkey Curse
fukamis terror chatroom

How to build a very basic AS3 decompiler using Tamarin on non-Win32 systems

Sweetmorn, 45th Confusion, 3173.

Quite a while ago Adobe released ActionScript as OSS, and together with the Mozilla Foundation they introduced a project called [Tamarin][Tamarin]. Tamarin aims to be a high-performance, open source implementation of the ES4 language specification, which is basically ActionScript 3, the language used by Flex and newer versions of Flash.

While preparing my talks at the [Camp][Camp], [FrOSCon][FrOSCon] and [DevHouse Cologne][DevHouse], as well as the FlashSec project wiki, I stumbled upon one big problem: there are quite a few ways to decompile AS2-based SWF movies, but there is nothing really for AS3. A few weeks ago I [read][AS3 Decompiler] about Tamarin as one way of getting a cheapo AS3 decompiler, but it simply didn’t work as expected on Mac OS (and Linux). Today I found out why.

Here is a very quick-and-dirty overview of the necessary steps:

* First of all, obtain [Mercurial][Mercurial], the SCM used by the Tamarin project (under OS X it’s available in MacPorts)
* After that, get the Tamarin source by running:

hg clone http://hg.mozilla.org/tamarin-central tamarin-central

* If you are running an OS != Win32 you have to change shell/DataIO.h
* Lines 124 to 131 read as follows:

Endian GetNativeEndian() const
{
    #ifdef WIN32
    return kLittleEndian;
    #else
    return kBigEndian;   // wrong on little-endian non-Win32 hosts such as Intel Macs and x86 Linux
    #endif
}

* Since I’m lazy I only commented out everything inside the braces except the line that says “return kLittleEndian”.
* Build Tamarin. On Mac OS X:

$ cd tamarin-central/core
$ xcodebuild -project platform/mac/shell/shell.xcodeproj

* Download and install the [Adobe Flex 2 SDK][Flex SDK] in case you haven’t already
* The ActionScript compiler is lib/asc.jar in the SDK installation. Copy it to tamarin-central/utils/
* Use asc.jar to compile the Tamarin intrinsics into builtin.abc:

$ cd tamarin-central/core
$ java -ea -DAS3 -Xmx200m -DAVMPLUS \
    -classpath ../utils/asc.jar macromedia.asc.embedding.ScriptCompiler \
    -d -builtin -out builtin builtin.as Math.as Error.as RegExp.as Date.as XML.as

* Now you can use asc.jar and builtin.abc to compile applications. Use the -help option of asc.jar and avmplus for more details. Note: under Mac OS X, avmplus is at platform/mac/shell/build/Release/shell
* To compile abcdump.exe, run these steps (from the tamarin-central directory, as the paths show):

$ java -jar utils/asc.jar core/builtin.as
$ java -jar utils/asc.jar shell/ByteArray.as
$ java -jar utils/asc.jar -exe avmplus -import core/builtin.abc -import shell/ByteArray.abc utils/abcdump.as

* Now we are ready to compile and decompile AS3.

Here’s a very basic example to see if it works. First we compile a simple script:

$ echo 'print("hello, world")' > hello.as
$ java -jar utils/asc.jar -import core/builtin.abc hello.as

hello.abc, 86 bytes written

Now we can decompile the resulting hello.abc (.abc is ActionScript Byte Code). As you can see, the output is not ActionScript source but a disassembly-style pseudo code, so we cannot use it to recompile the script afterwards (as we can with Flare and AS2), but it’s enough to see what the script is actually doing:

$ utils/abcdump.exe hello.abc
magic 2e0010
Cpool numbers size 3 3 %
Cpool strings count 5 size 32 37 %
Cpool namespaces count 3 size 5 5 %
Cpool nssets count 2 size 4 4 %
Cpool names count 2 size 4 4 %
MethodInfo count 1 size 5 5 %
InstanceInfo size 1 1 %
ClassInfo size 0 0%
ScriptInfo size 3 3 %
MethodBodies size 24 27 %
script0

function script0$init():*       /* disp_id 0*/
{
  // local_count=2 max_scope=1 max_stack=2 code_len=15
  0         getlocal0
  1         pushscope
  2         findpropstrict      print
  4         pushstring          "hello, world"
  6         callproperty        print (1)
  9         coerce_a
  10        setlocal1
  11        getlocal1
  12        returnvalue
  13        kill                1
}

OPCODE  SIZE    % OF 15
callproperty    3       20%
kill            2       13%
pushstring      2       13%
findpropstrict  2       13%
pushscope       1       6%
returnvalue     1       6%
coerce_a        1       6%
getlocal0       1       6%
getlocal1       1       6%
setlocal1       1       6%
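As an added example (my code, not the post’s or Tamarin’s), here is the DataIO.h endianness problem from the patch step above next to a run-time probe that gives the right answer on both Intel and PowerPC hosts, applied to the four header bytes that abcdump prints as `magic 2e0010` in the dump above. Only `Endian`, `kLittleEndian` and `kBigEndian` come from the post; the function names and the constructed header bytes are assumptions of this example.

```cpp
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <vector>

// Same enum names as Tamarin's shell/DataIO.h quoted in the post.
enum Endian { kLittleEndian, kBigEndian };

// The post's workaround: always report little-endian. Right on Intel Macs and
// x86 Linux, but wrong on a big-endian host such as a PowerPC Mac.
Endian GetNativeEndianHardcoded() { return kLittleEndian; }

// Portable fix (example, not Tamarin's code): probe the host at run time
// instead of trusting a WIN32-only #ifdef.
Endian GetNativeEndianRuntime() {
    const uint16_t probe = 0x0102;
    unsigned char first_byte;
    std::memcpy(&first_byte, &probe, 1);
    return first_byte == 0x02 ? kLittleEndian : kBigEndian;
}

// ABC fixed-width fields are little-endian on disk. Load natively and swap
// only on a big-endian host; this is the decision that depends on
// GetNativeEndian(), so a wrong answer there silently corrupts every field.
uint16_t ReadU16LittleEndian(const unsigned char* p, Endian native) {
    uint16_t v;
    std::memcpy(&v, p, sizeof v);
    if (native == kBigEndian) v = static_cast<uint16_t>((v << 8) | (v >> 8));
    return v;
}

struct AbcHeader { uint16_t minor; uint16_t major; };

// An .abc file starts with minor_version (u16) followed by major_version (u16).
AbcHeader ParseAbcHeader(const std::vector<unsigned char>& abc) {
    if (abc.size() < 4) throw std::runtime_error("truncated ABC header");
    const Endian native = GetNativeEndianRuntime();
    return AbcHeader{ReadU16LittleEndian(&abc[0], native),
                     ReadU16LittleEndian(&abc[2], native)};
}

// abcdump prints the header as one hex word: major in the high 16 bits,
// minor in the low 16 bits ("magic 2e0010" above).
uint32_t AbcMagic(const AbcHeader& h) {
    return (static_cast<uint32_t>(h.major) << 16) | h.minor;
}

// Constructed sample: the on-disk bytes behind "magic 2e0010" (minor 16, major 46).
const std::vector<unsigned char> kSampleAbcHeader = {0x10, 0x00, 0x2e, 0x00};
```

Feeding `ReadU16LittleEndian` the wrong native endianness, as the unpatched `#ifdef` does on an Intel Mac, turns the minor version 16 into 4096, which is the kind of silent corruption that made the original build fail.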

This also works with SWFs that use AS3. It’s at least a start towards being able to audit modern Flash movies and Flex apps.

[Tamarin]: http://www.mozilla.org/projects/tamarin/
[Mercurial]: http://www.selenic.com/mercurial/wiki/
[Flex SDK]: http://www.adobe.com/products/flex/downloads/
[AS3 Decompiler]: http://www.5etdemi.com/blog/archives/2007/01/as3-decompiler/
[Camp]: http://events.ccc.de/camp/2007/Fahrplan/events/1994.en.html
[FrOSCon]: http://programm.froscon.org/2007/events/21.en.html
[DevHouse]: http://devcologne.pbwiki.com/
