• Keep in touch:
  • Linked In
  • Twitter
  • RSS

Covert Actions

One interesting technique for obfuscating Flash files that I came across when using real-world files for testing Transform SWF was hiding actions in the body of a tag earlier in the movie. Here is how it works. The header field in a tag normally contains the type and length of the encoded body in bytes. The length field effectively tells the Flash Player where the next tag starts.

Here is a typical situation where a frame is displayed (ShowFrame) followed by the set of actions (DoAction) that will be executed for the next frame.

If you change the value of the length field in the ShowFrame tag (it should always be zero) you can hide a block of actions inside the body of the tag.

The Flash player has no problem executing this since ShowFrame tags do not contain any data so it happily ignores the hidden actions until they are jumped to by the following DoAction tag. The same technique is used within blocks of actions where the length field of a Table action (which contains the strings used in a script) is increased so allow actions to be appended to the encoded strings and so hide them.

The interesting part is not that the technique is possible but that the movie appears to be loaded into memory as-is, otherwise the actions that jump and return from the code in the hidden block would not work.

This type of obfuscation is not encountered very often, so Transform SWF 3.0, out of the box, is not able to decode the hidden actions. If you do decode a file then the hidden actions will simply get lost when the file is re-encoded. However you can easily add a custom decoder class to Movie that will decode all the tags as MovieObjects. Then step through the list comparing the type against the size of the encoded body. If you find a ShowFrame object (type = 1) where the number of bytes in the body is greater than zero and the next object is a DoAction (type = 12) then it is reasonable to assume the ShowFrame tag contains hidden actions.

This approach is easily defeated however if the actions are hidden in a tag where you would expect binary data, i.e. an image, since there is no discrepancy between the length of the tag and the actual payload. (I have never seen this variation so I am not sure it works). In this situation you would have to step through the decoded actions looking for a JUMP or IF where the offset was outside the block of actions in the tag and follow this to identify which tag contained the hidden actions. This is more complicated to deal with but not overly difficult.

Of course, the simplest way of handling this type of file is not to decode it in the first place. If someone went to the trouble of obfuscating the actions it means that they do not want third-parties looking at their work. So it is best to leave well alone.

Comments are closed.