Tools for static and dynamic analysis of ActionScript3 SWF files.

KasperskyLab/ActionScript3

ActionScript3 IDA Pro

Author: Boris Larin

This repository contains the SWF Loader, ActionScript3 processor module, and a debugger assist plugin named KLFDB.

Requirements

IDA Pro 7.1 (Tested with IDA Pro 7.1.180227)

Installation

Copy files into the IDA Pro directory:

  • 'swf.py' to 'loaders' subfolder
  • 'klfdb.py' to 'plugins' subfolder
  • 'as3.py' to 'procs' subfolder
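
The copy steps above as a small install helper. This is an added example, not part of the repository: the `install` function and its `overwrite` parameter are hypothetical names, and it assumes the IDA Pro directory already contains the `loaders`, `plugins` and `procs` subfolders. It refuses to replace an existing file whose contents differ, so an analyst's locally modified copy is not silently overwritten.

```python
import filecmp
import shutil
from pathlib import Path

# File -> IDA Pro subfolder, taken from the installation list above.
LAYOUT = {"swf.py": "loaders", "klfdb.py": "plugins", "as3.py": "procs"}


def install(repo_dir, ida_dir, overwrite=False):
    """Copy the three scripts into ida_dir and return {file: status}.

    Status is 'installed', 'unchanged' or 'updated'. All checks run before
    the first copy, so a bad path or a conflict never leaves a partial install.
    """
    repo, ida = Path(repo_dir), Path(ida_dir)
    missing = [str(repo / f) for f in LAYOUT if not (repo / f).is_file()]
    missing += [str(ida / d) for d in LAYOUT.values() if not (ida / d).is_dir()]
    if missing:
        raise FileNotFoundError("missing: " + ", ".join(missing))

    plan = {}
    for name, sub in LAYOUT.items():
        src, dst = repo / name, ida / sub / name
        if not dst.exists():
            plan[name] = "installed"
        elif filecmp.cmp(src, dst, shallow=False):  # byte-for-byte compare
            plan[name] = "unchanged"
        elif overwrite:
            plan[name] = "updated"
        else:
            raise FileExistsError(f"{dst} differs from {src}; pass overwrite=True")

    for name, status in plan.items():
        if status != "unchanged":
            shutil.copy2(repo / name, ida / LAYOUT[name] / name)
    return plan


if __name__ == "__main__":
    import sys
    # Usage: python install_as3.py <repository dir> <IDA Pro dir>
    for name, status in install(sys.argv[1], sys.argv[2]).items():
        print(f"{status:10} {LAYOUT[name]}/{name}")
```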

Usage

Drag and drop the SWF file to IDA Pro and select the Shockwave Flash loader.

Use 'File' -> 'Produce file' -> 'Create MAP file...' to generate a map file for use with KLFDB.

KLFDB is written to work with 32-bit versions of Stand Alone Flash and with Flash for Browsers (Internet Explorer is currently supported).

To debug the SWF file with Internet Explorer, load the Adobe Flash module (e.g. c:\Windows\System32\Macromed\Flash\Flash32__**.ocx) into IDA Pro.

Use 'Edit' -> 'Klfdb' -> 'Load new map file' to load the generated map file.

From this point, it is possible to use 'Edit' -> 'Klfdb' -> 'Set breakpoints on ...' to set breakpoints on methods.

After setting breakpoints, attach to the Internet Explorer process that is about to start the SWF file and use 'Edit' -> 'Klfdb' -> 'Run'. After that, allow the Flash file to execute.

The plugin will suspend execution of Adobe Flash after a breakpoint is hit and will transparently fill the just-in-time compiled native code with useful comments about the original bytecode.

Acknowledgements
