DYNAMIC ANALYSIS OF ADOBE FLASH FILES
Jacob Thompson
DerbyCon 5.0
September 26, 2015
About the Speaker
● Jacob Thompson
● Senior Security Analyst at Independent Security Evaluators
  – Reverse Engineering
  – Cryptography
  – System and Application Security
  – Secure System Design
● TLS client certificate presentation last year
About ISE
Formed in 2005, ISE is an independent security firm in Baltimore, Maryland, dedicated to aggressive defense strategies using advanced science.
Ultimate Goals
● Security assessments involving Flash
  – Static analysis (code review)
  – Dynamic analysis (debugging/tracing)
● Given only the release-version, binary SWF
● Contribution: Tool to convert a release SWF into a debuggable one
Really?
Flash Persistence
● 1 in 10 websites
● Traditional strengths
  – Streaming
  – Graphics
  – Cross-browser compatibility
● Adobe AIR
Sources: W3Techs.com, FastCompany.com
Flash and Security Assessments
● Authentication
● API client code
● Cryptography
● Client-side blunders
● Absence/weakness of tools
ActionScript 3
● Object oriented paradigm
● Similar to JavaScript (ECMAScript-derived)
● Compiled to AVM2 byte code
● Just-in-time compiled by the player
● Open source Flex SDK
ActionScript Byte Code
ActionScript Byte Code cont.
Decompiled ActionScript Code
Static Analysis Limitations
● Complex data flows
● Sample inputs/outputs
● Proprietary formats
● Encryption keys
Flash Debugging
1. Obtain debug-version SWF file
2. Install Flash Debugger Plugin
3. Launch Flash Debugger (fdb)
Debuggable SWF
mxmlc -compiler.debug -default-frame-rate=50 \
-static-link-runtime-shared-libraries=true \
-library-path=. -define=CONFIG::HLS,true \
-output flowplayerhls.swf Flowplayer.as -source-path .
● Line number information
● Filename information
● Local variable information
● EnableDebugger2 tag
Flash Debugger Plugin
1. Uninstall non-debugger version
2. Install the debugger ("content debugger") version:
http://www.adobe.com/support/flashplayer/debug_downloads.html
● In-browser plugin version vs. standalone projector
● Linux version frozen at 11.2
Debugger Connection
Debuggable SWF triggers connection to listening debugger at 127.0.0.1:7935
fdb
Apache fdb (Flash Player Debugger) [build 20150123]
Copyright 2013 The Apache Software Foundation. All rights reserved.
(fdb) run
Waiting for Player to connect
Debuggable Flowplayer
fdb cont.
Apache fdb (Flash Player Debugger) [build 20150123]
Copyright 2013 The Apache Software Foundation. All rights reserved.
(fdb) run
Waiting for Player to connect
Player connected; session starting.
Set breakpoints and then type 'continue' to resume the session.
(fdb)
fdb Features
●
Stack tracing
●
Breakpoints, watchpoints, exception handling
●
Disassembly, print and set variables
fdb cont.
Apache fdb (Flash Player Debugger) [build 20150123]
Copyright 2013 The Apache Software Foundation. All rights reserved.
(fdb) run
Waiting for Player to connect
Player connected; session starting.
Set breakpoints and then type 'continue' to resume the session.
(fdb) info files
--Flowplayer.as#1
StreamProvider.as#2
...
AES.as#39
DemuxHelper.as#40
...
[SWF] /jake/flowplayer/flowplayerhls.swf - 180,145 bytes after decompression
(fdb) break AES.as:_decryptChunk
Breakpoint 1 at 0x683: file AES.as, line 88
(fdb)
(fdb) cont
Breakpoint 1, _decryptChunk() at AES.as:88
88
// code goes here
(fdb) where
#0
this = [Object 205857153,
class='org.mangui.hls.utils::AES'].AES/_decryptChunk() at
AES.as#39:88
#1
this = [Object 205857153,
class='org.mangui.hls.utils::AES'].AES/_decryptTimer(e=[Object
211536801, class='flash.events::Event']) at AES.as#39:81
(fdb) print _key
$1 = [Object 210952305, class='org.mangui.hls.utils::FastAESKey']
(fdb)
fdb cont.
(fdb) print _key.keySchedule[0]
$5 = 790428583 (0x2f1cfba7)
(fdb) print _key.keySchedule[1]
$6 = 1295894385 (0x4d3dc771)
(fdb) print _key.keySchedule[2]
$7 = 3106002306 (0xb921d582)
(fdb) print _key.keySchedule[3]
$8 = 9923934 (0x976d5e)
(fdb)
Round key 0 of an AES key schedule is the key itself, so the four words above, written as big-endian 32-bit values (keySchedule[3] zero-padded to 00976d5e), are the 128-bit AES key:
2f1cfba74d3dc771b921d58200976d5e
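The assembly of that key as an added Python example (this is not the talk's code): it parses the `$N = decimal (0xhex)` results fdb prints, zero-pads each word to 32 bits (fdb shows 0x976d5e, but the key bytes are 00 97 6d 5e), and runs the FIPS-197 key expansion on the result so the analyst can type `print _key.keySchedule[4]` in fdb and confirm the object really is a forward AES-128 schedule before trusting the key. The transcript embedded in the block is constructed from the slides. The check assumes round key 0 sits at index 0; a mismatch at word 4 means the schedule is stored in reverse order or has been transformed for decryption, and the first four words should then not be taken as the key without further inspection.

```python
import re

# Constructed transcript reproducing the four 'print' results on the slides.
FDB_OUTPUT = """\
(fdb) print _key.keySchedule[0]
$5 = 790428583 (0x2f1cfba7)
(fdb) print _key.keySchedule[1]
$6 = 1295894385 (0x4d3dc771)
(fdb) print _key.keySchedule[2]
$7 = 3106002306 (0xb921d582)
(fdb) print _key.keySchedule[3]
$8 = 9923934 (0x976d5e)
"""

RESULT_LINE = re.compile(r"^\$\d+\s*=\s*(-?\d+)\s*\(0x[0-9a-fA-F]+\)", re.M)

def words_from_fdb(transcript):
    """'$N = <decimal> (0x<hex>)' lines -> unsigned 32-bit words. The decimal
    value is used; a negative one (an AS3 int rather than uint) is reduced
    modulo 2**32."""
    return [int(m.group(1)) & 0xFFFFFFFF for m in RESULT_LINE.finditer(transcript)]

def key_from_words(words):
    """Round key 0 is the key, one big-endian word per column (FIPS-197 5.2).
    to_bytes(4) does the zero-padding that the hex printout omits."""
    if len(words) != 4:
        raise ValueError("AES-128 needs 4 words, got %d" % len(words))
    return b"".join(w.to_bytes(4, "big") for w in words)

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return p & 0xFF

def build_sbox():
    """S-box from its definition: multiplicative inverse, then the affine map."""
    inv = {0: 0}
    for x in range(1, 256):
        for y in range(1, 256):
            if gf_mul(x, y) == 1:
                inv[x] = y
                break
    sbox = []
    for x in range(256):
        b = inv[x]
        s = b
        for r in range(1, 5):                       # b ^ rotl(b,1..4) ^ 0x63
            s ^= ((b << r) | (b >> (8 - r))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = build_sbox()

def expand_key(key):
    """FIPS-197 key expansion for a 16-byte key: 44 words, w[0..3] == key."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [int.from_bytes(key[i:i + 4], "big") for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = ((t << 8) | (t >> 24)) & 0xFFFFFFFF                      # RotWord
            t = int.from_bytes(bytes(SBOX[c] for c in t.to_bytes(4, "big")), "big")  # SubWord
            t ^= rcon << 24
            rcon = gf_mul(rcon, 2)
        w.append(w[i - 4] ^ t)
    return w

def recover_key(transcript):
    """Key bytes, plus the value keySchedule[4] must hold if the object is a
    forward AES-128 schedule; print that index in fdb to confirm."""
    words = words_from_fdb(transcript)
    key = key_from_words(words)
    return key, expand_key(key)[4]

if __name__ == "__main__":
    key, w4 = recover_key(FDB_OUTPUT)
    print("key =", key.hex())
    print("expect (fdb) print _key.keySchedule[4] -> 0x%08x" % w4)
```

The S-box is built from its definition rather than pasted as a table so that a typo cannot quietly produce a wrong expected word; the FIPS-197 Appendix A.1 vector is the sanity check for the expansion itself.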
Debug vs. Release SWF
EnableDebugger2 Tag
http://wwwimages.adobe.com/content/dam/Adobe/en/devnet/swf/pdf/swf-file-formatspec.pdf
import java.io.FileInputStream;
import java.io.FileOutputStream;
import com.jpexs.decompiler.flash.SWF;
import com.jpexs.decompiler.flash.tags.EnableDebugger2Tag;
import com.jpexs.decompiler.flash.tags.MetadataTag;

// Insert an EnableDebugger2 tag directly after the Metadata tag
// (assumes the SWF carries one; otherwise nothing is inserted).
private static void insertEnableDebugger2Tag(SWF swf) {
    int i;
    for (i = 0; i < swf.tags.size(); ++i)
        if (swf.tags.get(i).getId() == MetadataTag.ID)
            swf.tags.add(i + 1, new EnableDebugger2Tag(swf));
}

public static void main(String args[]) throws Exception {
    FileInputStream fis = new FileInputStream("in.swf");
    SWF swf = new SWF(fis, false);   // false: no parallel read
    fis.close();
    insertEnableDebugger2Tag(swf);
    FileOutputStream fos = new FileOutputStream("out.swf");
    swf.saveTo(fos);
    fos.close();
}
Uses JPEXS Free Flash Decompiler Library
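The same insertion done from the SWF file format specification instead of through JPEXS, as an added Python example (not code from the talk): it parses the header (signature, version, FileLength, the bit-packed FrameSize RECT, frame rate and count), walks the RECORDHEADER tag list, reports whether an EnableDebugger2 tag (code 64) is present, and adds one after the Metadata tag, falling back to after FileAttributes, which the spec requires to stay first. Assumptions: an empty debugger password (fdb connected with no password prompt in the transcripts above), FWS and zlib-compressed CWS files only (LZMA ZWS files are rejected), and a constructed sample SWF with no ActionScript in it.

```python
import struct
import zlib

TAG_END, TAG_ENABLEDEBUGGER2, TAG_FILEATTRIBUTES, TAG_METADATA = 0, 64, 69, 77

def split_swf(data):
    """-> (signature, version, fixed header fields, tag bytes); inflates CWS."""
    sig, version = data[:3], data[3]
    length = struct.unpack_from("<I", data, 4)[0]   # uncompressed length incl. 8-byte header
    body = data[8:]
    if sig == b"CWS":
        body = zlib.decompress(body)
    elif sig == b"ZWS":
        raise ValueError("LZMA (ZWS) SWF not handled in this example")
    elif sig != b"FWS":
        raise ValueError("not a SWF: signature %r" % sig)
    if len(body) + 8 != length:
        raise ValueError("FileLength %d disagrees with %d bytes" % (length, len(body) + 8))
    nbits = body[0] >> 3                              # RECT: 5-bit Nbits, then 4 fields
    fixed = (5 + 4 * nbits + 7) // 8 + 4              # RECT + FrameRate UI16 + FrameCount UI16
    return sig, version, body[:fixed], body[fixed:]

def parse_tags(tagdata):
    """[(code, payload), ...] from RECORDHEADERs: UI16 (code << 6 | length),
    length 0x3F meaning a UI32 long length follows."""
    tags, pos = [], 0
    while pos + 2 <= len(tagdata):
        hdr = struct.unpack_from("<H", tagdata, pos)[0]
        code, length = hdr >> 6, hdr & 0x3F
        pos += 2
        if length == 0x3F:
            length = struct.unpack_from("<I", tagdata, pos)[0]
            pos += 4
        tags.append((code, tagdata[pos:pos + length]))
        pos += length
        if code == TAG_END:
            break
    return tags

def encode_tag(code, payload):
    if len(payload) < 0x3F:
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload

def tag_codes(data):
    return [code for code, _ in parse_tags(split_swf(data)[3])]

def is_debuggable(data):
    """True if the SWF already carries an EnableDebugger2 tag."""
    return TAG_ENABLEDEBUGGER2 in tag_codes(data)

def insert_enable_debugger2(data):
    """Copy of the SWF with EnableDebugger2 after Metadata (else after
    FileAttributes, else at the head of the tag list); FileLength recomputed."""
    sig, version, fixed, tagdata = split_swf(data)
    tags = parse_tags(tagdata)
    codes = [code for code, _ in tags]
    if TAG_ENABLEDEBUGGER2 in codes:
        return data
    idx = 0
    for anchor in (TAG_METADATA, TAG_FILEATTRIBUTES):
        if anchor in codes:
            idx = codes.index(anchor) + 1
            break
    # Tag body: Reserved UI16 = 0, Password STRING = "" (just the NUL terminator).
    tags.insert(idx, (TAG_ENABLEDEBUGGER2, b"\x00\x00\x00"))
    body = fixed + b"".join(encode_tag(c, p) for c, p in tags)
    header = sig + bytes([version]) + struct.pack("<I", len(body) + 8)
    return header + (zlib.compress(body) if sig == b"CWS" else body)

def build_sample_swf(compressed=False):
    """Constructed minimal SWF: FileAttributes, Metadata, End; no ActionScript."""
    rect = b"\x78" + b"\x00" * 8                        # Nbits = 15, all coordinates 0
    fixed = rect + struct.pack("<HH", 24 << 8, 1)       # 24.0 fps (8.8 fixed), 1 frame
    tags = [(TAG_FILEATTRIBUTES, b"\x08\x00\x00\x00"),  # ActionScript3 flag
            (TAG_METADATA, b"<rdf:RDF/>\x00"),
            (TAG_END, b"")]
    body = fixed + b"".join(encode_tag(c, p) for c, p in tags)
    sig = b"CWS" if compressed else b"FWS"
    return sig + bytes([10]) + struct.pack("<I", len(body) + 8) + (zlib.compress(body) if compressed else body)
```

`split_swf` refuses a file whose FileLength disagrees with the bytes present, which is also the first thing to check when a patched SWF will not load: the header length is the uncompressed size and has to be rewritten after any tag is added.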
Debugging with EnableDebugger2
● Enables right-click Debugger option
Apache fdb (Flash Player Debugger) [build 20150123]
Copyright 2013 The Apache Software Foundation. All rights reserved.
(fdb) run
Waiting for Player to connect
Player connected; session starting.
Set breakpoints and then type 'continue' to resume the session.
[SWF] /jake/flowplayer/flowplayerhls.swf - 110,836 bytes after decompression
Do you want to attempt to halt execution? (y or n) y
Attempting to halt.
To help out, try nudging the Player (e.g. press a button)
Debugging cont.
Apache fdb (Flash Player Debugger) [build 20150123]
Copyright 2013 The Apache Software Foundation. All rights reserved.
(fdb) run
Waiting for Player to connect
Player connected; session starting.
Set breakpoints and then type 'continue' to resume the session.
[SWF] /jake/flowplayer/flowplayerhls.swf - 110,836 bytes after decompression
(fdb) info files
--(fdb) info variables
(fdb) info arguments
(fdb)

With only an EnableDebugger2 tag added, the player connects to fdb but reports no source files, variables or arguments: the release SWF still lacks the filename, line number and local variable information a debug build carries, so there is nothing to set a breakpoint on.
How fdb Breakpoints Work
public Location setBreakpoint(int fileId, int lineNum)
throws NoResponseException, NotConnectedException
{
/* send the message to the player and await a response
*/
Location l = null;
int bp = DLocation.encodeId(fileId, lineNum);
DMessage dm = DMessageCache.alloc(8);
dm.setType(DMessage.OutSetBreakpoints);
dm.putDWord(1);
dm.putDWord(bp);
// ...
flex-sdk modules/debugger/src/java/flash/tools/debugger/concrete/PlayerSession.java
How fdb Breakpoints Work cont.
/* encode /decode */
public static final int encodeId(int fileId, int line)
{
return ( (line << 16) | fileId );
}
flex-sdk modules/debugger/src/java/flash/tools/debugger/concrete/DLocation.java
Debug Information
Manually Add Debug Information
Debugging with Manual Debug Info
Apache fdb (Flash Player Debugger) [build 20150123]
Copyright 2013 The Apache Software Foundation. All rights reserved.
(fdb) run
Waiting for Player to connect
Player connected; session starting.
Set breakpoints and then type 'continue' to resume the session.
(fdb) info files
--AES.as#1
[SWF] /jake/flowplayer/flowplayerhls.swf - 110,842 bytes after decompression
(fdb) info functions
Functions in AES.as#1
_decryptChunk 1
(fdb) break AES.as:_decryptChunk
Breakpoint 1 at 0x174e4: file AES.as, line 1
(fdb)
What if a tool could automatically:
● Take a release-version SWF
● Decompile it
● Add the filenames and source line numbers from the decompiled code into the AVM2 bytecode
Challenges
● Correct absolute & relative branch addresses
● Try/catch blocks
● Debug instructions as branch targets
● Variable name generation
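An added Python illustration of the first three challenges (this is not the talk's tool): it prefixes a method body with an AVM2 debugfile instruction, puts a debugline in front of each instruction, and repairs what moves as bytes are inserted: the s24 operands of the conditional branches and jump (0x0C to 0x1A, measured from the end of the branch instruction) and the absolute from/to/target offsets of the exception table. It also enforces the 16-bit line limit that follows from fdb's encodeId shown earlier, where (line << 16) | fileId is packed into a 32-bit int and a line above 65535 would be truncated and collide with a smaller one. Assumptions: the opcode length table covers only the instructions in the constructed sample (a real tool needs the full AVM2 table); branches into an instruction are redirected to the debugline inserted in front of it, one way of handling debug instructions as branch targets, so the line event fires on every path; the sample body and its exception entry are made up; lookupswitch (offsets relative to the instruction start) and the debug opcode that names locals are not handled.

```python
OP_DEBUGLINE, OP_DEBUGFILE = 0xF0, 0xF1             # u30 operand each
BRANCH_OPS = set(range(0x0C, 0x1B))                  # ifnlt .. jump (0x10) .. ifstrictne
FIXED_LEN = {0x26: 1, 0x27: 1, 0x30: 1, 0x48: 1,     # pushtrue pushfalse pushscope returnvalue
             0xD0: 1, 0xD1: 1}                       # getlocal_0 getlocal_1
FDB_MAX_LINE = 0xFFFF      # fdb breakpoint id is (line << 16) | fileId in 32 bits

def encode_u30(v):
    out = bytearray()
    while v >= 0x80:
        out.append((v & 0x7F) | 0x80)
        v >>= 7
    out.append(v)
    return bytes(out)

def decode_u30(buf, pos):
    v = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        v |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return v, pos

def decode(code):
    """Split a method body into (offset, opcode, operand bytes) triples."""
    insns, pos = [], 0
    while pos < len(code):
        op = code[pos]
        if op in BRANCH_OPS:
            n = 4
        elif op in (OP_DEBUGLINE, OP_DEBUGFILE):
            n = decode_u30(code, pos + 1)[1] - pos
        elif op in FIXED_LEN:
            n = FIXED_LEN[op]
        else:
            raise ValueError("opcode 0x%02x is outside this example's table" % op)
        insns.append((pos, op, code[pos + 1:pos + n]))
        pos += n
    return insns

def branch_targets(code):
    """(branch offset, absolute target); s24 counts from the end of the branch."""
    return [(off, off + 4 + int.from_bytes(opnd, "little", signed=True))
            for off, op, opnd in decode(code) if op in BRANCH_OPS]

def add_debug_info(code, lines, exceptions, file_index):
    """lines[i]: source line of instruction i (None = no debugline).
    exceptions: [(from, to, target)] absolute offsets. Returns (body, table)."""
    insns = decode(code)
    if len(lines) != len(insns):
        raise ValueError("one line entry per instruction")
    if any(l is not None and l > FDB_MAX_LINE for l in lines):
        raise ValueError("line number exceeds fdb's 16-bit breakpoint encoding")
    head = bytes([OP_DEBUGFILE]) + encode_u30(file_index)
    # Pass 1: new offset of every old instruction. A branch into an instruction
    # is redirected to the debugline placed in front of it.
    new_off, pos = {}, len(head)
    for (old, op, opnd), line in zip(insns, lines):
        new_off[old] = pos
        pos += (1 + len(encode_u30(line)) if line is not None else 0) + 1 + len(opnd)
    new_off[len(code)] = pos                  # exclusive end, legal as an exception 'to'
    # Pass 2: emit, recomputing each s24 against the branch's new end address.
    out = bytearray(head)
    for (old, op, opnd), line in zip(insns, lines):
        if line is not None:
            out += bytes([OP_DEBUGLINE]) + encode_u30(line)
        if op in BRANCH_OPS:
            target = old + 4 + int.from_bytes(opnd, "little", signed=True)
            opnd = (new_off[target] - (len(out) + 4)).to_bytes(3, "little", signed=True)
        out.append(op)
        out += opnd
    # A KeyError here means an exception offset pointed into the middle of an instruction.
    return bytes(out), [(new_off[f], new_off[t], new_off[g]) for f, t, g in exceptions]

# Constructed sample body ("return local1 ? true : false") with a made-up
# exception entry covering offsets 2..9 and a handler at 9.
SAMPLE_CODE = bytes([
    0xD0,                    # 0: getlocal_0
    0x30,                    # 1: pushscope
    0xD1,                    # 2: getlocal_1
    0x12, 0x02, 0x00, 0x00,  # 3: iffalse +2  -> offset 9
    0x26,                    # 7: pushtrue
    0x48,                    # 8: returnvalue
    0x27,                    # 9: pushfalse
    0x48,                    # 10: returnvalue
])
SAMPLE_LINES = [10, 10, 11, 11, 12, 12, 14, 14]
SAMPLE_EXCEPTIONS = [(2, 9, 9)]

if __name__ == "__main__":
    body, table = add_debug_info(SAMPLE_CODE, SAMPLE_LINES, SAMPLE_EXCEPTIONS, 1)
    print(body.hex(), table, branch_targets(body))
```

Two passes are needed because a u30 line number can be one to five bytes, so every later offset depends on every earlier insertion; computing the offset map first and emitting second keeps the branch arithmetic in one place.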
Work in Progress
● Built on top of JPEXS Free Flash Decompiler
● Download from: http://www.securityevaluators.com/knowledge/flash
Further Work
● AIR hands-on testing
● AIR Native Extensions
● iOS AIR ahead-of-time (AOT) compilation
Questions?
http://www.securityevaluators.com/knowledge/flash