google-code-export / asdec

Automatically exported from code.google.com/p/asdec

AS1/2 function body deobfuscation bug #50

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
Decompile an obfuscated file that contains AS1/2 (most typical for secureSWF).

What is the expected output? What do you see instead?
In some cases (most typical for branches - if, switch) the source code is 
skewed. Or even an error arises (try DoInitAction 35 in the attached file).
The inspection has shown that there is a problem while deobfuscating functions 
with a lot of dead code. An internal addressing of the function could exceed 
the address of the next (after the function) instruction.

  Action Push register1 "_tf" is at 2104
  Action GetMember is at 2111
  Action Push "embedFonts" is at 2112
  Action GetMember is at 2117
  Action Return is at 2118
  Action Push "embedFonts" 3 register2 "addProperty" is at 2119
  Action CallMethod is at 2133
  Action Pop is at 2134        <<< last instruction of the function's body
  Action SetMember is at 2091  <<< next address after function
  Action Push 1 null "mx" is at 2092
  Action GetVariable is at 2103
  Action Push "styles" is at 2104
  Action GetMember is at 2109
  Action Push "CSSTextStyles" is at 2110
  Action GetMember is at 2115
  Action Push "prototype" is at 2116
  Action GetMember is at 2121
  Action Push 3 "ASSetPropFlags" is at 2122
  Action CallFunction is at 2132
  Action Pop is at 2133
  Action Push  is at 2134

This often leads to wrong reference definition:

GetMember
Return
}
Push "embedFonts" 3 register2 "addProperty"
loc0855:CallMethod          <<< wrong location, which is actually taken as it occurs first
Pop
}
SetMember
Push 1 null "mx"
GetVariable
Push "styles"
GetMember
Push "CSSTextStyles"
GetMember
Push "prototype"
GetMember
Push 3 "ASSetPropFlags"
CallFunction
loc0855:Pop                 <<< right location
Nop

What version of the product are you using? On what operating system?
1.4.1u1
Windows 7 64-bit

Could you provide the SWF file you have problem with?
If the answer is yes, then please attach it here or send me it via email.
Could you at least attach PCode source?

Do you have the original source code which produced the wrong
decompilation? If yes, then please attach it.

Please provide any additional information below.

Original issue reported on code.google.com by plisnich...@gmail.com on 29 Mar 2013 at 2:55
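
A constructed Python model of the addressing collision described in the report (added here as an illustration; it is not ASDec code). The function body's internal addresses run past the address of the instruction that follows the function, so a flat "first occurrence" lookup for target 0x855 (2133) binds loc0855 to the body's CallMethod instead of the outer block's Pop. Instruction names and addresses follow the listing above; the DefineFunction address and the scoped lookup helper are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Instr:
    name: str
    addr: int
    body: List["Instr"] = field(default_factory=list)  # filled for DefineFunction


# Constructed listing modelled on the report: the body's last "Pop" is at 2134,
# yet "SetMember", the first instruction after the function, is at 2091, so the
# body's addresses collide with the outer block's addresses 2091..2134.
FUNC_BODY = [Instr("Push", 2119), Instr("CallMethod", 2133), Instr("Pop", 2134)]
OUTER = [
    Instr("DefineFunction", 2090, body=FUNC_BODY),  # address is an assumption
    Instr("SetMember", 2091), Instr("Push", 2092), Instr("GetVariable", 2103),
    Instr("Push", 2122), Instr("CallFunction", 2132),
    Instr("Pop", 2133), Instr("Push", 2134),
]


def body_overlaps_successor(fn: Instr, successor: Instr) -> bool:
    """The condition the report identifies: the function's internal addressing
    reaches or exceeds the address of the instruction after the function."""
    return bool(fn.body) and fn.body[-1].addr >= successor.addr


def resolve_first_match(block: List[Instr], target: int) -> Optional[str]:
    """Flat lookup in listing order (function bodies inline): the first
    instruction found at `target` wins. This reproduces the wrong binding."""
    for ins in block:
        if ins.addr == target:
            return ins.name
        for inner in ins.body:
            if inner.addr == target:
                return f"{inner.name} (inside function)"
    return None


def resolve_in_scope(scope: List[Instr], target: int) -> Optional[str]:
    """Scoped lookup: a branch target is only meaningful within the block the
    branch belongs to, so other blocks' bodies are never searched."""
    for ins in scope:
        if ins.addr == target:
            return ins.name
    return None


if __name__ == "__main__":
    print("overlap:", body_overlaps_successor(OUTER[0], OUTER[1]))
    print("first match for 0x855:", resolve_first_match(OUTER, 0x855))
    print("scoped match for 0x855:", resolve_in_scope(OUTER, 0x855))
```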


GoogleCodeExporter commented 9 years ago
Hi, I have moved this issue to new Issue Tracker.
You should have received email info about registering there (with specific link) 
and gaining access to this issue. If you have not received any email, please 
check your SPAM inbox or write to my email.

Original comment by jindra.p...@gmail.com on 31 Mar 2013 at 8:24