m3talstorm / foe-decryption

:unlock: Python tool and tutorial of how to decrypt the Forge of Empires Flash/SWF and generate request signatures
MIT License
50 stars 14 forks source link

what encryption is this? #14

Closed veso266 closed 3 years ago

veso266 commented 6 years ago

Hi this is not specific to Forge of Empires but I realy don't know where to ask anymore so I have a AS3 class: https://pastebin.com/a3hBERhZ which is encrypted somehow and I don't know what tool could create such a mess and of course how could I decrypt it

I think that this could be encrypted with this: http://www.amayeta.com/software/swfencrypt/#00 but I am not realy sure about that

Thanks for Anwsering and Best Regards

diogofacin commented 6 years ago

@veso266 , this is not encrypted, it's obfuscated.

There is no way to "deobfuscate" but some tools can help you analyzing/debugging the code a bit more easily.

Where did you get this piece of code?

veso266 commented 6 years ago

I got it here: http://downloads.dxing.si/speedtest/speedtest-white.swf (realy old version of SpeedTest) I used ffdec to open it (and for some reason its deobfuscation tools didn't work this time)

and after further analysis I found out that infact it is obfuscated with Amayeta SWF Encrypt (if you go to ActionScript Obfuscation: Encrypted Vs Non-Encrypted example you can see it produces same results as they advertise)

So now the question is how can I analyze and reverse this so I at least get partialy readable code because I think that

§\x01§ = 1360 + 658;

for instance probably have some meaning

there are also §§push(67305985); and §§pop() which I saw on other flash files as well (they probably mean something)

BTW: is

var _loc2_ = com["meychi"]["ascrypt"]["MD5"].calculate("something") 

same as

var _loc2_ = com.meychi.ascrypt.MD5.calculate("something")