Hacking a Flash Payload Crypter with 1 line of code

2013 Jul 23 11:08 AM MDT | ActionScript² ActionScript-3¹ Assembly² Flash² Hacks⁹ Security² Web¹³ [2013]³

If the flash file puts everything into a binary section and encrypts it, is there any way to decrypt it? If they cut off the header, you won't be able to memory-dump it, but would you give up there? Of course not!

Somewhere, they have the decrypted data so that they can load it. Just compile some code to intercept it, and inject it:

(new FileReference()).save(_loc_2, "dumped.swf");

In RABCDAsm (AS3), it looks like this:

findpropstrict      QName(PackageNamespace("flash.net"), "FileReference")
constructprop       QName(PackageNamespace("flash.net"), "FileReference"), 0
getlocal2
pushstring          "dumped.swf"
callpropvoid        QName(PackageNamespace(""), "save"), 2

So just put that in the code before it is loaded (call to `loadBytes`) and replace `getlocal2` with whatever will put the decrypted data onto the stack. Once the decrypted data is about to be loaded, you can save it to a file.

In AS2, you'd have to create a server script to echo the file back with FileReference, since it only accepts URL downloads. It’s still feasible though, but writing to a SharedObject and extracting from that might be easier.

In retrospection, I realized that I can also write a fake header if I manage to locate the flash data.