Hacking a Flash Payload Crypter with 1 line of code
2013 Jul 23 11:08 AM MDT | ActionScript2 ActionScript-31 Assembly2 Flash2 Hacks9 Security2 Web13 [2013]3
If the flash file puts everything into a binary section and encrypts it, is there any way to decrypt it? If they cut off the header, you won't be able to memory-dump it, but would you give up there? Of course not!
Somewhere, they have the decrypted data so that they can load it. Just compile some code to intercept it, and inject it:
(new FileReference()).save(_loc_2, "dumped.swf");
In RABCDAsm (AS3), it looks like this:
findpropstrict QName(PackageNamespace("flash.net"), "FileReference")
constructprop QName(PackageNamespace("flash.net"), "FileReference"), 0
getlocal2
pushstring "dumped.swf"
callpropvoid QName(PackageNamespace(""), "save"), 2
So just put that in the code before it is loaded (call to `loadBytes`) and replace `getlocal2` with whatever will put the decrypted data onto the stack. Once the decrypted data is about to be loaded, you can save it to a file.
In AS2, you'd have to create a server script to echo the file back with FileReference, since it only accepts URL downloads. It’s still feasible though, but writing to a SharedObject and extracting from that might be easier.
In retrospection, I realized that I can also write a fake header if I manage to locate the flash data.