Tuesday, October 20, 2015

RABCDASM Angler SWF

Angler has long been using the SecureSWF obfuscator on its SWF exploits. Analyzing SWF files obfuscated with SecureSWF can be a painstaking job. A sample SWF obfuscated with SecureSWF looks like the screenshot below when loaded in ffdec. ffdec can rename identifiers for you, but without that option this is how the SWF looks.



SecureSWF replaces the important strings used in the code with calls to a function of its own, which returns the real value at run time for the code to use. A small fragment of the Angler Exploit Kit code is highlighted below.


When the code runs, the call "§_a_-_---§.§_a_--_--§(-1820302794)" is executed and its return value is assigned to the variable "_loc2_". Looking this up and resolving it manually can be very time consuming and at times (actually every time!) very irritating. The function "§_a_-_---§.§_a_--_--§" takes a single argument, XORs it and uses the result as an index into an array.

The trick here is to use the RABCDASM tool: disassemble the SWF, add the routines we need to reveal the value returned by "§_a_-_---§.§_a_--_--§", and repack the SWF. It may sound complicated, but it gets easier as we go.

First we disassemble the SWF by running a couple of commands on it.


After executing the above commands, we get a folder with all the disassembled class files, in this case "3-0".

To ease things we add a helper function to the mix. It prints out the output we need (in our case the results of the function "§_a_-_---§.§_a_--_--§"). The helper can either be pushed into one of the existing "*.script.asasm" files or into a separate file. Below is the helper function; it sends an HTTP request to localhost carrying the index and the deobfuscated string (well, it's not actually obfuscated, but I don't know what else to call it >:(.


We compile this ActionScript and disassemble it. After disassembling, it has to be included with the existing code. This can be done by simply adding an "include" statement to the "main" script asasm file, in this case "3-0.main.asasm". Below is what the folder structure and the "main" asasm file look like.


Now it is time to edit the "§_a_-_---§.§_a_--_--§" function so that it pushes out the deobfuscated string. The code below achieves this: it calls the helper function, which sends the HTTP request with the index and the deobfuscated string.



Following this, all the class files need to be compiled back, which yields the edited SWF file. The commands below get us there.

We verify that everything has panned out as expected. Take a look at the SWF under the decompiler now.



As it turns out, everything worked as expected. We now load the SWF into the browser and voila, we get the data we are after (in the dumbest possible way :). Take a look at Fiddler.
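As an added example (not the post's own code), here is a small Python listener that can stand in for Fiddler: it accepts the helper's requests on localhost, builds an index-to-string table, flags any index that is reported with two different strings, and prints the table when you stop it. The request shape GET /leak?i=&lt;index&gt;&amp;s=&lt;string&gt; and port 8000 are assumptions, since the post does not show the helper's exact URL.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs
# Assumed (not from the post): helper sends GET /leak?i=<index>&s=<string>
LEAKED = {}  # index -> deobfuscated string, filled by the instrumented SWF

def parse_leak(path):
    """(index, string) for a leak request, else None (e.g. /crossdomain.xml probe)."""
    url = urlparse(path)
    if url.path != "/leak":
        return None
    q = parse_qs(url.query, keep_blank_values=True)  # keep empty strings too
    if "i" not in q or "s" not in q:
        return None
    try:
        return int(q["i"][0]), q["s"][0]
    except ValueError:
        return None

def record(path, store=LEAKED):
    """Add one pair to the table; a differing string for a seen index is flagged."""
    hit = parse_leak(path)
    if hit is not None:
        idx, s = hit
        if idx in store and store[idx] != s:
            store[idx] += " <CONFLICT> " + s
        else:
            store[idx] = s
    return store

def dump_table(store=LEAKED):
    """'index<TAB>string' lines sorted by index, ready to keep beside the asasm."""
    return "\n".join("%d\t%s" % (i, store[i]) for i in sorted(store))

class LeakHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        record(self.path)
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

def serve(port=8000):
    """Listen on localhost until Ctrl-C, then print every leaked pair."""
    srv = HTTPServer(("127.0.0.1", port), LeakHandler)
    try:
        srv.serve_forever()
    except KeyboardInterrupt:
        srv.server_close()
    print(dump_table())
if __name__ == "__main__":
    serve()
```

Point the helper at http://127.0.0.1:8000/leak, load the SWF, and stop the script with Ctrl-C once the requests have stopped arriving.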


There are multiple other ways to dump the strings:

  • push it to a textbox
  • push it to a SharedObject
  • push it to the Flash debug log under the debugger version of Flash

and plenty more.
