Thursday, April 21, 2016

Decoding Angler Redirect SWF using JPEXS FFDEC

Of late Angler Exploit is seen to use SWF that redirects an unwary user to Angler Exploit Kit gate website. This SWF is not highly obfuscated, but encodes the redirection HTML code using "base64" and has a little algorithm that decodes the string post "base64" decoding. Below is the decoding logic, the function takes 2 arguments, "param1" is the "base64" decoded string and "param2" is an integer that passed through "Flashvars" from HTML code.

"Base64" encoded string below which is later decoded and passed to "de" function above.

"param2" that's passed from HTML code,

Lets use FFDEC to get the HTML code. FFDEC now supports SWF file debugging. You can set breakpoints on the "actionscript" code and observe what's happening to the variables, stack calls etc.

In order to get the code that redirects to Angler Exploit Kit, place a breakpoint on "return _loc3_;" (that return the decoded HTML) line in the "de" function. Running the SWF after placing breakpoint will yield us the HTML code responsible for the redirection.

Note: You can use the edit function in FFDEC to replace "param2" with '3' (check value of param2 in below snapshot) as passed from the HTML code. Debugging the SWF should break at "de" function and display the HTML code as seen below.

Thanks to the developers of "JPEXS Free Flash Decompiler" for this wonderful tool.

No comments:

Post a Comment