fluscate/bin/fluscate.pl

#!/usr/bin/perl

# fluscate.pl 0.04 - The Flash Obfuscator

# $Id: fluscate.pl,v 1.3 2004/07/23 12:56:07 joko Exp $
# $Log: fluscate.pl,v $
# Revision 1.4  2004/07/26 13:51:54  joko
# updated pod
#
# Revision 1.3  2004/07/23 12:56:07  joko
# updated pod
#
# Revision 1.2  2004/07/23 12:24:52  joko
# pod
#
# Revision 1.1  2004/07/23 12:13:14  joko
# initial commit
#

=pod

  This software is Copyright (C) 2004 Andreas Motl
  Ideas and future AppleScript integration by Holger Marseille.
  
  This program is free software; you can redistribute it and/or
  modify it under the terms of the GNU General Public License
  as published by the Free Software Foundation; either version 2
  of the License, or (at your option) any later version.
  
  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
  
  You should have received a copy of the GNU General Public License
  along with this program; if not, write to the Free Software
  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.

=cut


=pod

=head1 Features


=head2 Obfuscation

  See ASO Pro: http://www.genable.com/aso/preview.html
  

=head2 Functions

  fluscate handles two different styles of function declarations:

  1. "Normal" ones
      function mp3Player ('arg1', 'arg2')

  2. There may be "stacked" function declarations
      push 'mp3Player'
      function  ()


=head1 Dependencies

  "flasm" is required to disassemble swf files, see http://www.nowrap.de/flasm.html
  ACKs go to Igor Kogan.


=head1 Usage

=head2 win32

  #> flasm.exe -d puzzle.swf > puzzle.flm
  #> cat puzzle.flm | perl fluscate.pl > puzzle_fusc.flm
  #> flasm.exe -a puzzle_fusc.flm

=head2 *nix

  #> ./flasm -d puzzle.swf > puzzle.flm
  #> cat puzzle.flm | ./fluscate.pl > puzzle_fusc.flm
  #> ./flasm -a puzzle_fusc.flm


=head1 Development

=head2 Todo

  - provide list of flash event handler names to exclude from symbol replacement

=head2 Wishlist

  - komplexere verschlüsselung als "-1, -2 ..." z-b nicht in der numerischen reihenfolge sondern nach 
    zufallsprinip (-21,-3,-89)? (->random)
  - evtl. constants nach abfrage ersetzen ? leider sehr aufwendig, bei vielen constants (->ask)
  - rausgeben des arrays mit den "neuen" werten um evtl die obfuscation rückgängig zu machen (->undo)
  -  "    push 0
         ls:
         dup
         trace
         branchIfTrue ls" 
    ... after each "constants" declaration (->pollute)
  - what about other symbols beside "function"s? (e.g. variables) (->mode)
  - include list of ->keywords from:
    http://www.macromedia.com/support/flash/action_scripts/actionscript_dictionary/
  - replace symbols in multiple files (->multifile)

=head2 Notes

  - no function may be called "Initialize", rename it to (e.g.) "Initialize2", reassembling will not work otherwise
    (doesn't matter when obfuscating since function names will be replaced of course)
  - function names seem to be/work case insensitive (shuffle <-> Shuffle)
  - successfully tested with http://download.macromedia.com/pub/flash/showme/win/puzzle.zip
  - make sure -1, -2, -3, .... gets replaced with '-1', '-2', '-3', ...
  - there are multiple caller lines: callFunction, callMethod; do we have to take special care to methods?
  - "getMember" and "getVariable" also do function calls!
  - there are reserved function names which must not be replaced! (-> event handlers, e.g. "onPress")


=head1 Links

=head2 ActionScript Decompilers / Disassemblers

  Flasm:
    http://www.nowrap.de/flasm.html
    http://www.opaque.net/~dave/flasm/
  Flare: http://www.nowrap.de/flare.html
  Sothink SWF Decompiler: http://www.srctec.com/flashdecompiler/
  Imperator FLA: http://www.ave-imperator.com/
  SWF Decompiler: http://www.19.5degs.com/swfdecompiler.php
  Gordon: http://www.futurecandy.com/

=head2 ActionScript Editors & Co.

  URL Action Editor and Actionscript Viewer:
    http://www.buraks.com/
    http://voisen.org/archives/2003/02/uae_303_and_asv_309.php
  SE|PY ActionScript Editor: http://www.sephiroth.it/python/sepy.php

=head2 Obfuscators

  ASO Pro (ActionScript Obfuscator Pro): http://www.genable.com/aso/preview.html
  SWOB (swf obfuscator): http://home.byu.net/jtb64/Swob.htm
  OBFU - A Flash Actionscript obfuscator: http://opaque.net/~dave/obfu/

=head2 Misc

  ActionScript Protection:
    http://www.as-protect.com/
    http://www.quasimondo.com/archives/000377.php
  Developer's SWF Guardian: http://anyrd.anyorganization.com/
  Password Busting / SWF Protections: http://www.searchlores.org/cinix_fla.htm

=head2 Off-Topic
  
  XPath for Actionscript and other stuff: http://www.xfactorstudio.com/Actionscript/
  SerializerClass: http://sourceforge.net/projects/serializerclass/
  AMF::Perl - Flash Remoting in Perl and Python - using Flash Remoting protocol (AMF):
    http://simonf.com/amfperl/
  PEAR::SWF - Read and write SWF head tag: http://www.sephiroth.it/test/php/SWF/
  AMFPHP - Flash Remoting for PHP: http://www.amfphp.org/

=cut


use strict;
use warnings;

my $regex = {
  'function' => 'function(?:2|)\s(.+?)\s\(.*?\)',
  'constants' => 'constants',
  'call' => '(?:callFunction|callMethod|getMember|getVariable)',
  'function_stacked' => 'function(?:2|)\s\s\(.*?\)',
  'push' => 'push\s\'(.+?)\'',
};
my @symbols_events = qw( 
  onDragOut
  onDragOver
  onKeyUp
  onKeyDown
  onKillFocus
  onPress
  onRelease
  onReleaseOutside
  onRollOut
  onRollOver
  onSetFocus
  onActivity
  onStatus
  onSelect
  onData
  onLoad
  allowDomain
  allowInsecureDomain
  onMouseDown
  onMouseMove
  onMouseUp
  onMouseWheel
  onEnterFrame
  onUnload
  onLoadComplete
  onLoadError
  onLoadInit
  onLoadProgress
  onLoadStart
  onID3
  onSoundComplete
  onResize
  onChanged
  onScroller
);
my @symbols;

# 1. read flasm code from STDIN
my @lines = <STDIN>;

my $counter = 0;
foreach (@lines) {
  
  # trim newlines
  #chomp;
  my $symbol;
  
  # check for all "function" / "function2" symbols and ...
  if (m/$regex->{function}/) {
    # ... remember them
    $symbol = $1;
  
  
  } elsif (m/$regex->{function_stacked}/) {
    if ($lines[$counter - 1] =~ m/$regex->{push}/) {
      $symbol = $1;
    }
  }
  
  if ($symbol and not grep(/$symbol/, @symbols_events)) {
    push @symbols, $symbol;
  }
  
  $counter++;
  
}

#print join("\n", @symbols); exit;

# 2. step through all symbols found and replace them
my $symbol_counter = -1;
foreach my $symbol (@symbols) {
  my $line_counter = 0;
  foreach (@lines) {
    
    # function declarations; single quotes might not be there!
    if (m/$regex->{function}/) {
      s/\s'*$symbol'*\s/ '$symbol_counter' /i;
    
    # "constants"-line at begin of each block; single quotes should already be there
    } elsif (m/$regex->{constants}/) {
      s/'$symbol'/'$symbol_counter'/i;
    
    # function calls; replace inside predecessor line of calling-lines
    } elsif (m/$regex->{call}/) {
      $lines[$line_counter - 1] =~ s/'$symbol'/'$symbol_counter'/i;

    # function declarations; name of function is pushed on stack one line before!
    } elsif (m/$regex->{function_stacked}/) {
      $lines[$line_counter - 1] =~ s/'$symbol'/'$symbol_counter'/i;
    }

    $line_counter++;
    
  }
  $symbol_counter--;
}

# write all stuff to STDOUT
print STDOUT @lines;
1	joko	1.1	#!/usr/bin/perl
2
3	joko	1.5	# fluscate.pl 0.04 - The Flash Obfuscator
4	joko	1.1
5	joko	1.4	# $Id: fluscate.pl,v 1.3 2004/07/23 12:56:07 joko Exp $
6	joko	1.2	# $Log: fluscate.pl,v $
7	joko	1.5	# Revision 1.4 2004/07/26 13:51:54 joko
8			# updated pod
9			#
10	joko	1.4	# Revision 1.3 2004/07/23 12:56:07 joko
11			# updated pod
12			#
13	joko	1.3	# Revision 1.2 2004/07/23 12:24:52 joko
14			# pod
15			#
16	joko	1.2	# Revision 1.1 2004/07/23 12:13:14 joko
17			# initial commit
18			#
19	joko	1.1
20			=pod
21
22	joko	1.2	This software is Copyright (C) 2004 Andreas Motl
23			Ideas and future AppleScript integration by Holger Marseille.
24
25			This program is free software; you can redistribute it and/or
26			modify it under the terms of the GNU General Public License
27			as published by the Free Software Foundation; either version 2
28			of the License, or (at your option) any later version.
29
30			This program is distributed in the hope that it will be useful,
31			but WITHOUT ANY WARRANTY; without even the implied warranty of
32			MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
33			GNU General Public License for more details.
34
35			You should have received a copy of the GNU General Public License
36			along with this program; if not, write to the Free Software
37			Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
38
39	joko	1.1	=cut
40
41
42			=pod
43
44			=head1 Features
45
46	joko	1.4
47			=head2 Obfuscation
48
49			See ASO Pro: http://www.genable.com/aso/preview.html
50
51
52	joko	1.2	=head2 Functions
53
54			fluscate handles two different styles of function declarations:
55
56			1. "Normal" ones
57			function mp3Player ('arg1', 'arg2')
58
59			2. There may be "stacked" function declarations
60			push 'mp3Player'
61			function ()
62
63
64	joko	1.3	=head1 Dependencies
65
66			"flasm" is required to disassemble swf files, see http://www.nowrap.de/flasm.html
67			ACKs go to Igor Kogan.
68
69
70	joko	1.2	=head1 Usage
71
72			=head2 win32
73
74			#> flasm.exe -d puzzle.swf > puzzle.flm
75			#> cat puzzle.flm \| perl fluscate.pl > puzzle_fusc.flm
76			#> flasm.exe -a puzzle_fusc.flm
77
78			=head2 *nix
79
80	joko	1.3	#> ./flasm -d puzzle.swf > puzzle.flm
81			#> cat puzzle.flm \| ./fluscate.pl > puzzle_fusc.flm
82			#> ./flasm -a puzzle_fusc.flm
83	joko	1.2
84
85			=head1 Development
86
87			=head2 Todo
88
89			- provide list of flash event handler names to exclude from symbol replacement
90
91			=head2 Wishlist
92
93	joko	1.1	- komplexere verschlüsselung als "-1, -2 ..." z-b nicht in der numerischen reihenfolge sondern nach
94			zufallsprinip (-21,-3,-89)? (->random)
95			- evtl. constants nach abfrage ersetzen ? leider sehr aufwendig, bei vielen constants (->ask)
96			- rausgeben des arrays mit den "neuen" werten um evtl die obfuscation rückgängig zu machen (->undo)
97			- " push 0
98			ls:
99			dup
100			trace
101			branchIfTrue ls"
102			... after each "constants" declaration (->pollute)
103	joko	1.2	- what about other symbols beside "function"s? (e.g. variables) (->mode)
104	joko	1.5	- include list of ->keywords from:
105			http://www.macromedia.com/support/flash/action_scripts/actionscript_dictionary/
106			- replace symbols in multiple files (->multifile)
107	joko	1.1
108	joko	1.2	=head2 Notes
109	joko	1.1
110			- no function may be called "Initialize", rename it to (e.g.) "Initialize2", reassembling will not work otherwise
111			(doesn't matter when obfuscating since function names will be replaced of course)
112			- function names seem to be/work case insensitive (shuffle <-> Shuffle)
113			- successfully tested with http://download.macromedia.com/pub/flash/showme/win/puzzle.zip
114			- make sure -1, -2, -3, .... gets replaced with '-1', '-2', '-3', ...
115			- there are multiple caller lines: callFunction, callMethod; do we have to take special care to methods?
116			- "getMember" and "getVariable" also do function calls!
117			- there are reserved function names which must not be replaced! (-> event handlers, e.g. "onPress")
118	joko	1.4
119
120			=head1 Links
121
122			=head2 ActionScript Decompilers / Disassemblers
123
124			Flasm:
125			http://www.nowrap.de/flasm.html
126			http://www.opaque.net/~dave/flasm/
127			Flare: http://www.nowrap.de/flare.html
128			Sothink SWF Decompiler: http://www.srctec.com/flashdecompiler/
129			Imperator FLA: http://www.ave-imperator.com/
130			SWF Decompiler: http://www.19.5degs.com/swfdecompiler.php
131			Gordon: http://www.futurecandy.com/
132
133			=head2 ActionScript Editors & Co.
134
135			URL Action Editor and Actionscript Viewer:
136			http://www.buraks.com/
137			http://voisen.org/archives/2003/02/uae_303_and_asv_309.php
138			SE\|PY ActionScript Editor: http://www.sephiroth.it/python/sepy.php
139
140			=head2 Obfuscators
141
142			ASO Pro (ActionScript Obfuscator Pro): http://www.genable.com/aso/preview.html
143			SWOB (swf obfuscator): http://home.byu.net/jtb64/Swob.htm
144			OBFU - A Flash Actionscript obfuscator: http://opaque.net/~dave/obfu/
145
146			=head2 Misc
147
148			ActionScript Protection:
149			http://www.as-protect.com/
150			http://www.quasimondo.com/archives/000377.php
151			Developer's SWF Guardian: http://anyrd.anyorganization.com/
152			Password Busting / SWF Protections: http://www.searchlores.org/cinix_fla.htm
153
154			=head2 Off-Topic
155
156			XPath for Actionscript and other stuff: http://www.xfactorstudio.com/Actionscript/
157			SerializerClass: http://sourceforge.net/projects/serializerclass/
158			AMF::Perl - Flash Remoting in Perl and Python - using Flash Remoting protocol (AMF):
159			http://simonf.com/amfperl/
160			PEAR::SWF - Read and write SWF head tag: http://www.sephiroth.it/test/php/SWF/
161			AMFPHP - Flash Remoting for PHP: http://www.amfphp.org/
162	joko	1.1
163			=cut
164
165
166			use strict;
167			use warnings;
168
169			my $regex = {
170			'function' => 'function(?:2\|)\s(.+?)\s\(.*?\)',
171			'constants' => 'constants',
172			'call' => '(?:callFunction\|callMethod\|getMember\|getVariable)',
173			'function_stacked' => 'function(?:2\|)\s\s\(.*?\)',
174			'push' => 'push\s\'(.+?)\'',
175			};
176	joko	1.5	my @symbols_events = qw(
177			onDragOut
178			onDragOver
179			onKeyUp
180			onKeyDown
181			onKillFocus
182			onPress
183			onRelease
184			onReleaseOutside
185			onRollOut
186			onRollOver
187			onSetFocus
188			onActivity
189			onStatus
190			onSelect
191			onData
192			onLoad
193			allowDomain
194			allowInsecureDomain
195			onMouseDown
196			onMouseMove
197			onMouseUp
198			onMouseWheel
199			onEnterFrame
200			onUnload
201			onLoadComplete
202			onLoadError
203			onLoadInit
204			onLoadProgress
205			onLoadStart
206			onID3
207			onSoundComplete
208			onResize
209			onChanged
210			onScroller
211			);
212	joko	1.1	my @symbols;
213
214			# 1. read flasm code from STDIN
215			my @lines = <STDIN>;
216
217			my $counter = 0;
218			foreach (@lines) {
219
220			# trim newlines
221			#chomp;
222			my $symbol;
223
224			# check for all "function" / "function2" symbols and ...
225			if (m/$regex->{function}/) {
226			# ... remember them
227			$symbol = $1;
228
229
230			} elsif (m/$regex->{function_stacked}/) {
231			if ($lines[$counter - 1] =~ m/$regex->{push}/) {
232			$symbol = $1;
233			}
234			}
235
236			if ($symbol and not grep(/$symbol/, @symbols_events)) {
237			push @symbols, $symbol;
238			}
239
240			$counter++;
241
242			}
243
244			#print join("\n", @symbols); exit;
245
246			# 2. step through all symbols found and replace them
247			my $symbol_counter = -1;
248			foreach my $symbol (@symbols) {
249			my $line_counter = 0;
250			foreach (@lines) {
251
252			# function declarations; single quotes might not be there!
253			if (m/$regex->{function}/) {
254	joko	1.5	s/\s'$symbol'\s/ '$symbol_counter' /i;
255	joko	1.1
256			# "constants"-line at begin of each block; single quotes should already be there
257			} elsif (m/$regex->{constants}/) {
258			s/'$symbol'/'$symbol_counter'/i;
259
260			# function calls; replace inside predecessor line of calling-lines
261			} elsif (m/$regex->{call}/) {
262			$lines[$line_counter - 1] =~ s/'$symbol'/'$symbol_counter'/i;
263
264			# function declarations; name of function is pushed on stack one line before!
265			} elsif (m/$regex->{function_stacked}/) {
266			$lines[$line_counter - 1] =~ s/'$symbol'/'$symbol_counter'/i;
267			}
268
269			$line_counter++;
270
271			}
272			$symbol_counter--;
273			}
274
275			# write all stuff to STDOUT
276			print STDOUT @lines;
MailToCvsAdmin">MailToCvsAdmin	ViewVC Help
Powered by ViewVC 1.1.26