fluscate/bin/fluscate.pl

#!/usr/bin/perl

# fluscate - The Flash Obfuscator

# $Id: fluscate.pl,v 1.5 2004/07/26 16:11:58 joko Exp $
# $Log: fluscate.pl,v $
# Revision 1.5  2004/07/26 16:11:58  joko
# updated pod
# included more complete list of flash event-handlers
# fixed substitution regex #1: now using spaces around function names
#
# Revision 1.4  2004/07/26 13:51:54  joko
# updated pod
#
# Revision 1.3  2004/07/23 12:56:07  joko
# updated pod
#
# Revision 1.2  2004/07/23 12:24:52  joko
# pod
#
# Revision 1.1  2004/07/23 12:13:14  joko
# initial commit
#

=pod

  fluscate - The Flash Obfuscator

  This software is Copyright (C) 2004 Andreas Motl
  Ideas and MacOS X Application by Holger Marseille
  
  This program is free software; you can redistribute it and/or
  modify it under the terms of the GNU General Public License
  as published by the Free Software Foundation; either version 2
  of the License, or (at your option) any later version.
  
  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
  
  You should have received a copy of the GNU General Public License
  along with this program; if not, write to the Free Software
  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.

=cut


=pod

=head1 Features


=head2 Obfuscation

  See ASO Pro: http://www.genable.com/aso/preview.html
  

=head2 Functions

  fluscate handles two different styles of function declarations:

  1. "Normal" ones, e.g.
      function mp3Player ('arg1', 'arg2')

  2. There may be "stacked" function declarations, e.g.
      push 'mp3Player'
      function  ()

=head2 Pollute

  Some flash-disassemblers might croak when inserting the following code 
  after a/each "constants"-declaration:

    push 0
    ls:
      dup
      trace
      branchIfTrue ls" 


=head1 Dependencies

  "flasm" is required to disassemble swf files, see http://www.nowrap.de/flasm.html
  ACKs go to Igor Kogan.


=head1 Usage

=head2 General

  Please type "fluscate --help" to get more information about command-line parameters.

=head2 win32

  #> flasm.exe -d puzzle.swf > puzzle.flm
  #> cat puzzle.flm | perl fluscate.pl > puzzle_fusc.flm
  #> flasm.exe -a puzzle_fusc.flm

=head2 *nix

  #> ./flasm -d puzzle.swf > puzzle.flm
  #> cat puzzle.flm | ./fluscate.pl > puzzle_fusc.flm
  #> ./flasm -a puzzle_fusc.flm


=head1 Development

=head2 Todo

  - provide list of flash event handler names to exclude from symbol replacement

=head2 Wishlist

  - komplexere verschlüsselung als "-1, -2 ..." z-b nicht in der numerischen reihenfolge sondern nach 
    zufallsprinip (-21,-3,-89)? (->random)
  - evtl. constants nach abfrage ersetzen ? leider sehr aufwendig, bei vielen constants (->ask)
  - rausgeben des arrays mit den "neuen" werten um evtl die obfuscation rückgängig zu machen (->undo)
  - what about other symbols beside "function"s? (e.g. variables) (->mode)
  - include list of ->keywords from:
    http://www.macromedia.com/support/flash/action_scripts/actionscript_dictionary/
  - replace symbols in multiple files (->multifile)

=head2 Notes

  - no function may be called "Initialize", rename it to (e.g.) "Initialize2", reassembling will not work otherwise
    (doesn't matter when obfuscating since function names will be replaced of course)
  - function names seem to be/work case insensitive (shuffle <-> Shuffle)
  - successfully tested with http://download.macromedia.com/pub/flash/showme/win/puzzle.zip
  - make sure -1, -2, -3, .... gets replaced with '-1', '-2', '-3', ...
  - there are multiple caller lines: callFunction, callMethod; do we have to take special care to methods?
  - "getMember" and "getVariable" also do function calls!
  - there are reserved function names which must not be replaced! (-> event handlers, e.g. "onPress")


=head1 Links

=head2 ActionScript Decompilers / Disassemblers

  Flasm:
    http://www.nowrap.de/flasm.html
    http://www.opaque.net/~dave/flasm/
  Flare: http://www.nowrap.de/flare.html
  Sothink SWF Decompiler: http://www.srctec.com/flashdecompiler/
  Imperator FLA: http://www.ave-imperator.com/
  SWF Decompiler: http://www.19.5degs.com/swfdecompiler.php
  Gordon: http://www.futurecandy.com/

=head2 ActionScript Editors & Co.

  URL Action Editor and Actionscript Viewer:
    http://www.buraks.com/
    http://voisen.org/archives/2003/02/uae_303_and_asv_309.php
  SE|PY ActionScript Editor: http://www.sephiroth.it/python/sepy.php

=head2 Obfuscators

  ASO Pro (ActionScript Obfuscator Pro): http://www.genable.com/aso/preview.html
  SWOB (swf obfuscator): http://home.byu.net/jtb64/Swob.htm
  OBFU - A Flash Actionscript obfuscator: http://opaque.net/~dave/obfu/

=head2 Misc

  ActionScript Protection:
    http://www.as-protect.com/
    http://www.quasimondo.com/archives/000377.php
  Developer's SWF Guardian: http://anyrd.anyorganization.com/
  Password Busting / SWF Protections: http://www.searchlores.org/cinix_fla.htm

=head2 Off-Topic

=head3 XML

  XPath for Actionscript and other stuff: http://www.xfactorstudio.com/Actionscript/
  XMLRPC Flash Libraries for ActionScript 2.0: http://xmlrpcflash.sourceforge.net/

=head3 Marshalling / AMF (Flash Remoting protocol)

  AMFPHP - Flash Remoting for PHP: http://www.amfphp.org/
  AMF::Perl - Flash Remoting in Perl and Python: http://simonf.com/amfperl/
  SerializerClass: http://sourceforge.net/projects/serializerclass/

=head3 Misc

  PEAR::SWF - Read and write SWF head tag: http://www.sephiroth.it/test/php/SWF/
  Convert videos to flv:
    http://ffmpeg.sourceforge.net/
    http://www.videohelp.com/tools?tool=263
  Flash-CMS: http://www.lachoseinteractive.net/fr/produits/alahup/

=cut


use strict;
use warnings;

use Getopt::Long;
use Storable;
use Data::Dumper;

my $VERSION = "0.10";

my $regex = {
  'function' => 'function(?:2|)\s(.+?)\s\(.*?\)',
  'constants' => 'constants',
  'call' => '(?:callFunction|callMethod|getMember|getVariable)',
  'function_stacked' => 'function(?:2|)\s\s\(.*?\)',
  'push' => 'push\s\'(.+?)\'',
};
my @symbols;
my @lines;
my $options;

sub read_options {
  GetOptions(
    "pollute" => \$options->{pollute},
    "help" => \$options->{help},
    "version" => \$options->{version}
  );
}

sub scan_symbols {
  my @symbols_events = qw( 
    onDragOut
    onDragOver
    onKeyUp
    onKeyDown
    onKillFocus
    onPress
    onRelease
    onReleaseOutside
    onRollOut
    onRollOver
    onSetFocus
    onActivity
    onStatus
    onSelect
    onData
    onLoad
    allowDomain
    allowInsecureDomain
    onMouseDown
    onMouseMove
    onMouseUp
    onMouseWheel
    onEnterFrame
    onUnload
    onLoadComplete
    onLoadError
    onLoadInit
    onLoadProgress
    onLoadStart
    onID3
    onSoundComplete
    onResize
    onChanged
    onScroller
  );
  
  my $counter = 0;
  foreach (@lines) {
    
    # trim newlines
    #chomp;
    my $symbol;
    
    # check for all "function" / "function2" symbols and ...
    if (m/$regex->{function}/) {
      # ... remember them
      $symbol = $1;
    
    
    } elsif (m/$regex->{function_stacked}/) {
      if ($lines[$counter - 1] =~ m/$regex->{push}/) {
        $symbol = $1;
      }
    }
    
    if ($symbol and not grep(/$symbol/, @symbols_events)) {
      push @symbols, $symbol;
    }
    
    $counter++;
    
  }
  
}

#print join("\n", @symbols); exit;

# 2. step through all symbols found and replace them
sub obfuscate {

  # 1st stage: symbol replacement
  my $symbol_counter = -1;
  foreach my $symbol (@symbols) {
    my $line_counter = 0;
    foreach (@lines) {
      
      # function declarations; single quotes might not be there!
      if (m/$regex->{function}/) {
        s/\s'*$symbol'*\s/ '$symbol_counter' /i;
      
      # "constants"-line at begin of each block; single quotes should already be there
      } elsif (m/$regex->{constants}/) {
        s/'$symbol'/'$symbol_counter'/i;
      
      # function calls; replace inside predecessor line of calling-lines
      } elsif (m/$regex->{call}/) {
        $lines[$line_counter - 1] =~ s/'$symbol'/'$symbol_counter'/i;
  
      # function declarations; name of function is pushed on stack one line before!
      } elsif (m/$regex->{function_stacked}/) {
        $lines[$line_counter - 1] =~ s/'$symbol'/'$symbol_counter'/i;
      }

      $line_counter++;
      
    }
    $symbol_counter--;
  }

  # 2nd stage: pollute & Co.
  if ($options->{pollute}) {
    foreach (@lines) {
      if (m/$regex->{constants}/) {
        my $inject = qq(
      push 0
      ls:
        dup
        trace
        branchIfTrue ls
  
);
        $_ .= $inject;
      }
    }
  }

}

sub usage {
  print "fluscate - The Flash Obfuscator (v$VERSION)", "\n";
  if (not $options->{version}) {
  print <<USAGE;
    [-p|--pollute]      Pollute code by inserting snippet making life harder for disassemblers 
    [-h|--help]         This text
    [-v|--version]      Show version information only
USAGE
  };
}

sub main {
  read_options();
  #print Dumper($options);
  if ($options->{help} || $options->{version}) {
    usage();
    exit;
  }
  # read flasm code from STDIN
  @lines = <STDIN>;
  scan_symbols();
  obfuscate();
  # write all stuff to STDOUT
  print STDOUT @lines;
}

main();

1;
__END__
1	joko	1.1	#!/usr/bin/perl
2
3	joko	1.6	# fluscate - The Flash Obfuscator
4	joko	1.1
5	joko	1.6	# $Id: fluscate.pl,v 1.5 2004/07/26 16:11:58 joko Exp $
6	joko	1.2	# $Log: fluscate.pl,v $
7	joko	1.6	# Revision 1.5 2004/07/26 16:11:58 joko
8			# updated pod
9			# included more complete list of flash event-handlers
10			# fixed substitution regex #1: now using spaces around function names
11			#
12	joko	1.5	# Revision 1.4 2004/07/26 13:51:54 joko
13			# updated pod
14			#
15	joko	1.4	# Revision 1.3 2004/07/23 12:56:07 joko
16			# updated pod
17			#
18	joko	1.3	# Revision 1.2 2004/07/23 12:24:52 joko
19			# pod
20			#
21	joko	1.2	# Revision 1.1 2004/07/23 12:13:14 joko
22			# initial commit
23			#
24	joko	1.1
25			=pod
26
27	joko	1.6	fluscate - The Flash Obfuscator
28
29	joko	1.2	This software is Copyright (C) 2004 Andreas Motl
30	joko	1.6	Ideas and MacOS X Application by Holger Marseille
31	joko	1.2
32			This program is free software; you can redistribute it and/or
33			modify it under the terms of the GNU General Public License
34			as published by the Free Software Foundation; either version 2
35			of the License, or (at your option) any later version.
36
37			This program is distributed in the hope that it will be useful,
38			but WITHOUT ANY WARRANTY; without even the implied warranty of
39			MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
40			GNU General Public License for more details.
41
42			You should have received a copy of the GNU General Public License
43			along with this program; if not, write to the Free Software
44			Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
45
46	joko	1.1	=cut
47
48
49			=pod
50
51			=head1 Features
52
53	joko	1.4
54			=head2 Obfuscation
55
56			See ASO Pro: http://www.genable.com/aso/preview.html
57
58
59	joko	1.2	=head2 Functions
60
61			fluscate handles two different styles of function declarations:
62
63	joko	1.6	1. "Normal" ones, e.g.
64	joko	1.2	function mp3Player ('arg1', 'arg2')
65
66	joko	1.6	2. There may be "stacked" function declarations, e.g.
67	joko	1.2	push 'mp3Player'
68			function ()
69
70	joko	1.6	=head2 Pollute
71
72			Some flash-disassemblers might croak when inserting the following code
73			after a/each "constants"-declaration:
74
75			push 0
76			ls:
77			dup
78			trace
79			branchIfTrue ls"
80
81	joko	1.2
82	joko	1.3	=head1 Dependencies
83
84			"flasm" is required to disassemble swf files, see http://www.nowrap.de/flasm.html
85			ACKs go to Igor Kogan.
86
87
88	joko	1.2	=head1 Usage
89
90	joko	1.6	=head2 General
91
92			Please type "fluscate --help" to get more information about command-line parameters.
93
94	joko	1.2	=head2 win32
95
96			#> flasm.exe -d puzzle.swf > puzzle.flm
97			#> cat puzzle.flm \| perl fluscate.pl > puzzle_fusc.flm
98			#> flasm.exe -a puzzle_fusc.flm
99
100			=head2 *nix
101
102	joko	1.3	#> ./flasm -d puzzle.swf > puzzle.flm
103			#> cat puzzle.flm \| ./fluscate.pl > puzzle_fusc.flm
104			#> ./flasm -a puzzle_fusc.flm
105	joko	1.2
106
107			=head1 Development
108
109			=head2 Todo
110
111			- provide list of flash event handler names to exclude from symbol replacement
112
113			=head2 Wishlist
114
115	joko	1.1	- komplexere verschlüsselung als "-1, -2 ..." z-b nicht in der numerischen reihenfolge sondern nach
116			zufallsprinip (-21,-3,-89)? (->random)
117			- evtl. constants nach abfrage ersetzen ? leider sehr aufwendig, bei vielen constants (->ask)
118			- rausgeben des arrays mit den "neuen" werten um evtl die obfuscation rückgängig zu machen (->undo)
119	joko	1.2	- what about other symbols beside "function"s? (e.g. variables) (->mode)
120	joko	1.5	- include list of ->keywords from:
121			http://www.macromedia.com/support/flash/action_scripts/actionscript_dictionary/
122			- replace symbols in multiple files (->multifile)
123	joko	1.1
124	joko	1.2	=head2 Notes
125	joko	1.1
126			- no function may be called "Initialize", rename it to (e.g.) "Initialize2", reassembling will not work otherwise
127			(doesn't matter when obfuscating since function names will be replaced of course)
128			- function names seem to be/work case insensitive (shuffle <-> Shuffle)
129			- successfully tested with http://download.macromedia.com/pub/flash/showme/win/puzzle.zip
130			- make sure -1, -2, -3, .... gets replaced with '-1', '-2', '-3', ...
131			- there are multiple caller lines: callFunction, callMethod; do we have to take special care to methods?
132			- "getMember" and "getVariable" also do function calls!
133			- there are reserved function names which must not be replaced! (-> event handlers, e.g. "onPress")
134	joko	1.4
135
136			=head1 Links
137
138			=head2 ActionScript Decompilers / Disassemblers
139
140			Flasm:
141			http://www.nowrap.de/flasm.html
142			http://www.opaque.net/~dave/flasm/
143			Flare: http://www.nowrap.de/flare.html
144			Sothink SWF Decompiler: http://www.srctec.com/flashdecompiler/
145			Imperator FLA: http://www.ave-imperator.com/
146			SWF Decompiler: http://www.19.5degs.com/swfdecompiler.php
147			Gordon: http://www.futurecandy.com/
148
149			=head2 ActionScript Editors & Co.
150
151			URL Action Editor and Actionscript Viewer:
152			http://www.buraks.com/
153			http://voisen.org/archives/2003/02/uae_303_and_asv_309.php
154			SE\|PY ActionScript Editor: http://www.sephiroth.it/python/sepy.php
155
156			=head2 Obfuscators
157
158			ASO Pro (ActionScript Obfuscator Pro): http://www.genable.com/aso/preview.html
159			SWOB (swf obfuscator): http://home.byu.net/jtb64/Swob.htm
160			OBFU - A Flash Actionscript obfuscator: http://opaque.net/~dave/obfu/
161
162			=head2 Misc
163
164			ActionScript Protection:
165			http://www.as-protect.com/
166			http://www.quasimondo.com/archives/000377.php
167			Developer's SWF Guardian: http://anyrd.anyorganization.com/
168			Password Busting / SWF Protections: http://www.searchlores.org/cinix_fla.htm
169
170			=head2 Off-Topic
171	joko	1.6
172			=head3 XML
173
174	joko	1.4	XPath for Actionscript and other stuff: http://www.xfactorstudio.com/Actionscript/
175	joko	1.6	XMLRPC Flash Libraries for ActionScript 2.0: http://xmlrpcflash.sourceforge.net/
176
177			=head3 Marshalling / AMF (Flash Remoting protocol)
178
179			AMFPHP - Flash Remoting for PHP: http://www.amfphp.org/
180			AMF::Perl - Flash Remoting in Perl and Python: http://simonf.com/amfperl/
181	joko	1.4	SerializerClass: http://sourceforge.net/projects/serializerclass/
182	joko	1.6
183			=head3 Misc
184
185	joko	1.4	PEAR::SWF - Read and write SWF head tag: http://www.sephiroth.it/test/php/SWF/
186	joko	1.6	Convert videos to flv:
187			http://ffmpeg.sourceforge.net/
188			http://www.videohelp.com/tools?tool=263
189			Flash-CMS: http://www.lachoseinteractive.net/fr/produits/alahup/
190	joko	1.1
191			=cut
192
193
194			use strict;
195			use warnings;
196
197	joko	1.6	use Getopt::Long;
198			use Storable;
199			use Data::Dumper;
200
201			my $VERSION = "0.10";
202
203	joko	1.1	my $regex = {
204			'function' => 'function(?:2\|)\s(.+?)\s\(.*?\)',
205			'constants' => 'constants',
206			'call' => '(?:callFunction\|callMethod\|getMember\|getVariable)',
207			'function_stacked' => 'function(?:2\|)\s\s\(.*?\)',
208			'push' => 'push\s\'(.+?)\'',
209			};
210			my @symbols;
211	joko	1.6	my @lines;
212			my $options;
213	joko	1.1
214	joko	1.6	sub read_options {
215			GetOptions(
216			"pollute" => \$options->{pollute},
217			"help" => \$options->{help},
218			"version" => \$options->{version}
219			);
220			}
221	joko	1.1
222	joko	1.6	sub scan_symbols {
223			my @symbols_events = qw(
224			onDragOut
225			onDragOver
226			onKeyUp
227			onKeyDown
228			onKillFocus
229			onPress
230			onRelease
231			onReleaseOutside
232			onRollOut
233			onRollOver
234			onSetFocus
235			onActivity
236			onStatus
237			onSelect
238			onData
239			onLoad
240			allowDomain
241			allowInsecureDomain
242			onMouseDown
243			onMouseMove
244			onMouseUp
245			onMouseWheel
246			onEnterFrame
247			onUnload
248			onLoadComplete
249			onLoadError
250			onLoadInit
251			onLoadProgress
252			onLoadStart
253			onID3
254			onSoundComplete
255			onResize
256			onChanged
257			onScroller
258			);
259	joko	1.1
260	joko	1.6	my $counter = 0;
261			foreach (@lines) {
262
263			# trim newlines
264			#chomp;
265			my $symbol;
266
267			# check for all "function" / "function2" symbols and ...
268			if (m/$regex->{function}/) {
269			# ... remember them
270	joko	1.1	$symbol = $1;
271	joko	1.6
272
273			} elsif (m/$regex->{function_stacked}/) {
274			if ($lines[$counter - 1] =~ m/$regex->{push}/) {
275			$symbol = $1;
276			}
277			}
278
279			if ($symbol and not grep(/$symbol/, @symbols_events)) {
280			push @symbols, $symbol;
281	joko	1.1	}
282	joko	1.6
283			$counter++;
284
285	joko	1.1	}
286
287			}
288
289			#print join("\n", @symbols); exit;
290
291			# 2. step through all symbols found and replace them
292	joko	1.6	sub obfuscate {
293
294			# 1st stage: symbol replacement
295			my $symbol_counter = -1;
296			foreach my $symbol (@symbols) {
297			my $line_counter = 0;
298			foreach (@lines) {
299
300			# function declarations; single quotes might not be there!
301			if (m/$regex->{function}/) {
302			s/\s'$symbol'\s/ '$symbol_counter' /i;
303
304			# "constants"-line at begin of each block; single quotes should already be there
305			} elsif (m/$regex->{constants}/) {
306			s/'$symbol'/'$symbol_counter'/i;
307
308			# function calls; replace inside predecessor line of calling-lines
309			} elsif (m/$regex->{call}/) {
310			$lines[$line_counter - 1] =~ s/'$symbol'/'$symbol_counter'/i;
311
312			# function declarations; name of function is pushed on stack one line before!
313			} elsif (m/$regex->{function_stacked}/) {
314			$lines[$line_counter - 1] =~ s/'$symbol'/'$symbol_counter'/i;
315			}
316
317			$line_counter++;
318
319			}
320			$symbol_counter--;
321			}
322	joko	1.1
323	joko	1.6	# 2nd stage: pollute & Co.
324			if ($options->{pollute}) {
325			foreach (@lines) {
326			if (m/$regex->{constants}/) {
327			my $inject = qq(
328			push 0
329			ls:
330			dup
331			trace
332			branchIfTrue ls
333
334			);
335			$_ .= $inject;
336			}
337	joko	1.1	}
338	joko	1.6	}
339
340			}
341	joko	1.1
342	joko	1.6	sub usage {
343			print "fluscate - The Flash Obfuscator (v$VERSION)", "\n";
344			if (not $options->{version}) {
345			print <<USAGE;
346			[-p\|--pollute] Pollute code by inserting snippet making life harder for disassemblers
347			[-h\|--help] This text
348			[-v\|--version] Show version information only
349			USAGE
350			};
351			}
352
353			sub main {
354			read_options();
355			#print Dumper($options);
356			if ($options->{help} \|\| $options->{version}) {
357			usage();
358			exit;
359	joko	1.1	}
360	joko	1.6	# read flasm code from STDIN
361			@lines = <STDIN>;
362			scan_symbols();
363			obfuscate();
364			# write all stuff to STDOUT
365			print STDOUT @lines;
366	joko	1.1	}
367
368	joko	1.6	main();
369
370			1;
371			__END__
MailToCvsAdmin">MailToCvsAdmin	ViewVC Help
Powered by ViewVC 1.1.26