fluscate/bin/fluscate.pl

#!/usr/bin/perl

# fluscate - The Flash Obfuscator

# $Id: fluscate.pl,v 1.5 2004/07/26 16:11:58 joko Exp $
# $Log: fluscate.pl,v $
# Revision 1.5  2004/07/26 16:11:58  joko
# updated pod
# included more complete list of flash event-handlers
# fixed substitution regex #1: now using spaces around function names
#
# Revision 1.4  2004/07/26 13:51:54  joko
# updated pod
#
# Revision 1.3  2004/07/23 12:56:07  joko
# updated pod
#
# Revision 1.2  2004/07/23 12:24:52  joko
# pod
#
# Revision 1.1  2004/07/23 12:13:14  joko
# initial commit
#

=pod

  fluscate - The Flash Obfuscator

  This software is Copyright (C) 2004 Andreas Motl
  Ideas and MacOS X Application by Holger Marseille
  
  This program is free software; you can redistribute it and/or
  modify it under the terms of the GNU General Public License
  as published by the Free Software Foundation; either version 2
  of the License, or (at your option) any later version.
  
  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
  
  You should have received a copy of the GNU General Public License
  along with this program; if not, write to the Free Software
  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.

=cut


=pod

=head1 Features


=head2 Obfuscation

  See ASO Pro: http://www.genable.com/aso/preview.html
  

=head2 Functions

  fluscate handles two different styles of function declarations:

  1. "Normal" ones, e.g.
      function mp3Player ('arg1', 'arg2')

  2. There may be "stacked" function declarations, e.g.
      push 'mp3Player'
      function  ()

=head2 Pollute

  Some flash-disassemblers might croak when inserting the following code 
  after a/each "constants"-declaration:

    push 0
    ls:
      dup
      trace
      branchIfTrue ls" 


=head1 Dependencies

  "flasm" is required to disassemble swf files, see http://www.nowrap.de/flasm.html
  ACKs go to Igor Kogan.


=head1 Usage

=head2 General

  Please type "fluscate --help" to get more information about command-line parameters.

=head2 win32

  #> flasm.exe -d puzzle.swf > puzzle.flm
  #> cat puzzle.flm | perl fluscate.pl > puzzle_fusc.flm
  #> flasm.exe -a puzzle_fusc.flm

=head2 *nix

  #> ./flasm -d puzzle.swf > puzzle.flm
  #> cat puzzle.flm | ./fluscate.pl > puzzle_fusc.flm
  #> ./flasm -a puzzle_fusc.flm


=head1 Development

=head2 Todo

  - provide list of flash event handler names to exclude from symbol replacement

=head2 Wishlist

  - komplexere verschlüsselung als "-1, -2 ..." z-b nicht in der numerischen reihenfolge sondern nach 
    zufallsprinip (-21,-3,-89)? (->random)
  - evtl. constants nach abfrage ersetzen ? leider sehr aufwendig, bei vielen constants (->ask)
  - rausgeben des arrays mit den "neuen" werten um evtl die obfuscation rückgängig zu machen (->undo)
  - what about other symbols beside "function"s? (e.g. variables) (->mode)
  - include list of ->keywords from:
    http://www.macromedia.com/support/flash/action_scripts/actionscript_dictionary/
  - replace symbols in multiple files (->multifile)

=head2 Notes

  - no function may be called "Initialize", rename it to (e.g.) "Initialize2", reassembling will not work otherwise
    (doesn't matter when obfuscating since function names will be replaced of course)
  - function names seem to be/work case insensitive (shuffle <-> Shuffle)
  - successfully tested with http://download.macromedia.com/pub/flash/showme/win/puzzle.zip
  - make sure -1, -2, -3, .... gets replaced with '-1', '-2', '-3', ...
  - there are multiple caller lines: callFunction, callMethod; do we have to take special care to methods?
  - "getMember" and "getVariable" also do function calls!
  - there are reserved function names which must not be replaced! (-> event handlers, e.g. "onPress")


=head1 Links

=head2 ActionScript Decompilers / Disassemblers

  Flasm:
    http://www.nowrap.de/flasm.html
    http://www.opaque.net/~dave/flasm/
  Flare: http://www.nowrap.de/flare.html
  Sothink SWF Decompiler: http://www.srctec.com/flashdecompiler/
  Imperator FLA: http://www.ave-imperator.com/
  SWF Decompiler: http://www.19.5degs.com/swfdecompiler.php
  Gordon: http://www.futurecandy.com/

=head2 ActionScript Editors & Co.

  URL Action Editor and Actionscript Viewer:
    http://www.buraks.com/
    http://voisen.org/archives/2003/02/uae_303_and_asv_309.php
  SE|PY ActionScript Editor: http://www.sephiroth.it/python/sepy.php

=head2 Obfuscators

  ASO Pro (ActionScript Obfuscator Pro): http://www.genable.com/aso/preview.html
  SWOB (swf obfuscator): http://home.byu.net/jtb64/Swob.htm
  OBFU - A Flash Actionscript obfuscator: http://opaque.net/~dave/obfu/

=head2 Misc

  ActionScript Protection:
    http://www.as-protect.com/
    http://www.quasimondo.com/archives/000377.php
  Developer's SWF Guardian: http://anyrd.anyorganization.com/
  Password Busting / SWF Protections: http://www.searchlores.org/cinix_fla.htm

=head2 Off-Topic

=head3 XML

  XPath for Actionscript and other stuff: http://www.xfactorstudio.com/Actionscript/
  XMLRPC Flash Libraries for ActionScript 2.0: http://xmlrpcflash.sourceforge.net/

=head3 Marshalling / AMF (Flash Remoting protocol)

  AMFPHP - Flash Remoting for PHP: http://www.amfphp.org/
  AMF::Perl - Flash Remoting in Perl and Python: http://simonf.com/amfperl/
  SerializerClass: http://sourceforge.net/projects/serializerclass/

=head3 Misc

  PEAR::SWF - Read and write SWF head tag: http://www.sephiroth.it/test/php/SWF/
  Convert videos to flv:
    http://ffmpeg.sourceforge.net/
    http://www.videohelp.com/tools?tool=263
  Flash-CMS: http://www.lachoseinteractive.net/fr/produits/alahup/

=cut


use strict;
use warnings;

use Getopt::Long;
use Storable;
use Data::Dumper;

my $VERSION = "0.10";

my $regex = {
  'function' => 'function(?:2|)\s(.+?)\s\(.*?\)',
  'constants' => 'constants',
  'call' => '(?:callFunction|callMethod|getMember|getVariable)',
  'function_stacked' => 'function(?:2|)\s\s\(.*?\)',
  'push' => 'push\s\'(.+?)\'',
};
my @symbols;
my @lines;
my $options;

sub read_options {
  GetOptions(
    "pollute" => \$options->{pollute},
    "help" => \$options->{help},
    "version" => \$options->{version}
  );
}

sub scan_symbols {
  my @symbols_events = qw( 
    onDragOut
    onDragOver
    onKeyUp
    onKeyDown
    onKillFocus
    onPress
    onRelease
    onReleaseOutside
    onRollOut
    onRollOver
    onSetFocus
    onActivity
    onStatus
    onSelect
    onData
    onLoad
    allowDomain
    allowInsecureDomain
    onMouseDown
    onMouseMove
    onMouseUp
    onMouseWheel
    onEnterFrame
    onUnload
    onLoadComplete
    onLoadError
    onLoadInit
    onLoadProgress
    onLoadStart
    onID3
    onSoundComplete
    onResize
    onChanged
    onScroller
  );
  
  my $counter = 0;
  foreach (@lines) {
    
    # trim newlines
    #chomp;
    my $symbol;
    
    # check for all "function" / "function2" symbols and ...
    if (m/$regex->{function}/) {
      # ... remember them
      $symbol = $1;
    
    
    } elsif (m/$regex->{function_stacked}/) {
      if ($lines[$counter - 1] =~ m/$regex->{push}/) {
        $symbol = $1;
      }
    }
    
    if ($symbol and not grep(/$symbol/, @symbols_events)) {
      push @symbols, $symbol;
    }
    
    $counter++;
    
  }
  
}

#print join("\n", @symbols); exit;

# 2. step through all symbols found and replace them
sub obfuscate {

  # 1st stage: symbol replacement
  my $symbol_counter = -1;
  foreach my $symbol (@symbols) {
    my $line_counter = 0;
    foreach (@lines) {
      
      # function declarations; single quotes might not be there!
      if (m/$regex->{function}/) {
        s/\s'*$symbol'*\s/ '$symbol_counter' /i;
      
      # "constants"-line at begin of each block; single quotes should already be there
      } elsif (m/$regex->{constants}/) {
        s/'$symbol'/'$symbol_counter'/i;
      
      # function calls; replace inside predecessor line of calling-lines
      } elsif (m/$regex->{call}/) {
        $lines[$line_counter - 1] =~ s/'$symbol'/'$symbol_counter'/i;
  
      # function declarations; name of function is pushed on stack one line before!
      } elsif (m/$regex->{function_stacked}/) {
        $lines[$line_counter - 1] =~ s/'$symbol'/'$symbol_counter'/i;
      }

      $line_counter++;
      
    }
    $symbol_counter--;
  }

  # 2nd stage: pollute & Co.
  if ($options->{pollute}) {
    foreach (@lines) {
      if (m/$regex->{constants}/) {
        my $inject = qq(
      push 0
      ls:
        dup
        trace
        branchIfTrue ls
  
);
        $_ .= $inject;
      }
    }
  }

}

sub usage {
  print "fluscate - The Flash Obfuscator (v$VERSION)", "\n";
  if (not $options->{version}) {
  print <<USAGE;
    [-p|--pollute]      Pollute code by inserting snippet making life harder for disassemblers 
    [-h|--help]         This text
    [-v|--version]      Show version information only
USAGE
  };
}

sub main {
  read_options();
  #print Dumper($options);
  if ($options->{help} || $options->{version}) {
    usage();
    exit;
  }
  # read flasm code from STDIN
  @lines = <STDIN>;
  scan_symbols();
  obfuscate();
  # write all stuff to STDOUT
  print STDOUT @lines;
}

main();

1;
__END__
1	#!/usr/bin/perl
2
3	# fluscate - The Flash Obfuscator
4
5	# $Id: fluscate.pl,v 1.5 2004/07/26 16:11:58 joko Exp $
6	# $Log: fluscate.pl,v $
7	# Revision 1.5 2004/07/26 16:11:58 joko
8	# updated pod
9	# included more complete list of flash event-handlers
10	# fixed substitution regex #1: now using spaces around function names
11	#
12	# Revision 1.4 2004/07/26 13:51:54 joko
13	# updated pod
14	#
15	# Revision 1.3 2004/07/23 12:56:07 joko
16	# updated pod
17	#
18	# Revision 1.2 2004/07/23 12:24:52 joko
19	# pod
20	#
21	# Revision 1.1 2004/07/23 12:13:14 joko
22	# initial commit
23	#
24
25	=pod
26
27	fluscate - The Flash Obfuscator
28
29	This software is Copyright (C) 2004 Andreas Motl
30	Ideas and MacOS X Application by Holger Marseille
31
32	This program is free software; you can redistribute it and/or
33	modify it under the terms of the GNU General Public License
34	as published by the Free Software Foundation; either version 2
35	of the License, or (at your option) any later version.
36
37	This program is distributed in the hope that it will be useful,
38	but WITHOUT ANY WARRANTY; without even the implied warranty of
39	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
40	GNU General Public License for more details.
41
42	You should have received a copy of the GNU General Public License
43	along with this program; if not, write to the Free Software
44	Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
45
46	=cut
47
48
49	=pod
50
51	=head1 Features
52
53
54	=head2 Obfuscation
55
56	See ASO Pro: http://www.genable.com/aso/preview.html
57
58
59	=head2 Functions
60
61	fluscate handles two different styles of function declarations:
62
63	1. "Normal" ones, e.g.
64	function mp3Player ('arg1', 'arg2')
65
66	2. There may be "stacked" function declarations, e.g.
67	push 'mp3Player'
68	function ()
69
70	=head2 Pollute
71
72	Some flash-disassemblers might croak when inserting the following code
73	after a/each "constants"-declaration:
74
75	push 0
76	ls:
77	dup
78	trace
79	branchIfTrue ls"
80
81
82	=head1 Dependencies
83
84	"flasm" is required to disassemble swf files, see http://www.nowrap.de/flasm.html
85	ACKs go to Igor Kogan.
86
87
88	=head1 Usage
89
90	=head2 General
91
92	Please type "fluscate --help" to get more information about command-line parameters.
93
94	=head2 win32
95
96	#> flasm.exe -d puzzle.swf > puzzle.flm
97	#> cat puzzle.flm \| perl fluscate.pl > puzzle_fusc.flm
98	#> flasm.exe -a puzzle_fusc.flm
99
100	=head2 *nix
101
102	#> ./flasm -d puzzle.swf > puzzle.flm
103	#> cat puzzle.flm \| ./fluscate.pl > puzzle_fusc.flm
104	#> ./flasm -a puzzle_fusc.flm
105
106
107	=head1 Development
108
109	=head2 Todo
110
111	- provide list of flash event handler names to exclude from symbol replacement
112
113	=head2 Wishlist
114
115	- komplexere verschlüsselung als "-1, -2 ..." z-b nicht in der numerischen reihenfolge sondern nach
116	zufallsprinip (-21,-3,-89)? (->random)
117	- evtl. constants nach abfrage ersetzen ? leider sehr aufwendig, bei vielen constants (->ask)
118	- rausgeben des arrays mit den "neuen" werten um evtl die obfuscation rückgängig zu machen (->undo)
119	- what about other symbols beside "function"s? (e.g. variables) (->mode)
120	- include list of ->keywords from:
121	http://www.macromedia.com/support/flash/action_scripts/actionscript_dictionary/
122	- replace symbols in multiple files (->multifile)
123
124	=head2 Notes
125
126	- no function may be called "Initialize", rename it to (e.g.) "Initialize2", reassembling will not work otherwise
127	(doesn't matter when obfuscating since function names will be replaced of course)
128	- function names seem to be/work case insensitive (shuffle <-> Shuffle)
129	- successfully tested with http://download.macromedia.com/pub/flash/showme/win/puzzle.zip
130	- make sure -1, -2, -3, .... gets replaced with '-1', '-2', '-3', ...
131	- there are multiple caller lines: callFunction, callMethod; do we have to take special care to methods?
132	- "getMember" and "getVariable" also do function calls!
133	- there are reserved function names which must not be replaced! (-> event handlers, e.g. "onPress")
134
135
136	=head1 Links
137
138	=head2 ActionScript Decompilers / Disassemblers
139
140	Flasm:
141	http://www.nowrap.de/flasm.html
142	http://www.opaque.net/~dave/flasm/
143	Flare: http://www.nowrap.de/flare.html
144	Sothink SWF Decompiler: http://www.srctec.com/flashdecompiler/
145	Imperator FLA: http://www.ave-imperator.com/
146	SWF Decompiler: http://www.19.5degs.com/swfdecompiler.php
147	Gordon: http://www.futurecandy.com/
148
149	=head2 ActionScript Editors & Co.
150
151	URL Action Editor and Actionscript Viewer:
152	http://www.buraks.com/
153	http://voisen.org/archives/2003/02/uae_303_and_asv_309.php
154	SE\|PY ActionScript Editor: http://www.sephiroth.it/python/sepy.php
155
156	=head2 Obfuscators
157
158	ASO Pro (ActionScript Obfuscator Pro): http://www.genable.com/aso/preview.html
159	SWOB (swf obfuscator): http://home.byu.net/jtb64/Swob.htm
160	OBFU - A Flash Actionscript obfuscator: http://opaque.net/~dave/obfu/
161
162	=head2 Misc
163
164	ActionScript Protection:
165	http://www.as-protect.com/
166	http://www.quasimondo.com/archives/000377.php
167	Developer's SWF Guardian: http://anyrd.anyorganization.com/
168	Password Busting / SWF Protections: http://www.searchlores.org/cinix_fla.htm
169
170	=head2 Off-Topic
171
172	=head3 XML
173
174	XPath for Actionscript and other stuff: http://www.xfactorstudio.com/Actionscript/
175	XMLRPC Flash Libraries for ActionScript 2.0: http://xmlrpcflash.sourceforge.net/
176
177	=head3 Marshalling / AMF (Flash Remoting protocol)
178
179	AMFPHP - Flash Remoting for PHP: http://www.amfphp.org/
180	AMF::Perl - Flash Remoting in Perl and Python: http://simonf.com/amfperl/
181	SerializerClass: http://sourceforge.net/projects/serializerclass/
182
183	=head3 Misc
184
185	PEAR::SWF - Read and write SWF head tag: http://www.sephiroth.it/test/php/SWF/
186	Convert videos to flv:
187	http://ffmpeg.sourceforge.net/
188	http://www.videohelp.com/tools?tool=263
189	Flash-CMS: http://www.lachoseinteractive.net/fr/produits/alahup/
190
191	=cut
192
193
194	use strict;
195	use warnings;
196
197	use Getopt::Long;
198	use Storable;
199	use Data::Dumper;
200
201	my $VERSION = "0.10";
202
203	my $regex = {
204	'function' => 'function(?:2\|)\s(.+?)\s\(.*?\)',
205	'constants' => 'constants',
206	'call' => '(?:callFunction\|callMethod\|getMember\|getVariable)',
207	'function_stacked' => 'function(?:2\|)\s\s\(.*?\)',
208	'push' => 'push\s\'(.+?)\'',
209	};
210	my @symbols;
211	my @lines;
212	my $options;
213
214	sub read_options {
215	GetOptions(
216	"pollute" => \$options->{pollute},
217	"help" => \$options->{help},
218	"version" => \$options->{version}
219	);
220	}
221
222	sub scan_symbols {
223	my @symbols_events = qw(
224	onDragOut
225	onDragOver
226	onKeyUp
227	onKeyDown
228	onKillFocus
229	onPress
230	onRelease
231	onReleaseOutside
232	onRollOut
233	onRollOver
234	onSetFocus
235	onActivity
236	onStatus
237	onSelect
238	onData
239	onLoad
240	allowDomain
241	allowInsecureDomain
242	onMouseDown
243	onMouseMove
244	onMouseUp
245	onMouseWheel
246	onEnterFrame
247	onUnload
248	onLoadComplete
249	onLoadError
250	onLoadInit
251	onLoadProgress
252	onLoadStart
253	onID3
254	onSoundComplete
255	onResize
256	onChanged
257	onScroller
258	);
259
260	my $counter = 0;
261	foreach (@lines) {
262
263	# trim newlines
264	#chomp;
265	my $symbol;
266
267	# check for all "function" / "function2" symbols and ...
268	if (m/$regex->{function}/) {
269	# ... remember them
270	$symbol = $1;
271
272
273	} elsif (m/$regex->{function_stacked}/) {
274	if ($lines[$counter - 1] =~ m/$regex->{push}/) {
275	$symbol = $1;
276	}
277	}
278
279	if ($symbol and not grep(/$symbol/, @symbols_events)) {
280	push @symbols, $symbol;
281	}
282
283	$counter++;
284
285	}
286
287	}
288
289	#print join("\n", @symbols); exit;
290
291	# 2. step through all symbols found and replace them
292	sub obfuscate {
293
294	# 1st stage: symbol replacement
295	my $symbol_counter = -1;
296	foreach my $symbol (@symbols) {
297	my $line_counter = 0;
298	foreach (@lines) {
299
300	# function declarations; single quotes might not be there!
301	if (m/$regex->{function}/) {
302	s/\s'$symbol'\s/ '$symbol_counter' /i;
303
304	# "constants"-line at begin of each block; single quotes should already be there
305	} elsif (m/$regex->{constants}/) {
306	s/'$symbol'/'$symbol_counter'/i;
307
308	# function calls; replace inside predecessor line of calling-lines
309	} elsif (m/$regex->{call}/) {
310	$lines[$line_counter - 1] =~ s/'$symbol'/'$symbol_counter'/i;
311
312	# function declarations; name of function is pushed on stack one line before!
313	} elsif (m/$regex->{function_stacked}/) {
314	$lines[$line_counter - 1] =~ s/'$symbol'/'$symbol_counter'/i;
315	}
316
317	$line_counter++;
318
319	}
320	$symbol_counter--;
321	}
322
323	# 2nd stage: pollute & Co.
324	if ($options->{pollute}) {
325	foreach (@lines) {
326	if (m/$regex->{constants}/) {
327	my $inject = qq(
328	push 0
329	ls:
330	dup
331	trace
332	branchIfTrue ls
333
334	);
335	$_ .= $inject;
336	}
337	}
338	}
339
340	}
341
342	sub usage {
343	print "fluscate - The Flash Obfuscator (v$VERSION)", "\n";
344	if (not $options->{version}) {
345	print <<USAGE;
346	[-p\|--pollute] Pollute code by inserting snippet making life harder for disassemblers
347	[-h\|--help] This text
348	[-v\|--version] Show version information only
349	USAGE
350	};
351	}
352
353	sub main {
354	read_options();
355	#print Dumper($options);
356	if ($options->{help} \|\| $options->{version}) {
357	usage();
358	exit;
359	}
360	# read flasm code from STDIN
361	@lines = <STDIN>;
362	scan_symbols();
363	obfuscate();
364	# write all stuff to STDOUT
365	print STDOUT @lines;
366	}
367
368	main();
369
370	1;
371	__END__
MailToCvsAdmin">MailToCvsAdmin	ViewVC Help
Powered by ViewVC 1.1.26