#1244 Incorrect showing of NOP instructions
Author: Owyn
Date created:
Type: bug
Visibility: Everybody
Assigned to:
State: closed
> What steps will reproduce the problem?
1. Have a file with some NOP instructions in the code
2. Open it in FFDEC and view HEX with instructions
3. You will see 5 byte jumps shown instead, example:
loc6709:Jump loc670e
; 99 02 00 00 00
loc670e:Jump loc6713
; 99 02 00 00 00
loc6713:Jump loc6718
; 99 02 00 00 00
loc6718:Jump loc671d
; 99 02 00 00 00
loc671d:Jump loc6722
> What is the expected output? What do you see instead?
It should show NOP instructions (files I checked are in AS3, so those are "x02")
; 02
NOP
But instead I see some non-existent hex code out of nowhere
> What version of the product are you using? Is it "nightly build"? Which operating system
do you have?
v8.0.1 on Win10
> Please provide any additional information below. If the problem is related to a SWF
file, attach it here, otherwise we can't help you.
Ok, attached example file (Line 1277 of decompiled code for example)
HEXED_S1UI_CharacterWindow.swf (311 KiB)
Answer is the same as in issue #1241, they are not the original bytes from your file. The
action list is fixed (also removes nop instructions) by FFDec. If you want to see the
original bytes, use Hex view.
State: new→upgraded
Can't code writer use NOPs at all? I mean it would be useful to view those (or at least
to just fully remove those instead of these 5 byte jumps).
Should I start a feature type request or could you change the type of this one then?
Sorry, I was a little bit wrong. There is no Nop instruction in AS2. 0x02 is replaced with
a jump because it is an unknown action code.
Did you find any documentation where it is written that 0x02 is Nop? I can't find any, I
think it is not NOP in AS2, only in AS3
https://www.adobe.com/content/dam/Adobe/en/devnet/actionscript/articles/avm2overview.pdf
nop
Operation
Do nothing.
Format
nop
Forms
nop = 2 (0x02)
Stack
… => …
Description
Do nothing.
There are Nop instructions in both AS2 and AS3. In our decompiler we use NOP opcodes for
some internal usages during deobfuscation. We replace obfuscated jumps with nops (or we
did it in the past) and then remove blocks with all nops in them. This is probably the
reason why you don't see regular nop instructions. I agree we should make removing regular
nops configurable.
JPEXS: which is the code of the Nop action? I can't find it in any documentation.
I tried 0x02, it seems to be Nop, but also tried 0x01, it is the same.
Owyn: That is AS3, they are completely different than AS1/2 action codes
JPEXS: Btw, FFDec currently using 0xff (-1) in AS2 for Nops, which is probably also
incorrect
Isn't my file I posted AS3? so that should be correct
Google says AS2 has no native support for NOPs but AS1 does,
can't you just edit some bytes in AS2 file and check what result would it run into? -
Would it nop or would it error, and then just base on the results.
Btw, results don't have to be the same for all the versions of the AS, and I just wanted
it to show NOPs correctly in the AS3
From here: http://www.cheatengine.org/forum/viewtopic.php?t=472493
ActionScript 1 OpCodes:
No Operation (NOP) = 0x02
ActionScript 3 OpCodes:
final int OP_bkpt = 0x01;
final int OP_nop = 0x02;
Your file is AS2. (Actions are in AS1/2, AVM2 instructions in AS3)
AS1/2 and AS3 (AVM2) are totally different things.
AS1/2: DoAction/DoInitAction tags
AS3 (AVM2): DoABC, DoABC2 tag
AS1 is basically the same as AS2, this is why I usually write AS1/2
So maybe 0x02 is also NOP in AS1/2, but I can't find it in any official documentation.
Hmm, looks like over time I forgot what AS I was editing ...
but x02 seemed to work like it should all this time. - can you check this for sure (check
that x02 just works)?
If AS2 is the same as AS1, it should have NOPs, right? Because AS1 did have those as
people write
Best opcode list for AS2 I found so far: http://globeriz.blogspot.ru/2014/01/flash-vm-instruction-reference.html but it has no
NOPs
x02 seems to work as I mentioned it earlier (05/28/2016, 4:34:31 pm)
But if I write 0x01, the result is the same, so probably 0x02 is not a nop, only an
unknown action, and flashplayer skips the unknown actions. (Or maybe it is only an
undocumented action which has no visible result)
The link you wrote is not an official document, probably the guy tried to use 0x02, he saw
that it usually works...
Somebody else on the same forum wrote:
"AS2 doesn't so you'll have to be creative. I usually push and pop stuff from the stack."
AS1 and AS2 are basically the same, it compiles exactly to the same pcode, so if there is
no NOP in AS2, there is no NOP in AS1, too. Only unknown actions, which behave like
NOPs.
From wikipedia: ActionScript 2.0 featured compile-time type checking and class-based
syntax, such as the keywords class and extends. (While this allowed for a more structured
object-oriented programming approach, the code would still be compiled to ActionScript 1.0
bytecode, allowing it to be used on the preceding Flash Player 6 as well.)
> unknown actions
well, if FFDEC wrote
02
; UNKNOWN ACTION
that would be ok too, or by just removing those and not inserting those 5 byte jumps.
ummm, sorry about that AS1/2 Nop info, my bad.
There is no official documented Nop Action. (These are called "Actions" in AS1/2)
There is a nop instruction with opcode 0x02 in AS3 (See /www.free-decompiler.com/flash/docs/as3_pcode_instructions.en.html or
any better source, this comes from our research and many sources)
All nop info from my previous post was for the AS3 (AVM2).
Jpexs: Now all the unknown actions are replaced with ActionJump, but Owyn is right,
sometimes we can write
Unknown_0xab and ignore them during decompiling
sometimes = when the code < 0x80, they are single byte actions, for longer actions we
should keep the jumps (they are probably obfuscated things anyway)
I'll make this modification, but I need a little time to do it.
If you use an invalid instruction (Action) in AS1/2 then the FlashPlayer will probably crash
and not continue to play the file at all. I don't think we should put a big amount of effort
to implement any cool detection of such SWFs. If you put invalid SWF into the decompiler,
do not expect it will show anything nice.
Yeah, "UNKNOWN ACTION" would be handsome, but... we decompile and edit SWF files. We
silently expect that we get files that are playable by Flash Player, because... who the
fuck would want a SWF file which is unplayable?
I mean... you should check the SWF file by playing it in the Flash Player first. Install
debug version of flash player, it will tell you exactly where the problem in the SWF file
is ("invalid opcode" or something).
Do not use FFDec to check SWF file for validity, it is not a good tool for this (never
will be). Adobe has better tool for you.
honfika: okay, implement what you want (if you have time for it), but "unknown opcode" is a
showstopper. You cannot decode anything after such byte, you don't know where next
instruction is. There is no "ignore one instruction" and continue on next, there's no
next.
I tried 0x01 and 0x02, they work in non-debug flash player. Flash player "ignores"
(no visible difference, keeps the stack) them, so they are quasi NOP actions.
hmm, there is "length" in the Action record, so probably one action can be skipped, so
maybe it might work (?).
Okay,... maybe I am just too tired today to think :-).
This is why only the 1 byte actions should be implemented in this way. Multi byte actions
should be jumps. (as they are currently)
length is only then code >= 0x80
*when
Owyn: please try the next (1445 or newer) nightly build, will be released in 5 minutes:
/www.free-decompiler.com/flash/nightly/
honfika: Yes, v1445 shows:
; 02
Unknown_02
nicely, thanks. It's a lot more understandable to read now.
Owyn:
Earlier you wrote: "or at least to just fully remove those instead of these 5 byte jumps"
They were already removed (in 8.0.1 stable also) when automatic deobfuscation is enabled.
But now it shows the unknown action when the code < 0x80.
Unknown actions will be removed when you enable automatic deobfuscation, so if you want to
see them, you should disable this setting.
So is this task ready, may I close it?
+As JPEXS said Unknown actions may crash Flash Player, so use it at your own risk.
I never used deobfuscation feature so I don't know what it does, but
yes, task is ready.
State: upgraded→closed
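
The point the thread settles on, that an AS1/2 action code below 0x80 is a single byte while a code of 0x80 or above is followed by a length, is what lets a disassembler step over an unknown one-byte action without losing alignment. The sketch below is an added example, not FFDec's code or anything posted in the thread; the function name, the partial name table and the sample bytes are assumptions made for illustration, and unlike FFDec it skips long unknown actions by their length instead of showing them as jumps.

```python
import struct

# Partial name table: a few documented AS1/2 actions, enough for the sample.
KNOWN = {0x00: "End", 0x06: "Play", 0x07: "Stop", 0x17: "Pop",
         0x96: "Push", 0x99: "Jump", 0x9D: "If"}


def disassemble(data, base=0):
    """Walk an AS1/2 action list; return [(address, raw_bytes, text), ...]."""
    out, pos = [], 0
    while pos < len(data):
        code, size, payload = data[pos], 1, b""
        if code >= 0x80:
            # Long action: UI16 little-endian length, then that many bytes.
            if pos + 3 <= len(data):
                size = 3 + struct.unpack_from("<H", data, pos + 1)[0]
            if size == 1 or pos + size > len(data):
                # Header or payload runs past the buffer: report and stop.
                out.append((base + pos, data[pos:], "Truncated_%02x" % code))
                break
            payload = data[pos + 3:pos + size]
        if code == 0x99 and len(payload) == 2:
            # Jump: SI16 offset relative to the address of the next action.
            (offset,) = struct.unpack("<h", payload)
            text = "Jump loc%04x" % (base + pos + size + offset)
        elif code in KNOWN:
            text = KNOWN[code]
        else:
            # Below 0x80 there is no length field, so exactly one byte is
            # consumed and the following actions still decode correctly.
            text = "Unknown_%02x" % code
        out.append((base + pos, data[pos:pos + size], text))
        if code == 0x00:  # End terminates the action list
            break
        pos += size
    return out


# Constructed sample: two 0x02 bytes, a zero-offset Jump, Stop,
# an unknown long action 0xab with a one-byte payload, End.
SAMPLE = bytes.fromhex("02 02 99 02 00 00 00 07 ab 01 00 ff 00")

if __name__ == "__main__":
    for addr, raw, text in disassemble(SAMPLE, base=0x6709):
        print("loc%04x:%s\n; %s" % (addr, text, raw.hex(" ")))
```
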