How to Use JPEXS for a Foolproof Dynamic Flash Analysis

We come across many Flash-based applications during our penetration tests for customers.

We’ve decided to share a fix-it, or trick if you will, that makes our penetration testing of Flash applications much easier.

At CyberInt, our pen testing team used to have recurring difficulties when we tried to perform dynamic analysis on Flash applications.

This is how our team overcame them:

(By the way, this trick has also helped us a lot with static analysis.)

JPEXS (FFDEC) Decompiling Tool

Our pen-testing team is known for using JPEXS whenever we need to analyse an SWF file.

You can download JPEXS here: www.free-decompiler.com/flash/download/

SWF Dynamic Analysis

What we’ve found in our pen-testing lab is that JPEXS is a simple yet optimal tool for dynamic analysis of SWF files.

Before you carry out the SWF dynamic analysis, download the most up-to-date versions of:
  1. Flash Player Standalone
  2. Flash Player Standalone Debugger
  3. Flash Player Global SWC File

All downloads are available here: labs.adobe.com/downloads/flashplayer.html

Once you’ve downloaded the Flash Player files, configure JPEXS to load them:

  • Select the “Settings” tab on the upper toolbar.
  • Select “Advanced Settings”.
  • Select the “Paths” tab.
  • Enter the paths of the downloaded files.

That’s it! Dynamic analysis is ready to roll.

The Fun Part: Dynamic Analysis of the SWF File

Example: Adobe Labs’ “Puzzle Game”

  • We use the ‘Puzzle Game’ as a sample SWF file for the dynamic analysis.

Download the Puzzle Game here:

www.adobe.com/devnet/archive/flash/articles/puzzle_game.html

Analysis Flow:

  1. Load the AS3_PuzzleGame.swf file using the (configured) JPEXS tool.

By analyzing the AS3 functions, we figured out that when a player finishes connecting all of the puzzle parts, a function named puzzleSolved is called.

Aha! Moment: as soon as the player connects all the pieces, the puzzleSolved function gets called!

Now we need to find the function’s code to see if the application can call it from another location.

This is how the application defines the puzzleSolved function:

This is where we realized that there’s no validation of who calls the puzzleSolved function.

Now what?

We need to find a good enough location for calling the puzzleSolved function without actually solving the puzzle.  

This is how we did it:

By the way, JPEXS supports editing the game’s AS3, so you can change the calling point.

We found the MouseDown event, which is defined in the pieceMove function.

The MouseDown event is triggered after each click by the user.

This is a perfect location to relocate the puzzleSolved call.

What’s Next?

  • Click on ‘Save’ and then ‘Run’

Now the tool compiles the application with our changes and saves the SWF to the Temp folder:

C:\Users\user\AppData\Local\Temp

  • Copy the SWF file into your web server’s root folder.
  • Open the root folder using a modern browser.

Each time the MouseDown event gets triggered, the puzzleSolved function will be called.

See for yourself!

P.S. You can also use JPEXS to perform an SWF static analysis.

Mitigation Takeaway

How can you protect your SWF files from being analysed by hackers?

One way to protect your SWF files is to obfuscate them using the general obfuscation tools available via a Google search.
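The analysis above worked because puzzleSolved runs entirely in the client and nothing checks who calls it; obfuscation slows a reader down but does not add that check. The following is an added example (not from the original post or from the game's code) of validating a win on a server instead: it assumes a hypothetical backend and a simplified puzzle modelled as swaps on a shuffled list, and every function name in it is invented for illustration.

```python
# Added example: hypothetical server, simplified swap-based puzzle (assumptions).
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)   # server-only secret, never shipped in the SWF
_redeemed = set()                      # nonces of tickets already accepted

def _mac(body: str) -> bytes:
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest().encode()

def new_puzzle(size: int = 6) -> dict:
    """Issue a shuffled board (size >= 2) with a MAC so the client cannot swap in its own."""
    board = list(range(size))
    while board == sorted(board):
        secrets.SystemRandom().shuffle(board)
    body = json.dumps({"board": board, "nonce": secrets.token_hex(8)})
    return {"body": body, "mac": _mac(body).decode()}

def verify_solution(ticket: dict, moves: list) -> bool:
    """Replay the claimed moves server-side instead of trusting a 'solved' call."""
    body, mac = str(ticket.get("body", "")), str(ticket.get("mac", ""))
    if not hmac.compare_digest(_mac(body), mac.encode()):
        return False                   # forged or altered ticket
    state = json.loads(body)
    board, nonce = state["board"], state["nonce"]
    if nonce in _redeemed:
        return False                   # ticket already used once
    for move in moves:
        if (not isinstance(move, (list, tuple)) or len(move) != 2 or
                not all(isinstance(i, int) and 0 <= i < len(board) for i in move)):
            return False               # malformed or out-of-range move
        a, b = move
        board[a], board[b] = board[b], board[a]
    if board != sorted(board):
        return False                   # moves do not end in the solved state
    _redeemed.add(nonce)
    return True

def honest_moves(ticket: dict) -> list:
    """Stand-in for a real player: the swaps that actually sort the issued board."""
    board, moves = json.loads(ticket["body"])["board"], []
    for i in range(len(board)):
        j = board.index(i)
        if j != i:
            board[i], board[j] = board[j], board[i]
            moves.append((i, j))
    return moves
```

A client that fires its "solved" path without real moves submits an empty or invalid move list, which the replay rejects; only a move sequence that actually sorts the server-issued board is accepted, and only once per ticket.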
