how does obfuscation and obfuscated code actually work?
Let's skip the ropes, I'm a software engineer, and I'd like to get started on SWF obfuscation. The one I encountered is Protector IV.V on Kongregate (protector-4point5_Secure.swf). When I look at it in a decompiler, I see stuff like this:

Code:
var x01 = -348 + x04x05();
while (x01 = eval("x01") + 709, eval("x01") == 786)
{
    x01 = eval("x01") + 107;
    break;
}
if (eval("x01") == 683)
{
    x01 = eval("x01") - 108;
}

So it looks like valid bytecode since the decompiler doesn't crash, but it looks like garbage, keeps doing a huge amount of math with a variable named x01. My question is not what emits this or what can decode this because I saw it here in other topics. I'd like to know HOW it's done. Is this the actual bytecode that runs in Flash and this math adds up to some actual, useful code? Or is there some hidden AS code that changes the bytecode itself? What capability of the Flash VM do these obfuscators exploit?
Creamy Goodness.
The programmer simply decided to name all his variables something crazy. This can be achieved by writing the code, copy-pasting it into a word processor, and find/replacing every var with something difficult to read. To fix this, view it as raw data, find out what one variable is, find/replace every instance of it with something more tangible, and keep decoding it until you can do something with it. Then find the bytes you need to change, and change them as with a regular AoB.



lol idek why i still come here

It's got to be more than that. Why would a game algorithm use the same variable hundreds of times for nothing other than doing basic math operations with arbitrary 2-3 digit numbers? Imagine that the entire script of a game is just like what I pasted above, thousands of those and nothing else.
Never let a computer tell me shit.
Quote from: "PseudoFamous"
Programmer simply decided to name all his variables something crazy. blah blah blah
This is 100% incorrect, at least in relation to the code posted.
What you've posted is Amayeta encryption. I'm not going to pretend I know exactly how it works, but BASICALLY it works by adding junk instructions to the code. At runtime, the ActionScript virtual machine ignores the junk and the game runs as normal. However, when you try to decompile it, the decompiler tries to make sense of the junk data and chokes. Amayeta is only AS2 btw.

In AS3 the go-to method for encryption is to inject something like the following into the method bodies you wish to protect from decompilers.
10 03 00 00 05 24 01 (this is just off the top of my head; it may not be exactly what it is, but it's something close. I know it starts with 10 ?? 00 00 00.)
Now obviously the AVM doesn't care about 05 24 01; it's never going to see it, as it's unreachable. But when the decompiler tries to interpret that shit, it just straight up crashes.


So if you want to see exactly how Amayeta works, decrypt it, and compare the original and decrypted files in a hex editor. Easy peasy.

For simple renaming, then, you know, a hashmap, obviously....



I use this AoB tool to make all the AoBs I post. Try the online version if you don't feel like downloading it.
"Obviously, windows are central to Windows. They are so important that they named the operating system after them. But what is a window?"
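The jump-over-junk pattern described in the post above, as an added example that is not from this thread: a tiny AVM2 opcode decoder (opcode numbers and operand encodings are the real AVM2 ones; the method body is constructed, with different junk bytes than the post's) showing that a linear sweep, like a naive decompiler, gets desynchronized by the junk, while following control flow the way the VM does never decodes it.

```python
# Added example (not from the thread): linear sweep vs. flow-following decode
# of an AVM2 method body with a jump over junk bytes. Constructed input.

# opcode -> (mnemonic, operand kinds); u30 = variable-length unsigned, s24 = signed 24-bit LE
OPS = {
    0x10: ("jump", ("s24",)),
    0x24: ("pushbyte", ("u8",)),
    0x2A: ("dup", ()),
    0x2C: ("pushstring", ("u30",)),
    0x48: ("returnvalue", ()),
}

def read_u30(code, pos):
    """Variable-length u30: 7 data bits per byte, high bit set means 'continue'."""
    value, shift = 0, 0
    while True:
        b = code[pos]; pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80 or shift >= 35:
            return value, pos

def decode_one(code, pos):
    """Decode the instruction at pos; return (mnemonic, operands, next_pos)."""
    name, kinds = OPS[code[pos]]
    pos += 1
    operands = []
    for kind in kinds:
        if kind == "u8":
            operands.append(code[pos]); pos += 1
        elif kind == "s24":
            operands.append(int.from_bytes(code[pos:pos + 3], "little", signed=True)); pos += 3
        else:
            v, pos = read_u30(code, pos); operands.append(v)
    return name, operands, pos

def linear_sweep(code):
    """What a naive decompiler does: decode every byte in order, junk included."""
    out, pos = [], 0
    while pos < len(code):
        name, ops, pos = decode_one(code, pos)
        out.append((name, ops))
    return out

def follow_flow(code):
    """What the VM does: start at 0 and follow jumps; unreachable bytes are never decoded."""
    out, pos, seen = [], 0, set()
    while pos < len(code) and pos not in seen:
        seen.add(pos)
        name, ops, nxt = decode_one(code, pos)
        out.append((name, ops))
        pos = nxt + ops[0] if name == "jump" else nxt  # offset is relative to the end of the jump
        if name == "returnvalue":
            break
    return out

# Constructed body: `jump +3` over three junk bytes, then the real `pushbyte 42; returnvalue`.
# The junk opens a pushstring whose u30 operand keeps "continuing" into the real code.
JUNK_BODY = bytes.fromhex("10 03 00 00" "2C 80 80" "24 2A 48")
```

Run `linear_sweep(JUNK_BODY)` and the real `pushbyte 42` is swallowed as part of a bogus operand; `follow_flow(JUNK_BODY)` recovers it, which is the same reason the AVM runs the game fine.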

So the good old jump-into-the-middle-of-an-instruction technique, then. Thank you! I haven't got to decrypting yet; I saw there were certain tools mentioned on these forums, half of them didn't work, and the other half I couldn't fetch. I don't mind though, I'm more interested in researching at the moment.

So here's my theory: find a tool to uncompress an SWF (I guess it will be much easier to find a free tool for that than a decrypter), replace the jump with nops, and then the decompiler will be correctly aligned with the instructions.
Never let a computer tell me shit.
Well, with Amayeta there's more going on than just jumps, but it's still just junk bytes...

So I would write a program that parses through the bytes of the encrypted and unencrypted files and prints out the junk bytes.

Use the program I attached to recover Amayeta-encrypted SWFs.



I use this AoB tool to make all the AoBs I post. Try the online version if you don't feel like downloading it.
"Obviously, windows are central to Windows. They are so important that they named the operating system after them. But what is a window?"

Thanks, it works!
Awesome, Kolonel. Thanks for the help.




Everything's coming up KongHack!

"When you know nothing matters, the universe is yours" ~Rick Sanchez

Hi, I have a similar problem, but I'm trying to decode a .swf file. If I use UnSWFEncrypt or Action Script Viewer Demo, the ActionScript is still encrypted. Any idea how to decrypt the SWF file?
The code looks like:
Code:
1 = eval("x01") - 63;
var x0f = eval("1");
if (eval("x01") == 275)
{
    x01 = eval("x1") + 614;

} // end if