Category:Digital-Forensics/Browser-based-Malware/Flash
Structure of a SWF file
Overview
Header
The first 8 bytes (signature, version, FileLength) are always stored uncompressed; in a CWS or ZWS file everything from FrameSize onwards is the compressed payload. The header is as follows:
- Signature (3 bytes)
  - First byte: "F" (0x46) for an uncompressed file, "C" (0x43) for a zlib-compressed file (SWF 6 and later), "Z" (0x5a) for an LZMA-compressed file (SWF 13 and later; a 32-bit compressed length and 5 LZMA property bytes follow FileLength before the compressed data)
  - Second byte: always "W" (0x57)
  - Third byte: always "S" (0x53)
- Version
  - Single byte file version (e.g. 0x06 for SWF 6)
- FileLength
  - UI32, little-endian: length of the entire file in bytes; for CWS/ZWS files this is the uncompressed length, not the size on disk, so a mismatch with the file size is normal for compressed files and suspicious for FWS files
- FrameSize
  - RECT (width and height of the on-screen display) in twips (1/20 of a pixel): a bit-packed field whose first 5 bits give the width Nbits of the four signed coordinates Xmin, Xmax, Ymin, Ymax that follow; its total size is 5 + 4*Nbits bits, rounded up to whole bytes
- FrameRate
  - UI16, little-endian: frame delay as an 8.8 fixed-point number of frames per second (fps), e.g. 24 fps is stored as 0x1800, i.e. the bytes 00 18
- FrameCount
  - UI16, little-endian: total number of frames in the file
FileAttributes tag
- The FileAttributes tag (tag type 69) is required for SWF 8 and later and must be the first tag in the file.
- Its flags tell you what to expect in the rest of the file: ActionScript3 (the file carries AVM2 bytecode in DoABC tags rather than AVM1 bytecode in DoAction tags), UseNetwork (the file may access the network even when loaded from the local file system), HasMetadata, UseDirectBlit and UseGPU.
Definition and control tags
After the header the file is a flat sequence of tags terminated by an End tag (type 0). There are 2 types of tags:
- Definition tags: define objects (aka characters) such as fonts, shapes, bitmaps, sounds, ...
- Control tags: manipulate the objects (place them on the display list, advance frames, run scripts)
Each tag starts with a RECORDHEADER: a little-endian UI16 whose upper 10 bits are the tag type and whose lower 6 bits are the length of the tag body. If the length field is 0x3f, a signed 32-bit length follows the UI16 instead (the long form, used for bodies of 63 bytes or more). The tags are identified by their tag type number, for example:
- 1: ShowFrame (instructs Flash Player to display the contents of the display list)
- 5: RemoveObject (removes the specified character from the display list)
- 9: SetBackgroundColor (sets the background color of the display)
- 12: DoAction and 59: DoInitAction (AVM1 bytecode, ActionScript 1/2)
- 24: Protect (see "Flash protection" below)
- 82: DoABC (AVM2 bytecode, ActionScript 3)
- 87: DefineBinaryData (arbitrary embedded bytes, worth extracting when analysing malware)
For a list of all tags, refer to the official documentation: http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/swf/pdf/swf-file-format-spec.pdf
ActionScript versions
(Source: http://www.mediacollege.com/adobe/flash/player/version/)
| Flash Player Version | Release Date | ActionScript version | Notable New Features |
|---|---|---|---|
| Flash 2 | 1997 | N/A | |
| Flash 3 | 1998 | N/A | Alpha transparency, MP3 support. |
| Flash 4 | May 1999 | N/A | |
| Flash 5 | August 2000 | ActionScript 1 | ActionScript |
| Flash 6 | March 2002 | ActionScript 1 | Video support (Sorenson Spark codec), application components, shared libraries, accessibility. |
| Flash 7 | September 2003 | ActionScript 2 | Charts & graphs, text effects, 3rd-party extensions, high-quality PDF & Adobe Illustrator import. ActionScript 2.0. |
| Flash 8 | August 2005 | ActionScript 2 | Filter effects, blending modes, GIF & PNG support, bitmap caching, FlashType type rendering, mobile device emulator, and a significant new video codec (On2 VP6). |
| Flash 9 | June 2006 | ActionScript 3 | ActionScript Virtual Machine AVM2, ActionScript 3. |
| Flash 9 Update 1 | November 2006 | ActionScript 3 | (v9.0.28.0, codenamed "Marvin") |
| Flash 9 Update 3 | December 2007 | ActionScript 3 | |
| Flash 10 | October 2008 | ActionScript 3 | |
| Flash 10.1 | June 2010 | ActionScript 3 | |
| Flash 10.2 | (Previewed September 2010) | ActionScript 3 | Support for 64-bit browsers. |
For analysis the distinction that matters is AVM1 (ActionScript 1/2, DoAction tags) versus AVM2 (ActionScript 3, DoABC tags). Flash Player 9 and later still ships AVM1, so a SWF 9+ file can carry either kind of bytecode: check the ActionScript3 flag of the FileAttributes tag rather than the version byte.
Flash protection
Some SWF files are "protected": they carry a Protect tag (type 24), which may hold the MD5-crypt hash of a password (the "$1$salt$hash" string visible in the dump below). swfdump shows it:
$ swfdump -Ddu easyforex_728x90.swf | grep -A2 PROTECT
[018]        31 PROTECT
                -=> 00 00 24 31 24 35 4c 24 4e 6c 61 6f 56 59 32 69 ..$1$5L$NlaoVY2i
                -=> 52 49 74 37 56 6e 70 61 78 56 62 4d 50 31 00    RIt7VnpaxVbMP1.
The tag is advisory only: Flash Player ignores it, and it merely tells the Flash authoring tool to refuse to import the file (or to ask for the password). Disassemblers and decompilers read the file regardless, as the swfdump output above shows; "unprotecting" only matters for tools that honour the tag.
- Flashkeeper (http://www.flashkeeper.com/) can unprotect such files.
- Wepawet (http://wepawet.iseclab.org/) seems to be able to analyze protected Flash files
- You can also manually unprotect them: decompress the file if it is CWS/ZWS, remove the whole Protect tag (the 2-byte RECORDHEADER plus its 31-byte body in the example above) from the tag stream, and fix up FileLength in the header.
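The structures described on this page, the 8-byte header with FWS/CWS/ZWS handling, the bit-packed RECT, the RECORDHEADER tag stream and the Protect tag, as an added, runnable example. This is not code from the original page or from swfdump, Flashkeeper or Wepawet. Tag numbers follow the Adobe specification; the two zero bytes before the "$1$" hash in the Protect body and the sample file's 728x90 size and hash are taken from the swfdump output above, and the sample file itself is constructed test data, not a real SWF. unprotect() is this example's own implementation of the manual method: drop the Protect tag and re-emit the file uncompressed with a corrected FileLength.

```python
# Added example, not code from the page or its tools: SWF header/tag parser
# and Protect-tag stripper. Tag numbers follow the Adobe SWF specification.
import lzma
import struct
import zlib

TAG_NAMES = {0: "End", 1: "ShowFrame", 5: "RemoveObject", 9: "SetBackgroundColor", 12: "DoAction",
             24: "Protect", 59: "DoInitAction", 69: "FileAttributes", 82: "DoABC", 87: "DefineBinaryData"}
PROTECT = 24

def split_swf(data):
    """Return (signature, version, file_length, body); body is everything after the 8-byte header."""
    sig, version, file_length = data[:3], data[3], struct.unpack_from("<I", data, 4)[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":
        # ZWS adds a UI32 compressed length at offset 8 and 5 LZMA property bytes at 12;
        # from offset 17 the stream is raw LZMA1 (no 8-byte size field as in .lzma files)
        p, dict_size = data[12], struct.unpack_from("<I", data, 13)[0]
        filt = {"id": lzma.FILTER_LZMA1, "lc": p % 9, "lp": (p // 9) % 5, "pb": p // 45,
                "dict_size": dict_size}
        body = lzma.LZMADecompressor(format=lzma.FORMAT_RAW, filters=[filt]).decompress(data[17:])
    else:
        raise ValueError("not a SWF signature: %r" % sig)
    return sig, version, file_length, body

def parse_header(body):
    """Decode RECT (twips), FrameRate (8.8 fixed) and FrameCount; return (dict, offset of first tag)."""
    nbits = body[0] >> 3                               # top 5 bits: width of each RECT field
    total = 5 + 4 * nbits
    nbytes = (total + 7) // 8
    bits = int.from_bytes(body[:nbytes], "big") >> (nbytes * 8 - total)
    fields = []
    for i in range(4):                                 # Xmin, Xmax, Ymin, Ymax, signed
        v = (bits >> ((3 - i) * nbits)) & ((1 << nbits) - 1)
        fields.append(v - (1 << nbits) if nbits and v >> (nbits - 1) else v)
    xmin, xmax, ymin, ymax = fields
    rate, count = struct.unpack_from("<HH", body, nbytes)
    return {"width_px": (xmax - xmin) / 20, "height_px": (ymax - ymin) / 20,
            "fps": rate / 256, "frame_count": count}, nbytes + 4

def iter_tags(body, offset):
    """Yield (tag_type, payload) records until the End tag or the data runs out."""
    while offset + 2 <= len(body):
        code = struct.unpack_from("<H", body, offset)[0]
        tag_type, length, offset = code >> 6, code & 0x3F, offset + 2
        if length == 0x3F:                             # long form: SI32 length follows
            length, offset = struct.unpack_from("<i", body, offset)[0], offset + 4
        yield tag_type, body[offset:offset + length]
        offset += length
        if tag_type == 0:
            break

def encode_tag(tag_type, payload):                     # RECORDHEADER, long form from 63 bytes
    if len(payload) < 0x3F:
        return struct.pack("<H", (tag_type << 6) | len(payload)) + payload
    return struct.pack("<Hi", (tag_type << 6) | 0x3F, len(payload)) + payload

def describe(data):
    """Header summary plus tag names; a Protect tag is shown with its MD5-crypt hash."""
    sig, version, file_length, body = split_swf(data)
    hdr, off = parse_header(body)
    hdr.update(signature=sig.decode(), version=version, file_length=file_length)
    tags = []
    for t, payload in iter_tags(body, off):
        name = TAG_NAMES.get(t, "Tag%d" % t)
        if t == PROTECT and payload.strip(b"\0"):
            # as in the swfdump output above, two zero bytes precede the NUL-terminated hash
            name += " " + payload.lstrip(b"\0").split(b"\0", 1)[0].decode("ascii", "replace")
        tags.append(name)
    return hdr, tags

def unprotect(data):
    """Rewrite as uncompressed FWS with every Protect tag dropped (the player never enforced it)."""
    _, version, _, body = split_swf(data)
    off = parse_header(body)[1]
    out = body[:off] + b"".join(encode_tag(t, p) for t, p in iter_tags(body, off) if t != PROTECT)
    return b"FWS" + bytes([version]) + struct.pack("<I", 8 + len(out)) + out

def encode_rect(xmin, xmax, ymin, ymax, nbits=16):
    """Pack a RECT with four 16-bit signed twip fields (the inverse of parse_header)."""
    bits = nbits
    for v in (xmin, xmax, ymin, ymax):
        bits = (bits << nbits) | (v & ((1 << nbits) - 1))
    nbytes = (5 + 4 * nbits + 7) // 8
    return (bits << (nbytes * 8 - 5 - 4 * nbits)).to_bytes(nbytes, "big")

def sample_swf():
    """Constructed test input (not a real file): 728x90, 24 fps, one frame, SWF 9,
    carrying the Protect hash from the swfdump output above."""
    body = encode_rect(0, 728 * 20, 0, 90 * 20) + struct.pack("<HH", 24 * 256, 1)
    for t, p in [(69, b"\x08\x00\x00\x00"),          # FileAttributes with ActionScript3 set
                 (24, b"\x00\x00$1$5L$NlaoVY2iRIt7VnpaxVbMP1\x00"),
                 (9, b"\xff\xff\xff"), (1, b""), (0, b"")]:   # SetBackgroundColor, ShowFrame, End
        body += encode_tag(t, p)
    return b"FWS" + bytes([9]) + struct.pack("<I", 8 + len(body)) + body
```

`describe(open("file.swf", "rb").read())` gives the header and tag list for a real file; `unprotect()` returns the bytes to write out. The ZWS branch ignores the compressed-length field on purpose and decodes whatever follows the property bytes, which is also what you want when that field has been tampered with.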