Disassembling a SWF with swfdump

I mentioned in an earlier post that the open-source Flex SDK project includes a Java library — swfutils.jar — that supports reading and writing SWF files and the ActionScript Byte Code (ABC) inside them.

The bin folder of the SDK includes a command-line tool, swfdump, which uses swfutils.jar to produce a disassembly of a SWF file. It doesn’t bear much resemblance to your MXML and AS source code, because that got compiled down to low-level instructions for the ActionScript Virtual Machine. But it provides the most detailed info about a SWF that you can obtain.

Take any old SWF and do this:

swfdump -abc MyApp.swf > out.txt

I suggest piping the output to a file, or you’ll end up waiting a long time for the output to scroll by in your shell window.

Here an example of what the getter and setter for the label property of mx.controls.Button look like:

Getter:

B2 13 01 01 0B 0C 06 function get mx.controls:Button:::label()::String
maxStack:1 localCount:1 initScopeDepth:11 maxScopeDepth:12
D0                       getlocal0
30                       pushscope
60 AA 10                 getlex        	private:_label
48                       returnvalue
0 Extras
0 Traits Entries

Setter:

B3 13 03 02 0B 0C 3D function set mx.controls:Button:::label(:String)::void
maxStack:3 localCount:2 initScopeDepth:11 maxScopeDepth:12
D0                       getlocal0
30                       pushscope
5E A1 10                 findproperty  	private:labelSet
26                       pushtrue
68 A1 10                 initproperty  	private:labelSet
60 AA 10                 getlex        	private:_label
D1                       getlocal1
13 2B 00 00              ifeq          	L0
5E AA 10                 findproperty  	private:_label
D1                       getlocal1
68 AA 10                 initproperty  	private:_label
5E E2 0F                 findproperty  	private:labelChanged
26                       pushtrue
68 E2 0F                 initproperty  	private:labelChanged
5D F1 04                 findpropstrict	:invalidateSize
4F F1 04 00              callpropvoid  	:invalidateSize (0)
5D C1 02                 findpropstrict	:invalidateDisplayList
4F C1 02 00              callpropvoid  	:invalidateDisplayList (0)
5D F7 03                 findpropstrict	:dispatchEvent
5D 13                    findpropstrict	flash.events:Event
2C 97 02                 pushstring    	"labelChanged"
4A 13 01                 constructprop 	flash.events:Event (1)
4F F7 03 01              callpropvoid  	:dispatchEvent (1)
47                   L0: returnvoid
0 Extras
0 Traits Entries

As you can see, it actually shows the names of classes, properties, and methods, and isn’t that unintelligible, especially once you begin to understand the bytecode instructions. Now that anyone can disassemble anybody else’s SWF, I guess this means that the market for a good AS3 obfuscator is going to heat up!