Disassembling a SWF with swfdump
I mentioned in an earlier post that the open-source Flex SDK project includes a Java library -- swfutils.jar -- that supports reading and writing SWF files and the ActionScript Byte Code (ABC) inside them.
The bin folder of the SDK includes a command-line tool, swfdump, which uses swfutils.jar to produce a disassembly of a SWF file. It doesn't bear much resemblance to your MXML and AS source code, because that got compiled down to low-level instructions for the ActionScript Virtual Machine. But it provides the most detailed info about a SWF that you can obtain.
Take any old SWF and do this:
swfdump -abc MyApp.swf > out.txt
I suggest piping the output to a file, or you'll end up waiting a long time for the output to scroll by in your shell window.
Here an example of what the getter and setter for the label property of mx.controls.Button look like:
Getter:
B2 13 01 01 0B 0C 06 function get mx.controls:Button:::label()::String
maxStack:1 localCount:1 initScopeDepth:11 maxScopeDepth:12
D0 getlocal0
30 pushscope
60 AA 10 getlex private:_label
48 returnvalue
0 Extras
0 Traits Entries
Setter:
B3 13 03 02 0B 0C 3D function set mx.controls:Button:::label(:String)::void
maxStack:3 localCount:2 initScopeDepth:11 maxScopeDepth:12
D0 getlocal0
30 pushscope
5E A1 10 findproperty private:labelSet
26 pushtrue
68 A1 10 initproperty private:labelSet
60 AA 10 getlex private:_label
D1 getlocal1
13 2B 00 00 ifeq L0
5E AA 10 findproperty private:_label
D1 getlocal1
68 AA 10 initproperty private:_label
5E E2 0F findproperty private:labelChanged
26 pushtrue
68 E2 0F initproperty private:labelChanged
5D F1 04 findpropstrict :invalidateSize
4F F1 04 00 callpropvoid :invalidateSize (0)
5D C1 02 findpropstrict :invalidateDisplayList
4F C1 02 00 callpropvoid :invalidateDisplayList (0)
5D F7 03 findpropstrict :dispatchEvent
5D 13 findpropstrict flash.events:Event
2C 97 02 pushstring "labelChanged"
4A 13 01 constructprop flash.events:Event (1)
4F F7 03 01 callpropvoid :dispatchEvent (1)
47 L0: returnvoid
0 Extras
0 Traits Entries
As you can see, it actually shows the names of classes, properties, and methods, and isn't that unintelligible, especially once you begin to understand the bytecode instructions. Now that anyone can disassemble anybody else's SWF, I guess this means that the market for a good AS3 obfuscator is going to heat up!
Comments
java $VMARGS -jar "$FLEX_HOME/lib/swfdump.jar" "$@"
Neither swfdump.jar nor swfutils.jar exist.
Posted by: George | February 25, 2008 1:31 AM
Resolved. Need to rebuild with ant.
Posted by: George | February 25, 2008 7:19 AM
Just a quick note that in earlier releases of Flex before we went open source, swfutils.jar used to be called swfkit.jar (but going forward it will be swfutils.jar).
Posted by: Pete Farland | February 25, 2008 8:05 AM
Here is old application (AIR) written by one of our consultants that is a bit more interactive/easier to use:
http://www.docsultant.com/nemo440/
Enjoy,
Anatole
Posted by: Anatole Taratkovsky | February 25, 2008 10:57 PM
Well... Here's my question for the really gifted computer scientists and engineers out there:
If swf's are so easy to decompile, how is there even a market for creating swfs? I'm sure swfs are easier to decompile than say compiled C/C++ code.
Posted by: William C. | February 26, 2008 3:08 PM
The swfdump tool is a disassembler, not a decompiler; it doesn't produce AS or MXML source code. There are similar disassemblers that output virtual machine instructions for Java and .NET code. C/C++ can be disassembled to processor-level instructions, which are definitely harder to make sense of than virtual machine instructions. But ultimately, there is no software that can't be reverse-engineered.
Posted by: Gordon Smith | February 26, 2008 7:22 PM