update 2020: WARNING - support of the decompiler is now VERY LIMITED. There are no active developers. This means we will NOT develop new features and/or fix most of bugs. We left the tracker running in case somebody from community would like to work on it. Sorry for the inconvenience.
State: closed
> What steps will reproduce the problem?
1. Have a file with some NOP instructions in the code
2. Open it in FFDEC and view HEX with instructions
3. You will see 5 byte jumps shown instead, example:
; 99 02 00 00 00
; 99 02 00 00 00
; 99 02 00 00 00
; 99 02 00 00 00
> What is the expected output? What do you see instead?
It should show NOP instructions (files I checked are in AS3, so those are "x02")
But instead I see some non-existent hex code out of nowhere
> What version of the product are you using? Is it "nightly build"? Which operating system
do you have?
v8.0.1 on Win10
> Please provide any additional information below. If the problem is related to a SWF
file, attach it here, otherwise we can't help you.
Ok, attached example file (Line 1277 of decompiled code for example)
Answer is the same as in issue #1241, they are not the original bytes from your file. The
action list is fixed (also removes nop instructions) by FFDec. If you want to see the
original bytes, use Hex view.
Can't code writer use NOPs at all? I mean it would be useful to view those (or at least
to just fully remove those instead of these 5 byte jumps).
Should I start a feature type request or could you change the type of this one then?
Sorry, I was a little bit wrong. There is no Nop instruction in AS2. 0x02 is replaced with
a jump because it is an unknown action code.
Did you find any documentation where it is written that 0x02 is Nop? I can't find any, I
think it is not NOP in AS2, only in AS3
There are Nop instructions in both AS2 and AS3. In our decompiler we use NOP opcodes for
some internal usages during deobfuscation. We replace obfuscated jumps with nops (or we
did it in the past) and then remove blocks with all nops in them. This is probably the
reason why you don't see regular nop instructions. I agree we should make removing regular
JPEXS: which is the code of the Nop action? I can't find it in any documentation.
I tried 0x02, it seems to be Nop, but also tried 0x01, it is the same.
Owyn: That is AS3, they are completely different than AS1/2 action codes
Isn't my file I posted AS3? so that should be correct
Google says AS2 has no native support for NOPs but AS1 does,
can't you just edit some bytes in AS2 file and check what result would it run into? -
Would it nop or would it error, and then just base on the results.
Btw, Results don't have to be the same for all the versions of the AS, and I just wanted
it to show NOPs correctly in the AS3
From here: http://www.cheatengine.org/forum/viewtopic.php?t=472493
ActionScript 1 OpCodes:
No Operation (NOP) = 0x02
ActionScript 3 OpCodes:
final int OP_bkpt = 0x01;
final int OP_nop = 0x02;
Your file is AS2. (Actions are in AS1/2, AVM2 instructions in AS3)
AS1/2 and AS3 (AVM2) are totally different things.
AS1/2: DoAction/DoInitAction tags
AS3 (AVM2): DoABC, DoABC2 tag
AS1 is basically the same as AS2, this is why I usually write AS1/2
So maybe 0x02 is also NOP in AS1/2, but I can't find it in any official documentation.
Hmm, looks like over time I forgot what AS I was editing ...
but x02 seemed to work like it should all this time. - can you check this for sure (check
that x02 just works)?
If AS2 is the same as AS1, it should have NOPs, right? Because AS1 did have those as
Best opcode list for AS2 I found so far: http://globeriz.blogspot.ru/2014/01/flash-vm-instruction-reference.html but it has no
x02 seems to work as I mentioned it earlier (05/28/2016, 4:34:31 pm)
But if I write 0x01, the result is the same, so probably 0x02 is not a nop, only an
unknown action, and flashplayer skips the unknown actions. (Or maybe it is only an
undocumented action which has no visible result)
The link you wrote is not an official document, probably the guy tried to use 0x02, he saw
that it usually works...
Somebody else on the same forum wrote:
"AS2 doesn't so you'll have to be creative. I usually push and pop stuff from the stack."
AS1 and AS2 are basically the same, It compiles exactly to the same pcode, so if there is
not NOP in AS2, there is no NOP in AS1, too. Only unknown actions, which behaves like
From wikipedia: ActionScript 2.0 featured compile-time type checking and class-based
syntax, such as the keywords class and extends. (While this allowed for a more structured
object-oriented programming approach, the code would still be compiled to ActionScript 1.0
bytecode, allowing it to be used on the preceding Flash Player 6 as well.)
ummm, sorry about that AS1/2 Nop info, my bad.
There is no official documented Nop Action. (These are called "Actions" in AS1/2)
There is nop instruction with opcode 0x02 in AS3 (See /www.free-decompiler.com/flash/docs/as3_pcode_instructions.en.html or
any better source, this comes from our research and many sources)
All nop info from my previous post was for the AS3 (AVM2).
Jpexs: Now all the unknown actions are replaced with ActionJump, but Owyn is right,
sometimes we can write
Unknown_0xab and ignore them during decompiling
sometimes = when the code < 0x80, they are single byte actions, for longer actions we
should keep the jumps (they are probably obfuscated things anyway)
I'll make this modification, but I need a little time to do it.
If you use invalid instruction(Action) in AS1/2 then the FlashPlayer will probably crash
and not continue to play the file at all. I don't think we should put big amount of effort
to implement any cool detection of such SWFs. If you put invalid SWF into the decompiler,
do not expect it will show anything nice.
Yeah, "UNKNOWN ACTION" would be handsome, but... we decompile and edit SWF files. We
silently expect that we get files that are playable by Flash Player, because... who the
fuck would want a SWF file which is unplayable?
I mean... you should check the SWF file by playing it in the Flash Player first. Install
debug version of flash player, it will tell you exactly where the problem in the SWF file
is ("invalid opcode" or something).
Do not use FFDec to check SWF file for validity, it is not a good tool for this (never
will be). Adobe has better tool for you.
honfika: okay, implement what you want (if you have time for it), but "unknown opcode" is
showstopper. You cannot decode anything after such byte, you don't know where next
instruction is. There is no "ignore one instruction" and continue on next, there's no
Earlier you wrote: "or at least to just fully remove those instead of these 5 byte jumps"
They were already removed (in 8.0.1 stable also) when automatic deobfuscation is enabled.
But now it shows the unknown action when the code < 0x80.
Unknown actions will be removed when you enable automatic deobfuscation, so if you want to
see them, you should disable this setting.
So is this task ready, may I close it?
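
The AS1/2 record layout discussed in this thread, as an added example that is not FFDec's code and not part of any comment above: in a DoAction stream an action code below 0x80 is a single byte, while a code of 0x80 or above is followed by a UI16 length and that many payload bytes, so `99 02 00 00 00` reads as an ActionJump with a branch offset of 0. The names `disassemble`, `KNOWN` and `SAMPLE` are assumptions of this sketch, the opcode table is a small subset, and the sample bytes are constructed.

```python
import struct

# Small subset of documented AS1/2 action codes; anything else is "unknown".
KNOWN = {0x00: "End", 0x06: "Play", 0x07: "Stop", 0x17: "Pop",
         0x1C: "GetVariable", 0x1D: "SetVariable", 0x26: "Trace",
         0x96: "Push", 0x99: "Jump", 0x9D: "If"}

def disassemble(data: bytes):
    """Return a list of (offset, name, payload, note) action records."""
    out, pos = [], 0
    while pos < len(data):
        start, code = pos, data[pos]
        pos += 1
        payload = b""
        if code >= 0x80:
            # High bit set: UI16 little-endian length, then the payload.
            if pos + 2 > len(data):
                out.append((start, "Truncated", data[start:], "no length field"))
                break
            (length,) = struct.unpack_from("<H", data, pos)
            pos += 2
            if pos + length > len(data):
                out.append((start, "Truncated", data[start:], "payload overruns buffer"))
                break
            payload = data[pos:pos + length]
            pos += length
        # Codes below 0x80 carry no payload, so an unknown one is one byte.
        name = KNOWN.get(code, f"Unknown_0x{code:02x}")
        note = ""
        if code in (0x99, 0x9D) and len(payload) == 2:
            # Branch offset is SI16, relative to the end of this record.
            (rel,) = struct.unpack("<h", payload)
            note = f"target=0x{pos + rel:04x}"
        out.append((start, name, payload, note))
        if code == 0x00:
            break  # ActionEnd terminates the action list
    return out

# Constructed sample: Play, two 0x02 bytes, the 5-byte jump from the report,
# Stop, End.
SAMPLE = bytes.fromhex("06 02 02 99 02 00 00 00 07 00")

if __name__ == "__main__":
    for off, name, payload, note in disassemble(SAMPLE):
        print(f"{off:04x}  {name:<14} {payload.hex(' '):<8} {note}")
```

Running it on the original bytes from Hex view, rather than on FFDec's rewritten action list, shows which records were 0x02 bytes in the file and which are real jumps.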