List of issues
: WARNING - support of the decompiler is now VERY LIMITED. There are no active developers. This means waiting times in the issue tracker are very long and mostly depend on community. Sorry for the inconvenience.
#1244 Incorrect showing of NOP instructions
> What steps will reproduce the problem? 1. Have a file with some NOP instructions in the code 2. Open in in FFDEC and view HEX with instructions 3. You will see 5 byte jumps shown instead, example: loc6709:Jump loc670e ; 99 02 00 00 00 loc670e:Jump loc6713 ; 99 02 00 00 00 loc6713:Jump loc6718 ; 99 02 00 00 00 loc6718:Jump loc671d ; 99 02 00 00 00 loc671d:Jump loc6722 > What is the expected output? What do you see instead? It should show NOP instructions (files I checked are in AS3, so those are "x02") ; 02 NOP But instead I see some non-existent hex code out of nowhere > What version of the product are you using? Is it "nightly build"? Which operating system do you have? v8.0.1 on Win10 > Please provide any additional information below. If the problem is related to a SWF file, attach it here, otherwise we can't help you. Ok, attached example file (Line 1277 of decompiled code for example)
HEXED_S1UI_CharacterWindow.swf (311 KiB)
Answer is the same as in issue #1241, they are not the original bytes from your file. The action list is fixed (also removes nop instuctions) by FFDec. If you want to see the original bytes, use Hex view.
Can't code writer use NOPs at all? I mean it would be usefull to view those (or at least to just fully remove those instead of these 5 byte jumps). Should I start a feature type request or could you change the type of this one then?
Sorry, I was a little bit wrong. There is no Nop instuction in AS2. 0x02 is replaced with a jump because it is an unknown action code. Did you find any documentation where it is written that 0x02 is Nop? I can't find any, I think it is not NOP in AS2, only in AS3
https://www.adobe.com/content/dam/Adobe/en/devnet/actionscript/articles/avm2overview.pdf nop Operation Do nothing. Format nop Forms nop = 2 (0x02) Stack … => … Description Do nothing.
There are Nop instructions in both AS2 and AS3. In our decompiler we use NOP opcodes for some internal usages during deobfuscation. We replace obfuscated jumps with nops (or we did it in the past) and then remove blocks with all nops in them. This is probably the reason why you don't see regular nop instructions. I agree we should make removing regular nops configurable.
JPEXS: which is the code of the Nop action? I can't find it in any documentation. I tried 0x02, it seems to be Nop, but also tried 0x01, it is the same. Owyn: That is AS3, they are completely different than AS1/2 action codes
JPEXS: Btw, FFDec currently using 0xff (-1) in AS2 for Nops, which is probably also incorrect
Isn't my file I posted AS3? so that should be correct Google says AS2 has no native support for NOPs but AS1 does, can't you just edit some bytes in AS2 file and check what result would it run into? - Would it nop or would it error, and then just base on the results. Btw, Results doesn't have to be the same for all the versions of the AS, and I just wanted it to show NOPs correctly in the AS3 From here: http://www.cheatengine.org/forum/viewtopic.php?t=472493 ActionScript 1 OpCodes: No Operation (NOP) = 0x02 ActionScript 3 OpCodes: final int OP_bkpt = 0x01; final int OP_nop = 0x02;
Your file is AS2. (Actions are in AS1/2, AVM2 instuctions in AS3) AS1/2 and AS3 (AVM2) are totally different things. AS1/2: DoAction/DoInitAction tags AS3 (AVM2): DoABC, DoABC2 tag AS1 is basically the same as AS2, this is why I usually write AS1/2 So maybe 0x02 is also NOP in AS1/2, but I can't find it in any official documentation.
Hmm, looks like over time I forgot what AS I was editing ... but x02 seemed to work like it should all this time. - can you check this for sure (check that x02 just works)? If AS2 is the same as AS1, it should have NOPs, right? Because AS1 did have those as people write Best opcode list for AS2 I found so far: http://globeriz.blogspot.ru/2014/01/flash-vm-instruction-reference.html but it has no NOPs
x02 seems to work as I mentioned it earlier (05/28/2016, 4:34:31 pm) But if I write 0x01, the result is the same, so probably 0x02 is not a nop, only an unknown action, and flashplayer skips the unknown actions. (Or maybe it is only an undocumented action which has no visible result) The link you wrote is not an official document, probably the guy tried to use 0x02, he saw that it usually works... Somebody else on the same forum wrote: "AS2 doesn't so you'll have to be creative. I usually push and pop stuff from the stack." AS1 and AS2 are basically the same, It compiles exactly to the same pcode, so if there is not NOP in AS2, there is no NOP in AS1, too. Only unknown actions, which behaves like NOPs. From wikipedia: ActionScript 2.0 featured compile-time type checking and class-based syntax, such as the keywords class and extends. (While this allowed for a more structured object-oriented programming approach, the code would still be compiled to ActionScript 1.0 bytecode, allowing it to be used on the preceding Flash Player 6 as well.
> unknown actions well, if FFDEC wrote 02 ; UNKNOWN ACTION that would be ok too, or by just removing those and not inserting those 5 byte jumps.
ummm, sorry about that AS1/2 Nop info, my bad. There is no official documented Nop Action. (These are called "Actions" in AS1/2) There is nop instruction with opcode 0x02 in AS3 (See docs/as3_pcode_instructions.en.html or any better source, this comes from our research and many sources) All nop info from my previous post was for the AS3 (AVM2).
Jpexs: Now all the unknown actions are repaced with ActionJump, but Owyn has right, sometimes we can write Unknown_0xab and ignore them during decompiling sometimes = when the code < 0x80, they are single byte actions, for longer actions we should keep the jumps (they are probably obfuscated things anyway) I'll make this modification, but I need a little time to do it.
If you use invalid instruction(Action) in AS1/2 then the FlashPlayer will probably crash and not continue to play the file at all. I don't think we should put big amount of effort to implement any cool detection of such SWFs. If you put invalid SWF into the decompiler, do not expect it will show anything nice. Yeah, "UNKNOWN ACTION" would be handsome, but... we decompile and edit SWF files. We silently expect that we get files that are playable by Flash Player, because... who the fuck would want a SWF file which is unplayable? I mean... you should check the SWF file by playing it in the Flash Player first. Install debug version of flash player, it will tell you exactly where the problem in the SWF file is ("invalid opcode" or something). Do not use FFDec to check SWF file for validity, it is not a good tool for this (never will be). Adobe has better tool for you.
honfika: okay, implement what you want (if you have time for it), but "uknown opcode" is showstopper. You cannot decode anything after such byte, you don't know where next instruction is. There is no "ignore one instruction" and continue on next, there's no next.
I tried 0x01 and 0x02, they works in non-debug flash player. Flash player "ignores" (nothing visible difference, keeps the stack) them, so they are quasi NOP actions.
hmm, there is "length" in the Action record, so probably one action can be skipped, so maybe it might work (?). Okay,... maybe I am just too tired today to think :-).
This is why only the 1 byte actions should implemented in this way. Multi byte actions should be jumps. (as they are currently)
length is only then code >= 0x80
Owyn: please try the next (1445 or newer) nightly build, will be released in 5 minutes: nightly/
honfika: Yes, v1445 shows: ; 02 Unknown_02 nicely, thanks. It's a lot more understandable to read now.
Owyn: Earlier you wrote: "or at least to just fully remove those instead of these 5 byte jumps" They were already removed (in 8.0.1 stable also) when automatic deobfuscation is enabled. But now it shows the unknown action when the code < 0x80. Unknown actions will be removed when you enable automatic deobfuscation, so if you want to see them, you should disable this setting. So is this task ready, may I close it?
+As JPEXS said Unknown actions may crash Flash Player, so use it at your own risk.
I Never used deobfuscation feature so I don't know what it does, but yes, task i ready.