JPEXS Free Flash Decompiler Issue Tracker

If you are looking for the decompiler itself, visit

List of issuesList of issues

#1430 SWF File obfuscated with Leawo cannot be opened or deobfuscated.
Author: user bennh
Date created:
Type: bug
Visibility: Everybody read only
Assigned to: admin JPEXS
Labels: AS1/2DeobfuscationObfuscated
State: closed Help

> What steps will reproduce the problem? Open the attach file with rename invalid identifiers turned on will cause the loading of the file to fail with the exception attached the file can be loaded without this option but code is unreadable as automatic deobfuscation has no effects on the code at all. > What is the expected output? What do you see instead? The invalid identifiers should be renamed instead an error is received. It would also be nice if JPEXS was able to deobfuscate the swf. > What version of the product are you using? Is it "nightly build"? Which operating system do you have? I am using the latest stable version 10.0.0 on Windows 8.1 but have have tested the nightly version and the problem still exists. > Please provide any additional information below. If the problem is related to a SWF file, attach it here, otherwise we can't help you. File was obfuscated with the Leawo obfuscater, I believe it was the latest version which is which was released in 2012.
Despite of me not working on the decompiler anymore, I looked quickly on the SWF file using FFDec and with a little manual work, the script can be transferred to more readable version. Some tips for you: - The P-code (on the right in the GUI) contains multiple ConstantPool instructions. - Constantpool is list of all strings including variable of function names. - For FFDec to correctly display ActionScript source in central panel, it must detect correct Constantpool instruction. - Standard compiled AS1/2 SWF contains usually only 1 Constantpool instruction per script, this is easy - Obfuscators insert various ConstantPool instructions (with often invalid identifier names) and also some p-code on the beginning of the file, which selects the correct one ConstantPool for the app. - The code which selects ConstantPool cannot be executed by FFDec automatically(FFdec tries a lot, but obfuscators are usually one step ahead) thus FFDec does not know which of ConstantPools is correct, which leads to incorrect display of its constants in central panel. - You can help FFDec to identify correct ConstantPool in your file: 1) Uncheck checkbox "Automatic deobfuscation" and "Auto rename identifiers" 2) Uncheck checkbox "Simplify expressions" 3) Uncheck "Resolve constants" button above P-code section (this disables using ConstantPool strings detection in P-code editor, making constantXX identifiers instead) 4) Find the correct ConstantPool instruction in the P-code (it is usually the one which has easily readable strings) - in your SWF file it's on line 30 5) Identify P-code which calculates the correct ConstantPool instruction - it is in the beginning of the file, in your file its everything before line 61. 6) Press "Edit P-code" on the bottom right. 7) Remove code from step 5 and replace it with the ConstantPool instruction from step 4 8) Press "Save" (P-code) on the bottom right 9) The AS code in central panel should now be pretty readable as FFDec detected the ConstantPool correctly now. - In your case, the code still contains few variables with § mark (invalid identifiers), but it's visible what's going on there in the code.
Umm, nevermind, try nightly version of FFDec 1659 or later with "Automatic deobfuscation" enabled, it should do the trick. ( / )
State: new→upgraded
Assigned:admin JPEXS
State: upgraded→closed