WARNING - support of the decompiler is now VERY LIMITED. There are no active developers. This means waiting times in the issue tracker are very long and mostly depend on the community. Sorry for the inconvenience.


#341 Unnecessary removing setlocal (kill removes temporary registers)
Author: user poxyran
Date created:
Type: bug
Visibility: Everybody
Assigned to: admin JPEXS
Labels: AS3Obfuscated
State: postponed

Hi! I'm analyzing a sample located at: https://sites.google.com/site/villys777/crsenvironscan.zip (pwd is infected). It is a SWF embedded into a .xls. The thing is that when looking at bytecode level, I see some instruction pushing a string literal but this is not reflected in the decompiled code:

decompiled code:
{{{
[...]
_loc1_.writeInt(2.425393296E9);
_loc1_.writeInt(2.425393296E9);
_loc1_.writeBytes(hexToBin(_loc4_));
while(_loc3_ < 65536)
[...]
}}}

bytecode:
{{{
pushdouble 2.425393296E9
callpropvoid m[6]"writeInt" 1
getlocal 1
pushdouble 2.425393296E9
callpropvoid m[6]"writeInt" 1
pushstring [...]
setlocal 4
getlocal 1
findpropstrict m[5]"hexToBin"
getlocal 4
callproperty m[5]"hexToBin" 1
coerce_a
callpropvoid m[4]"writeBytes" 1
getlocal 1
}}}

_loc4_ is not shown in the decompiled code, but it is in the bytecode.

PS: the extracted SWF file is attached.
user
btw, here is some output from another decompiler (I don't know exactly which one, Shothink maybe?) where you can see that _loc4_ is shown: http://pastebin.com/UscAZvCV
admin
The problem is that FFDec handles registers deleted with the kill instruction as temporary and removes them. For some reason, in this SWF kill instructions are called for every register. Do you know which compiler produced the SWF file?
Assigned: admin JPEXS
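The register handling the maintainer describes, as an added toy model that is not FFDec's code: a stack-walking decompiler for the opcodes in the listing above. The trailing `kill 4` is assumed from the reply that kill is emitted for every register, and the string literal "DEADBEEF" is a constructed placeholder for the elided one. The 'drop' rule reproduces the symptom (_loc4_ is read but never assigned), while 'inline' and 'keep' preserve the literal.

```python
import re
from collections import Counter
CODE = [  # constructed from the bytecode in the report: (opcode, operand)
    ("getlocal", 1), ("pushdouble", "2.425393296E9"), ("callpropvoid", ("writeInt", 1)),
    ("getlocal", 1), ("pushdouble", "2.425393296E9"), ("callpropvoid", ("writeInt", 1)),
    ("pushstring", "DEADBEEF"), ("setlocal", 4),  # placeholder for the elided literal
    ("getlocal", 1), ("findpropstrict", "hexToBin"), ("getlocal", 4),
    ("callproperty", ("hexToBin", 1)), ("coerce_a", None), ("callpropvoid", ("writeBytes", 1)),
    ("kill", 4),  # assumed: this compiler emits kill for every register it used
]

def decompile(code, temp_rule):
    """'drop' = reported behaviour (killed register is a temporary, assignment
    deleted); 'inline' = substitute at its single read; 'keep' = never drop."""
    killed = {op for kind, op in code if kind == "kill"}
    reads = Counter(op for kind, op in code if kind == "getlocal")
    stack, stmts, pending = [], [], {}
    for kind, op in code:  # coerce_a and kill emit nothing
        if kind in ("pushdouble", "pushstring"):
            stack.append(f'"{op}"' if kind == "pushstring" else op)
        elif kind == "getlocal":
            stack.append(pending.pop(op, f"_loc{op}_"))
        elif kind == "findpropstrict":
            stack.append(None)  # global scope: render as a bare function call
        elif kind in ("callproperty", "callpropvoid"):
            name, argc = op
            args = [stack.pop() for _ in range(argc)][::-1]  # AVM2 pops args, then receiver
            recv = stack.pop()
            call = f"{name}({', '.join(args)})"
            call = call if recv is None else f"{recv}.{call}"
            if kind == "callproperty":
                stack.append(call)  # result stays on the stack
            else:
                stmts.append(call + ";")  # void call becomes a statement
        elif kind == "setlocal":
            value = stack.pop()
            if temp_rule == "drop" and op in killed:
                continue  # the bug: the pushed value vanishes from the output
            if temp_rule == "inline" and op in killed and reads[op] == 1:
                pending[op] = value  # only safe for side-effect-free values
                continue
            stmts.append(f"_loc{op}_ = {value};")
    return stmts

def undefined_reads(stmts, predefined=("_loc1_",)):
    """Registers the output reads but never assigns: the report's symptom."""
    assigned = {s.split(" = ")[0] for s in stmts if " = " in s}
    used = {t for s in stmts for t in re.findall(r"_loc\d+_", s)}
    return sorted(used - assigned - set(predefined))
```

`_loc1_` is treated as defined before the snippet (it is the ByteArray the listing writes into), so only registers assigned inside the listing are checked.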
user
No, I have no idea about the compiler used to produce this swf file. However, shothink seems to be handling these kill instructions and shows the code anyway. Is there any chance to add this "feature" to ffdec?
admin
I will think about it. It has low priority for me as this kind of code is nonstandard and most of FFDec users probably won't use this feature.
State: new→postponed
admin
Title: Failed decompilation - inconsistency between bytecode and decompiled code→Unnecessary removing setlocal (kill removes temporary registers)
Assigned: admin JPEXS
user
mmm... well, I'm not so sure about the low priority. There are a lot of malware analysts using ffdec, and this kind of file is common in the field. Thanks!
admin
hmm, okay, then please send me more of such files.
user
Check your inbox at flash@....