Far from being an expert, but I will try to tackle this one. You need:
* Alexis' SWF reference (http://www.m2osw.com/swf_alexref.html) * swfmill tool (http://swfmill.org) * python interpreter installed * some AS3 decompiler (there are some) On 27.10.2009 John Gilmore <[email protected]> napisaĆ: > So can our gnash initialization start running an AS3 "ABC file"? Is > that what Youtube is offering from its web site, e.g. from: > > http://s.ytimg.com/yt/swf/watch_as3-vfl128620.swf > > "file" calls it "Macromedia Flash data (compressed), version 10", > not an "ABC file" (which is what the AVM2 spec calls its input file). SWF is just a container for several objects, called "tags". swfmill swf2xml watch_as3-vfl128620.swf watch_as3-vfl128620.xml will convert this file for you. Just search for UnknownTag (tags that swfmill does not directly support) and you will find: 12 0x57 tags (dec - 87) 1 0x29 tag (dec - 41) 1 0x4c tag (dec - 76) 1 0x52 tag (dec - 82) Alexis refence says that tag 87 means DefineBinaryData (arbitrary bytes), tag 41 is ProductInfo, tag 76 is SymbolClass means "Instantiate objects from a set of classes." and tag 82 is DoABCDefine is the ActionScript 3 container. Tags 76 and 82 have been introduced in SWF9 together with AS3/AVM2. What one needs to do is to take contents of interesting tags (76 and 82) and analyze that further. swfmill stores their contents as a series of base64-encoded bytes. I have used a text editor to leave only one line of base64-encoded text for each tag. In this case, file watch_as3-vfl128620_52 contains base64-encoded text of tag 82 (one line of text that starts with "AQAAAGZyYW1...."). File watch_as3-vfl128620_4c contains base64-encoded text of the tag 76 (starts with "FwABAGNvbS5...."). I use following python one-liners in python to get binary contents: python -c 'import base64; base64.decode(open("watch_as3-vfl128620_52", "r"), open("52.bin", "w"))' python -c 'import base64; base64.decode(open("watch_as3-vfl128620_4c", "r"), open("4c.bin", "w"))' Above are really one liners for the UNIX shell. If you are using windows, you might be better off putting "a one-liner" in the file and running "python filename". The resulting 4c.bin is 1330 bytes long, the 52.bin has 185714 bytes. The following C program will decode "4c.bin" for us, according to the Alexis' SWF reference: #include <stdio.h> #include <sys/types.h> int main() { uint8_t buf[1000]; int f_symbol_count, f_symbol_id; int i; char x; if (read(0, &buf, 2) < 2) { perror("read: f_symbol_count"); return 1; } f_symbol_count = buf[0] | (buf[1] << 8); printf("f_symbol_count = %d\n", f_symbol_count); for (i = 0; i < f_symbol_count; i ++) { if (read(0, &buf, 2) == 2) { f_symbol_id = buf[0] | (buf[1] << 8); do { if (read(0, &x, 1) != 1) { perror("read: f_symbol_name"); return 1; } if (x != 0) printf("%c", x); } while (x != 0); printf("\t%d\n", f_symbol_id); } else { perror("read: f_symbol_id"); return 1; } } } The result is: f_symbol_count = 23 com.google.youtube.ui.QualityButton_HqOffIcon_dataClass 1 com.google.youtube.ui.WatchEndScreen_replayIcon_dataClass 2 com.google.youtube.ui.QualityButton_HqOffIcon 3 com.google.youtube.players.threed.Http3dVideoPlayer_RowInterleaveFilter 4 (... and so on...) The next file, 52.bin, contains the actual ActionScript code. Let's have a look (I am using hd(1) utility): 00000000 01 00 00 00 66 72 61 6d 65 31 00 10 00 2e 00 66 |....frame1.....f| 00000010 00 0a 01 ff ff ff ff 0f 64 05 65 90 03 03 80 80 |........d.e.....| 00000020 40 02 c0 02 f0 01 e8 02 e0 03 80 05 f0 2e a0 1f |@...............| According to the reference, 01 00 00 00 are f_action_flags, usually one, and "frame1" is the f_action_name. The actual bytecode starts with byte number 11 ("10 00 2e 00 .... "). This UNIX command: dd if=52.bin bs=1 skip=11 of=52code.bin creates "52code.bin" bytecode file that you can probably feed the disassembler with. You might want to try one from Tamarin VM: https://www.flashsec.org/wiki/Simple_AS3_Decompiler_Using_Tamarin Not easy to get it working, as the instructions are not perfect, but probably the most complete one. > I'm sure that all this info exists in somebody's head. If it's > written down anywhere, please just point me at that place. Hope the above helps a bit! -- << Marcin Cieslak // [email protected] >> _______________________________________________ Gnash-dev mailing list [email protected] http://lists.gnu.org/mailman/listinfo/gnash-dev
