Enhancement to unswf #98

Open: wants to merge 3 commits into master

Conversation

@apolkosnik-old (Contributor)

This PR adds the output from Flare tool to Raw data.

The inheritance of sources into the RawData requires the fixed raw_data handler (crits/crits#432)

@apolkosnik-old (Contributor, Author)

Just added the relationship forming between the sample and the RawData objects.

@wxsBSD (Contributor)

wxsBSD commented Mar 29, 2015

My gut says the action script should be a sample. This is similar to how resources work. What are your thoughts for making it raw data?

@apolkosnik (Contributor)

My reasons for making it raw data are:

  • It's an output from some tool
  • the resulting action script pseudo-code that Flare produces is similar to the disassembly from IDA piped through hexrays, so it's not really a sample.
  • I liked the readability provided by raw data form with the line numbers and comments

@wxsBSD (Contributor)

wxsBSD commented Apr 3, 2015

OK, you've convinced me. The fact that it is decompiled is the big seller for it being raw_data IMO. Going to test this out and provide feedback or merge in the next few days.

@wxsBSD (Contributor)

wxsBSD commented Apr 3, 2015

I just went to test this and I'm afraid it is likely a non-starter for me. Flare only comes in binary and the binary for OS X is PPC only, which hasn't run on OS X for a number of years now. I'm completely unable to test this and given that many of us run CRITs on OS X even if we accept it, it will just become bitrot.

@pinowudi

pinowudi commented Apr 3, 2015

We have CRITs on Ubuntu and also use Flare and Flasm on Ubuntu-based forensics builds. Having it would be a nice feature. The code has been stable since - geez, it looks like 2005. Can you reference the download page as a dependency and let folks implement the binary piece themselves?

Regards,

Drew


@pinowudi

pinowudi commented Apr 3, 2015

Alternatively, the following toolsets have available code and may suffice as replacements:

https://github.com/sporst/SWFREtools

http://www.swftools.org/download.html

Regards,

Drew


@wxsBSD (Contributor)

wxsBSD commented Apr 3, 2015

The dependency listing does that. I will review the code in a bit and merge. Maintenance of it will have to be done by those that run it.

@pinowudi

pinowudi commented Apr 3, 2015

I found the flare source

http://flasm.cvs.sourceforge.net/viewvc/flasm/flasm/

Regards,

Drew


@apolkosnik-old (Contributor, Author)

I guess that swftools could be pretty easy to add and useful: swfdump/swfextract for listing and extraction of swf elements.
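
The "listing and extraction of swf elements" that swfdump and swfextract provide is a small amount of format parsing. The following is an added example for this thread, not code from the CRITs unswf service, from Flare, from swftools or from pyswf: it walks the SWF tag list of an uncompressed (FWS) or zlib-compressed (CWS) file, rejects LZMA (ZWS) rather than guessing, checks the header FileLength against the actual size, and pulls out the script-bearing tags (DoAction, DoInitAction, DoABC) that a decompiler would turn into the ActionScript text this PR stores as RawData. The tag and action codes are the ones from the SWF specification; the sample movie it parses is constructed inline by `build_sample_swf`, and the function names are this example's own.

```python
import struct
import zlib

# Tag codes from the SWF specification; the script-bearing ones are what a
# decompiler such as Flare turns into the ActionScript text stored as RawData.
TAG_NAMES = {0: "End", 1: "ShowFrame", 9: "SetBackgroundColor", 12: "DoAction",
             39: "DefineSprite", 59: "DoInitAction", 69: "FileAttributes",
             82: "DoABC", 87: "DefineBinaryData"}
SCRIPT_TAGS = {12, 59, 82}

def swf_body(data):
    """Validate the 8-byte header and return (version, uncompressed body)."""
    if len(data) < 8:
        raise ValueError("truncated SWF header")
    sig, version, file_length = data[:3], data[3], struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":
        raise ValueError("LZMA-compressed (ZWS) SWF not handled by this example")
    else:
        raise ValueError("not a SWF: bad signature %r" % sig)
    # FileLength is the uncompressed size including the header; a mismatch
    # usually means a truncated or deliberately malformed file.
    if len(body) + 8 != file_length:
        raise ValueError("FileLength says %d, got %d" % (file_length, len(body) + 8))
    return version, body

def iter_tags(body):
    """Yield (code, name, payload) for each tag record, stopping at End."""
    # FrameSize RECT: 5 bits of Nbits, then four Nbits-wide fields, byte-padded;
    # after it come FrameRate (UI16) and FrameCount (UI16).
    pos = (5 + 4 * (body[0] >> 3) + 7) // 8 + 4
    while pos + 2 <= len(body):
        header = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = header >> 6, header & 0x3F
        if length == 0x3F:  # long form: a UI32 length follows
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        if pos + length > len(body):
            raise ValueError("tag %d claims %d bytes past end of file" % (code, length))
        yield code, TAG_NAMES.get(code, "Unknown%d" % code), body[pos:pos + length]
        pos += length
        if code == 0:
            break

def iter_actions(payload):
    """Split an AVM1 DoAction payload into (action_code, data) records."""
    pos = 0
    while pos < len(payload):
        code, data = payload[pos], b""
        pos += 1
        if code >= 0x80:  # only codes >= 0x80 carry a UI16 length plus data
            length = struct.unpack_from("<H", payload, pos)[0]
            data = payload[pos + 2:pos + 2 + length]
            pos += 2 + length
        yield code, data
        if code == 0:  # ActionEnd
            break

def list_tags(data):
    """Tag listing in the spirit of swfdump: [(code, name, payload_len), ...]."""
    _, body = swf_body(data)
    return [(c, n, len(p)) for c, n, p in iter_tags(body)]

def extract_scripts(data):
    """Script payloads in the spirit of swfextract: [(tag_name, payload), ...]."""
    _, body = swf_body(data)
    return [(n, p) for c, n, p in iter_tags(body) if c in SCRIPT_TAGS]

def make_rect(xmin, xmax, ymin, ymax, nbits=15):
    bits = format(nbits, "05b") + "".join(format(v, "0%db" % nbits) for v in (xmin, xmax, ymin, ymax))
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")

def tag(code, payload):
    if len(payload) < 0x3F:
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload

# Constructed sample: a 550x400 movie, 24 fps, one frame, that runs trace("hi").
# ActionPush (0x96) of a null-terminated string, ActionTrace (0x26), ActionEnd (0x00).
SAMPLE_ACTIONS = b"\x96" + struct.pack("<H", 4) + b"\x00hi\x00" + b"\x26" + b"\x00"

def build_sample_swf(compress=False, version=8):
    body = make_rect(0, 11000, 0, 8000) + struct.pack("<HH", 24 << 8, 1)
    body += tag(9, b"\xff\x00\x00") + tag(12, SAMPLE_ACTIONS) + tag(1, b"") + tag(0, b"")
    head = bytes([version]) + struct.pack("<I", len(body) + 8)
    return b"CWS" + head + zlib.compress(body) if compress else b"FWS" + head + body

if __name__ == "__main__":
    for code, name, size in list_tags(build_sample_swf(compress=True)):
        print("%3d %-18s %d bytes" % (code, name, size))
    for name, payload in extract_scripts(build_sample_swf()):
        print(name, [hex(c) for c, _ in iter_actions(payload)])
```

The FileLength check and the per-tag bounds check are the parts worth keeping in mind when feeding untrusted samples to any of the tools discussed here: a SWF that lies about its size or declares a tag longer than the file is exactly the kind of input that makes an unmaintained binary decompiler misbehave, and it is cheap to reject it before the external tool runs. The real swfdump and swfextract understand far more tags than this; the example only shows the framing they work from.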

@apolkosnik-old (Contributor, Author)

I've started tinkering with pyswf, results look promising.

@ckane (Member)

ckane commented Jun 25, 2016

Have you looked into this one?
https://www.free-decompiler.com/flash/download/

I've used the predecessor "asdec" in the past with great success. It is open-source and published on github.

@apolkosnik (Contributor)

I am sorry, but I'm allergic to J*va ;-).
