Slides from my Flash on the Beach session on decompiling SWFs

Here are the slides from my presentation that I gave today at Flash on the Beach. The presentation covers decompiling Flash and Flex SWFs and includes an overview of the tools available, a few examples of the kind of code you might see, and some security suggestions. I will not be posting any of the code that I showed during the session (apart from the very tiny snippets in the slides). I think it’s pretty obvious why I’m not going to post the decompiled Photoshop Express code 🙂

I don’t think there’s any formal feedback survey or anything at FOTB, so if you were at my session I’d love to hear what you thought about it. You can email me at doug@dougmccune.com or leave some comments here. Let me know what you liked and what you didn’t.


I just decompiled a decompiler so I could use it to decompile itself

Update: Turns out that the code in Nemo 440 is actually just the code from the abcdump.as file in the Tamarin project. It looks like the abcdump.as file was written by Dan Schaffer from Adobe. So it turns out I could have just grabbed that file and not decompiled Nemo 440 at all, oh well 🙂 Shigeru Nakagakai has also used that same abcdump.as file to create his own AIR app that lets you compare SWFs and inspect classes and packages.

My brain almost exploded with meta-geekiness. If you haven’t seen the Nemo 440 AIR app, it’s a SWF decompiler written in AS3 as an AIR application, written by Vadim Melnik. It lets you load SWF files (or SWCs) and it will show you a list of all classes in the SWF, as well as the detailed ABC bytecode for each class. Technically I guess using the word “decompiler” isn’t correct, Nemo 440 is a SWF disassembler that produces ActionScript Byte Code (ABC). This isn’t the same as a true decompiler that produces real ActionScript code (like the Sothink Decompiler).

So if you download and play with Nemo 440 you’ll see what it can do. Basically you can see all the classes in any SWF, and all the methods within those classes. You also get to see some stuff like class-level and static variables. Then if you want to uber geek out you can see the ActionScript Byte Code of the SWF. That means you get shit that looks like this:

    0       getlocal0     	
    1       pushscope     	
    2       getlex        	http://www.adobe.com/2006/flex/mx/internal::layoutObject
    5       getlocal1     	
    6       setproperty   	direction
    9       findpropstrict	invalidateSize

That’s far from being nice beautiful AS3 code that you can actually use, but if you spend enough time understanding ABC code you can start to make some sense of it. But even just seeing the packages, classes used, and the methods of all the classes is pretty awesome.

So after playing with Nemo 440 a bit I encountered the glaringly obvious question. What happens if I use Nemo 440 to decompile the Nemo 440 application itself? Excited in my geekery, I quickly extracted the SWF file from the AIR app and loaded it in, only to be sorely disappointed. When I decompiled the app I could see all the Flex classes and other libraries that were used (even some components from Flexlib!), but I couldn’t see any classes that were used to do the decompiling. Hmm, I thought, how odd.

I figured that it wasn’t technically possible that the dissassembler would work so well on all SWFs except itself, something was fishy. I mean, that just doesn’t make sense. So I decided to load the SWF into the Sothink Decompiler to have a look. Then I came across this little gem within the Nemo 440 source code:

private function _checkName(param1:String) : Boolean
   if (param1 != null)
      if (param1.indexOf("docsultant") >= 0)
         return false;
      if (param1.indexOf("nemo440") >= 0)
         return false;
   return true;

That code specifically checks if the package name matches one of the packages used in the Nemo 440 source code and excludes it from being processed! Mother fucker!

So I decompiled the code using the Sothink Decompiler, and then decided I wanted to put it back together into a running app. It took me about 6 hours or so of work, and I had to consult the SWF specification document and the AVM 2 spec document a lot during the process, but I got it working.

So then I had my own AIR app that used the code from the Nemo 440 app to load SWFs and disassemble them. The first thing I did, obviously, was load up the Nemo 440 SWF file and give it a whirl, and I was instantly looking at the full class/package structure and the disassembled ABC bytecode of all the classes.

Ahh, sometimes it feels so good to geek out so much.

For those interested in learning more about decompiling, disassembling, ABC bytecode, and all that good stuff, I’ll be talking about this whole thing and a bunch more stuff in my presentation at Flash on the Beach in Brighton, England on October 1st. I won’t be posting the code that I decompiled and put back together, unless I get the original author’s permission (which I’ll be asking for, but haven’t yet done). Who knows, maybe the guy will be cool with open sourcing it 🙂 but maybe not. And if not, that’s cool too, he put a lot of work into it (I have a great appreciation for the amount of work after reading through much of the SWF spec and seeing the kind of code he had to write).

I just thought the concept of decompiling the decompiler to decompile the decompiler was too cool. God, I’m such a geek.


Description of my Flash on the Beach session: Decompiling Flex and Flash

speakerbadge_200_120_e.gifI’ve just posted the title and description of the session I’ll be giving at Flash on the Beach, which is happening September 28-Oct 1 in Brighton, England. My session is titled: Decompiling Flex and Flash. Here’s the full description (which you can also find on the FOTB site):

In this session we’ll learn how to decompile ActionScript 3 SWF files and peek inside other people’s code. Decompiling a SWF is often seen as an evil tactic that should be punishable by death, but regardless of your moral opinion, every SWF you create can be decompiled into often beautifully readable source code. If you’ve produced something cool, chances are someone has decompiled it (hell, chances are I’ve decompiled it myself).

In this session you’ll learn what you get when you decompile a SWF and what you don’t. We’ll cover how far you can get piecing a decompiled application back together and I’ll share a few real-world stories of how decompiling has proven invaluable in my development career.

This session will focus on ripping apart some large-scale Flex applications and diving into the source (we’ll see if I can get sued by the end of the session). I’ll cover some Flex-specifics that are important when you decompile a Flex app (Flex framework classes, generated MXML code, data binding code, etc). But decompiling AS3 SWFs is just as applicable for SWFs produced in Flash Authoring as well, so there should be plenty of information for everyone.

And for all the paranoid folks out there, in addition to decompiling code, I’ll also cover a few techniques to protect your source code to make it harder for people to steal.

I hope to see some of you in England!


I’m Speaking at Flash on the Beach! (what should I present?)

FOTBI’m speaking at the Flash on the Beach conference in Brighton, England in September! I’m really excited about this conference because it’s not a Flex conference, it’s a Flash conference (but of course there will be plenty of Flex represented). I’ve got a little notoriety among you Flex developers, but Flash guys are like, “Doug McWho?”, so that’ll be pretty dope to get out in front of a different audience.

I’m going to be presenting on a yet-to-be-determined Flex topic, and I’ll likely ask for some suggestions as I’m refining my presentation ideas. Here are my current potential topics:

  • super-sweet data visualization in Flex
    I’ve been reading lots of Edward Tufte books and other information visualization books. These are fantastic resources to help you think about effective ways of visualizing information, and I’m thinking about taking many of the principles and applying them to the Flex framework. This would involve the creation of a bunch of altered charting controls (new axis renderers, different chart types, etc). And I’d analyze what’s good and bad about the current set of data visualization components available (in the Flex SDK, the iLog component set, and the open source community). I’d probably throw in some brief mapping examples too.
  • Maps, maps, maps
    I’ve been doing a ton of Flex mapping applications for work. Unfortunately a lot of that stuff can’t be shared (I certainly can’t show much of the code, and I can’t even show demos of some of it). But I’m thinking about doing a session that goes over all the different options for AS3 map components (we now have ESRI, MapQuest, Google, Yahoo, UMap, Poly9). A year ago or so ESRI was pretty much the only game in town, now there are a bunch. So I’m thinking about showing some demos of how to use the different map components, and some data visualization techniques for working with geospatial data.
  • advanced open source Flex projects
    My presentation at the last 360|Flex conference in Atlanta was on using open source projects in your Flex apps. I’m thinking about doing a part 2 of that topic anhd going into more depth with a smaller number of projects. My last preso was sort of the shotgun approach (ie show many projects with only cursory information). This preso would be focusing on creating two or three demos that combine a handful of projects and dive deeper into the code and how I went about creating the demos.
  • Decompiling Flex applications for fun and profit
    I’ve been playing a lot with SWF decompiling tools and ripping apart lots of Flex applications. There’s a lot you can learn from this (it’s not an inherently bad thing to decompile someone’s code). I’m thinking about stepping through the process of decompiling an app and talk about what you can learn, what decompiling actually gets you, how you can piece things back together, etc. I figured I could rip apart one or two main example apps (like Photoshop Express or Buzzword). I toyed with the idea of submitting this as a topic for MAX, just to see if Adobe would let me rip apart the Buzzword code base and show it off to everyone. But I figure at FOTB it’s all fair game.
  • Using Flash 10 features in your Flex apps
    I’m considering a presentation that focuses on taking advantage of all the new features of Flash Player 10 (specifically in relation to the Flex SDK). I’m considering this topic because it would force me to stay on top of the new technology and know my shit. I haven’t yet played with FP10, so this would force me to do some cool stuff.

I’ll be holding down the Flex front with a few other guys, I know that Ben Stucki and Tink are both going to present on Flex topics. I’m also excited to meet some Flash peeps I’ve admired for a long time.

So if you’re looking for a European vacation near the end of September, then come to FOTB and hang out in Brighton! It’s gonna be sweet.


Upcoming conferences (where I’ll be, where I won’t)

This is a quick post to about a few of the conferences I’m either speaking at, going to, or regretting not being able to attend.

When: August 18-20, 2008
Where: San Jose, CA

I can’t go! Nooo! I’ll be in Sweden. I might make it back in time to come and hang out with people at one of the last parties, we’ll see. Tom tried to convince me to fly from Sweden to Cali and give a presentation the next day and that just sounded like a horrible idea, so sadly I won’t be presenting at this 360|Flex. I really wanted to, I think 360|Flex is one of the best conferences, and it’s certainly where I’ve had the most fun. I’ve attended the first three 360|Flex conferences (all the ones in North America) and I spoke at the last two. And since I love the conference so much (but can’t present a session this time), I’ve made sure I’ll still make my mark on all attendees (more on that in a post tomorrow).

speakerbadge_200_120_e.gifFlash on the Beach
When: September 28-October 1, 2008
Where: Brighton, UK

I’m presenting! w00t! I’m looking forward to this one, I get to fly over and kick it in England and present cool Flex shit to a bunch of Flashers. I’ll write a full post about FOTB shortly…

screenshot001.jpgAdobe MAX
When: November 16-19, 2008
Where: San Francisco, CA

I’ll be attending MAX, but not presenting. I thought about submitting a session topic, seeing as MAX is literally in my backyard this year. But I’ve heard some horror stories about multiple required submissions months and months ahead of time, and that’s not really how I roll. I’ve been pretty overwhelmed with writing Flex for Dummies, so the MAX session topic submission just sort of felt like an additional ordeal I didn’t want to deal with. That said, I’ll definitely be there and we’re going to rock the shit out of San Francisco, so come and play.