Skip to content

Enhancement to unswf#98

Open
apolkosnik-old wants to merge 3 commits intocrits:masterfrom
apolkosnik-old:unswf
Open

Enhancement to unswf#98
apolkosnik-old wants to merge 3 commits intocrits:masterfrom
apolkosnik-old:unswf

Conversation

@apolkosnik-old
Copy link
Contributor

@apolkosnik-old apolkosnik-old commented Mar 24, 2015

This PR adds the output from Flare tool to Raw data.

The inheritance of sources into the RawData requires the fixed raw_data handler (crits/crits#432)

@apolkosnik-old
Copy link
Contributor Author

apolkosnik-old commented Mar 25, 2015

Just added the relationship forming between the sample and the RawData objects.

@wxsBSD
Copy link
Contributor

wxsBSD commented Mar 29, 2015

My gut says the action script should be a sample. This is similar to how resources work. What are your thoughts for making it raw data?

@apolkosnik
Copy link
Contributor

apolkosnik commented Mar 29, 2015

My reasons for making it raw data are:

  • It's an output from some tool
  • the resulting action script pseudo-code that Flare produces is similar to
    the disassembly from IDA piped through hexrays, so it's not really a sample.
  • I liked the readability provided by raw data form with the line numbers
    and comments
    On Mar 29, 2015 7:24 AM, "Wesley Shields" notifications@github.com wrote:

My gut says the action script should be a sample. This is similar to how
resources work. What are your thoughts for making it raw data?


Reply to this email directly or view it on GitHub
#98 (comment).

@wxsBSD
Copy link
Contributor

wxsBSD commented Apr 3, 2015

OK, you've convinced me. The fact that it is decompiled is the big seller for it being raw_data IMO. Going to test this out and provide feedback or merge in the next few days.

@wxsBSD
Copy link
Contributor

wxsBSD commented Apr 3, 2015

I just went to test this and I'm afraid it is likely a non-starter for me. Flare only comes in binary and the binary for OS X is PPC only, which hasn't run on OS X for a number of years now. I'm completely unable to test this and given that many of us run CRITs on OS X even if we accept it, it will just become bitrot.

@pinowudi
Copy link

pinowudi commented Apr 3, 2015

We have CRITs on Ubuntu and also use Flare and Flasm on Ubuntu-based forensics builds. Having it would be a nice feature. The code has been stable since - geez, it looks like 2005. Can you reference the download page as a dependency and let folks implement the binary piece themselves?

Regards,

Drew

On Apr 3, 2015, at 11:57 AM, Wesley Shields notifications@github.com wrote:

I just went to test this and I'm afraid it is likely a non-starter for me. Flare only comes in binary and the binary for OS X is PPC only, which hasn't run on OS X for a number of years now. I'm completely unable to test this and given that many of us run CRITs on OS X even if we accept it, it will just become bitrot.


Reply to this email directly or view it on GitHub #98 (comment).

@pinowudi
Copy link

pinowudi commented Apr 3, 2015

Alternatively, the following toolsets have available code and may suffice as replacements:

https://github.com/sporst/SWFREtools https://github.com/sporst/SWFREtools

http://www.swftools.org/download.html http://www.swftools.org/download.html

Regards,

Drew

On Apr 3, 2015, at 11:57 AM, Wesley Shields notifications@github.com wrote:

I just went to test this and I'm afraid it is likely a non-starter for me. Flare only comes in binary and the binary for OS X is PPC only, which hasn't run on OS X for a number of years now. I'm completely unable to test this and given that many of us run CRITs on OS X even if we accept it, it will just become bitrot.


Reply to this email directly or view it on GitHub #98 (comment).

@wxsBSD
Copy link
Contributor

wxsBSD commented Apr 3, 2015

The dependency listing does that. I will review the code in a bit and merge. Maintenance of it will have to be done by those that run it,

@pinowudi
Copy link

pinowudi commented Apr 3, 2015

I found the flare source

http://flasm.cvs.sourceforge.net/viewvc/flasm/flasm/ http://flasm.cvs.sourceforge.net/viewvc/flasm/flasm/

Regards,

Drew

On Apr 3, 2015, at 12:54 PM, Wesley Shields notifications@github.com wrote:

The dependency listing does that. I will review the code in a bit and merge. Maintenance of it will have to be done by those that run it,


Reply to this email directly or view it on GitHub #98 (comment).

@apolkosnik-old
Copy link
Contributor Author

apolkosnik-old commented Apr 11, 2015

I guess that swftools could be pretty easy to add and useful: swfdump/swfextract for listing and extraction of swf elements.

@apolkosnik-old
Copy link
Contributor Author

apolkosnik-old commented Aug 6, 2015

I've started tinkering with pyswf, results look promising.

@ckane
Copy link
Member

ckane commented Jun 25, 2016

Have you looked into this one?
https://www.free-decompiler.com/flash/download/

I've used the predecessor "asdec" in the past with great success. It is open-source and published on github.

@apolkosnik
Copy link
Contributor

apolkosnik commented Jun 27, 2016

I am sorry, but I 'm allergic to J*va ;-).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@apolkosnik-old @wxsBSD @apolkosnik @pinowudi @ckane