Simple AS3 Decompiler Using Tamarin

From FlashSec

Note: With Flex 4 there is a more convenient possibility to decompile Flash 9 files, called swfdump (see Disassembling a SWF with swfdump for more information and get the Open Source Flex SDK from the repository to build it from source).

---

[edit] How to build Tamarin

• Obtain Mercurial, the SCM used by Mozilla Foundation
• Getting the Tamarin source (hg clone http://hg.mozilla.org/tamarin-central tamarin-central)
• If you are running an OS != Win32: change shell/DataIO.h (line 124 - 131) according to the endianess of your system if necessary.
• Build Tamarin (http://developer.mozilla.org/en/docs/Tamarin_Build_Documentation#Building_Tamarin)

MacOS X:

cd tamarin-central/core
xcodebuild -project platform/mac/shell/shell.xcodeproj

• Download and install the Adobe Flex 2 SDK (http://www.adobe.com/products/flex/downloads/)
• The ActionScript compiler is found in lib/asc.jar. Copy lib/asc.jar from the Flex SDK installation directory to tamarin-central/utils/
• Use asc.jar to compile the Tamarin intrinsics into builtin.abc:

cd tamarin-central/core
java -ea -DAS3 -Xmx200m -DAVMPLUS \
    -classpath ../utils/asc.jar macromedia.asc.embedding.ScriptCompiler \
    -d -builtin -out builtin builtin.as Math.as Error.as RegExp.as Date.as XML.as

Note: Under MacOS X avmplus is under platform/mac/shell/build/Release/shell. For convenience reasons you can copy shell to utils/avmplus. You can now use asc.jar and builtin.abc to compile applications. Use the -help options of asc.jar and avmplus for more details.

Here's an example for testing your installation. Take a simple AS3 file "hello.as":

package
{
  print ( "Hello World!" );
}

Now compile this as file using java -jar asc.jar hello.as

java -jar asc.jar hello.as

hello.abc, 85 bytes written

Now run avmplus with hello.abc:

avmplus hello.abc
Hello World!

Et voilà! Now it's possible to build a AS3 Bytecode Decompiler.

[edit] How to build an AS3 decompiler

java -jar utils/asc.jar core/builtin.as
java -jar utils/asc.jar shell/ByteArray.as
java -jar utils/asc.jar -exe avmplus -import core/builtin.abc -import shell/ByteArray.abc utils/abcdump.as

Note: If there is trouble compiling ByteArray.as with an error such as "Error #1017: The definition of base class Object was not found." add the following line to core/builtin.as: include "../shell/ByteArray.as". The import option for shell/ByteArray is not necessary after adding this line.

Now the simple decompiler is ready to use:

utils/abcdump.exe path/to/as3.swf

[edit] References

• Tamarin Docs: http://developer.mozilla.org/en/docs/Tamarin
• TamarinBuild Documentation: http://developer.mozilla.org/en/docs/Tamarin_Build_Documentation
• AS3 Decompiler: http://www.5etdemi.com/blog/archives/2007/01/as3-decompiler/
• avmplus 101: http://ecmascript.zwetan.com/2007/04/avmplus-101.html
• Tamarin Gotchas: http://ecmascript.zwetan.com/2007/05/tamarin-gotchas.html
• Precompiled Windows binary: http://nsdevaraj.wordpress.com/2008/01/30/flash-9-decompiler-with-source/ (download via registration only)