AS3 decompiler

Posted on Sunday 7 January 2007

These two blog posts in French passed under the radar, so I am translating and posting them here. Basically, the Tamarin tools include an ActionScript Byte Code (abc) decompiler, which can generate readable pseudocode from swf or abc files. This pseudocode could then be processed to generate actual AS3 code. Awesome, indeed.

Here is what follows. The first part explains how to build the decompiler yourself. The second part lets you download the built decompiler directly. The last part is my personal comments.

Creating executables with the Tamarin projects

Tamarin can be downloaded from CVS, as outlined by Zwetan. The cvs info is:

cvs -d :pserver:anonymous:anonymous@cvs-mirror.mozilla.org:/cvsroot co mozilla/js/tamarin

Follow the instructions in readme.txt. The project can be compiled under the Microsoft C compiler; you can download VC.NET express 2005 for free if you don't already have it.

The Tamarin project includes quite a few interesting things, including a utils folder containing an abc, swf and swc decompiler. You obtain pseudocode instead of AS3, but it's a start.

To compile abcdump.as, you need to compile the core builtins available in Tamarin to abc. You can do this using the Flex 2 SDK, like so:


java -jar asc.jar builtin.as
 

You get a builtin.abc file as the output. You also need the ByteArray class which is found in the shell folder:


java -jar asc.jar ByteArray.as
 

Now we're ready to compile abcdump:


java -jar asc.jar -import builtin.abc -import ByteArray.abc abcdump.as
 

Now that we have the abcdump.abc file, we can run it using avmplus and decompile any .abc file we stumble upon, for example playerglobal.abc:


avmplus abcdump.abc playerglobal.abc
 

It's also possible to create an exe file using the asc compiler with the -exe flag. Thus:


java -jar asc.jar -exe avmplus.exe -import builtin.abc -import ByteArray.abc abcdump.as
 

And thus we get a reusable, command line decompiler by the name of abcdump.exe. How cool is that? Tamarin also includes several interesting files for File IO and other magical stuff.

A first ActionScript decompiler

It's possible to use the Tamarin File IO to write the decompiler's output to a file. This is the seed for the abcDump decompiler. To use:


D:\ASC>abcdump
AbcDump
usage:
abcdump <filename>
 

You can download it here (click the AbcDump.zip link appearing at the end of the post).

My comments

I tried it with the amfphp service browser, and I get a 7 MB servicebrowser.il file which is a bit cryptic but fairly readable nonetheless. For example the original RawAmfService class looks like this:


public class RawAmfService extends EventDispatcher
{
        public var gatewayUrl:String = "";
        var loader:URLLoader;
       
        public function RawAmfService()
        {
                loader = new URLLoader();
                loader.addEventListener('complete', readData);
        }
        ...
}
 

And the decompiled class looks like:


class RawAmfService extends flash.events::EventDispatcher
{
        var gatewayUrl:String = ""        /* slot_id 0 */
        var loader:flash.net::URLLoader        /* slot_id 0 */

        function RawAmfService():*        /* disp_id -1*/
        {
                // local_count=1 max_scope=1 max_stack=3 code_len=40
                0     getlocal0            
                1     pushscope            
                2     findproperty          gatewayUrl
                5     pushstring            ""
                7     initproperty          gatewayUrl
                10    getlocal0            
                11    constructsuper        (0)
                13    findproperty          loader
                16    findpropstrict        flash.net::URLLoader
                19    constructprop         flash.net::URLLoader (0)
                23    initproperty          loader
                26    getlex                loader
                29    pushstring            "complete"
                32    getlex                readData
                35    callpropvoid          addEventListener (2)
                39    returnvoid           
        }
        ...
}
 

I find it interesting that gatewayUrl seems to be set to its default value in the constructor. The next step would be to translate the .il file into something more readable. The fellow at iteratif mentioned that he was working on that, although I am not sure of the current status. You can contact him at contact AT iteratif DOT net if you're interested in working something out with him.
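The "next step" mentioned above can be illustrated by symbolically running the operand stack of the listing to recover statements. This is an added example, not code from the original post, from iteratif or from Tamarin; it handles only the opcodes that appear in the constructor listing above, and the names lift, LINE and PUSH are this example's own.

```python
import re
# Sample input: the constructor body from the abcdump listing above.
LISTING = '''
0     getlocal0
1     pushscope
2     findproperty          gatewayUrl
5     pushstring            ""
7     initproperty          gatewayUrl
10    getlocal0
11    constructsuper        (0)
13    findproperty          loader
16    findpropstrict        flash.net::URLLoader
19    constructprop         flash.net::URLLoader (0)
23    initproperty          loader
26    getlex                loader
29    pushstring            "complete"
32    getlex                readData
35    callpropvoid          addEventListener (2)
39    returnvoid
'''
LINE = re.compile(r'^\s*(\d+)\s+(\w+)\s*(.*?)\s*(?:\((\d+)\))?\s*$')
# find* push whatever object the scope-chain lookup returned
PUSH = {'getlocal0': 'this', 'findproperty': '<scope>', 'findpropstrict': '<scope>'}

def lift(listing):
    """Symbolically run the operand stack and return AS3-like statements."""
    stack, out = [], []
    for m in filter(None, map(LINE.match, listing.splitlines())):
        off, op, arg, argc = m.groups()
        name = arg if arg.startswith('"') else arg.split('::')[-1]  # drop package
        if op in ('constructsuper', 'constructprop', 'callpropvoid'):
            args = ', '.join([stack.pop() for _ in range(int(argc or 0))][::-1])
            obj = stack.pop()                       # receiver sits under the args
            head = {'constructsuper': 'super', 'constructprop': 'new ' + name}
            expr = '%s(%s)' % (head.get(op, obj + '.' + name), args)
            (stack if op == 'constructprop' else out).append(expr)  # value vs statement
        elif op == 'initproperty':
            value, _target = stack.pop(), stack.pop()
            out.append('%s = %s' % (name, value))
        elif op in PUSH or op in ('getlex', 'pushstring'):
            stack.append(PUSH.get(op, name))
        elif op == 'pushscope':
            stack.pop()
        elif op == 'returnvoid':
            out.append('return')
        else:  # unknown stack effect: refuse to guess
            raise ValueError('unhandled opcode %s at offset %s' % (op, off))
    return out
if __name__ == '__main__':
    print('\n'.join(lift(LISTING)))
```

The recovered statements put the gatewayUrl initializer before the super() call, which matches the observation that the field default is set inside the constructor.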

