GUEST BLOG ENTRY BY HARDIK SURI - A CLOSER LOOK AT NEUTRINO EK

Information for this blog post was submitted by Hardik Suri. He is a musician and security analyst based in Bangalore, India. Hardik previously dissected CVE-2014-0502 (link).

This blog entry documents some of the techniques I use when digging into artifacts from exploit kit (EK) traffic. Today, we'll look at the landing page, Flash exploit, ROP chain, shellcode, and JavaScript used by Neutrino EK. Neutrino EK has an interesting infrastructure in place to add or modify exploits in its arsenal. Let's look at an example from Monday posted by Brad (link).

The landing page isn't complicated: there is no obfuscated script, just a link to one Flash file.

Shown above: Neutrino EK traffic from the pcap filtered in Wireshark.

Shown above: TCP stream showing the EK landing page and the Flash exploit.

Shown above: Exporting the objects from the pcap in Wireshark.

Shown above: The EK landing page and Flash exploit from Wireshark's HTTP object list for the pcap.

Shown above: The EK landing page, highlighting the URL for the Flash exploit.

You can extract the Flash exploit from the pcap using Wireshark (in this case saved as: flash.swf). Opening the Flash file in the JPEXS Free Flash Decompiler (FFDec) gave me some info about its nature. Using FFDec, you'll find another Flash file embedded inside in the form of BinaryData. The four BinaryData streams can be used to construct a new Flash file.

Shown above: The Flash exploit opened in FFDec.

To manually extract the second-stage file, I dumped all the important files (scripts and BinaryData) using FFDec. Next, I added an [Embed] statement, pointing at the corresponding exported BinaryData file, to every class that extends ByteArrayAsset, so that the recompiled classes return the same bytes the original exploit carried.

Shown above: Text added to one of the class files (c.as) extracted from the Flash exploit with FFDec.

Loading another Flash file in memory involves creating a Loader object, then passing the Flash bytes to it using a method called loadBytes(). The trick is to write those bytes to a file before loading them, which captures the second stage exactly as the exploit assembles it at runtime. This can be achieved by adding the following lines:

Shown above: Text added to hvbfzupxggwpg.as, one of the files extracted from the Flash exploit with FFDec.

Compile the modified Flash code with MXMLC (Adobe AIR SDK 13). Because the rebuilt SWF still runs the exploit's own loader logic, run it only inside an isolated analysis VM.
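The BinaryData dump above was done by hand in FFDec. As an added example (my own code, not the author's and not part of FFDec), the script below does the same extraction outside the Flash runtime: it inflates a CWS-compressed SWF, walks the tag stream, pulls every DefineBinaryData tag (tag code 87: a UI16 character ID, a UI32 reserved field, then the raw data) and reports whether each blob already carries an FWS/CWS/ZWS signature. The sample SWF it parses is constructed inline; the character IDs and payloads in it are invented for the demonstration. LZMA (ZWS) containers are deliberately rejected rather than guessed at.

```python
import struct
import zlib

SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
TAG_END = 0
TAG_DEFINE_BINARY_DATA = 87


def decompress_swf(blob: bytes) -> bytes:
    """Return the SWF with an uncompressed (FWS) body; CWS is zlib after the 8-byte header."""
    sig = blob[:3]
    if sig == b"FWS":
        return blob
    if sig == b"CWS":
        return b"FWS" + blob[3:8] + zlib.decompress(blob[8:])
    if sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF (ZWS) is not handled here")
    raise ValueError("not a SWF: bad signature %r" % sig)


def _rect_size(buf: bytes, off: int) -> int:
    """Byte length of the bit-packed RECT at off: 5-bit Nbits, then four Nbits-wide fields."""
    nbits = buf[off] >> 3
    return (5 + 4 * nbits + 7) // 8


def iter_tags(swf: bytes):
    """Yield (tag_code, payload) for each tag; RECORDHEADER is UI16 (code<<6 | len), long len is UI32."""
    body = decompress_swf(swf)
    off = 8 + _rect_size(body, 8) + 2 + 2  # header, frame RECT, frame rate, frame count
    while off + 2 <= len(body):
        (code_and_len,) = struct.unpack_from("<H", body, off)
        off += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:
            (length,) = struct.unpack_from("<I", body, off)
            off += 4
        payload = body[off:off + length]
        off += length
        yield code, payload
        if code == TAG_END:
            break


def extract_binary_data(swf: bytes) -> dict:
    """Map each DefineBinaryData character ID to its raw bytes."""
    found = {}
    for code, payload in iter_tags(swf):
        if code == TAG_DEFINE_BINARY_DATA:
            (char_id,) = struct.unpack_from("<H", payload, 0)
            found[char_id] = payload[6:]  # skip UI16 id + UI32 reserved
    return found


def looks_like_swf(blob: bytes) -> bool:
    """True when the blob starts with a SWF signature, i.e. it can go straight into FFDec."""
    return blob[:3] in SWF_MAGIC


def build_sample_swf(payloads: dict, compress: bool = False) -> bytes:
    """Constructed test input: a minimal SWF carrying one DefineBinaryData tag per entry."""
    rect = b"\x00"  # Nbits = 0 -> 5 bits, padded to one byte
    body = rect + struct.pack("<HH", 0x0C00, 1)  # 12 fps (8.8 fixed), 1 frame
    for char_id, data in payloads.items():
        tag_body = struct.pack("<HI", char_id, 0) + data
        body += struct.pack("<HI", (TAG_DEFINE_BINARY_DATA << 6) | 0x3F, len(tag_body)) + tag_body
    body += struct.pack("<H", 0)  # End tag
    header = struct.pack("<BI", 10, 8 + len(body))  # version 10, uncompressed length
    if compress:
        return b"CWS" + header + zlib.compress(body)
    return b"FWS" + header + body


if __name__ == "__main__":
    # Invented payloads: ID 1 is itself a (truncated) SWF, ID 2 is opaque data.
    sample = build_sample_swf({1: b"FWS\x0a" + b"\x00" * 20, 2: b"\x13\x37opaque"}, compress=True)
    for char_id, data in extract_binary_data(sample).items():
        kind = "embedded SWF" if looks_like_swf(data) else "opaque blob"
        print("BinaryData id=%d size=%d: %s" % (char_id, len(data), kind))
```

Run against a real sample with `extract_binary_data(open("flash.swf", "rb").read())`. When a blob is not itself a SWF, the exploit's own ActionScript is what turns the streams into the loadable file, which is exactly why the post recompiles the sample with a write-to-file hook ahead of loadBytes() instead of relying on the static dump alone.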