Remove the encrypted shell of Flash games MochiCrypt


Many small games display a small lock icon next to the progress bar while loading, and show advertisements there when connected to the Internet.

When you open this kind of Flash with a decompiler, the resources and program logic inside the game cannot be obtained.

This is because the Flash uses the MochiCrypt packer. After a quick search on the Internet, I found that a long time ago a person named Cordy released an unpacking tool, but presumably because MochiCrypt was updated since then, it could not decrypt the file. (The reason for running it in a virtual machine is that it does not work properly when opened under Win10, where only a blank form is displayed; it is clearly very old.)


There was no way around it but to study it myself. I opened the file with the free and open-source JPEXS Free Flash Decompiler and found that there is a lot of code in a class called Preloader. Starting from the constructor, I found that it creates a new Loader and registers a loading event:

In this loading event it appears to perform some configuration and then start loading. The word ads can be seen, which is presumably related to advertising:

Scrolling down, the function called finish caught my attention. It first obtains a Payload class according to PAYLOAD_NAME, and then obtains a byte array from this class:

Then it performs bit operations on this byte array that obviously look like decryption:

Finally, it declares a Loader, loads the decrypted Payload and displays it on the stage:

The Payload that gets loaded is a DefineBinaryData tag inside the SWF, with character ID 7 (this is true for every MochiCrypt-packed Flash):

It seems very simple. Because I am not very familiar with AS3, I decided to write an unpacking tool in C#. The first step is to read the SWF to be decrypted and parse all of its tags. Because the Flash file format is fairly complex and implementing it by hand is time-consuming, I use the ready-made open-source library SwfExtractor to read it. This library does not support the DefineBinaryData tag, so I modified a version myself (you can find it in my GitHub repository). The following opens the SWF file and searches for the binary data with ID 7:

// parse the whole SWF (byte[] data) into its tag list
SwfParser swf = new SwfParser();
swf.Parse(data);
// MochiCrypt always stores the encrypted inner SWF as DefineBinaryData with character ID 7
DefineBinaryData payloadTag = swf.FindTags<DefineBinaryData>().ToList().Find(i => i.CharacterID == 7);
byte[] payload = payloadTag.ExtractData();
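For readers who want to see what the library does under the hood, the following is an added example (not code from the original post or from SwfExtractor) that walks the SWF tag list directly: it handles the FWS/CWS header, skips the RECT and frame fields, iterates RECORDHEADERs (short and long form) and returns the body of the DefineBinaryData tag (tag code 87) with the requested character ID. The build_swf helper only exists to construct a test file inline; the tag codes and layout follow the public SWF specification.

```python
import struct
import zlib

DEFINE_BINARY_DATA = 87   # tag code of DefineBinaryData
FILE_ATTRIBUTES = 69      # tag code of FileAttributes (used only in the fixture)


def swf_body(data):
    """Return the SWF with its body decompressed, i.e. in FWS layout."""
    sig = data[:3]
    if sig == b"FWS":
        return data
    if sig == b"CWS":
        # everything after the 8-byte header is a zlib stream
        return data[:8] + zlib.decompress(data[8:])
    raise ValueError("not an SWF file (signature %r)" % sig)


def iter_tags(data):
    """Yield (tag_code, tag_body) for every tag following the SWF header."""
    data = swf_body(data)
    nbits = data[8] >> 3                       # RECT: 5-bit field count, then 4 fields
    rect_len = (5 + 4 * nbits + 7) // 8        # rounded up to whole bytes
    pos = 8 + rect_len + 4                     # skip RECT, frame rate (UI16), frame count (UI16)
    while pos + 2 <= len(data):
        (rh,) = struct.unpack_from("<H", data, pos)
        pos += 2
        code, length = rh >> 6, rh & 0x3F
        if length == 0x3F:                     # long form: UI32 length follows
            (length,) = struct.unpack_from("<I", data, pos)
            pos += 4
        body = data[pos:pos + length]
        pos += length
        yield code, body
        if code == 0:                          # End tag
            break


def find_binary_data(data, character_id=7):
    """Return the raw bytes of the DefineBinaryData tag with the given ID, or None."""
    for code, body in iter_tags(data):
        if code == DEFINE_BINARY_DATA:
            tag_id, _reserved = struct.unpack_from("<HI", body, 0)   # UI16 id, UI32 reserved
            if tag_id == character_id:
                return body[6:]
    return None


def build_swf(tags, compress=False):
    """Constructed test fixture: assemble a minimal SWF from (code, body) pairs."""
    body = b""
    for code, tag_body in tags:
        if len(tag_body) >= 0x3F:
            body += struct.pack("<HI", (code << 6) | 0x3F, len(tag_body))
        else:
            body += struct.pack("<H", (code << 6) | len(tag_body))
        body += tag_body
    body += struct.pack("<H", 0)                         # End tag
    rest = b"\x00" + struct.pack("<HH", 0x1800, 1) + body  # empty RECT, 24 fps, 1 frame
    total = 8 + len(rest)                                # header length is the uncompressed size
    if compress:
        return b"CWS" + bytes([10]) + struct.pack("<I", total) + zlib.compress(rest)
    return b"FWS" + bytes([10]) + struct.pack("<I", total) + rest


if __name__ == "__main__":
    sample = build_swf([(DEFINE_BINARY_DATA, struct.pack("<HI", 7, 0) + b"\x01\x02\x03" * 50)])
    print(len(find_binary_data(sample)), "payload bytes found")
```

The returned bytes are exactly what the C# snippet above stores in payload; the decryption step is applied to them unchanged.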


The ciphertext is now in the byte array named payload. The AS3 decryption function shown above is rewritten in C# syntax (the two languages are similar enough that few changes are needed). The AS3 source contains the call data.uncompress(); looking that up, I found that Flash uses the zlib algorithm for ByteArray compression and decompression, so the C# implementation uses the open-source zlib.managed library:


using System.Collections.Generic;
using System.IO;
using zlib; // namespace of the zlib.managed port (assumed; adjust to the package version in use)

public static byte[] Decrypt(byte[] payload)
{
    // 256-byte state table of the RC4-style cipher used by the packer
    byte[] S = new byte[256];
    int i = 0;
    int j = 0;
    int k = 0;
    int n = 0;
    int u = 0;
    int v = 0;

    n = payload.Length - 32;          // the 32-byte key is stored in the clear at the end of the payload
    while (i < 256)
    {
        S[i] = (byte)i;
        i++;
    }
    // key scheduling: mix the key bytes into the state table
    j = 0;
    i = 0;
    while (i < 256)
    {
        j = (j + S[i] + payload[n + (i & 31)]) & 255;
        u = S[i];
        S[i] = S[j];
        S[j] = (byte)u;
        i++;
    }
    // only the first 128 KiB of the payload are encrypted; the rest is stored as-is
    if (n > 131072)
    {
        n = 131072;
    }
    // keystream generation, XORed over the ciphertext in place
    j = 0;
    i = 0;
    k = 0;
    while (k < n)
    {
        i = (i + 1) & 255;
        u = S[i];
        j = (j + u) & 255;
        v = S[j];
        S[i] = (byte)v;
        S[j] = (byte)u;
        payload[k] = (byte)(payload[k] ^ S[(u + v) & 255]);
        k++;
    }

    // the decrypted data is a zlib stream (AS3 data.uncompress()); inflate it
    byte[] buf = new byte[65535];
    int lastDecompressed = 0;
    using (MemoryStream output = new MemoryStream())
    {
        using (Stream input = new MemoryStream(payload))
        using (ZOutputStream inflater = new ZOutputStream(output))
        {
            do
            {
                lastDecompressed = input.Read(buf, 0, buf.Length);
                inflater.Write(buf, 0, lastDecompressed);
            }
            while (lastDecompressed > 0);
        } // disposing the ZOutputStream finishes the inflate and flushes the remaining bytes
        return output.ToArray(); // ToArray still works after the MemoryStream is closed
    }
}
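The cipher in Decrypt is plain RC4 (the key-scheduling loop and the keystream loop are the standard ones), keyed with a 32-byte key that the packer stores unencrypted at the end of the payload; only the first 131072 bytes are ever XORed, and the result is a zlib stream. Because the key travels with the file, this is obfuscation rather than encryption, which is why an unpacker needs no secret at all. The following is an added example (not code from the original post or from MochiCryptUnpacker) that mirrors Decrypt in Python and, since RC4 is symmetric, also uses the same routine to build a packed payload for testing, so the 128 KiB boundary can be observed; the function names, the test key and the sample data are all constructed here.

```python
import random
import zlib

KEY_LEN = 32             # the last 32 bytes of the payload are the RC4 key
MAX_ENCRYPTED = 131072   # only the first 128 KiB of the compressed data are encrypted


def rc4_xor(data, key, limit=MAX_ENCRYPTED):
    """Standard RC4 (KSA + PRGA) XORed in place over data[:limit]; symmetric, so it both packs and unpacks."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 255
        S[i], S[j] = S[j], S[i]
    i = j = 0
    for k in range(min(limit, len(data))):     # keystream generation
        i = (i + 1) & 255
        j = (j + S[i]) & 255
        S[i], S[j] = S[j], S[i]
        data[k] ^= S[(S[i] + S[j]) & 255]


def decrypt_payload(payload):
    """Mirror of the unpacker's Decrypt(): strip the trailing key, RC4 the first 128 KiB, inflate."""
    if len(payload) <= KEY_LEN:
        raise ValueError("payload too short to contain a key")
    body = bytearray(payload[:-KEY_LEN])
    key = payload[-KEY_LEN:]
    rc4_xor(body, key)
    inflater = zlib.decompressobj()
    plain = inflater.decompress(bytes(body)) + inflater.flush()
    if not inflater.eof:
        raise ValueError("truncated zlib stream: wrong key or damaged payload")
    return plain


def pack_payload(plain_swf, key):
    """Constructed test fixture: produce a payload in the layout Decrypt() expects."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    body = bytearray(zlib.compress(plain_swf))
    rc4_xor(body, key)                         # same transform as decryption
    return bytes(body) + key


def make_sample(size, seed=1):
    """Constructed incompressible sample so the compressed body exceeds 128 KiB."""
    rng = random.Random(seed)
    return b"FWS" + bytes(rng.getrandbits(8) for _ in range(size))


if __name__ == "__main__":
    key = bytes(range(KEY_LEN))
    packed = pack_payload(make_sample(150000), key)
    print("round trip ok:", decrypt_payload(packed) == make_sample(150000))
```

The eof check is the one thing the C# version does not do: with a wrong or damaged key, inflating the garbage usually fails loudly, but a stream that merely ends early would otherwise be returned silently as a "successful" unpack.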


Finally, I implemented the form and the surrounding logic; this is the final result:

Dragging in some SWF files and non-SWF files gives the expected output (2 and 3 are MochiCrypt-packed animations, 1 is not packed, and 4 is not an SWF file at all). The unpacked SWF file is saved in the same directory as the source SWF, with the file name "source file name_Unpacked.swf":

Opening the unpacked SWF file in FFDec, the game resources can now be extracted successfully:


Download: https://github.com/whc2001/MochiCryptUnpacker
