nullsecurity.org/articles - "Extracting SWF from Flash Projector"

Ever wondered how to extract a SWF file from Adobe's Flash Projector? There is already both free and paid (LOL!) programs which should do the trick, but it's so easy that it doesn't worth the effort of downloading or paying (again, LOL!) for them.

Flash projected SWF's are actually a standalone flash player, bundled with the original SWF. The projector contains only the needed flash runtime library, which is... what "bundling" mean.

The structure of a Projector file looks like this:

Standard MZ-PE executable Projector

Original SWF file

DWORD, 0xFA123456Flash Projector "check" value

DWORD, Size of the original SWF file

The executable is designed that way, so it reads his own last 8 bytes, which are the projector check DWORD and the SWF size.
If the "check" DWORD is equal to 0xFA123456, it reads <size of the original SWF> bytes back (excluding the last 8 bytes), and process the data as standard SWF.

So, long story short, here's a small code that will extract SWF file from Projector bundle:

dump_projector.c, poorly written in C#include <stdio.h>
#include <windows.h>

int main() {
    int     szFile;
    char    dataEnd[8];
    DWORD   lpNumberOfBytesRW;
    HANDLE  hfInput,
            hfOutput,
            hMemHeap,
            hHeap;
    
    hfInput = CreateFile("input_projector.exe", GENERIC_READ, 0, NULL,\
                        OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hfInput == INVALID_HANDLE_VALUE) {
        printf("Cannot open input file for reading!\r\n");
    } else {
        szFile = GetFileSize(hfInput, NULL);
        SetFilePointer(hfInput, szFile-8, NULL, FILE_BEGIN);
        ReadFile(hfInput, dataEnd, 8, &lpNumberOfBytesRW, NULL);
        if (*(DWORD*)&dataEnd == 0xFA123456) { // Check the signature
            hHeap = GetProcessHeap();
            if (hHeap) {
                hMemHeap = (PHANDLE)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, *(DWORD*)&dataEnd[4]);
                SetFilePointer(hfInput, szFile-8-*(DWORD*)&dataEnd[4], NULL, FILE_BEGIN);
                ReadFile(hfInput, hMemHeap, *(DWORD*)&dataEnd[4], &lpNumberOfBytesRW, NULL);
                hfOutput = CreateFile("dumped.swf", GENERIC_WRITE, 0, NULL,\
                                    CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
                if (hfOutput == INVALID_HANDLE_VALUE) {
                    printf("Cannot create output file for writing!\r\n");
                } else {
                    WriteFile(hfOutput, hMemHeap, *(DWORD*)&dataEnd[4], &lpNumberOfBytesRW, NULL);
                    CloseHandle(hfOutput);
                    printf("Done, check your shiny new dumped.swf! =)\r\n");
                }
                HeapFree(hHeap, 0, hMemHeap);
            } else {
                printf("Can't fetch the process heap!\r\n");
            }
        } else {
            printf("This doesn't seems to be a projector bundle.\r\n");
        }
        CloseHandle(hfInput);
    }
    return 0;
}

Well, that's all. ;)

Comments

* You have an opinion? Let us all hear it!

Guest 07 Oct, 2021 13:46

hi all

Guest 16 Sep, 2021 08:10

Please upload the compiled .exe file!

XpoZed 13 Feb, 2017 03:23

I have no problems with that.
I'm glad you found it useful, and thanks for linking my site. :)

Guest 29 Jan, 2017 07:41

Thanks a lot for the analysis! I have created a POSIX compatible version of the source (i.e. for Linux / Unix) on http://digitalimagecorp.de/software/dump_projector/ for those that need it.
(You didn't specify a license, so please contact me if I should remove the port.)

Guest 20 Jul, 2013 10:36

Thanks man!

login

register

Extracting SWF from Flash Projector

Comments