Join the discord

Extracting SWF from Flash Projector

25 Sep, 2011 00:00
Ever wondered how to extract a SWF file from Adobe's Flash Projector? There is already both free and paid (LOL!) programs which should do the trick, but it's so easy that it doesn't worth the effort of downloading or paying (again, LOL!) for them.

Flash projected SWF's are actually a standalone flash player, bundled with the original SWF. The projector contains only the needed flash runtime library, which is... what "bundling" mean.

The structure of a Projector file looks like this:

Standard MZ-PE executable Projector
Original SWF file
DWORD, 0xFA123456Flash Projector "check" value
DWORD, Size of the original SWF file

The executable is designed that way, so it reads his own last 8 bytes, which are the projector check DWORD and the SWF size.
If the "check" DWORD is equal to 0xFA123456, it reads <size of the original SWF> bytes back (excluding the last 8 bytes), and process the data as standard SWF.

So, long story short, here's a small code that will extract SWF file from Projector bundle:
dump_projector.c, poorly written in C#include <stdio.h>
#include <windows.h>

int main() {
    int     szFile;
    char    dataEnd[8];
    DWORD   lpNumberOfBytesRW;
    HANDLE  hfInput,
            hfOutput,
            hMemHeap,
            hHeap;
    
    hfInput = CreateFile("input_projector.exe", GENERIC_READ, 0, NULL,\
                        OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hfInput == INVALID_HANDLE_VALUE) {
        printf("Cannot open input file for reading!\r\n");
    } else {
        szFile = GetFileSize(hfInput, NULL);
        SetFilePointer(hfInput, szFile-8, NULL, FILE_BEGIN);
        ReadFile(hfInput, dataEnd, 8, &lpNumberOfBytesRW, NULL);
        if (*(DWORD*)&dataEnd == 0xFA123456) { // Check the signature
            hHeap = GetProcessHeap();
            if (hHeap) {
                hMemHeap = (PHANDLE)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, *(DWORD*)&dataEnd[4]);
                SetFilePointer(hfInput, szFile-8-*(DWORD*)&dataEnd[4], NULL, FILE_BEGIN);
                ReadFile(hfInput, hMemHeap, *(DWORD*)&dataEnd[4], &lpNumberOfBytesRW, NULL);
                hfOutput = CreateFile("dumped.swf", GENERIC_WRITE, 0, NULL,\
                                    CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
                if (hfOutput == INVALID_HANDLE_VALUE) {
                    printf("Cannot create output file for writing!\r\n");
                } else {
                    WriteFile(hfOutput, hMemHeap, *(DWORD*)&dataEnd[4], &lpNumberOfBytesRW, NULL);
                    CloseHandle(hfOutput);
                    printf("Done, check your shiny new dumped.swf! =)\r\n");
                }
                HeapFree(hHeap, 0, hMemHeap);
            } else {
                printf("Can't fetch the process heap!\r\n");
            }
        } else {
            printf("This doesn't seems to be a projector bundle.\r\n");
        }
        CloseHandle(hfInput);
    }
    return 0;
}

Well, that's all. ;)

Comments

* You have an opinion? Let us all hear it!

XpoZed 13 Feb, 2017 10:23
I have no problems with that.
I'm glad you found it useful, and thanks for linking my site. :)
Guest 29 Jan, 2017 14:41
Thanks a lot for the analysis! I have created a POSIX compatible version of the source (i.e. for Linux / Unix) on http://digitalimagecorp.de/software/dump_projector/ for those that need it.
(You didn't specify a license, so please contact me if I should remove the port.)
Guest 20 Jul, 2013 17:36
Thanks man!
© nullsecurity.org 2011-2017 | legal | terms & rules | contacts
www.000webhost.com