First release

Author: timhir

ASByteArray.cpp

@@ -0,0 +1,86 @@
+/*
+Copyright 2014 F-Secure
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "ASByteArray.h"
+#include "FlashPlayerConfigBuilder.h"
+#include "Logger.h"
+
+ASByteArray::ASByteArray(void)
+{
+}
+
+
+ASByteArray::ASByteArray(UINT32* ptr)
+{
+	m_addr = (UINT32*)((UINT32)ptr & 0xfffffff8);
+	m_config = FlashPlayerConfigBuilder::instance().getConfig();
+}
+
+
+ASByteArray* ASByteArray::create(UINT32* ptr)
+{
+	if (!ASByteArray::isByteArray(ptr))
+	{
+		return NULL;
+	}
+
+	return new ASByteArray(ptr);
+}
+
+
+bool ASByteArray::isByteArray(UINT32* ptr)
+{
+	// Untag the pointer and try to read it
+	UINT32* addr = (UINT32*)((UINT32)ptr & 0xfffffff8);
+	Config* config = FlashPlayerConfigBuilder::instance().getConfig();
+
+	if (!WINDOWS::IsBadReadPtr((const void*)addr, 16))
+	{
+		UINT32* ba = (UINT32*)addr;
+		ADDRINT vtableAddr = (UINT32)ba[0];
+		if (vtableAddr == (config->loadOffset + config->byteArrayVTableRVA))
+		{
+			return true;
+		}
+	}
+
+	return false;
+}
+
+
+UINT8* ASByteArray::getData()
+{
+	UINT32* buffer = (UINT32*)m_addr[m_config->bufferOffsetInByteArray/sizeof(UINT32)];
+	UINT8* data = (UINT8*)buffer[m_config->dataOffsetInByteArrayBuffer/sizeof(UINT32)];
+	UINT32 count = buffer[m_config->countOffsetInByteArrayBuffer/sizeof(UINT32)];
+
+	UINT8* copyOfData = (UINT8*)malloc(count);
+	if (copyOfData == NULL)
+	{
+		return NULL;
+	}
+
+	memcpy(copyOfData, data, count);
+	return copyOfData;
+}
+
+
+UINT32 ASByteArray::getDataLength()
+{
+	UINT32* buffer = (UINT32*)m_addr[m_config->bufferOffsetInByteArray/sizeof(UINT32)];
+	UINT32 count = buffer[m_config->countOffsetInByteArrayBuffer/sizeof(UINT32)];
+	return count;
+}

ASByteArray.h

@@ -0,0 +1,41 @@
+/*
+Copyright 2014 F-Secure
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include "pin.H"
+
+#include "FlashPlayerConfigBuilder.h"
+
+class ASByteArray
+{
+public:
+	static ASByteArray* create(UINT32* ptr);
+	UINT8* getData();
+	UINT32 getDataLength();
+
+private:
+	ASByteArray(void);
+	ASByteArray(UINT32*);
+	ASByteArray(ASByteArray const&);
+	void operator=(ASByteArray const&);
+
+	static bool ASByteArray::isByteArray(UINT32*);
+
+	Config* m_config;
+	UINT32* m_addr;
+};
+

ASMethodInfo.cpp

@@ -0,0 +1,328 @@
+/*
+Copyright 2014 F-Secure
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "ASMethodInfo.h"
+#include "ASMultiname.h"
+#include "Logger.h"
+
+map<UINT32*,ASMethodInfo*> ASMethodInfo::m_methodInfoCache;
+
+static UINT32 readU30(const char *&p)
+{
+	unsigned int result = p[0];
+	if (!(result & 0x00000080))
+	{
+		p++;
+		return result;
+	}
+	result = (result & 0x0000007f) | p[1]<<7;
+	if (!(result & 0x00004000))
+	{
+		p += 2;
+		return result;
+	}
+	result = (result & 0x00003fff) | p[2]<<14;
+	if (!(result & 0x00200000))
+	{
+		p += 3;
+		return result;
+	}
+	result = (result & 0x001fffff) | p[3]<<21;
+	if (!(result & 0x10000000))
+	{
+		p += 4;
+		return result;
+	}
+	result = (result & 0x0fffffff) | p[4]<<28;
+	p += 5;
+	return result;
+}
+
+
+ASMethodInfo::ASMethodInfo(void)
+{
+}
+
+
+ASMethodInfo::ASMethodInfo(UINT32* ptr) :
+	m_methodSignatureBuilt(false)
+{
+	m_methodInfo = ptr;
+	m_config = FlashPlayerConfigBuilder::instance().getConfig();
+}
+
+
+ASMethodInfo* ASMethodInfo::create(UINT32* ptr)
+{
+	if (m_methodInfoCache.find(ptr) != m_methodInfoCache.end())
+	{
+		return m_methodInfoCache[ptr];
+	}
+	else
+	{
+		m_methodInfoCache[ptr] = new ASMethodInfo(ptr);
+		return m_methodInfoCache[ptr];
+	}
+}
+
+
+UINT32 ASMethodInfo::getMethodId()
+{
+	return m_methodInfo[m_config->methodIdOffsetInMethodInfo>>2];
+}
+
+
+void ASMethodInfo::buildMethodSignature()
+{
+	UINT32* pool = (UINT32*)m_methodInfo[m_config->poolOffsetInMethodInfo>>2];	
+	UINT32 method_id = m_methodInfo[m_config->methodIdOffsetInMethodInfo>>2];
+	UINT32 flags = m_methodInfo[m_config->flagsOffsetInMethodInfo>>2];
+	UINT32* abc_info_pos = (UINT32*)m_methodInfo[m_config->abcInfoPosOffsetInMethodInfo>>2];
+	UINT32* precompNames = (UINT32*)pool[m_config->precompNamesOffsetInPoolObject/4];
+
+	precompNames = precompNames + m_config->precompNamesHeaderSize/sizeof(UINT32);
+
+	// Do some manual ABC parsing to find parameter and return value information
+	const char* pos = (char*)abc_info_pos;
+
+	UINT32 param_count = readU30(pos);
+
+	UINT32 ret_type_name_index = readU30(pos);
+	if (ret_type_name_index != 0)
+	{
+		UINT32* name = (UINT32*)&precompNames[ret_type_name_index*(m_config->multinameSize/sizeof(UINT32))];
+		ASMultiname* mn = ASMultiname::create(name);
+
+		if (mn == NULL)
+		{
+			m_returnValueType = "null";
+		}
+		else
+		{
+			m_returnValueType = mn->getFormatted();
+		}
+	}
+	else
+	{
+		m_returnValueType = "null";
+	}
+
+	for (UINT32 i=0; i < param_count; i++)
+	{
+		UINT32 param_name_index = readU30(pos);
+		if (param_name_index == 0)
+		{
+			m_parameterTypes.push_back("null");
+		}
+		else
+		{
+			ASMultiname* mn = ASMultiname::create((UINT32*)&precompNames[param_name_index*(m_config->multinameSize/sizeof(UINT32))]);
+			if (mn == NULL)
+			{
+				m_parameterTypes.push_back("null");
+			}
+			else
+			{
+				m_parameterTypes.push_back(mn->getFormatted());
+			}
+		}
+	}
+}
+
+
+string ASMethodInfo::getName()
+{
+	UINT32* declaringScopeOrTraits = (UINT32*)m_methodInfo[m_config->traitsOffsetInMethodInfo>>2];
+	UINT32* pool = (UINT32*)m_methodInfo[m_config->poolOffsetInMethodInfo>>2];	
+	UINT32 method_id = m_methodInfo[m_config->methodIdOffsetInMethodInfo>>2];
+	UINT32 flags = m_methodInfo[m_config->flagsOffsetInMethodInfo>>2];
+	UINT32* precompNames = (UINT32*)pool[m_config->precompNamesOffsetInPoolObject/4];
+
+	/**
+	 * Getting the name is easier with debug build because it has method_name_indices array that
+	 * maps method_id to an index in precompNames (precomputer multinames). With non-debug builds
+	 * we need to manually calculate that index. Since the calculation is slow, we cache the results.
+	 */
+
+	INT32 methodNameIndex;
+	
+	// Debug build is easier to handle
+	if (m_config->debugBuild)
+	{
+		UINT32* method_name_indices = (UINT32*)pool[m_config->methodNameIndicesOffsetInPoolObject/4];
+
+		UINT32 method_name_indices_size = method_name_indices[0];
+		if (method_id >= method_name_indices_size)
+		{
+			LOGF("ERROR: method_id %d is larger than method_name_indices_size %d\n",  method_id, method_name_indices_size);
+			return "ERROR";
+		}
+
+		// The first two element are for other stuff
+		methodNameIndex = method_name_indices[method_id+2];
+
+		if (methodNameIndex == 0)
+		{
+			LOGF("ERROR: methodNameIndex is zero for method_id 0x%x\n", method_id);
+			return "ERROR";
+		}
+		else if (methodNameIndex > 0)
+		{
+			// No name needed
+			return "";
+		}
+
+		// Change the sign because we prefer positive indeces
+		methodNameIndex = -methodNameIndex;
+	}
+	else
+	{
+		UINT32* traitsPtr = getTraitsPtr();		
+		ASTraits* as_traits = ASTraits::create(traitsPtr);
+		methodNameIndex = as_traits->methodIdToMethodNameIndex(method_id);
+		if (methodNameIndex == -1)
+		{
+			// No name needed
+			return "";
+		}
+	}
+
+	UINT32* pMultiname = precompNames + m_config->precompNamesHeaderSize/sizeof(UINT32);
+	pMultiname += methodNameIndex*(m_config->multinameSize/sizeof(UINT32));
+	ASMultiname* mn = ASMultiname::create(pMultiname);
+	if (mn == NULL)
+	{
+		LOGF("ERROR: Creating ASMultiname from precompNames failed\n");
+		return "ERROR";
+	}
+	return mn->getFormatted();
+}
+
+
+UINT32 ASMethodInfo::getFlags()
+{
+	return m_methodInfo[m_config->flagsOffsetInMethodInfo>>2];
+}
+
+
+UINT32* ASMethodInfo::getTraitsPtr()
+{
+
+	UINT32* declaringScopeOrTraits = (UINT32*)m_methodInfo[m_config->traitsOffsetInMethodInfo/4];
+
+	if ((UINT32)declaringScopeOrTraits & 1)
+	{
+		declaringScopeOrTraits = (UINT32*)((UINT32)declaringScopeOrTraits & ~1);
+		return (UINT32*)declaringScopeOrTraits[2];
+	}
+	else
+	{
+		return declaringScopeOrTraits;
+	}
+}
+
+
+string ASMethodInfo::getMethodNameWithTraits()
+{
+	if (!m_methodNameWithTraits.empty())
+	{
+		return m_methodNameWithTraits;
+	}
+
+	UINT32* pTraits = getTraitsPtr();
+	if (((UINT32)pTraits & ~3) == NULL)
+	{
+		return "Function/<anonymous>";
+	}
+
+	ASTraits* traits = ASTraits::create(pTraits);
+
+	if (traits == NULL)
+	{
+		LOGF("ERROR: ASTraits::create returned NULL\n");
+		m_methodNameWithTraits = "ERROR";
+		return m_methodNameWithTraits;
+	}
+
+	UINT32* init = traits->getInit();
+	if (init == NULL)
+	{
+		LOGF("ERROR: traits->getInit returned NULL\n");
+		m_methodNameWithTraits = "ERROR";
+		return m_methodNameWithTraits;
+	}
+
+	string traitsName = traits->getName();
+	string name = getName();
+
+	if (init == m_methodInfo)
+	{
+		UINT8 posType = traits->getPosType();
+
+		if (posType == TRAITSTYPE_SCRIPT)
+		{
+			m_methodNameWithTraits = traitsName + "$init";
+			return m_methodNameWithTraits;
+		}
+		else if (posType == TRAITSTYPE_CLASS)
+		{
+			m_methodNameWithTraits = traitsName + "cinit";
+			return m_methodNameWithTraits;
+		}
+		else
+		{
+			m_methodNameWithTraits = traitsName;
+			return m_methodNameWithTraits;
+		}
+	}
+
+	UINT32 flags = getFlags();
+	string sep = "/";
+
+	if (flags & IS_GETTER)
+	{
+		sep = "/get ";
+	}
+	else if (flags & IS_SETTER)
+	{
+		sep = "/set ";
+	}
+
+	m_methodNameWithTraits = traitsName + sep + name;
+	return m_methodNameWithTraits;
+}
+
+
+string ASMethodInfo::getReturnValueType()
+{
+	if (!m_methodSignatureBuilt)
+	{
+		buildMethodSignature();
+	}
+
+	return m_returnValueType; 
+}
+
+
+const vector<string>* ASMethodInfo::getParameterTypes()
+{
+	if (!m_methodSignatureBuilt)
+	{
+		buildMethodSignature();
+	}
+
+	return &m_parameterTypes; 
+}

ASMethodInfo.h

@@ -0,0 +1,62 @@
+/*
+Copyright 2014 F-Secure
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include "pin.H"
+
+#include "FlashPlayerConfigBuilder.h"
+#include "ASString.h"
+#include "ASTraits.h"
+
+class ASMethodInfo
+{
+public:
+	static ASMethodInfo* create(UINT32* ptr);
+	string getName();
+	UINT32* getTraitsPtr();
+	string getMethodNameWithTraits();
+	UINT32 getFlags();
+	UINT32 getMethodId();
+
+	string getReturnValueType();
+	const vector<string>* getParameterTypes();
+
+private:
+	ASMethodInfo(void);
+	ASMethodInfo(UINT32*);
+	ASMethodInfo(ASMethodInfo const&);
+	void operator=(ASMethodInfo const&);
+
+	void buildMethodSignature();
+
+	Config* m_config;
+	UINT32* m_methodInfo;
+	
+	string m_methodNameWithTraits;
+	
+	bool m_methodSignatureBuilt;
+	string m_returnValueType;
+	vector<string> m_parameterTypes;
+
+	map<UINT32,UINT32> methodIdToMethodNameIndex;
+
+	static map<UINT32*,ASMethodInfo*> m_methodInfoCache;
+
+	static const UINT32 IS_GETTER = 0x100;
+	static const UINT32 IS_SETTER = 0x200;
+};
+

ASMultiname.cpp

@@ -0,0 +1,93 @@
+/*
+Copyright 2014 F-Secure
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "ASMultiname.h"
+#include "ASString.h"
+#include "FlashPlayerConfigBuilder.h"
+#include "Logger.h"
+
+map<UINT32*,ASMultiname*> ASMultiname::m_multinameCache;
+
+ASMultiname::ASMultiname(UINT32* ptr)
+{
+	m_config = FlashPlayerConfigBuilder::instance().getConfig();
+	m_addr = ptr;
+}
+
+
+ASMultiname* ASMultiname::create(UINT32* ptr)
+{
+	if (m_multinameCache.find(ptr) == m_multinameCache.end())
+	{
+		m_multinameCache[ptr] = new ASMultiname(ptr);
+	}
+
+	return m_multinameCache[ptr];
+}
+
+
+string ASMultiname::format(UINT32* ns, UINT32* name, bool hideNonPublicNamespaces)
+{
+	Config* config = FlashPlayerConfigBuilder::instance().getConfig();
+
+	UINT32* p_uri = (UINT32*)ns[config->uriOffsetInNamespace/4];
+
+	ASString* as_str = ASString::create(name);
+	string str_name = as_str->getString();
+
+	// Lower 3 bytes zero (public) and String length == 0, or
+	// non-public and we want to hide
+	if (((((UINT32)p_uri & 7) == 0) && p_uri[4] == 0) || (hideNonPublicNamespaces && (((UINT32)p_uri & 7) != 0)))
+	{
+		return str_name;
+	}
+	else
+	{
+		p_uri = (UINT32*)((UINT32)p_uri & 0xfffffff8);
+
+		as_str = ASString::create(p_uri);
+		string str_ns = as_str->getString();
+
+		return str_ns + "::" + str_name;
+	}
+}
+
+UINT32* ASMultiname::getNamePtr()
+{
+	UINT32* p_name = (UINT32*)m_addr[0];
+	return p_name;
+}
+
+UINT32* ASMultiname::getNamespacePtr()
+{
+	UINT32 multiname_flags = m_addr[2];
+	UINT32* pNamespaceOrNamespaceSet = (UINT32*)m_addr[1];
+	UINT32* pNamespace = pNamespaceOrNamespaceSet;
+
+	// Namespace set?
+	if ((multiname_flags & NSSET) == NSSET)
+	{
+		pNamespace = (UINT32*)pNamespaceOrNamespaceSet[m_config->namespacesOffsetInNamespaceSet/sizeof(UINT32)];
+	}
+	
+	return pNamespace;
+}
+
+
+string ASMultiname::getFormatted()
+{
+	return ASMultiname::format(getNamespacePtr(), getNamePtr());	
+}

ASMultiname.h

@@ -0,0 +1,48 @@
+/*
+Copyright 2014 F-Secure
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include "pin.H"
+
+#include "FlashPlayerConfigBuilder.h"
+
+class ASMultiname
+{
+public:
+
+	static ASMultiname* create(UINT32* ptr);
+	static string format(UINT32* ns, UINT32* name, bool hideNonPublicNamespaces=true);
+	string getFormatted();
+
+private:
+
+	ASMultiname(void);
+	ASMultiname(UINT32*);
+	ASMultiname(ASMultiname const&);
+	void operator=(ASMultiname const&);
+
+	UINT32* getNamespacePtr();
+	UINT32* getNamePtr();
+
+	Config* m_config;
+	UINT32* m_addr;
+
+	static map<UINT32*,ASMultiname*> m_multinameCache;
+
+	const static UINT32 NSSET = 0x10;
+};
+

ASString.cpp

@@ -0,0 +1,101 @@
+/*
+Copyright 2014 F-Secure
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "ASString.h"
+#include "Logger.h"
+
+ASString::ASString(void)
+{
+	
+}
+
+ASString::ASString(UINT32* ptr)
+{
+	m_tagged = ((UINT32)ptr & 0x7) != 0;
+	m_addr = (UINT32*)((UINT32)ptr & 0xfffffff8);
+	m_config = FlashPlayerConfigBuilder::instance().getConfig();
+}
+
+
+ASString* ASString::create(UINT32* ptr)
+{
+	if (!ASString::isString(ptr))
+	{
+		return NULL;
+	}
+
+	return new ASString(ptr);
+}
+
+
+bool ASString::isString(UINT32* addr)
+{
+	// Untag the pointer and try to read it
+	addr = (UINT32*)((UINT32)addr & 0xfffffff8);
+	Config* config = FlashPlayerConfigBuilder::instance().getConfig();
+
+	if (!WINDOWS::IsBadReadPtr((const void*)addr, 16))
+	{
+		UINT32* obj = (UINT32*)addr;
+		ADDRINT vtableAddr = (UINT32)obj[0];
+		if (vtableAddr == (config->loadOffset + config->stringVTableRVA))
+		{
+			return true;
+		}
+	}
+
+	return false;
+}
+
+
+UINT8* ASString::getPtrToBuf()
+{
+	return (UINT8*)m_addr[m_config->stringBufferOffset>>2];
+}
+
+string ASString::getString(bool verbose)
+{
+	if (!WINDOWS::IsBadReadPtr((const void*)((ADDRINT)m_addr + m_config->stringLengthOffset), 16) && !WINDOWS::IsBadReadPtr((const void*)((ADDRINT)m_addr + m_config->stringBufferOffset), 16))
+	{
+		UINT32 flags = m_addr[0x14>>2];
+		UINT8* buffer = NULL;
+
+		// Dependent string?
+		if (flags & 4)
+		{
+
+			ASString* master = ASString::create((UINT32*)m_addr[0xc>>2]);
+			buffer = master->getPtrToBuf();
+			// Offset
+			buffer += m_addr[m_config->stringBufferOffset>>2];
+		}
+		else
+		{
+			buffer = (UINT8*)m_addr[m_config->stringBufferOffset>>2];
+		}
+
+		UINT32 length = m_addr[m_config->stringLengthOffset>>2];
+		
+
+		if (!WINDOWS::IsBadReadPtr((const void*)buffer, length))
+		{
+			string s = string((const char*)buffer, length);
+			return s;
+		}
+	}
+
+	return NULL;
+}

ASString.h

@@ -0,0 +1,50 @@
+/*
+Copyright 2014 F-Secure
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include "pin.H"
+
+#include "FlashPlayerConfigBuilder.h"
+
+class ASString
+{
+public:
+
+	enum Type
+    {
+		DYNAMIC_STRING = 0,
+		STATIC_STRING = 1,
+		DEPENDENT_STRING = 2
+    };
+
+	static ASString* create(UINT32* ptr);
+	string getString(bool verbose=false);
+
+private:
+	ASString(void);
+	ASString(UINT32*);
+	ASString(ASString const&);
+	void operator=(ASString const&);
+
+	static BOOL isString(UINT32* addr);
+	UINT8* getPtrToBuf();
+
+	bool m_tagged;
+	UINT32* m_addr;
+	Config* m_config;
+};
+

ASTraits.cpp

@@ -0,0 +1,226 @@
+/*
+Copyright 2014 F-Secure
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "ASTraits.h"
+#include "ASMultiname.h"
+#include "Logger.h"
+
+map<UINT32*,ASTraits*> ASTraits::m_traitsCache;
+
+static UINT32 readU30(const char *&p)
+{
+	unsigned int result = p[0];
+	if (!(result & 0x00000080))
+	{
+		p++;
+		return result;
+	}
+	result = (result & 0x0000007f) | p[1]<<7;
+	if (!(result & 0x00004000))
+	{
+		p += 2;
+		return result;
+	}
+	result = (result & 0x00003fff) | p[2]<<14;
+	if (!(result & 0x00200000))
+	{
+		p += 3;
+		return result;
+	}
+	result = (result & 0x001fffff) | p[3]<<21;
+	if (!(result & 0x10000000))
+	{
+		p += 4;
+		return result;
+	}
+	result = (result & 0x0fffffff) | p[4]<<28;
+	p += 5;
+	return result;
+}
+
+
+ASTraits::ASTraits(void)
+{
+}
+
+ASTraits::ASTraits(UINT32* ptr) :
+	m_methodIdToMethodNameIndexPopulated(false)
+{
+	m_traits = ptr;
+	m_config = FlashPlayerConfigBuilder::instance().getConfig();
+}
+
+
+ASTraits* ASTraits::create(UINT32* ptr)
+{
+	if (m_traitsCache.find(ptr) != m_traitsCache.end())
+	{
+		return m_traitsCache[ptr];
+	}
+	else
+	{
+		m_traitsCache[ptr] = new ASTraits(ptr);
+		return m_traitsCache[ptr];
+	}
+}
+
+
+// Construct the name using info in private fields
+string ASTraits::getName()
+{
+	if (!m_name.empty())
+	{
+		return m_name;
+	}
+
+	UINT32* p_ns = (UINT32*)m_traits[m_config->namespaceOffsetInTraits/4];
+	UINT32* p_name = (UINT32*)m_traits[m_config->nameOffsetInTraits/4];
+
+	if (p_ns == NULL)
+	{
+		LOGF("ERROR: namespace pointer is NULL in Traits object\n");
+		return "ERROR";
+	}
+
+	if (p_name == NULL)
+	{
+		LOGF("ERROR: name pointer is NULL in Traits object\n");
+		return "ERROR";
+	}
+
+	m_name = ASMultiname::format(p_ns, p_name, false); 
+	return m_name;
+}
+
+
+UINT32* ASTraits::getInit()
+{
+	return (UINT32*)m_traits[m_config->initOffsetInTraits/4];
+}
+
+
+UINT8 ASTraits::getPosType()
+{
+	UINT8* tmp = (UINT8*)m_traits;
+	return tmp[m_config->posTypeOffsetInTraits];
+}
+
+
+UINT32 ASTraits::methodIdToMethodNameIndex(UINT32 method_id)
+{
+	if (m_methodIdToMethodNameIndexPopulated)
+	{
+		if (m_methodIdToMethodNameIndex.find(method_id) == m_methodIdToMethodNameIndex.end())
+		{
+			return -1;
+		}
+		else
+		{
+			return m_methodIdToMethodNameIndex[method_id];
+		}
+	}
+
+	UINT32* traitsPtr = m_traits;
+	UINT8 posType = getPosType();
+	UINT32* traitsPos = (UINT32*)traitsPtr[m_config->traitsPosOffsetOffsetInTraits/4];
+
+	const char* pos = (char*)traitsPos;
+
+	if (posType == TRAITSTYPE_INSTANCE || posType == TRAITSTYPE_INTERFACE)
+	{
+		UINT32 qname = readU30(pos);
+		UINT32 baseTraits = readU30(pos);
+
+		UINT8 flags2 = *pos++;
+		if ((flags2 & 8) != 0)
+		{
+			UINT32 dummy = readU30(pos);
+		}
+
+		UINT32 interfaceCount = readU30(pos);
+		for (UINT32 i=0; i < interfaceCount; i++)
+		{
+			UINT32 dummy = readU30(pos);
+		}
+	}
+
+	if (posType == TRAITSTYPE_INSTANCE || posType == TRAITSTYPE_INTERFACE || posType == TRAITSTYPE_CLASS || posType == TRAITSTYPE_SCRIPT)
+	{
+		UINT32 init_index = readU30(pos);
+	}
+
+	//  AbcParser::parseTraits
+	UINT32 count = readU30(pos);
+	for (UINT32 i=0; i < count; i++)
+	{
+		UINT32 qindex = readU30(pos);
+		UINT8 tag = *pos++;
+		UINT8 kind = tag & 0xf;
+		UINT32 method_index = NULL;
+		UINT32 earlyDispId = 0;
+		UINT32 slot_id = 0;
+		UINT32 typeName = 0;
+
+		switch (kind)
+		{
+			case 1:
+			case 2:
+			case 3:
+				earlyDispId = readU30(pos);
+				method_index = readU30(pos);
+				break;
+			case 4:
+				slot_id = readU30(pos);
+				method_index = readU30(pos);
+				break;
+			case 0:
+			case 6:
+				slot_id = readU30(pos);
+				typeName = readU30(pos);
+				// This is called value_index in original source code
+				method_index = readU30(pos);
+				if (method_index)
+				{
+					pos += 1;
+				}
+				break;
+			default:
+				break;
+		}
+
+		// Metadata?
+		if (tag & 0x40)
+		{
+			UINT32 metadataCount = readU30(pos);
+			for (UINT32 metadata = 0; metadata < metadataCount; ++metadata)
+			{
+				const UINT32 index = readU30(pos);
+			}
+		}
+
+		m_methodIdToMethodNameIndex[method_index] = qindex;
+	}
+
+	m_methodIdToMethodNameIndexPopulated = true;
+	if (m_methodIdToMethodNameIndex.find(method_id) == m_methodIdToMethodNameIndex.end())
+	{
+		return -1;
+	}
+	else
+	{
+		return m_methodIdToMethodNameIndex[method_id];
+	}
+}

ASTraits.h

@@ -0,0 +1,61 @@
+/*
+Copyright 2014 F-Secure
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include "pin.H"
+
+#include "FlashPlayerConfigBuilder.h"
+#include "ASString.h"
+
+enum TraitsPosType
+{
+	TRAITSTYPE_INSTANCE = 0,
+    TRAITSTYPE_CLASS = 1,
+    TRAITSTYPE_SCRIPT = 2,
+	TRAITSTYPE_CATCH = 3,
+	TRAITSTYPE_ACTIVATION = 4,
+	TRAITSTYPE_NVA = 5,
+	TRAITSTYPE_RT = 6,
+	TRAITSTYPE_INTERFACE = 7
+};
+
+class ASTraits
+{
+public:
+	static ASTraits* create(UINT32* ptr);
+	
+	UINT32 methodIdToMethodNameIndex(UINT32 method_id);
+
+	string getName();
+	UINT32* getInit();
+	UINT8 getPosType();
+
+private:
+	ASTraits(void);
+	ASTraits(UINT32*);
+	ASTraits(ASTraits const&);
+	void operator=(ASTraits const&);
+
+	Config* m_config;
+	UINT32* m_traits;
+	string m_name;
+	bool m_methodIdToMethodNameIndexPopulated;
+	map <UINT32,UINT32> m_methodIdToMethodNameIndex;
+
+	static map<UINT32*,ASTraits*> m_traitsCache;
+};
+

FlashPlayerConfigBuilder.cpp

@@ -0,0 +1,241 @@
+/*
+Copyright 2014 F-Secure
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "FlashPlayerConfigBuilder.h"
+
+FlashPlayerConfigBuilder::FlashPlayerConfigBuilder(void)
+{
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].versionStr = "WIN 10,3,181,22";
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].versionStrRVA = 0x453f74;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].setInterpRVA = 0x3F2A46;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].verifyOnCallRVA = 0x3F3131;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].byteArrayVTableRVA = 0x55d698;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].bufferOffsetInByteArray = 0x10;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].dataOffsetInByteArrayBuffer = 0x24;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].countOffsetInByteArrayBuffer = 0x2c;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].stringVTableRVA = 0x55d4f8;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].stringLengthOffset = 0x10;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].stringBufferOffset = 0x8;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].methodInfoOffsetInMethodEnv = 0x4;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].invokerOffsetInMethodInfo = 0x4;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].traitsOffsetInMethodInfo = 0xc;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].poolOffsetInMethodInfo = 0x14;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].abcInfoPosOffsetInMethodInfo = 0x18;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].methodIdOffsetInMethodInfo = 0x1c;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].flagsOffsetInMethodInfo = 0x34;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].initOffsetInTraits = 0x48;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].traitsPosOffsetOffsetInTraits = 0x50;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].posTypeOffsetInTraits = 0x79;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].namespaceOffsetInTraits = 0x3c;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].nameOffsetInTraits = 0x40;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].methodsOffsetInPoolObject = 0x8c;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].methodNameIndicesOffsetInPoolObject = 0x90;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].precompNamesOffsetInPoolObject = 0x50;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].uriOffsetInNamespace = 0x10;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].namespacesOffsetInNamespaceSet = 0x4;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].multinameSize = 0x10;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].precompNamesHeaderSize = 0x8;
+	m_supportedConfigs["10.3.181.23_win_sa_debug"].debugBuild = true;
+
+	m_supportedConfigs["10.3.181.23_win_sa"].versionStr = "WIN 10,3,181,22";
+	m_supportedConfigs["10.3.181.23_win_sa"].versionStrRVA = 0x42a528;
+	m_supportedConfigs["10.3.181.23_win_sa"].setInterpRVA = 0x3D3646;
+	m_supportedConfigs["10.3.181.23_win_sa"].verifyOnCallRVA = 0x3d3c8a;
+	m_supportedConfigs["10.3.181.23_win_sa"].byteArrayVTableRVA = 0x4D73B0;
+	m_supportedConfigs["10.3.181.23_win_sa"].bufferOffsetInByteArray = 0x10;
+	m_supportedConfigs["10.3.181.23_win_sa"].dataOffsetInByteArrayBuffer = 0x24;
+	m_supportedConfigs["10.3.181.23_win_sa"].countOffsetInByteArrayBuffer = 0x2c;
+	m_supportedConfigs["10.3.181.23_win_sa"].stringVTableRVA = 0x4d72d0;
+	m_supportedConfigs["10.3.181.23_win_sa"].stringLengthOffset = 0x10;
+	m_supportedConfigs["10.3.181.23_win_sa"].stringBufferOffset = 0x8;
+	m_supportedConfigs["10.3.181.23_win_sa"].methodInfoOffsetInMethodEnv = 0x4;
+	m_supportedConfigs["10.3.181.23_win_sa"].invokerOffsetInMethodInfo = 0x4;
+	m_supportedConfigs["10.3.181.23_win_sa"].traitsOffsetInMethodInfo = 0xc;
+	m_supportedConfigs["10.3.181.23_win_sa"].poolOffsetInMethodInfo = 0x14;
+	m_supportedConfigs["10.3.181.23_win_sa"].abcInfoPosOffsetInMethodInfo = 0x18;
+	m_supportedConfigs["10.3.181.23_win_sa"].methodIdOffsetInMethodInfo = 0x1c;
+	m_supportedConfigs["10.3.181.23_win_sa"].flagsOffsetInMethodInfo = 0x30;
+	m_supportedConfigs["10.3.181.23_win_sa"].initOffsetInTraits = 0x48;
+	m_supportedConfigs["10.3.181.23_win_sa"].traitsPosOffsetOffsetInTraits = 0x50;
+	m_supportedConfigs["10.3.181.23_win_sa"].posTypeOffsetInTraits = 0x79;
+	m_supportedConfigs["10.3.181.23_win_sa"].namespaceOffsetInTraits = 0x3c;
+	m_supportedConfigs["10.3.181.23_win_sa"].nameOffsetInTraits = 0x40;
+	m_supportedConfigs["10.3.181.23_win_sa"].methodsOffsetInPoolObject = 0x88;
+	m_supportedConfigs["10.3.181.23_win_sa"].methodNameIndicesOffsetInPoolObject = NULL;
+	m_supportedConfigs["10.3.181.23_win_sa"].precompNamesOffsetInPoolObject = 0x50;
+	m_supportedConfigs["10.3.181.23_win_sa"].uriOffsetInNamespace = 0x10;
+	m_supportedConfigs["10.3.181.23_win_sa"].namespacesOffsetInNamespaceSet = 0x4;
+	m_supportedConfigs["10.3.181.23_win_sa"].multinameSize = 0x10;
+	m_supportedConfigs["10.3.181.23_win_sa"].precompNamesHeaderSize = 0x8;
+	m_supportedConfigs["10.3.181.23_win_sa"].debugBuild = false;
+
+	m_supportedConfigs["10.3.181.23_winax"].versionStr = "WIN 10,3,181,23";
+	m_supportedConfigs["10.3.181.23_winax"].versionStrRVA = 0x4CC970;
+	m_supportedConfigs["10.3.181.23_winax"].setInterpRVA = 0x406766;
+	m_supportedConfigs["10.3.181.23_winax"].verifyOnCallRVA = 0x406DAA;
+	m_supportedConfigs["10.3.181.23_winax"].byteArrayVTableRVA = 0x57D038;
+	m_supportedConfigs["10.3.181.23_winax"].bufferOffsetInByteArray = 0x10;
+	m_supportedConfigs["10.3.181.23_winax"].dataOffsetInByteArrayBuffer = 0x24;
+	m_supportedConfigs["10.3.181.23_winax"].countOffsetInByteArrayBuffer = 0x2c;
+	m_supportedConfigs["10.3.181.23_winax"].stringVTableRVA = 0x57CF60;
+	m_supportedConfigs["10.3.181.23_winax"].stringLengthOffset = 0x10;
+	m_supportedConfigs["10.3.181.23_winax"].stringBufferOffset = 0x8;
+	m_supportedConfigs["10.3.181.23_winax"].methodInfoOffsetInMethodEnv = 0x4;
+	m_supportedConfigs["10.3.181.23_winax"].invokerOffsetInMethodInfo = 0x4;
+	m_supportedConfigs["10.3.181.23_winax"].traitsOffsetInMethodInfo = 0xc;
+	m_supportedConfigs["10.3.181.23_winax"].poolOffsetInMethodInfo = 0x14;
+	m_supportedConfigs["10.3.181.23_winax"].abcInfoPosOffsetInMethodInfo = 0x18;
+	m_supportedConfigs["10.3.181.23_winax"].methodIdOffsetInMethodInfo = 0x1c;
+	m_supportedConfigs["10.3.181.23_winax"].flagsOffsetInMethodInfo = 0x30;
+	m_supportedConfigs["10.3.181.23_winax"].initOffsetInTraits = 0x48;
+	m_supportedConfigs["10.3.181.23_winax"].traitsPosOffsetOffsetInTraits = 0x50;
+	m_supportedConfigs["10.3.181.23_winax"].posTypeOffsetInTraits = 0x79;
+	m_supportedConfigs["10.3.181.23_winax"].namespaceOffsetInTraits = 0x3c;
+	m_supportedConfigs["10.3.181.23_winax"].nameOffsetInTraits = 0x40;
+	m_supportedConfigs["10.3.181.23_winax"].methodsOffsetInPoolObject = 0x88;
+	m_supportedConfigs["10.3.181.23_winax"].methodNameIndicesOffsetInPoolObject = NULL;
+	m_supportedConfigs["10.3.181.23_winax"].precompNamesOffsetInPoolObject = 0x50;
+	m_supportedConfigs["10.3.181.23_winax"].uriOffsetInNamespace = 0x10;
+	m_supportedConfigs["10.3.181.23_winax"].namespacesOffsetInNamespaceSet = 0x4;
+	m_supportedConfigs["10.3.181.23_winax"].multinameSize = 0x10;
+	m_supportedConfigs["10.3.181.23_winax"].precompNamesHeaderSize = 0x8;
+	m_supportedConfigs["10.3.181.23_winax"].debugBuild = false;
+
+	m_supportedConfigs["11.1.102.62_win_sa"].versionStr = "WIN 11,1,102,62";
+	m_supportedConfigs["11.1.102.62_win_sa"].versionStrRVA = 0x5E42AC;
+	m_supportedConfigs["11.1.102.62_win_sa"].setInterpRVA = 0x48B9E7;
+	m_supportedConfigs["11.1.102.62_win_sa"].verifyOnCallRVA = 0x48C02D;
+	m_supportedConfigs["11.1.102.62_win_sa"].byteArrayVTableRVA = 0x6AAFF8;
+	m_supportedConfigs["11.1.102.62_win_sa"].bufferOffsetInByteArray = 0x10;
+	m_supportedConfigs["11.1.102.62_win_sa"].dataOffsetInByteArrayBuffer = 0x20;
+	m_supportedConfigs["11.1.102.62_win_sa"].countOffsetInByteArrayBuffer = 0x28;
+	m_supportedConfigs["11.1.102.62_win_sa"].stringVTableRVA = 0x6AAFBC;
+	m_supportedConfigs["11.1.102.62_win_sa"].stringLengthOffset = 0x10;
+	m_supportedConfigs["11.1.102.62_win_sa"].stringBufferOffset = 0x8;
+	m_supportedConfigs["11.1.102.62_win_sa"].methodInfoOffsetInMethodEnv = 0x8;
+	m_supportedConfigs["11.1.102.62_win_sa"].invokerOffsetInMethodInfo = 0x8;
+	m_supportedConfigs["11.1.102.62_win_sa"].traitsOffsetInMethodInfo = 0x10;
+	m_supportedConfigs["11.1.102.62_win_sa"].poolOffsetInMethodInfo = 0x18;
+	m_supportedConfigs["11.1.102.62_win_sa"].abcInfoPosOffsetInMethodInfo = 0x1c;
+	m_supportedConfigs["11.1.102.62_win_sa"].methodIdOffsetInMethodInfo = 0x20;
+	m_supportedConfigs["11.1.102.62_win_sa"].flagsOffsetInMethodInfo = 0x34;
+	m_supportedConfigs["11.1.102.62_win_sa"].initOffsetInTraits = 0x4c;
+	m_supportedConfigs["11.1.102.62_win_sa"].traitsPosOffsetOffsetInTraits = 0x54;
+	m_supportedConfigs["11.1.102.62_win_sa"].posTypeOffsetInTraits = 0x7d;
+	m_supportedConfigs["11.1.102.62_win_sa"].namespaceOffsetInTraits = 0x40;
+	m_supportedConfigs["11.1.102.62_win_sa"].nameOffsetInTraits = 0x44;
+	m_supportedConfigs["11.1.102.62_win_sa"].methodsOffsetInPoolObject = 0x88;
+	m_supportedConfigs["11.1.102.62_win_sa"].methodNameIndicesOffsetInPoolObject = NULL;
+	m_supportedConfigs["11.1.102.62_win_sa"].precompNamesOffsetInPoolObject = 0x50;
+	m_supportedConfigs["11.1.102.62_win_sa"].uriOffsetInNamespace = 0xc;
+	m_supportedConfigs["11.1.102.62_win_sa"].namespacesOffsetInNamespaceSet = 0x8;
+	m_supportedConfigs["11.1.102.62_win_sa"].multinameSize = 0x10;
+	m_supportedConfigs["11.1.102.62_win_sa"].precompNamesHeaderSize = 0xc;
+	m_supportedConfigs["11.1.102.62_win_sa"].debugBuild = false;
+
+	m_supportedConfigs["11.1.102.62_winax"].versionStr = "WIN 11,1,102,62";
+	m_supportedConfigs["11.1.102.62_winax"].versionStrRVA = 0x68443C;
+	m_supportedConfigs["11.1.102.62_winax"].setInterpRVA = 0x4BFD87;
+	m_supportedConfigs["11.1.102.62_winax"].verifyOnCallRVA = 0x4C03CD;
+	m_supportedConfigs["11.1.102.62_winax"].byteArrayVTableRVA = 0x7471E8;
+	m_supportedConfigs["11.1.102.62_winax"].bufferOffsetInByteArray = 0x10;
+	m_supportedConfigs["11.1.102.62_winax"].dataOffsetInByteArrayBuffer = 0x20;
+	m_supportedConfigs["11.1.102.62_winax"].countOffsetInByteArrayBuffer = 0x28;
+	m_supportedConfigs["11.1.102.62_winax"].stringVTableRVA = 0x74711C;
+	m_supportedConfigs["11.1.102.62_winax"].stringLengthOffset = 0x10;
+	m_supportedConfigs["11.1.102.62_winax"].stringBufferOffset = 0x8;
+	m_supportedConfigs["11.1.102.62_winax"].methodInfoOffsetInMethodEnv = 0x8;
+	m_supportedConfigs["11.1.102.62_winax"].invokerOffsetInMethodInfo = 0x8;
+	m_supportedConfigs["11.1.102.62_winax"].traitsOffsetInMethodInfo = 0x10;
+	m_supportedConfigs["11.1.102.62_winax"].poolOffsetInMethodInfo = 0x18;
+	m_supportedConfigs["11.1.102.62_winax"].abcInfoPosOffsetInMethodInfo = 0x1c;
+	m_supportedConfigs["11.1.102.62_winax"].methodIdOffsetInMethodInfo = 0x20;
+	m_supportedConfigs["11.1.102.62_winax"].flagsOffsetInMethodInfo = 0x34;
+	m_supportedConfigs["11.1.102.62_winax"].initOffsetInTraits = 0x4c;
+	m_supportedConfigs["11.1.102.62_winax"].traitsPosOffsetOffsetInTraits = 0x54;
+	m_supportedConfigs["11.1.102.62_winax"].posTypeOffsetInTraits = 0x7d;
+	m_supportedConfigs["11.1.102.62_winax"].namespaceOffsetInTraits = 0x40;
+	m_supportedConfigs["11.1.102.62_winax"].nameOffsetInTraits = 0x44;
+	m_supportedConfigs["11.1.102.62_winax"].methodsOffsetInPoolObject = 0x88;
+	m_supportedConfigs["11.1.102.62_winax"].methodNameIndicesOffsetInPoolObject = NULL;
+	m_supportedConfigs["11.1.102.62_winax"].precompNamesOffsetInPoolObject = 0x50;
+	m_supportedConfigs["11.1.102.62_winax"].uriOffsetInNamespace = 0xc;
+	m_supportedConfigs["11.1.102.62_winax"].namespacesOffsetInNamespaceSet = 0x8;
+	m_supportedConfigs["11.1.102.62_winax"].multinameSize = 0x10;
+	m_supportedConfigs["11.1.102.62_winax"].precompNamesHeaderSize = 0xc;
+	m_supportedConfigs["11.1.102.62_winax"].debugBuild = false;
+
+	m_currentConfig = NULL;
+}
+
+bool FlashPlayerConfigBuilder::isSupportedFlashPlayer(IMG img)
+{
+	UINT32 loadOffset = IMG_LoadOffset(img);
+	UINT32 rdataRVA = 0;
+	UINT32 rdataSize = 0;
+
+	// Find where the .rdata section is
+	bool rdataFound = false;
+	for (SEC sec = IMG_SecHead(img); SEC_Valid(sec); sec = SEC_Next(sec))
+	{
+		if (SEC_Name(sec) == ".rdata")
+		{
+			rdataRVA = SEC_Address(sec) - loadOffset;
+			rdataSize = SEC_Size(sec);
+			rdataFound = true;
+			break;
+		}
+	}
+
+	// If no .rdata, this is not Flash Player
+	if (!rdataFound)
+	{
+		return false;
+	}
+
+	for (map<string,Config>::iterator it = m_supportedConfigs.begin(); it != m_supportedConfigs.end(); ++it)
+	{
+		Config* fc = &it->second;
+
+		// Make sure the address is within .rdata
+		if ((fc->versionStrRVA + fc->versionStr.length() + 1) > (rdataRVA + rdataSize) || (fc->versionStrRVA < rdataRVA))
+		{
+			continue;
+		}
+
+		if (!WINDOWS::IsBadReadPtr((const void*)(fc->versionStrRVA+loadOffset), fc->versionStr.length()+1))
+		{
+			if (strcmp(fc->versionStr.c_str(), (const char*)(fc->versionStrRVA+loadOffset)) == 0)
+			{
+				// Set load offset and IMG values now that we know those
+				fc->img = img;
+				fc->loadOffset = loadOffset;
+				fc->rdataRVA = rdataRVA;
+				fc->rdataSize = rdataSize;
+				m_currentConfig = fc;
+				
+				return true;
+			}
+		}
+	}
+
+	return false;
+}
+
+Config* FlashPlayerConfigBuilder::getConfig(void)
+{
+	return m_currentConfig;
+}

FlashPlayerConfigBuilder.h

@@ -0,0 +1,99 @@
+/*
+Copyright 2014 F-Secure
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include <map>
+
+#include "pin.H"
+
+namespace WINDOWS 
+{
+	#include <Windows.h>
+}
+
+typedef struct Config {
+	IMG img;
+	UINT32 loadOffset;
+	UINT32 rdataRVA;
+	UINT32 rdataSize;
+
+	UINT32 setInterpRVA;
+	UINT32 verifyOnCallRVA;
+
+	string versionStr;
+	UINT32 versionStrRVA;
+
+	UINT32 byteArrayVTableRVA;
+	UINT32 bufferOffsetInByteArray;
+	UINT32 dataOffsetInByteArrayBuffer;
+	UINT32 countOffsetInByteArrayBuffer;
+
+	UINT32 stringVTableRVA;
+	UINT32 stringLengthOffset;
+	UINT32 stringBufferOffset;
+	
+	UINT32 methodInfoOffsetInMethodEnv;
+
+	UINT32 invokerOffsetInMethodInfo;
+	UINT32 traitsOffsetInMethodInfo;
+	UINT32 poolOffsetInMethodInfo;
+	UINT32 abcInfoPosOffsetInMethodInfo;
+	UINT32 methodIdOffsetInMethodInfo;
+	UINT32 flagsOffsetInMethodInfo;
+	
+	UINT32 methodsOffsetInPoolObject;
+	UINT32 methodNameIndicesOffsetInPoolObject;
+
+	UINT32 initOffsetInTraits;
+	UINT32 traitsPosOffsetOffsetInTraits;
+	UINT32 posTypeOffsetInTraits;
+	UINT32 namespaceOffsetInTraits;
+	UINT32 nameOffsetInTraits;
+
+	UINT32 precompNamesOffsetInPoolObject;
+
+	UINT32 uriOffsetInNamespace;
+
+	UINT32 namespacesOffsetInNamespaceSet;
+
+	UINT32 multinameSize;
+	UINT32 precompNamesHeaderSize;
+
+	bool debugBuild;
+} Config;
+
+class FlashPlayerConfigBuilder
+{
+public:
+
+	static FlashPlayerConfigBuilder& instance()
+    {
+        static FlashPlayerConfigBuilder instance;
+        return instance;
+    }
+
+	bool isSupportedFlashPlayer(IMG img);
+	Config* getConfig(void);
+
+private:
+	FlashPlayerConfigBuilder(void);
+	FlashPlayerConfigBuilder(FlashPlayerConfigBuilder const&);
+	void operator=(FlashPlayerConfigBuilder const&);
+
+	map<string,Config> m_supportedConfigs;
+	Config* m_currentConfig;
+};

Logger.h

@@ -0,0 +1,45 @@
+/*
+Copyright 2014 F-Secure
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include <sstream>
+
+#include "pin.H"
+
+#define LOGF(...) Logger::LOGF(__VA_ARGS__)
+
+class Logger
+{
+public:
+	static void LOGF(char* fmt, ...)
+	{ 
+		va_list args;
+		va_start(args, fmt);
+
+		int len = vsnprintf(NULL, 0, fmt, args) + 1;
+		char* buf = (char*)malloc(len);
+		
+		vsnprintf(buf, len-1, fmt, args);
+		buf[len-1] = 0;
+		
+		LOG(buf);
+
+		free(buf);
+		va_end(args);
+	} ;
+};
+

README.md

@@ -0,0 +1,67 @@
+Sulo
+====
+
+Sulo is a dynamic instrumentation tool for Adobe Flash Player. It is built on [Pin](https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool).
+
+Supported Flash versions
+------------------------
+
+The following Flash Player builds are supported:
+
+* 10.3.181.23 standalone debug
+* 10.3.181.23 standalone non-debug
+* 10.3.181.23 ActiveX
+* 11.1.102.62 standadlone non-debug
+* 11.1.102.62 ActiveX
+
+You can add support for another Flash Player build by specifying some RVAs and offsets in `FlashPlayerConfigBuilder.cpp`.
+
+Limitations
+-----------
+
+Sulo supports ActionScript3 method calls only - AVM1 is not (yet) supported.
+
+Building
+--------
+
+The easiest way to build Sulo is to use the `sulo_vs2010.sln` solution file with Visual Studio 2010.
+
+1. Download [Intel Pin kit for Visual Studio 2010](http://software.intel.com/sites/landingpage/pintool/downloads/pin-2.13-65163-msvc10-windows.zip)
+2. Extract the ZIP
+3. Clone Sulo to `pin-2.13-65163-msvc10-windows\source\tools\Sulo`
+4. Open `sulo_vs2010.sln` and build the solution
+
+Plugins
+-------
+
+Sulo comes with three plugins:
+
+1. Call tracer - logs all ActionScript method calls, including arguments and return values
+2. Flash dumper - dumps Flash objects loaded with Loader.loadBytes() to disk
+3. SecureSWF - logs decrypted strings from secureSWF-protected files
+
+Creating your own plugin is easy: just inherit your class from `ISuloPlugin`, implement the virtual methods, and add the object to `m_plugins` in `SuloPluginManager::init()`.
+
+Instrumenting Flash Player with Sulo
+------------------------------------
+
+```
+pin.exe -t source\tools\sulo\Debug\sulo.dll -- "C:\path\to\Adobe\Flash\Player.exe"
+```
+
+Command-line options
+--------------------
+
+| Option | Default | Plugin | Explanation |
+|--------|---------|--------|--------------|
+|fast | false | General | Enables faster analysis by disabling call trace logging |
+|early_tracing | false | Call tracer | Start logging ActionScript method calls as early as possible (already before any calls from the actual Flash) |
+|tracefile | "calltrace.txt" | Call tracer | Filename for storing the call trace |
+|flash_dump_prefix | "dumped" | Flash dumper | Filename prefix for dumped Flash objects |
+|secureswf | "" | SecureSWF | Name of the string secureSWF decryption method |
+
+
+License
+-------
+
+[Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0)

main.cpp

@@ -0,0 +1,381 @@
+/*
+Copyright 2014 F-Secure
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "ASMethodInfo.h"
+#include "FlashPlayerConfigBuilder.h"
+#include "Logger.h"
+#include "SuloPluginManager.h"
+
+#include "pin.h"
+
+#include <iostream>
+#include <map>
+
+
+// Pin uses some base types that conflict with Windows types,
+// see: https://software.intel.com/sites/landingpage/pintool/docs/49306/Pin/html/index.html#namespace
+namespace WINDOWS
+{
+	#include <windows.h>
+}
+
+
+// Flash Player config: all RVAs, data structure offfsets, etc.
+static Config* config = NULL;
+
+// Map of addresses of methods that have been verified
+static map<ADDRINT,bool> verified;
+
+// Whether the return address should be instrumented
+static map<ADDRINT,ADDRINT> returnAddressToInstument;
+
+// Addresses that verified methods are known to return to
+static map<ADDRINT,bool> knownVerifiedMethodReturnAddress;
+
+// Whether to log the return value or not. The last item in the vector is the latest call, the first the oldest
+static map<ADDRINT,vector<bool>*> logReturnValue;
+
+// Fast mode uses these to store the return address that should be instrumented
+ADDRINT interestingReturnAddress = NULL;
+ADDRINT stackPtrInterestingReturnAddress = NULL;
+
+// These are used to help PIN inline some of the analysis call.
+// If the value is true, the method is *potential* for analyzing (i.e. can have false positives)
+#define PRIME (99991)
+static bool potentialVerifiedMethod[PRIME];
+static bool potentialVerifiedMethodReturnAddress[PRIME];
+
+
+// General commandline options
+KNOB<bool> KnobFast(KNOB_MODE_WRITEONCE, "pintool", "fast", "false", "Runs plugins but no call trace generation");
+
+// Commandline options for call tracer plugin
+KNOB<bool> KnobCallTracerEarlyTracing(KNOB_MODE_WRITEONCE, "pintool", "early_tracing", "false", "Start logging before actual Flash code runs?");
+KNOB<string> KnobCallTracerTraceFile(KNOB_MODE_WRITEONCE, "pintool", "tracefile", "calltrace.txt", "Call trace filename");
+	
+// Commandline options for Flash dumper plugin
+KNOB<string> KnobFlashDumperFilePrefix(KNOB_MODE_WRITEONCE, "pintool", "flash_dump_prefix", "dumped", "Filename prefix for dumped Flash objects");
+
+// Commandline options for SecureSWF plugin
+KNOB<string> KnobSecureSWFMethodName(KNOB_MODE_WRITEONCE, "pintool", "secureswf", "", "Name of the string decryption method");
+
+
+// Print help message
+INT32 Usage()
+{
+    cerr << "This Pintool instruments Adobe Flash Player and logs calls to all ActionScript methods." << endl << endl;
+    cerr << KNOB_BASE::StringKnobSummary() << endl;
+    return -1;
+}
+
+
+// Mark the JITed the interpreted method as verified so we know to instrument it
+VOID InterpretedMethodVerified(ADDRINT esi)
+{
+	UINT32* methodInfo = (UINT32*)esi;
+	ADDRINT addr = methodInfo[config->invokerOffsetInMethodInfo/sizeof(UINT32)];
+	verified[addr] = true;
+	potentialVerifiedMethod[addr%PRIME] = true;
+}
+
+
+// Mark the JITed method as verified so we know to instrument it
+VOID JITedMethodVerified(ADDRINT eax)
+{
+	// EAX holds the address of the method
+	verified[eax] = true;
+	potentialVerifiedMethod[eax%PRIME] = true;
+}
+
+
+// This can have false positives, i.e. call is actually not worth analyzing.
+// PIN can inline this code, resulting in better performance
+ADDRINT ShouldCallBeAnalyzed(UINT32* esp, ADDRINT ret_addr, ADDRINT dest)
+{	
+	return (potentialVerifiedMethod[dest%PRIME] + potentialVerifiedMethodReturnAddress[ret_addr%PRIME]);
+}
+
+
+VOID MethodCallAnalysisFast(UINT32* esp, ADDRINT ret_addr, ADDRINT dest)
+{
+	// Perform the necessary checks to filter out ShouldCallBeAnalyzed false positives
+	if (verified.find(dest) == verified.end() && knownVerifiedMethodReturnAddress.find(ret_addr) == knownVerifiedMethodReturnAddress.end())
+	{
+		return;
+	}
+
+	UINT32* methodEnv = (UINT32*)esp[0];
+	UINT32 argc = esp[1];
+	UINT32* argv = (UINT32*)esp[2];
+
+	UINT32* pMethodInfo = (UINT32*)methodEnv[config->methodInfoOffsetInMethodEnv/4];
+	ASMethodInfo* mi = ASMethodInfo::create(pMethodInfo);
+	string fullMethodName = mi->getMethodNameWithTraits();
+	
+	bool shouldLogReturnValue = SuloPluginManager::beforeMethodCall(mi, fullMethodName, argc, argv);
+	if (shouldLogReturnValue)
+	{
+		interestingReturnAddress = ret_addr;
+		stackPtrInterestingReturnAddress = (ADDRINT)esp;
+	}
+}
+
+
+VOID MethodCallAnalysis(UINT32* esp, ADDRINT ret_addr, ADDRINT dest)
+{
+	// Perform the necessary checks to filter out ShouldCallBeAnalyzed false positives
+	if (verified.find(dest) == verified.end() && knownVerifiedMethodReturnAddress.find(ret_addr) == knownVerifiedMethodReturnAddress.end())
+	{
+		return;
+	}
+
+	knownVerifiedMethodReturnAddress[ret_addr] = true;
+	potentialVerifiedMethodReturnAddress[ret_addr%PRIME] = true;
+
+	// This is not a call to verified method...
+	if (verified.find(dest) == verified.end())
+	{
+		// ...but we'e seen calls to verified methods from this same address earlier,
+		// so let's skip the return value
+		if (logReturnValue.find(ret_addr) != logReturnValue.end())
+		{
+			if (logReturnValue[ret_addr] == NULL)
+			{
+				logReturnValue[ret_addr] = new vector<bool>;
+			}
+			logReturnValue[ret_addr]->push_back(false);
+		}
+		return;
+	}
+
+	if (logReturnValue[ret_addr] == NULL)
+	{
+		logReturnValue[ret_addr] = new vector<bool>;
+	}
+	logReturnValue[ret_addr]->push_back(true);
+
+	UINT32* methodEnv = (UINT32*)esp[0];
+	UINT32 argc = esp[1];
+	UINT32* argv = (UINT32*)esp[2];
+
+	UINT32* pMethodInfo = (UINT32*)methodEnv[config->methodInfoOffsetInMethodEnv/4];
+
+	// Read/parse the full method name
+	ASMethodInfo* mi = ASMethodInfo::create(pMethodInfo);
+	string fullMethodName = mi->getMethodNameWithTraits();
+
+	SuloPluginManager::beforeMethodCall(mi, fullMethodName, argc, argv);
+}
+
+
+ADDRINT ShouldReturnAddressBeAnalyzedFast(ADDRINT ret_addr)
+{
+	// This is NULL if we are not interested in logging the return value
+	return interestingReturnAddress;
+}
+
+
+ADDRINT ShouldReturnAddressBeAnalyzed(ADDRINT ret_addr)
+{
+	if (logReturnValue.find(ret_addr) == logReturnValue.end())
+	{
+		return 0;
+	}
+	
+	if (logReturnValue[ret_addr] == NULL)
+	{
+		return 0;
+	}
+
+	if (logReturnValue[ret_addr]->size() == 0)
+	{
+		return 0;
+	}
+
+	return 1;
+}
+
+
+VOID ReturnValueAnalysisFast(ADDRINT ret_addr, UINT32 eax, ADDRINT esp)
+{
+	if (ret_addr != interestingReturnAddress || esp != stackPtrInterestingReturnAddress)
+	{
+		return;
+	}
+
+	interestingReturnAddress = NULL;
+	SuloPluginManager::afterMethodCall(eax);
+}
+
+
+VOID ReturnValueAnalysis(ADDRINT ret_addr, UINT32 eax, ADDRINT esp)
+{
+	bool log = logReturnValue[ret_addr]->back();
+
+	if (log)
+	{
+		SuloPluginManager::afterMethodCall(eax);
+	}
+	
+	logReturnValue[ret_addr]->pop_back();
+}
+
+
+
+// Pin calls this function before a code sequence is executed for the first time
+VOID TraceCalls(INS ins, VOID *v)
+{
+	// If we don't have a proper config, we cannot instrument anything
+	if (config == NULL)
+	{
+		return;
+	}
+
+	ADDRINT addr = INS_Address(ins);
+	IMG img = IMG_FindByAddress(addr);
+	
+	// We are interested only calls from the JITted code. That code is not part of any valid image
+	if (IMG_Valid(img) && img != config->img)
+	{
+		return;
+	}
+
+	// We don't know the origins of the calls (only the targets) so we need to instrument every call
+	if (INS_IsCall(ins))
+	{
+		bool ok = false;
+		
+		if (INS_RegRContain(ins, REG_EAX) || INS_RegRContain(ins, REG_EDX))
+		{
+			ok = true;
+		}
+		else if (INS_IsDirectCall(ins))
+		{
+			ADDRINT target_addr = INS_DirectBranchOrCallTargetAddress(ins);
+			IMG target_img = IMG_FindByAddress(target_addr);
+			if (!IMG_Valid(img) || img == config->img)
+			{
+				ok = true;
+			}
+		}
+
+		if (ok)
+		{
+			// Select which call analysis function to use depending on whether we are in fast mode
+			AFUNPTR analysisFunc = (AFUNPTR)MethodCallAnalysis;
+			if (KnobFast.Value())
+			{
+				analysisFunc = (AFUNPTR)MethodCallAnalysisFast;
+			}
+
+			ADDRINT ret_addr = INS_NextAddress(ins);
+			INS_InsertIfCall(ins, IPOINT_BEFORE, (AFUNPTR)ShouldCallBeAnalyzed, IARG_FUNCARG_CALLSITE_REFERENCE, 0, IARG_ADDRINT, ret_addr, IARG_BRANCH_TARGET_ADDR, IARG_END);
+			INS_InsertThenCall(ins, IPOINT_BEFORE, analysisFunc, IARG_FUNCARG_CALLSITE_REFERENCE, 0, IARG_ADDRINT, ret_addr, IARG_BRANCH_TARGET_ADDR, IARG_END);
+
+			returnAddressToInstument[ret_addr] = true;
+			return;
+		}
+	}
+
+	if (returnAddressToInstument.find(addr) != returnAddressToInstument.end())
+	{
+		// Select which call analysis function to use depending on whether we are in fast mode
+		AFUNPTR analysisFuncIf = (AFUNPTR)ShouldReturnAddressBeAnalyzed;
+		AFUNPTR analysisFuncThen = (AFUNPTR)ReturnValueAnalysis;
+		if (KnobFast.Value())
+		{
+			analysisFuncIf = (AFUNPTR)ShouldReturnAddressBeAnalyzedFast;
+			analysisFuncThen = (AFUNPTR)ReturnValueAnalysisFast;
+		}
+
+		INS_InsertIfCall(ins, IPOINT_BEFORE, analysisFuncIf, IARG_ADDRINT, addr, IARG_END);
+		INS_InsertThenCall(ins, IPOINT_BEFORE, analysisFuncThen, IARG_ADDRINT, addr, IARG_REG_VALUE, REG_EAX, IARG_FUNCARG_CALLSITE_REFERENCE, 0, IARG_END);
+		return;
+	}
+}
+
+
+// This routine is executed for each image
+VOID ImageLoad(IMG img, VOID *v)
+{
+	if (!FlashPlayerConfigBuilder::instance().isSupportedFlashPlayer(img))
+	{
+		return;
+	}
+	
+	LOGF("Found supported Flash Player image: %s (0x%x - 0x%x)\n", IMG_Name(img).c_str(), IMG_LowAddress(img), IMG_HighAddress(img));
+	config = FlashPlayerConfigBuilder::instance().getConfig();
+
+	// config->setInterpRVA needs to be chosen in such way that 
+	// the value of _invoker can be found from [ESI+config->invinvokerOffsetInMethodInfookerOffset]
+	RTN setInterp = RTN_CreateAt(config->loadOffset + config->setInterpRVA, "setInterp");
+			
+	// config->setInterpRVA needs to be chosen in such way that
+	// the value of _implGPR can be found from EAX
+	RTN verifyOnCall = RTN_CreateAt(config->loadOffset + config->verifyOnCallRVA, "verifyOnCall");
+			
+	if (setInterp == RTN_Invalid() || verifyOnCall == RTN_Invalid())
+	{
+		LOGF("Instrumenting Flash Player failed. Check setInterp and verifyOnCall RVAs in config.\n");
+		return;
+	}
+
+	RTN_Open(setInterp);
+	RTN_InsertCall(setInterp, IPOINT_BEFORE, (AFUNPTR)InterpretedMethodVerified, IARG_REG_VALUE, REG_ESI, IARG_END);
+	RTN_Close(setInterp);
+
+	RTN_Open(verifyOnCall);
+	RTN_InsertCall(verifyOnCall, IPOINT_AFTER, (AFUNPTR)JITedMethodVerified, IARG_REG_VALUE, REG_EAX, IARG_END);
+	RTN_Close(verifyOnCall);
+
+	// Register TraceCalls to be called to instrument instructions
+	INS_AddInstrumentFunction(TraceCalls, 0);
+}
+
+
+// This function is called when the instrumented application exits
+VOID Fini(INT32 code, VOID *v)
+{
+	SuloPluginManager::uninit();
+	LOGF("[END]\n");
+}
+
+
+int main(int argc, char* argv[])
+{
+	// This is needed for the RTN_* functions
+	PIN_InitSymbols();
+
+	// Initialize Pin
+    if (PIN_Init(argc,argv))
+    {
+        return Usage();
+    }
+
+	// Now that we have access to commandline parameters, initialize the plugins
+	SuloPluginManager::init();
+
+    // Register ImageLoad to be called when an image is loaded
+    IMG_AddInstrumentFunction(ImageLoad, 0);
+
+	// Register Fini to be called when the application exists
+	PIN_AddFiniFunction(Fini, 0);
+
+	// Start the program, never returns
+    PIN_StartProgram();
+    
+    return 0;
+}

plugins/CallTracerPlugin.cpp

@@ -0,0 +1,136 @@
+/*
+Copyright 2014 F-Secure
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "ASString.h"
+#include "ASMethodInfo.h"
+#include "CallTracerPlugin.h"
+#include "Logger.h"
+
+namespace WINDOWS
+{
+	#include <windows.h>
+}
+
+
+// Commandline options for call tracer plugin
+extern KNOB<bool> KnobCallTracerEarlyTracing;
+extern KNOB<string> KnobCallTracerTraceFile;
+
+
+CallTracerPlugin::CallTracerPlugin() :
+	m_traceLoggingEnabled(KnobCallTracerEarlyTracing.Value()),
+	m_callDepth(0)
+{
+	m_traceFile.open(KnobCallTracerTraceFile.Value().c_str());
+}
+
+
+CallTracerPlugin::~CallTracerPlugin()
+{
+	m_traceFile.close();
+}
+
+
+bool CallTracerPlugin::beforeMethodCall(ASMethodInfo* mi, string methodName, UINT32 argc, UINT32* argv)
+{
+	// Save this so we can check the return value type
+	m_mi = mi;
+
+	m_traceFile << format("\n%s%s ()\n", string(m_callDepth, '\t').c_str(), methodName.c_str());
+
+	// Is call trace logging (already) enabled?
+	if (m_traceLoggingEnabled)
+	{
+		m_traceFile << format("%sthis: 0x%x\n", string(m_callDepth+1, '\t').c_str(), argv[0]);
+		
+		// Get parameter types
+		const vector<string>* parameterTypes = mi->getParameterTypes();
+		string paramType;
+
+		// Print the actual arguments
+		for (UINT32 i=0; i < argc; i++)
+		{
+			if (i >= parameterTypes->size())
+			{
+				paramType = "null";
+			}
+			else
+			{
+				paramType = parameterTypes->at(i);
+			}
+
+			if (paramType == "String")
+			{
+				ASString* s = ASString::create((UINT32*)argv[i+1]);
+				if (s != NULL)
+				{
+					m_traceFile << format("%sarg %d: \"%s\"\n", string(m_callDepth+1, '\t').c_str(), i, s->getString().c_str());
+					continue;
+				}
+			}
+
+			m_traceFile << format("%sarg %d: 0x%x : %s\n", string(m_callDepth+1, '\t').c_str(), i, argv[i+1], paramType.c_str());
+		}
+	}
+	else if (!m_traceLoggingEnabled && methodName == "flash.display::Sprite/constructChildren")
+	{
+		// We can start logging from the next method call
+		m_traceLoggingEnabled = true;
+	}
+
+	m_callDepth++;
+	return false;
+}
+
+
+void CallTracerPlugin::afterMethodCall(UINT32 retVal)
+{
+	m_callDepth--;
+
+	string type = m_mi->getReturnValueType();
+
+	if (type == "String")
+	{
+		ASString* s = ASString::create((UINT32*)retVal);
+		if (s != NULL)
+		{
+			m_traceFile << format("%sReturned: \"%s\" (call depth: %d)\n", string(m_callDepth, '\t').c_str(), s->getString().c_str(), m_callDepth);
+			return;
+		}
+	}
+
+	m_traceFile << format("%sReturned: 0x%x : %s (call depth: %d)\n", string(m_callDepth, '\t').c_str(), retVal, type.c_str(), m_callDepth);
+}
+
+
+string CallTracerPlugin::format(char* fmt, ...)
+{
+	va_list args;
+	va_start(args, fmt);
+
+	int len = vsnprintf(NULL, 0, fmt, args) + 1;
+	char* buf = (char*)malloc(len);
+		
+	vsnprintf(buf, len-1, fmt, args);
+	buf[len-1] = 0;
+		
+	string s(buf);
+
+	free(buf);
+	va_end(args);
+
+	return s;
+}

plugins/CallTracerPlugin.h

@@ -0,0 +1,57 @@
+/*
+Copyright 2014 F-Secure
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include "ISuloPlugin.h"
+#include "pin.H"
+
+#include <fstream>
+#include <map>
+
+class ASMethodInfo;
+
+class CallTracerPlugin : public ISuloPlugin
+{
+public:
+	CallTracerPlugin();
+	~CallTracerPlugin();
+
+	bool beforeMethodCall(ASMethodInfo* mi, string methodName, UINT32 argc, UINT32* argv);
+	void afterMethodCall(UINT32 retVal);
+
+private:
+
+	string format(char* fmt, ...);
+
+	typedef struct CallEntry {
+		string name;
+		string params;
+		string retval;
+		vector<CallEntry*>* children;
+	} CallEntry;
+
+	// Log call trace to this stream
+	ofstream m_traceFile;
+
+	// This flag is used to prevent the logging of uninteresting method calls before the actual Flash file runs
+	bool m_traceLoggingEnabled;
+
+	ASMethodInfo* m_mi;
+	int m_callDepth;
+	map<int,vector<vector<CallEntry*>*>*> levelToList;
+};
+

plugins/FlashDumperPlugin.cpp

@@ -0,0 +1,80 @@
+/*
+Copyright 2014 F-Secure
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "FlashDumperPlugin.h"
+#include "ASByteArray.h"
+#include "Logger.h"
+
+#include <fstream>
+
+namespace WINDOWS
+{
+	#include <windows.h>
+}
+
+
+// Commandline options for Flash dumper plugin
+extern KNOB<string> KnobFlashDumperFilePrefix;
+
+
+FlashDumperPlugin::FlashDumperPlugin() :
+	m_filePrefix(KnobFlashDumperFilePrefix.Value()),
+	m_dumpedFlashCount(0)
+{
+}
+
+
+bool FlashDumperPlugin::beforeMethodCall(ASMethodInfo* mi, string methodName, UINT32 argc, UINT32* argv)
+{
+	if (methodName != "flash.display::Loader/loadBytes")
+	{
+		return false;
+	}
+
+	ASByteArray* ba = ASByteArray::create((UINT32*)argv[1]);
+	if (ba == NULL)
+	{
+		return false;
+	}
+
+	UINT8* data = ba->getData();
+	UINT32 nBytes = ba->getDataLength();
+
+	LOGF("Dumping flash from 0x%x, %d bytes\n", data, nBytes);
+
+	char filename[MAX_PATH+1];
+	_snprintf(filename, MAX_PATH, "%s_flash_%u.bin", m_filePrefix.c_str(), m_dumpedFlashCount);
+	m_dumpedFlashCount++;
+	//LOGF("Dumping flash to %s\n", filename);
+	ofstream flashFile(filename, ios::out | ios::binary);
+    flashFile.write((const char*)data, nBytes);
+	flashFile.close();
+
+	LOGF("Dumped flash to %s\n", filename);
+
+	return false;
+}
+
+
+void FlashDumperPlugin::afterMethodCall(UINT32 retVal)
+{
+	return;
+}
+
+
+void FlashDumperPlugin::dumpFlashToDisk(UINT8* data, UINT32 nBytes)
+{
+}

plugins/FlashDumperPlugin.h

@@ -0,0 +1,38 @@
+/*
+Copyright 2014 F-Secure
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include "ISuloPlugin.h"
+#include "pin.H"
+
+class FlashDumperPlugin : public ISuloPlugin
+{
+public:
+	FlashDumperPlugin();
+
+	bool beforeMethodCall(ASMethodInfo* mi, string methodName, UINT32 argc, UINT32* argv);
+	void afterMethodCall(UINT32 retVal);
+
+private:
+	void dumpFlashToDisk(UINT8* data, UINT32 nBytes);
+	
+	string m_filePrefix;
+
+	// Running count for numbering the dumped Flash files
+	int m_dumpedFlashCount;
+};
+

plugins/ISuloPlugin.h

@@ -0,0 +1,30 @@
+/*
+Copyright 2014 F-Secure
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include "pin.H"
+
+class ASMethodInfo;
+
+class ISuloPlugin
+{
+public:
+	virtual ~ISuloPlugin() {};
+	virtual bool beforeMethodCall(ASMethodInfo* mi, string methodName, UINT32 argc, UINT32* argv) = 0;
+	virtual void afterMethodCall(UINT32 retVal) = 0;
+};
+

plugins/SecureSWFPlugin.cpp

@@ -0,0 +1,88 @@
+/*
+Copyright 2014 F-Secure
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "SecureSWFPlugin.h"
+#include "ASMethodInfo.h"
+#include "ASString.h"
+#include "Logger.h"
+
+// General commandline options
+extern KNOB<bool> KnobFast;
+
+// Commandline options for call tracer plugin
+extern KNOB<string> KnobSecureSWFMethodName;
+
+SecureSWFPlugin::SecureSWFPlugin() :
+	m_methodName(KnobSecureSWFMethodName.Value()),
+	m_callDepth(0),
+	m_log(false),
+	m_fast(KnobFast.Value())
+{
+}
+
+
+bool SecureSWFPlugin::beforeMethodCall(ASMethodInfo* mi, string methodName, UINT32 argc, UINT32* argv)
+{
+	// We need to call depth information only in normal mode
+	if (!m_fast)
+	{
+		m_callDepth++;
+	}
+
+	if (methodName.find(m_methodName) != string::npos && argc == 1)
+	{
+		string returnValueType = mi->getReturnValueType();
+		if (returnValueType == "String")
+		{
+			// Store the ID of the encrypted string so we can print it when
+			// we get the decrypted string
+			m_stringId = (int)argv[1];
+			m_logRetValCallDepth = m_callDepth-1;
+			m_log = true;
+			return true;
+		}
+	}
+	return false;
+}
+
+
+void SecureSWFPlugin::afterMethodCall(UINT32 retVal)
+{
+	// We need to call depth information only in normal mode
+	if (!m_fast)
+	{
+		m_callDepth--;
+	}
+
+	if (!m_log)
+	{
+		return;
+	}
+
+	if (!m_fast && m_callDepth != m_logRetValCallDepth)
+	{
+		return;
+	}
+
+	m_log = false;
+
+	ASString* s = ASString::create((UINT32*)retVal);
+	if (s != NULL)
+	{
+		LOGF("[secureswf] String ID: %d, decrypted string: \"%s\"\n", m_stringId, s->getString().c_str());
+	}
+	return;
+}

plugins/SecureSWFPlugin.h

@@ -0,0 +1,40 @@
+/*
+Copyright 2014 F-Secure
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include "ISuloPlugin.h"
+#include "pin.H"
+
+class SecureSWFPlugin : public ISuloPlugin
+{
+public:
+	SecureSWFPlugin();
+
+	bool beforeMethodCall(ASMethodInfo* mi, string methodName, UINT32 argc, UINT32* argv);
+	void afterMethodCall(UINT32 retVal);
+
+private:
+	string m_methodName;
+	int m_callDepth;
+	int m_logRetValCallDepth;
+	bool m_log;
+	int m_stringId;
+
+	// The logic is slightly different in normal and fast mode
+	bool m_fast;
+};
+

plugins/SuloPluginManager.cpp

@@ -0,0 +1,77 @@
+/*
+Copyright 2014 F-Secure
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include "SuloPluginManager.h"
+#include "CallTracerPlugin.h"
+#include "FlashDumperPlugin.h"
+#include "SecureSWFPlugin.h"
+
+#include <iostream>
+
+extern KNOB<bool> KnobFast;
+extern KNOB<string> KnobSecureSWFMethodName;
+
+vector<ISuloPlugin*> SuloPluginManager::m_plugins;
+
+void SuloPluginManager::init(void)
+{
+	// Call tracer is disabled in fast mode
+	if (!KnobFast.Value())
+	{
+		m_plugins.push_back(new CallTracerPlugin());
+	}
+
+	if (!KnobSecureSWFMethodName.Value().empty())
+	{
+		m_plugins.push_back(new SecureSWFPlugin());
+	}
+
+	m_plugins.push_back(new FlashDumperPlugin());
+}
+
+
+bool SuloPluginManager::beforeMethodCall(ASMethodInfo* mi, string methodName, UINT32 argc, UINT32* argv)
+{
+	bool logReturnAddress = false;
+	for (std::vector<ISuloPlugin*>::iterator it = m_plugins.begin(); it != m_plugins.end(); ++it)
+	{
+		bool r = (*it)->beforeMethodCall(mi, methodName, argc, argv);
+		if (r)
+		{
+			logReturnAddress = true;
+		}
+	}
+
+	return logReturnAddress;
+}
+
+
+void SuloPluginManager::afterMethodCall(UINT32 retVal)
+{
+	for (std::vector<ISuloPlugin*>::iterator it = m_plugins.begin(); it != m_plugins.end(); ++it)
+	{
+		(*it)->afterMethodCall(retVal);
+	}
+}
+
+
+void SuloPluginManager::uninit(void)
+{
+	for (std::vector<ISuloPlugin*>::iterator it = m_plugins.begin(); it != m_plugins.end(); ++it)
+	{
+		delete *it;
+	}
+}

plugins/SuloPluginManager.h

@@ -0,0 +1,40 @@
+/*
+Copyright 2014 F-Secure
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#pragma once
+
+#include "ISuloPlugin.h"
+#include "pin.H"
+
+#include <vector>
+
+class ASMethodInfo;
+
+class SuloPluginManager
+{
+public:
+	static void init(void);
+	static bool beforeMethodCall(ASMethodInfo* mi, string methodName, UINT32 argc, UINT32* argv);
+	static void afterMethodCall(UINT32 retVal);
+	static void uninit(void);
+
+private:
+	SuloPluginManager();
+	SuloPluginManager(SuloPluginManager const&);
+	void operator=(SuloPluginManager const&);
+
+	static vector<ISuloPlugin*> m_plugins;
+};

sulo_VS2010.sln

@@ -0,0 +1,26 @@
+
+Microsoft Visual Studio Solution File, Format Version 11.00
+# Visual Studio 2010
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "sulo", "sulo_VS2010.vcxproj", "{639EF517-FCFC-408E-9500-71F0DC0458DB}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Debug|x64 = Debug|x64
+		Release|Win32 = Release|Win32
+		Release|x64 = Release|x64
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|Win32.ActiveCfg = Debug|Win32
+		{639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|Win32.Build.0 = Debug|Win32
+		{639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|x64.ActiveCfg = Debug|x64
+		{639EF517-FCFC-408E-9500-71F0DC0458DB}.Debug|x64.Build.0 = Debug|x64
+		{639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|Win32.ActiveCfg = Release|Win32
+		{639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|Win32.Build.0 = Release|Win32
+		{639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|x64.ActiveCfg = Release|x64
+		{639EF517-FCFC-408E-9500-71F0DC0458DB}.Release|x64.Build.0 = Release|x64
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal

sulo_VS2010.vcxproj

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <ClCompile Include="ASByteArray.cpp" />
+    <ClCompile Include="ASMethodInfo.cpp" />
+    <ClCompile Include="ASMultiname.cpp" />
+    <ClCompile Include="ASString.cpp" />
+    <ClCompile Include="main.cpp" />
+    <ClCompile Include="ASTraits.cpp" />
+    <ClCompile Include="plugins\CallTracerPlugin.cpp">
+      <Filter>plugins</Filter>
+    </ClCompile>
+    <ClCompile Include="plugins\FlashDumperPlugin.cpp">
+      <Filter>plugins</Filter>
+    </ClCompile>
+    <ClCompile Include="plugins\SuloPluginManager.cpp">
+      <Filter>plugins</Filter>
+    </ClCompile>
+    <ClCompile Include="FlashPlayerConfigBuilder.cpp" />
+    <ClCompile Include="plugins\SecureSWFPlugin.cpp">
+      <Filter>plugins</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="ASByteArray.h" />
+    <ClInclude Include="ASMethodInfo.h" />
+    <ClInclude Include="ASMultiname.h" />
+    <ClInclude Include="ASString.h" />
+    <ClInclude Include="ASTraits.h" />
+    <ClInclude Include="FlashPlayerConfigBuilder.h" />
+    <ClInclude Include="Logger.h" />
+    <ClInclude Include="plugins\CallTracerPlugin.h">
+      <Filter>plugins</Filter>
+    </ClInclude>
+    <ClInclude Include="plugins\FlashDumperPlugin.h">
+      <Filter>plugins</Filter>
+    </ClInclude>
+    <ClInclude Include="plugins\ISuloPlugin.h">
+      <Filter>plugins</Filter>
+    </ClInclude>
+    <ClInclude Include="plugins\SuloPluginManager.h">
+      <Filter>plugins</Filter>
+    </ClInclude>
+    <ClInclude Include="plugins\SecureSWFPlugin.h">
+      <Filter>plugins</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <Filter Include="plugins">
+      <UniqueIdentifier>{78ea4d96-4e7c-4593-a751-c6475609c35b}</UniqueIdentifier>
+    </Filter>
+  </ItemGroup>
+</Project>