

There’s even an Analyze feature used to obtain a report of vulnerabilities in the application. In addition, its UI is very intuitive; there’s even a tab to display the discovered URLs. Here is my original code: // Display read-only status information private function onNetStatus(event:NetStatusEvent):void mxml source code, these are missing from the SWFScan source.

1st thing to do, removed unused variables from my code! The look and feel is very similar to Microsoft’s Application Verifier tool, a tool used to verify SDL compliance in unmanaged applications.

First thing I noticed, I had unused strings, which the compiler stripped out of the final app. Installation was simple (6MB MSI), then you simply add the path to the SWF in the GUI and hit the “Get” button. This was no surprise given the recent version of the SuperGroove application, and the dated Flare tool version. FLR file produced by Flare was some 31 lines of nothing.

– ActionScript III (Flash 9) isn’t supported.

– No images, sounds or text are extracted - ActionScript only. Installation was simple (100K EXE), then it is just a matter of right clicking the SWF file and selecting “Decompile”. Note, my SuperGroove Flash application was built with the latest Adobe Flash Builder 4 compiler, (Flex 4.1 SDK), and requires Flash 10.1 at a minimum in the client’s browser.

All tests were run on a x64 Vista PC. I downloaded the SWF and ran each of the tools on it. The application used is a real world Flash Application for which I have the original code.

Although SuperGroove is in its alpha stage of development, now is as good a time as any to use these tools in order to determine:

1- Which of them works best for pen testers.

2- And the tools may provide some insight as to possible issues in my Flash code, which I should fix. This article compares three popular Flash decompilers.
