Use Sulo to analyze Flash Exploit files

In this blog post I have decided to write about my experience using Sulo to analyze Flash exploits. I have played with Sulo for quite some time now, extending it to newer versions of Flash, and have used it to analyze a few Flash exploits.

Though Timo has good documentation in the Sulo GitHub repository, I have decided to paste a few commands here, because at least for me the GitHub documentation is not quite clear.

All traces:
pin.exe -t source\tools\sulo\Debug\sulo.dll -- "C:\path\to\Adobe\Flash\Player.exe"

Fast mode (no JITed function details printed):
pin.exe -t source\tools\sulo\Debug\sulo.dll -logfile "C:\pintool.log" -fast -- "C:\path\to\Adobe\Flash\Player.exe"

Decrypt SecureSWF obfuscated strings:
pin.exe -t source\tools\sulo\Debug\sulo.dll -logfile "C:\pintool.log" -secureswf "functionname" -- "C:\path\to\Adobe\Flash\Player.exe"

We need to use Sulo with a single-process IE browser, because Pin has problems injecting its DLL into the multi-process IE browser. In newer versions of IE, you can disable multi-process mode with this registry value:
      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN
      TabProcGrowth: DWORD(32-bit) set to 0

By default, Sulo works with a few specific Flash versions. If you want to use Sulo with other or newer Flash versions/builds, you need to add a few configurations to the FlashPlayerConfigBuilder.cpp file, which means digging into the Flash binary to find those offsets. That is the first tedious step in using Sulo. Thanks to Timo, offsets are already provided for a few Flash versions/builds. The trick is to first use the "Debug" Flash binary to find the offsets and then map them to the "release" Flash binary.
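As an added example of that first tedious step (it is not code from this post or from Sulo itself), the script below locates a Flash-style version string inside a PE image and converts its file offset into an RVA, the form in which FlashPlayerConfigBuilder.cpp entries such as versionStrRVA (named in the comments below) are expressed. It assumes the version string has the "WIN major,minor,build,revision" shape that Capabilities.version reports, and, instead of a real Flash binary, builds a constructed minimal PE as sample input.

```python
import re
import struct

# Constructed sample input: a minimal 32-bit PE with one ".rdata" section at
# file offset 0x200 mapped to RVA 0x1000. It is not a real Flash Player binary;
# it only exercises the file-offset -> RVA mapping below.
def build_sample_pe(payload: bytes) -> bytes:
    raw_off, raw_size, vaddr = 0x200, 0x200, 0x1000
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt_hdr = bytearray(0xE0)
    opt_hdr[0:2] = struct.pack("<H", 0x10B)            # PE32 magic
    sect = struct.pack("<8sIIIIIIHHI", b".rdata\x00\x00", raw_size, vaddr,
                       raw_size, raw_off, 0, 0, 0, 0, 0x40000040)
    hdr = bytes(dos) + b"PE\x00\x00" + file_hdr + bytes(opt_hdr) + sect
    return hdr.ljust(raw_off, b"\x00") + payload.ljust(raw_size, b"\x00")

def parse_sections(data: bytes):
    """Return (name, virtual_address, raw_pointer, raw_size) per section."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    sec_off = pe_off + 24 + opt_size                   # first IMAGE_SECTION_HEADER
    out = []
    for i in range(nsec):
        name, _vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        out.append((name.rstrip(b"\x00").decode(), va, rptr, rsize))
    return out

def file_offset_to_rva(sections, off: int):
    """Map a raw file offset to an RVA via the section table; None if unmapped."""
    for _name, va, rptr, rsize in sections:
        if rptr <= off < rptr + rsize:
            return va + (off - rptr)
    return None

# Assumption: the embedded version string has the "WIN major,minor,build,revision"
# shape that Flash's Capabilities.version reports.
VERSION_RE = re.compile(rb"WIN \d+,\d+,\d+,\d+")

def find_version_string_rvas(data: bytes):
    """Return [(version_string, rva)] for every version-like string in the image."""
    sections = parse_sections(data)
    return [(m.group(0).decode(), file_offset_to_rva(sections, m.start()))
            for m in VERSION_RE.finditer(data)]
```

To run it against a real binary, read the file into `data` and call `find_version_string_rvas(data)`; the returned RVA is what a config entry would record.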

Once Sulo is loaded inside Flash/IE, by default it produces a lot of logs/traces; sometimes the log grows to 3GB. The second problem to tackle with Sulo is that Flash Player stops processing scripts after 60 seconds, and we need to fix this in the Flash binary. Without that fix it is really hard to analyze any new Flash exploit with Sulo, because the amount of information Sulo emits is so large (due to heap spraying) and the player stops processing scripts after 60 seconds. For quick analysis of Flash exploits, use "-fast" mode: it dumps any second-stage Flash objects and continues executing until the end, but you will not get any "traces" in "-fast" mode.

Sulo has some interesting features for working with SecureSWF-obfuscated Flash files. SecureSWF uses a function to decrypt the strings inside the Flash file. First run Sulo without the "-secureswf" option, find the decryption function manually, and then pass that function name to the "-secureswf" option in later runs. Once the right SecureSWF decryption function is passed, Sulo starts outputting the decrypted strings.

Sulo outputs only functions that are JIT'ed. A few of the basic operations of the ActionScript VM are not executed via JIT'ed functions, so during analysis with Sulo we may miss some interesting information.

Thanks to Timo for releasing such a wonderful tool.


8 Responses to Use Sulo to analyze Flash Exploit files

  1. Aaron says:

    Hi, could you share some configurations for the modern version of the Flash Player? (e.g. > 11.6 ActiveX non-debug 32-bit). Thanks a lot!

  2. Pingback: Defeat initial packers used in flash exploits using Sulo | Source Code Auditing, Reversing, Web Security

    • DBinEx says:

      I want to use Sulo in the newer Flash Player. Can you show in more detail how to find "versionStrRVA", "setInterpRVA", "verifyOnCallRVA" and "byteArrayVTableRVA" in the FlashPlayerConfigBuilder.cpp file?
      The "Debug" Flash binary, do you mean the debugger version of the Flash Player?
      Thanks a lot!

    • DBinEx says:

      Sorry for the long time with no reply… I'm targeting the version
      Can you help me… thanks!

  3. Sangwon Kim says:

    Hi, this post is really helpful to me 🙂
    While testing Sulo, I have two questions.
    1. How do I find the decryption function name in a Sulo execution log of a SecureSWF-obfuscated SWF? Could you give me an example of this? I have a malicious sample (obfuscated by SecureSWF), so if you want to investigate this sample, let me know.
    2. How do I execute flash.exe with the IE browser? After installing the Flash ActiveX, I couldn't find a flashplayer.exe file in the C:\Windows\System32\Macromed\Flash directory. Would you let me know the command line for executing Sulo with the IE browser?

    Thanks a lot!
