Use Sulo to analyze Flash Exploit files

In this blog post, i have decided to blog about my experience in using Sulo for analyzing flash exploit. I have played with Sulo for quite sometime now extending it to newer version of flash and used it to analyze few flash exploit(s).

Though Timo has good documentation in the Sulo Github, still i have decided to paste few command(s) here. At least for me whatever in Github documentation is not quite clear.

All traces:
pin.exe -t source\tools\sulo\Debug\sulo.dll — “C:\path\to\Adobe\Flash\Player.exe”

Fast Mode: (no JITed function detailes printed)
pin.exe -t source\tools\sulo\Debug\sulo.dll -logfile “C:\pintool.log” -fast — “C:\path\to\Adobe\Flash\Player.exe”

Decrypt SecureSWF obfuscated strings:
pin.exe -t source\tools\sulo\Debug\sulo.dll -logfile “C:\pintool.log” -secureswf “functionname” — “C:\path\to\Adobe\Flash\Player.exe”

We need to use the Sulo with a Single-process IE browser. Pin has some issue
in injecting the Dll into the multi-process IE browser. In the newer version of IE,
you can disable the multi-process IE browser mode using this registry key.
      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN
      TabProcGrowth: DWORD(32-bit) to 0

By default, Sulo will work with few specific set of flash version(s). If you want to use Sulo with other/newer flash versions/builds then you need to add few configurations in the FlashPlayerConfigBuilder.cpp file. You need to dig into the flash binary and find those offsets. That is the first tedious process in using Sulo. Thanks to Timo, he provided offsets for few of the flash versions/builds. Trick is, you need to first use “Debug” flash binary to find the offsets and “map” it later to the “release” flash binary.

Once you loaded Sulo inside flash/IE, by default it will produce lot of logs/traces. Sometimes it grows upto 3GB. The second problem we need to tackle with Sulo is, flash player will stop processing the scripts after 60 seconds. We need to fix this in flash binary. Without that it is really hard to analyze any new flash exploits using Sulo because the amount of information Sulo emits is so large(because of heap spraying) and the flash player stop processing scripts after 60 seconds. For quick analysis of flash exploits, use “-fast” mode. With “-fast” mode, it will dump any second stage flash objects and continue executing until the end. You will not get any “traces” in the “-fast” mode.

Sulo has some interesting features to work with SecureSWF obfuscated flash files. SecureSWF uses a function to decrypt the strings inside flash. First we need to run Sulo without “-secureswf” option and find the decryption function manually and pass that function name to the “-secureswf” option in the later runs. Once we pass the right SecureSWF decryption function, Sulo will start outputting decrypted strings.

Sulo outputs only functions that are JIT’ed. Few of the basic operations of the ActionScript VM are not executed using JIT’ed functions. So during our analysis using Sulo, we may miss some interesting information’s.

Thanks to Timo for releasing such a wonderful tool.