Using Sulo it is quite easy to defeat the initial packers used in the recent Flash exploits. All we need is to set up one VM environment as I described in my previous blog post and on the Sulo GitHub page. Once the environment is set up, it is just a matter of drag & drop. We don't need to worry about the technique(s) used in the packers. By "packer" I mean that most of the SWF exploits use Loader.loadBytes() to load the decrypted/decoded second-stage SWF exploit file.
For example, I am going to show you how to dump the second-stage Flash exploit file using the sample (f5458eb4b0d7c18519bbf5fd92437485bff31f9abc6870beb4e8dc327cd24192).
The initial SWF file decrypts/decodes a second-stage SWF file (the original exploit) and loads it using Loader.loadBytes(), as shown in this picture. Doing this by hand would take a few hours, but with Sulo it is quite easy.
We need to start Sulo in "-fast" mode and drag & drop the Flash file into IE. Within a few seconds you will get the second stage.
Once you have allowed IE to load the initial Flash file, Sulo will dump the second-stage Flash file to the desktop. You can start analyzing the second-stage Flash file without worrying about the packer. Most interestingly, you can use any version of Flash that Sulo supports.
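Once Sulo has written the second-stage file to the desktop, the first thing worth checking is that the dump is a complete, well-formed SWF before spending time in a decompiler. The Python below is an added example, not code from Sulo or from the original post: it validates the FWS/CWS signature and the declared length, rewrites a zlib-compressed dump as plain FWS for static tools, and lists the top-level tags so you can see whether the file carries DoABC bytecode next to a DefineBinaryData blob, the usual layout of a Loader.loadBytes() packer. The sample SWF it parses is constructed inline; the tag codes come from the SWF file format specification, and the `looks_packed` flag is a triage heuristic assumed here, not something the post states. LZMA (ZWS) dumps are deliberately left out.

```python
"""Triage a dumped second-stage SWF: validate the header, inflate CWS to FWS,
and list the top-level tags to see where ABC bytecode and embedded payloads sit.
Added example; the sample file below is constructed, not a real exploit."""
import struct
import zlib

# Tag codes from the SWF file format specification that matter for packer triage
TAG_NAMES = {0: "End", 69: "FileAttributes", 82: "DoABC", 87: "DefineBinaryData"}


def _bits(data: bytes, bit_offset: int, count: int) -> int:
    """Read `count` bits MSB-first starting at `bit_offset` (the SWF RECT is bit-packed)."""
    value = 0
    for i in range(count):
        pos = bit_offset + i
        value = (value << 1) | ((data[pos // 8] >> (7 - pos % 8)) & 1)
    return value


def _unpack(blob: bytes):
    """Return (signature, version, declared_length, uncompressed body) or raise."""
    if len(blob) < 8:
        raise ValueError("too short to be a SWF")
    sig, version, declared_len = blob[:3], blob[3], struct.unpack("<I", blob[4:8])[0]
    if sig == b"FWS":
        body = blob[8:]
    elif sig == b"CWS":
        body = zlib.decompress(blob[8:])
    elif sig == b"ZWS":
        raise NotImplementedError("LZMA-compressed SWF is not handled by this example")
    else:
        raise ValueError(f"not a SWF: signature {sig!r}")
    # The header length field covers the 8-byte header plus the *uncompressed* body,
    # so a mismatch usually means a truncated or mis-carved dump.
    if declared_len != 8 + len(body):
        raise ValueError(f"length mismatch: header says {declared_len}, file has {8 + len(body)}")
    return sig.decode(), version, declared_len, body


def to_uncompressed(blob: bytes) -> bytes:
    """Rewrite a CWS dump as plain FWS so static tools without zlib support can read it."""
    _, version, declared_len, body = _unpack(blob)
    return b"FWS" + bytes([version]) + struct.pack("<I", declared_len) + body


def parse_swf(blob: bytes) -> dict:
    """Header summary plus a (code, name, length) list of the top-level tags."""
    sig, version, declared_len, body = _unpack(blob)
    nbits = _bits(body, 0, 5)
    xmin, xmax, ymin, ymax = (_bits(body, 5 + i * nbits, nbits) for i in range(4))
    pos = (5 + 4 * nbits + 7) // 8                       # RECT is padded to a byte boundary
    frame_rate = struct.unpack("<H", body[pos:pos + 2])[0] / 256.0   # 8.8 fixed point
    frame_count = struct.unpack("<H", body[pos + 2:pos + 4])[0]
    pos += 4
    tags = []
    while pos + 2 <= len(body):
        header = struct.unpack("<H", body[pos:pos + 2])[0]
        code, length = header >> 6, header & 0x3F
        pos += 2
        if length == 0x3F:                               # long form: UI32 length follows
            length = struct.unpack("<I", body[pos:pos + 4])[0]
            pos += 4
        tags.append((code, TAG_NAMES.get(code, f"tag{code}"), length))
        pos += length
        if code == 0:
            break
    return {
        "signature": sig,
        "version": version,
        "declared_length": declared_len,
        "stage_px": ((xmax - xmin) // 20, (ymax - ymin) // 20),   # twips -> pixels
        "frame_rate": frame_rate,
        "frame_count": frame_count,
        "tags": tags,
        # Assumed heuristic: ABC bytecode beside an opaque binary blob is the usual
        # layout of a loadBytes() packer (the blob is what the first stage decodes).
        "looks_packed": any(t[0] == 82 for t in tags) and any(t[0] == 87 for t in tags),
    }


def _rect(xmin, xmax, ymin, ymax, nbits=15) -> bytes:
    """Bit-pack a SWF RECT (5-bit field width, then four fields), padded to bytes."""
    bits = f"{nbits:05b}" + "".join(f"{v:0{nbits}b}" for v in (xmin, xmax, ymin, ymax))
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def _tag(code: int, payload: bytes) -> bytes:
    """Short tag header when the payload is under 63 bytes, long form otherwise."""
    if len(payload) < 0x3F:
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload


def build_sample_cws() -> bytes:
    """Constructed sample: zlib-compressed SWF with a binary blob and a DoABC tag."""
    body = _rect(0, 11000, 0, 8000)                      # 550x400 px stage, in twips
    body += struct.pack("<HH", 24 << 8, 1)               # 24 fps (8.8 fixed), 1 frame
    body += _tag(69, b"\x08\x00\x00\x00")                # FileAttributes: ActionScript3 bit
    body += _tag(87, struct.pack("<HI", 1, 0) + b"\x00" * 80)   # DefineBinaryData stand-in
    body += _tag(82, b"\x00\x00\x00\x00" + b"pack\x00" + b"\x10\x00\x2e\x00")  # DoABC stand-in
    body += _tag(0, b"")
    return b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)


if __name__ == "__main__":
    info = parse_swf(build_sample_cws())
    print(f"{info['signature']} v{info['version']}, stage {info['stage_px']} px, "
          f"{info['frame_count']} frame(s) @ {info['frame_rate']} fps, packed={info['looks_packed']}")
    for code, name, length in info["tags"]:
        print(f"  {name:18s} code={code:<3d} len={length}")
```

Run it against a real dump with `parse_swf(open(path, "rb").read())`; a `ValueError` on the length field is the quickest sign that the dump was cut short or that more than one SWF was written into the same file.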