SWF AS3 string replacing

AS3 constant string is be defined by Constant Pool that is at the head of the ABC binary.
so I think string replacing is easy, and I implemented it powered by PHP.
IO_SWF,  IO_Bit is not used this time.

Program

•  https://github.com/yoya/flashswf
•  https://github.com/yoya/flashswf/blob/master/swfas3strreplace.php
•   ^ Please use it with flashswf.php and as3abc.php in same directory. 

Process

• SWF => SWFHeader(8byte) + SWFMovieHeader + SWFMovie
•  If sig = CWS then zlib uncompress SWFMovie
• SWFMovie => TAG & TAG + ...
• TAG (DoABC) => TagHeader + flag(4byte) + name(string) + ABC
• ABC => version(4 byte) + intList + uintList + doubleList + stringList + etc.
• stringList => strlen(u30) + string(strlen byte) + strlen ...

• replace string!

• overwrite each length field by re-calculated value.

• contatinate all data.

u30 type

ABC primitive type u30 has little complex data structure.

• 0 ～ 2^7-1 => (1byte) 0XXXXXXX
• 2^7 ～ 2^(7+7)-1 => (2byte) 1XXXXXXX 0XXXXXXXX
• 2^(7+7) ～ 2^(7+7+7)-1 => (3byte) 1XXXXXXX 1XXXXXXX 0XXXXXXX
• ...

With MSB as extended bit, variable length field is expressed. (UTF-8 like format)

Usage

You can replace AS3 string by swfas3strreplace.php

yoya@sakura:~/git/flashswf$ php swfas3strreplace.php
Usage: swfas3strreplace.php <swf> # listing
Usage: swfas3strreplace.php <swf> <from> <to> [<from2> <to2> [...]]

 The list of the AS3 character string can be acquired by passing only SWF.

yoya@sakura:~/git/flashswf$ php swfas3strreplace.php topbg.swf
string_count: 34
[0]: (null string)
[1]: madoka_fla
[2]: OP_1
[3]: flash.display
[4]: MovieClip
[5]: madoka_fla:OP_1
[6]:
[7]: mami
[8]: hmhm
[9]: anko
[10]: syk
＜略＞

 Suitable character string (hmhm) to be listing is suitably rewritten.

yoya@sakura:~/git/flashswf$ php swfas3strreplace.php topbg.swf hmhm yoyayoya  > output.swf

 Result

yoya@sakura:~/git/flashswf$ php swfas3strreplace.php output.swf | grep -C 1 yoya
[7]: mami
[8]: yoyayoya
[9]: anko

Reference

You can see strings of Constant Pool also wish swfmill.

• http://swfmill.org/

yoya@sakura:~/git/flashswf$ swfmill swf2xml topbg.swf | grep -A 42 "<DoABCDefine"
      <DoABCDefine flags="1" name="">
        <actions>
          <Action3 minorVersion="16" majorVersion="46">
            <constants>
              <Constants>
                <ints/>
                <uints/>
                <doubles/>
                <strings>
                  <String2 value="madoka_fla"/>
                  <String2 value="OP_1"/>
                  <String2 value="flash.display"/>
                  <String2 value="MovieClip"/>
                  <String2 value="madoka_fla:OP_1"/>
                  <String2 value=""/>
< omit ...>