neoxic / php-amf3

PHP AMF3 extension

Problem with decoding AMF

emlinhax opened this issue · comments

commented

So there is this ancient game called "woozworld" (woozworld.com).
I looked into their network traffic and saw that they use AMF to encode their packages. I have tried every decoder out there, but all of them are either deprecated or crash when trying to process the data I throw at them.
It might also be a modified version of AMF?

Testdata to see for yourself: https://workupload.com/file/A5fXs7t8MEt

Well, first off, you failed to explain what issue you're having with php-amf3 in particular.

Your testdata doesn't look like a valid AMF3 right away. But being familiar with other formats, I recognized it as zlib-compressed. Take a look:

$ luarocks install lua-ezlib
$ luarocks install lua-amf3
$ lua -lezlib -e "io.write(ezlib.inflate(assert(io.open('testdata.bin')):read(999)))" | hexdump -C
00000000  00 20 36 66 33 38 64 37  33 39 32 37 34 35 64 63  |. 6f38d7392745dc|
00000010  39 36 33 65 62 64 64 31  38 35 36 37 30 33 36 30  |963ebdd185670360|
00000020  39 35 00 24 39 64 39 64  63 34 32 65 2d 61 33 66  |95.$9d9dc42e-a3f|
00000030  32 2d 34 35 34 33 2d 39  32 65 66 2d 35 39 32 62  |2-4543-92ef-592b|
00000040  34 31 36 32 66 38 64 34  00 24 63 63 36 63 39 36  |4162f8d4.$cc6c96|
00000050  35 64 2d 38 63 31 61 2d  34 64 62 35 2d 62 66 31  |5d-8c1a-4db5-bf1|
00000060  35 2d 34 31 65 34 34 36  32 33 33 37 65 61 00 0e  |5-41e4462337ea..|
00000070  68 6f 6d 65 70 61 67 65  2e 6c 6f 67 69 6e 0a 0b  |homepage.login..|
00000080  01 0b 65 6d 61 69 6c 06  27 61 73 64 73 61 64 61  |..email.'asdsada|
00000090  73 64 40 67 6d 61 69 6c  2e 63 6f 6d 11 70 61 73  |sd@gmail.com.pas|
000000a0  73 77 6f 72 64 06 0d 61  73 64 73 61 64 17 72 65  |sword..asdsad.re|
000000b0  6d 65 6d 62 65 72 5f 6d  65 06 01 01              |member_me...|
000000bc

Now, the beginning (prefix?) isn't AMF3 right out of the box. Four strings prefixed with their lengths (2 bytes, big-endian) are followed by an AMF3 Object (0x0a) at offset 0x007e:

$ lua -lezlib -lamf3 -e "for k,v in pairs(assert(amf3.decode(ezlib.inflate(assert(io.open('testdata.bin')):read(999)):sub(0x007e+1)))) do print(k,v) end"
password	asdsad
remember_me
email	asdsadasd@gmail.com

Hope this helps. 🙂

P.S. Obviously, you can run similar commands with PHP/php-amf3 instead of Lua.
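The framing described in the reply above (zlib stream, four strings with 2-byte big-endian length prefixes, then an AMF3 Object marker 0x0a) can be split with explicit bounds checks before the body is handed to an AMF3 decoder. This is an added example in Python, not part of the original thread and not php-amf3 or lua-amf3 code; the function names, the 1 MiB inflate cap and the assumption that every packet carries exactly four prefix strings are assumptions, and the sample packet is constructed from the hexdump shown above.

```python
import struct
import zlib

MAX_INFLATED = 1 << 20   # assumed cap so an oversized stream cannot exhaust memory
AMF3_OBJECT = 0x0A       # AMF3 Object marker, as seen at offset 0x7e in the dump

def inflate(packet: bytes, limit: int = MAX_INFLATED) -> bytes:
    """Inflate a zlib stream, refusing output larger than `limit` bytes."""
    d = zlib.decompressobj()
    out = d.decompress(packet, limit + 1)
    if len(out) > limit:
        raise ValueError("inflated payload exceeds limit")
    if not d.eof:
        raise ValueError("truncated zlib stream")
    return out

def split_frame(payload: bytes, n_strings: int = 4):
    """Return (prefix_strings, amf3_offset, amf3_body) from an inflated payload."""
    pos, strings = 0, []
    for _ in range(n_strings):
        if pos + 2 > len(payload):
            raise ValueError("truncated length field")
        (n,) = struct.unpack_from(">H", payload, pos)   # 2 bytes, big-endian
        pos += 2
        if pos + n > len(payload):
            raise ValueError("string length runs past end of payload")
        strings.append(payload[pos:pos + n].decode("utf-8"))
        pos += n
    if pos >= len(payload) or payload[pos] != AMF3_OBJECT:
        raise ValueError("no AMF3 Object marker after the prefix")
    return strings, pos, payload[pos:]

def sample_packet() -> bytes:
    """Constructed sample: rebuilds the inflated bytes from the hexdump, then deflates."""
    prefix = [b"6f38d7392745dc963ebdd18567036095",
              b"9d9dc42e-a3f2-4543-92ef-592b4162f8d4",
              b"cc6c965d-8c1a-4db5-bf15-41e4462337ea",
              b"homepage.login"]
    body = (b"\x0a\x0b\x01\x0bemail\x06\x27asdsadasd@gmail.com"
            b"\x11password\x06\x0dasdsad\x17remember_me\x06\x01\x01")
    framed = b"".join(struct.pack(">H", len(s)) + s for s in prefix) + body
    return zlib.compress(framed)

if __name__ == "__main__":
    strings, offset, body = split_frame(inflate(sample_packet()))
    print(strings, hex(offset), len(body))
```

The returned body is what an AMF3 decoder would receive, equivalent to the `:sub(0x007e+1)` slice in the Lua one-liner.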

commented

This is a huge help for me. Thanks a lot. 👌
The four strings you mentioned are UUIDs (I don't know what they are used for, probably identification).
Also, do you have Discord? I still have some questions and I would like to talk to you directly 😊

You can always contact me via email. Closing...