Problem with decoding AMF
emlinhax opened this issue
So there is this ancient game called "woozworld" (woozworld.com).
I looked into their network traffic and saw that they use AMF to encode their packages. I have tried every decoder out there, but all of them are either deprecated or crash when trying to process the data I throw at them.
It might also be a modified version of AMF?
Testdata to see for yourself: https://workupload.com/file/A5fXs7t8MEt
Well, first off, you failed to explain what issue you're having with php-amf3 in particular.
Your testdata doesn't look like valid AMF3 right away. But being familiar with other formats, I recognized it as zlib-compressed. Take a look:
$ luarocks install lua-ezlib
$ luarocks install lua-amf3
$ lua -lezlib -e "io.write(ezlib.inflate(assert(io.open('testdata.bin')):read(999)))" | hexdump -C
00000000 00 20 36 66 33 38 64 37 33 39 32 37 34 35 64 63 |. 6f38d7392745dc|
00000010 39 36 33 65 62 64 64 31 38 35 36 37 30 33 36 30 |963ebdd185670360|
00000020 39 35 00 24 39 64 39 64 63 34 32 65 2d 61 33 66 |95.$9d9dc42e-a3f|
00000030 32 2d 34 35 34 33 2d 39 32 65 66 2d 35 39 32 62 |2-4543-92ef-592b|
00000040 34 31 36 32 66 38 64 34 00 24 63 63 36 63 39 36 |4162f8d4.$cc6c96|
00000050 35 64 2d 38 63 31 61 2d 34 64 62 35 2d 62 66 31 |5d-8c1a-4db5-bf1|
00000060 35 2d 34 31 65 34 34 36 32 33 33 37 65 61 00 0e |5-41e4462337ea..|
00000070 68 6f 6d 65 70 61 67 65 2e 6c 6f 67 69 6e 0a 0b |homepage.login..|
00000080 01 0b 65 6d 61 69 6c 06 27 61 73 64 73 61 64 61 |..email.'asdsada|
00000090 73 64 40 67 6d 61 69 6c 2e 63 6f 6d 11 70 61 73 |sd@gmail.com.pas|
000000a0 73 77 6f 72 64 06 0d 61 73 64 73 61 64 17 72 65 |sword..asdsad.re|
000000b0 6d 65 6d 62 65 72 5f 6d 65 06 01 01 |member_me...|
000000bc
Now, the beginning (prefix?) isn't AMF3 right out of the box. Four strings prefixed with their lengths (2 bytes, big-endian) are followed by an AMF3 Object (0x0a) at offset 0x007e:
$ lua -lezlib -lamf3 -e "for k,v in pairs(assert(amf3.decode(ezlib.inflate(assert(io.open('testdata.bin')):read(999)):sub(0x007e+1)))) do print(k,v) end"
password asdsad
remember_me
email asdsadasd@gmail.com
Hope this helps.
P.S. Obviously, you can run similar commands with PHP/php-amf3 instead of Lua.
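The framing described in the reply above (inflate, four length-prefixed strings, then an AMF3 object), as an added Python example that is not part of the original thread or of php-amf3/lua-amf3. It assumes a zlib container and decodes only the AMF3 subset this capture uses (an anonymous dynamic object with string members), rejecting string references and every other type; all function names are hypothetical.

```python
import struct
import zlib

def u29(buf, pos):  # AMF3 variable-length int: 7 bits per byte, 8 in the 4th
    n = 0
    for i in range(3):
        n = (n << 7) | (buf[pos + i] & 0x7F)
        if buf[pos + i] < 0x80:
            return n, pos + i + 1
    return (n << 8) | buf[pos + 3], pos + 4

def amf3_string(buf, pos):
    h, pos = u29(buf, pos)
    end = pos + (h >> 1)
    if not h & 1 or end > len(buf):  # low bit clear means a string-table reference
        raise ValueError("string reference or truncated string at %#x" % pos)
    return buf[pos:end].decode("utf-8"), end

def amf3_dynamic_object(buf, pos):  # only the shape this capture uses
    if buf[pos:pos + 3] != b"\x0a\x0b\x01":  # object, dynamic traits, class name ""
        raise ValueError("unsupported AMF3 value at %#x" % pos)
    obj = {}
    key, pos = amf3_string(buf, pos + 3)
    while key:  # an empty key ends the dynamic member list
        if buf[pos] != 0x06:
            raise ValueError("unsupported member type %#x" % buf[pos])
        obj[key], pos = amf3_string(buf, pos + 1)
        key, pos = amf3_string(buf, pos)
    return obj

def decode_frame(wire, count=4):
    raw = zlib.decompress(wire)  # assumption: zlib container
    pos, prefix = 0, []
    for _ in range(count):  # strings preceded by a 2-byte big-endian length
        end = pos + 2 + struct.unpack_from(">H", raw, pos)[0]
        if end > len(raw):
            raise ValueError("length prefix runs past end of buffer")
        prefix.append(raw[pos + 2:end].decode("ascii"))
        pos = end
    return prefix, pos, amf3_dynamic_object(raw, pos)

# Constructed sample: the inflated bytes from the hexdump above, re-compressed here.
PREFIX = ["6f38d7392745dc963ebdd18567036095",
          "9d9dc42e-a3f2-4543-92ef-592b4162f8d4",
          "cc6c965d-8c1a-4db5-bf15-41e4462337ea", "homepage.login"]
BODY = (b"\x0a\x0b\x01\x0bemail\x06\x27asdsadasd@gmail.com"
        b"\x11password\x06\x0dasdsad\x17remember_me\x06\x01\x01")
SAMPLE = zlib.compress(
    b"".join(struct.pack(">H", len(s)) + s.encode() for s in PREFIX) + BODY)
```

`decode_frame(SAMPLE)` returns the four prefix strings, the offset 0x7e where the AMF3 object starts, and the decoded login fields.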
This is a huge help for me. Thanks a lot.
The four strings you mentioned are UUIDs (I don't know what they are used for, probably identification).
Also, do you have Discord? I still have some questions and I would like to talk to you directly.
You can always contact me via email. Closing...