SWF Signature Format Specification & Recovery Example


Adobe Shockwave (formerly Macromedia) Flash SWF files start with the signature FWS (characters 'F','W','S' or bytes 0x46, 0x57, 0x53) if uncompressed, or with the signature CWS (characters 'C','W','S' or bytes 0x43, 0x57, 0x53) if compressed. If an Adobe Flash file is compressed, the entire file after the first 8 bytes is compressed using the open standard ZLIB. The file version is one byte at offset 3. The file size is stored at offset 4: 4 bytes in little-endian order (lowest byte first).

Let's examine the example

Inspecting the binary data of example.swf in any hex viewer, such as Active@ Disk Editor, we can see that it starts with the signature FWS (hex: 46 57 53), which means the file is not compressed. The version check confirms that it is a valid SWF archive, version 8 (1 byte at offset 3: 0x08). The file size is 76 bytes (4 bytes at offset 4, hex: 4C 00 00 00). Thus, reading 76 consecutive bytes starting from the position of the detected FWS header gives us all of the SWF file's data.

SWF Signature inspection

More info:

The SWF file header:

offset  size  description
0       3     signature, must be 46, 57, 53 hex ("FWS") for uncompressed, or 43, 57, 53 hex ("CWS") for compressed data
3       1     version of the SWF Adobe Flash file
4       4     size of the SWF file in bytes (little-endian order)

Active@ File Recovery Custom Scripting Example

This example performs some validation of the SWF header's parameters beyond simple file size extraction.
The syntax of the signature definition language is described here.

[SWF_HEADER]
DESCRIPTION=Adobe Flash SWF
EXTENSION=swf
BEGIN=SWF_BEGIN
SCRIPT=SWF_SCRIPT

[SWF_BEGIN]
FWS=0|0

[SWF_SCRIPT]
	data = read(byte, 3)
	if (data >= 10h) goto exit
	size = read(dword, 4)
	if (size > 8) goto exit
	size = 0
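
The same header checks carried over to a stand-alone carver, as an added Python example (not Active@ code and not from the original page). It goes beyond the script above by also handling CWS files, where the size field holds the length after decompression, so the on-disk length is found by inflating the ZLIB stream; the function names and the sample image are constructed for illustration.

```python
import struct
import zlib

HEADER_LEN = 8  # signature (3 bytes) + version (1) + size (4, little-endian)

def carve_swf(buf, pos):
    """Return (signature, version, carved_bytes) for an SWF at pos, or None."""
    sig = buf[pos:pos + 3]
    if sig not in (b"FWS", b"CWS") or len(buf) - pos < HEADER_LEN:
        return None
    version = buf[pos + 3]
    (size,) = struct.unpack_from("<I", buf, pos + 4)
    if size <= HEADER_LEN:              # same sanity check as the script: size > 8
        return None
    if sig == b"FWS":                   # uncompressed: size is the on-disk length
        if pos + size > len(buf):
            return None                 # truncated file or bogus size field
        return sig, version, buf[pos:pos + size]
    # CWS: inflate until the zlib stream ends to learn the on-disk length.
    inflater = zlib.decompressobj()
    expected = size - HEADER_LEN
    try:
        # Output is capped at expected + 1 bytes, so a header that understates
        # the size cannot make the carver inflate an arbitrarily large stream.
        body = inflater.decompress(buf[pos + HEADER_LEN:], expected + 1)
    except zlib.error:
        return None
    if not inflater.eof or len(body) != expected:
        return None                     # truncated stream or size mismatch
    consumed = len(buf) - pos - HEADER_LEN - len(inflater.unused_data)
    return sig, version, buf[pos:pos + HEADER_LEN + consumed]

def scan(buf):
    """Carve every SWF in buf; returns [(offset, signature, version, data)]."""
    hits, pos = [], 0
    while pos <= len(buf) - HEADER_LEN:
        hit = carve_swf(buf, pos)
        if hit:
            hits.append((pos, *hit))
            pos += len(hit[2])          # continue after the carved file
        else:
            pos += 1
    return hits

# Constructed sample "disk image": a 76-byte FWS v8 file and a CWS v8 file.
BODY = bytes(range(68))
FWS = b"FWS\x08" + struct.pack("<I", 76) + BODY
CWS = b"CWS\x08" + struct.pack("<I", 76) + zlib.compress(BODY)
IMAGE = b"\x00" * 16 + FWS + b"\xff" * 5 + CWS + b"\x00" * 16
```

Calling `scan(IMAGE)` returns one entry per recovered file; a CWS hit whose inflated length disagrees with its header is rejected rather than carved.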