SWF Signature Format: Specification & Recovery Example
Adobe Shockwave (formerly Macromedia) Flash SWF files start with the signature FWS (characters 'F','W','S' or bytes 0x46, 0x57, 0x53) for uncompressed files, or with the signature CWS (characters 'C','W','S' or bytes 0x43, 0x57, 0x53) for compressed files. If an Adobe Flash file is compressed, the entire file after the first 8 bytes is compressed using the open ZLIB standard. The file version is one byte at offset 3. The file size is stored at offset 4 as 4 bytes in little-endian order (lowest byte first).
Let's examine an example.
When inspecting the binary data of example.swf in a hex viewer such as Active@ Disk Editor, we can see that it starts with the signature FWS (hex: 46 57 53), which means the file is not compressed. The version check confirms that it is a valid SWF archive, version 8 (1 byte at offset 3: 0x08). The file size is 76 bytes (4 bytes at offset 4, hex: 4C 00 00 00). Thus, reading 76 consecutive bytes starting from the position of the detected FWS header gives us all of the SWF file's data.
The SWF file header:
| Offset | Length (bytes) | Description |
|---|---|---|
| 0 | 3 | signature, must be 46, 57, 53 hex ("FWS") for uncompressed, or 43, 57, 53 hex ("CWS") for compressed data |
| 3 | 1 | version of SWF Adobe Flash file |
| 4 | 4 | size of SWF file in bytes (little-endian order) |
Active@ File Recovery Custom Scripting Example
This example performs some validation of the SWF header's parameters beyond simple file size extraction. The syntax of the signature definition language is documented separately.
[SWF_HEADER]
DESCRIPTION=Adobe Flash SWF
EXTENSION=swf
BEGIN=SWF_BEGIN
SCRIPT=SWF_SCRIPT

[SWF_BEGIN]
FWS=0|0

[SWF_SCRIPT]
  data = read(byte, 3)
  if (data >= 10h) goto exit
  size = read(dword, 4)
  if (size > 8) goto exit
  size = 0
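The same header checks as a stand-alone carver in Python. This is an added example, not part of the original page or of Active@ File Recovery. It goes beyond the script above by also handling CWS files, where (per the SWF file format specification) the size field holds the length after decompression, so the stored length must be found from the end of the zlib stream. The function names, the sample image, and reusing the script's 10h version bound are assumptions of this example.

```python
import struct
import zlib

HEADER_LEN = 8       # signature (3) + version (1) + size (4)
MAX_VERSION = 0x10   # assumption: the bound used by the page's script (10h)

def parse_header(buf, pos):
    """Return (compressed, version, size) for a plausible header at pos, else None."""
    sig = buf[pos:pos + 3]
    if pos + HEADER_LEN > len(buf) or sig not in (b"FWS", b"CWS"):
        return None
    version = buf[pos + 3]
    (size,) = struct.unpack_from("<I", buf, pos + 4)  # little-endian dword
    if version >= MAX_VERSION or size <= HEADER_LEN:
        return None
    return sig == b"CWS", version, size

def stored_length(buf, pos, compressed, size):
    """Bytes the file occupies in buf, or None if truncated or inconsistent."""
    if not compressed:
        return size if pos + size <= len(buf) else None
    # CWS: size is the length after decompression. Output is capped one byte
    # above the declared size, so an oversized stream is detected, not expanded.
    inflater = zlib.decompressobj()
    data = buf[pos + HEADER_LEN:]
    try:
        body = inflater.decompress(data, size - HEADER_LEN + 1)
    except zlib.error:
        return None
    if not inflater.eof or len(body) != size - HEADER_LEN:
        return None
    return HEADER_LEN + len(data) - len(inflater.unused_data)

def carve_swf(buf):
    """Return [(offset, version, file_bytes)] for each valid SWF found in buf."""
    found, pos = [], 0
    while pos + HEADER_LEN <= len(buf):
        header = parse_header(buf, pos)
        length = stored_length(buf, pos, header[0], header[2]) if header else None
        if length is not None:
            found.append((pos, header[1], buf[pos:pos + length]))
        pos += length or 1    # skip a carved file whole; otherwise step one byte
    return found

def make_sample():
    """Constructed image: junk, 76-byte FWS v8, bogus FWS header, CWS, junk."""
    head, body = struct.pack("<I", 76), bytes(range(68))
    fws, cws = b"FWS\x08" + head + body, b"CWS\x08" + head + zlib.compress(body)
    return b"\0" * 5 + fws + b"FWS\x20" + head + b"\xff" * 3 + cws + b"\xaa" * 7, fws, cws
```

Calling `carve_swf(make_sample()[0])` recovers the FWS file and the CWS file and skips the header whose version byte fails the check.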