SWF Signature Format Specification & Recovery Example

Adobe Shockwave (formerly Macromedia) Flash SWF files start with the signature FWS (characters 'F', 'W', 'S', or bytes 0x46, 0x57, 0x53) for uncompressed files, or with the signature CWS (characters 'C', 'W', 'S', or bytes 0x43, 0x57, 0x53) for compressed files. If the file is compressed, the entire file after the first 8 bytes is compressed using the open standard ZLIB. The file version is one byte at offset 3. The file size is stored at offset 4 as 4 bytes in little-endian order (lowest byte first).

Let's examine the example

When inspecting the binary data of example.swf in any hex viewer, such as Active@ Disk Editor, we can see that it starts with the signature FWS (hex: 46 57 53), which means the file is not compressed. The version check confirms that it is a valid SWF archive, v. 8 (1 byte at offset 3: 0x08). The file size is 76 bytes (4 bytes at offset 4, hex: 4C 00 00 00). Thus, reading 76 consecutive bytes starting from the position of the detected FWS header gives us all of the SWF file data.

SWF Signature inspection

More info:

The SWF file header:

offset  size  description
0       3     signature, must be 46, 57, 53 hex ("FWS") for uncompressed, or 43, 57, 53 hex ("CWS") for compressed data
3       1     version of SWF Adobe Flash file
4       4     size of SWF file in bytes (little-endian order)

Active@ File Recovery Custom Scripting Example

This example performs some validation of the SWF header's parameters beyond simple file size extraction.
You can read about the syntax of the signature definition language here.



	data = read(byte, 3)
	if (data >= 10h) goto exit
	size = read(dword, 4)
	if (size > 8) goto exit
	size = 0
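
The header layout above, applied as a standalone carver in Python. This is an added example, not part of the original page or of Active@ File Recovery; it goes beyond the FWS case by also handling CWS, where the size field gives the decompressed length, so the on-disk length is found by locating the end of the zlib stream. Assumptions: the function names are hypothetical, the sample image is constructed, and the thresholds 0x10 and 8 are taken from the script fragment above and treated here as rejection limits.

```python
import re
import struct
import zlib

HEADER_LEN = 8      # signature (3) + version (1) + size (4)
MAX_VERSION = 0x10  # assumption: threshold borrowed from the page's script

def parse_header(buf, pos=0):
    """Return (signature, version, declared_size), or None if implausible."""
    if len(buf) - pos < HEADER_LEN or buf[pos:pos + 3] not in (b"FWS", b"CWS"):
        return None
    version = buf[pos + 3]
    (size,) = struct.unpack_from("<I", buf, pos + 4)  # little-endian dword
    if version >= MAX_VERSION or size <= HEADER_LEN:
        return None
    return buf[pos:pos + 3].decode(), version, size

def carve(buf, pos=0):
    """Return the on-disk bytes of the SWF at pos, or None if it fails checks."""
    hdr = parse_header(buf, pos)
    if hdr is None:
        return None
    sig, _, size = hdr
    if sig == "FWS":  # declared size is the on-disk size
        return buf[pos:pos + size] if pos + size <= len(buf) else None
    # CWS: size field is the *decompressed* length, so find the zlib stream end.
    z = zlib.decompressobj()
    try:  # cap output at one byte past the declared size (bomb guard)
        body = z.decompress(buf[pos + HEADER_LEN:], size - HEADER_LEN + 1)
    except zlib.error:
        return None
    if not z.eof or len(body) != size - HEADER_LEN:
        return None
    return buf[pos:len(buf) - len(z.unused_data)]

def scan(buf):
    """Return [(offset, file_bytes)] for each SWF that passes validation."""
    found, next_free = [], 0
    for m in re.finditer(rb"[FC]WS", buf):
        data = carve(buf, m.start()) if m.start() >= next_free else None
        if data:
            found.append((m.start(), data))
            next_free = m.start() + len(data)
    return found

# Constructed sample: padding, a 76-byte v8 FWS, a false hit, a CWS, padding.
FWS = b"FWS\x08" + struct.pack("<I", 76) + b"\xAA" * 68
CWS = b"CWS\x08" + struct.pack("<I", 108) + zlib.compress(b"\xBB" * 100)
IMAGE = b"\x00" * 16 + FWS + b"FWS\x41junk" + CWS + b"\x00" * 32
```

`scan(IMAGE)` returns the FWS file at offset 16 and the CWS file at offset 100, and skips the bare "FWS" string whose version byte fails the check.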