@KuromeSan
Last active Jan 15, 2022
Removing the timebomb from Adobe Flash Player

In Adobe Flash Player versions newer than 32.0.0.344 they added a "Timebomb" for the EOL. The player would refuse to run any custom Flash content after 12/01/2021; instead it would just show this image

So knowing this, let's crack it!

I actually started looking into this before the 12/01/2021 hit, but only recently did I actually discover a way to bypass the killswitch.

(also- I'm aware I was not the first to do this, but I still did do it)

Recon stuffs

First thing I wanted to know was: where does Flash install to anyway? It's a browser plugin, right, so it's not like there's an obvious "Flash.exe" or whatever.

Well, it was as simple as googling the answer. This just applies to Windows systems, but it's in C:\Windows\System32\Macromed\Flash (32-bit version in SysWOW64). There are three files it uses for different browsers and APIs: the NPAPI Firefox one is NPSWF64.DLL, the Chromium version is PepFlashPlayer_.dll, and the ActiveX version for Internet Explorer and desktop apps is Flash.OCX.

Oh, and Google is special and has it in %LocalAppData%\Google\Chrome\User Data\PepperFlash<VERSION>\Pepflashplayer.dll

Reversing it!

There were a few ways I thought it might work, but one thing about the kill screen is that it still said "Adobe Flash Player 32" when I right-clicked, and had the options for global settings and local settings. This made me think that the killscreen really is just a SWF (Flash movie) file itself that it'll load instead of whatever is on the site. Knowing this, I did a very basic search for "CWS", the Flash movie magic number, inside the DLL, and I found a few results.

So I copied all the bytes until I saw stuff that didn't look like zlib-compressed data, and opened it in the standalone Flash projector- but no, this is just the settings menu.

I still thought that there's a good chance they use a SWF for the killscreen, so I just searched again and found another CWS header that appears to be directly after the first one, which just appeared to be a white screen; not sure what it's for. After going through all the embedded SWFs I finally found it: the killscreen SWF is the last "CWS" in the NPSWF64 file, located at 0x11B9D58 in the latest version.

So after this I tried opening NPFLASH64.dll in Ghidra and seeing what references this embedded Flash movie. Turns out it takes Ghidra (and IDA..) a very long time to analyze a binary like Flash Player; it's a very big file with thousands of subroutines. After a while I found that it calls GetSystemTime, then has their own implementation for converting that into a Unix epoch time, then just checks if it's greater than 1610409600000. There are also some extra checks in there, something about "file://"; perhaps the killswitch is ignored if the contents are served locally? And some other stuff I couldn't tell right away, which I assume has to do with enterprise versions of Flash and whether the URL is allowed in mms.cfg, but that's just a guess.

Anyway, perhaps the most interesting thing about this is that the timestamp compared against was actually a double value, so to bypass the killswitch all I had to do was change it from 1610409600000 to "Infinity", which means it'll always be before the kill date and so it'll never show the killswitch screen. So that's it.

Finally,

To remove the killswitch from Flash Player you simply have to find and replace 00 00 40 46 3E 6F 77 42 with 00 00 00 00 00 00 FF 7F. You have to mess around with Windows security settings to get it to allow you to write to the file, but that's basically all there is to it.

Also, the offline installer downloads for Flash Player are still on Adobe's servers if you go to the right URL, which means you have a definitely-not-to-be-malware way of installing and using Flash. Well, at least until they pull these links offline.. :D

windows:
https://fpdownload.adobe.com/pub/flashplayer/latest/help/install_flash_player.exe - Firefox / NPAPI
https://fpdownload.adobe.com/pub/flashplayer/latest/help/install_flash_player_ax.exe - Internet Explorer / ActiveX
https://fpdownload.adobe.com/pub/flashplayer/latest/help/install_flash_player_ppapi.exe - Chrome / PPAPI

mac:
https://fpdownload.macromedia.com/pub/flashplayer/latest/help/install_flash_player_osx.dmg - Firefox / NPAPI
https://fpdownload.macromedia.com/pub/flashplayer/latest/help/install_flash_player_osx_ppapi.dmg - Chrome / PPAPI

Don't know anywhere to get the Linux versions though, unfortunately-

TL;DR

To remove the killswitch from Flash Player you simply have to find 00 00 40 46 3E 6F 77 42 and replace it with 00 00 00 00 00 00 FF 7F. I also made a patcher program if you're lazy and don't want to mess with Windows security settings: https://github.com/KuromeSan/FlashPatcher/tree/master
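An added example, not part of the original gist or of FlashPatcher: a read-only audit that decodes the two 8-byte patterns quoted above as little-endian IEEE-754 doubles and reports whether a plugin image still carries the stock kill-date constant. The function names, the milliseconds interpretation of the constant, and the sample buffer are assumptions made for illustration.

```python
import math
import struct
from datetime import datetime, timezone

# The two byte patterns quoted in the write-up, as stored on disk.
STOCK = bytes.fromhex("000040463E6F7742")
REPLACEMENT = bytes.fromhex("000000000000FF7F")


def describe_double(raw):
    """Decode 8 little-endian bytes and name the kind of double they hold."""
    (value,) = struct.unpack("<d", raw)
    if math.isnan(value):
        return "NaN"            # exponent all ones, mantissa non-zero
    if math.isinf(value):
        return "Infinity"       # exponent all ones, mantissa zero
    # Finite: assumed to be milliseconds since the Unix epoch.
    when = datetime.fromtimestamp(value / 1000, tz=timezone.utc)
    return when.strftime("%Y-%m-%d %H:%M:%S UTC")


def offsets(blob, needle):
    """Return every offset at which needle occurs in blob."""
    found, pos = [], blob.find(needle)
    while pos != -1:
        found.append(pos)
        pos = blob.find(needle, pos + 1)
    return found


def audit(blob):
    """Classify a plugin image by which of the two constants it contains."""
    stock, repl = offsets(blob, STOCK), offsets(blob, REPLACEMENT)
    if stock:
        state = "stock"         # kill date still present
    elif repl:
        state = "modified"      # stock constant gone, replacement present
    else:
        state = "unknown"       # other build, or a different replacement value
    return {"state": state, "stock_at": stock, "replacement_at": repl}


if __name__ == "__main__":
    # Constructed sample buffer standing in for a DLL; not real Flash bytes.
    sample = b"\x90" * 32 + STOCK + b"\x90" * 32
    print(describe_double(STOCK), "|", describe_double(REPLACEMENT))
    print(audit(sample))
    print(audit(sample.replace(STOCK, REPLACEMENT)))
```

The replacement pattern on its own can occur by chance in a large binary, so the absence of the stock constant is the stronger signal that a file was modified.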


purifyyourhome commented Jan 21, 2021

Author

KuromeSan commented Jan 24, 2021

> Great work! I tried the string replacement within /usr/lib/flash-plugin/libflashplayer.so on 64-bit Linux but i couldn't get it to work. Hope to keep tinkering in some free time but here are the links for the Linux versions (while they are still on-line).
>
> 64-bit Linux
> https://fpdownload.adobe.com/get/flashplayer/pdc/32.0.0.465/flash_player_npapi_linux.x86_64.tar.gz
> https://fpdownload.adobe.com/get/flashplayer/pdc/32.0.0.465/flash_player_ppapi_linux.x86_64.tar.gz
> RPMs: https://rpm.pkgs.org/universal/adobe-x86_64/
>
> 32-bit Linux
> https://fpdownload.adobe.com/get/flashplayer/pdc/32.0.0.465/flash_player_npapi_linux.i386.tar.gz
> https://fpdownload.adobe.com/get/flashplayer/pdc/32.0.0.465/flash_player_ppapi_linux.i386.tar.gz
> RPMs:
> https://rpm.pkgs.org/universal/adobe-i386/

image
it's right here ... does replacing it not work?


jamesroberts commented Jan 25, 2021

This is a great write up! Thanks for this!

There's also a simpler solution that doesn't keep Flash "permanently enabled" (useful if you are concerned about security).
When you want to use Flash, just change your system date to anything before 12 January. Flash will then work.
When you are done, just reset your date to the current date.

Author

KuromeSan commented Jan 25, 2021

> This is a great write up! Thanks for this!
>
> There's also a simpler solution that doesn't keep Flash "permanently enabled" (useful if you are concerned about security).
> When you want to use Flash, just change your system date to anything before 12 January. Flash will then work.
> When you are done, just reset your date to the current date.

Wouldn't that break TLS?

Also pretty much every browser has "click to run" for flash anyway..


cannfoddr commented Jan 26, 2021

Great solution, tried this on my Mac did the patch but the plugins are code signed so would not load.

Author

KuromeSan commented Jan 26, 2021

> Great solution, tried this on my Mac did the patch but the plugins are code signed so would not load.

try running sudo codesign -f -s - /path/to/flash/dylib in a terminal ..


bradut commented Jan 27, 2021

Thank you very much,
Used your C# project and it worked like a charm!


cannfoddr commented Jan 27, 2021

> > Great solution, tried this on my Mac did the patch but the plugins are code signed so would not load.
>
> try running sudo codesign -f -s - /path/to/flash/dylib in a terminal ..

Thanks for the reply - I am not sure what you mean by /path/to/flash/dylib?

Where might I find this on MacOS - is this something that comes with chrome or do I need to install flash?


cheriathesummonrr commented Jan 28, 2021

teach me how please so i can play it again

Author

KuromeSan commented Jan 28, 2021

> > > Great solution, tried this on my Mac did the patch but the plugins are code signed so would not load.
> >
> > try running sudo codesign -f -s - /path/to/flash/dylib in a terminal ..
>
> Thanks for the reply - I am not sure what you mean by /path/to/flash/dylib?
>
> Where might I find this on MacOS - is this something that comes with chrome or do I need to install flash?

I mean the path to the flash executable that you patched- like pepflashplayer or NPSWF64 . I just assumed it was a *.dylib file since that's MacOS's shared library format .

Author

KuromeSan commented Jan 28, 2021

> teach me how please so i can play it again

If you're on Windows you can just use the FlashPatcher program I wrote. It's so easy you just open it and click the "Defuse the bomb!" button


Flashplay1 commented Jan 28, 2021

hello, your flash patcher program is detected as Trojan by the Windows defender.

Please tell me whether it's safe or not


cheriathesummonrr commented Jan 28, 2021

But how

Author

KuromeSan commented Jan 28, 2021

> hello, your flash patcher program is detected as Trojan by the Windows defender.
>
> Please tell me whether it's safe or not

It is- Windows AV is poopy. Then again, it does take ownership of files from TrustedInstaller & edit them, from System32, so I guess it makes sense that AV is mad at me :::

Author

KuromeSan commented Jan 28, 2021

> But how

Yknow u open this https://github.com/KuromeSan/FlashPatcher/releases and click "Defuse the bomb"


Blinix commented Jan 28, 2021

I used GOM player to play my .swf, the other day when I wanted to rewatch a flash series called There she is! I discovered that the flash dead icon appeared on my browser and player. I knew of the end of service, but I didn't know they would use such a scummy way to do it, a kill switch. First time I've seen that tactic in a software.

But hey, now thanks to your FlashPatcher, even if I had to do some voodoo cuz Norton keeps saying it would kill my PC, I can keep watching/playing them. Kudos to you and all the bad things in the world to those who ordered the killswitch.

Author

KuromeSan commented Jan 29, 2021

> I used GOM player to play my .swf, the other day when I wanted to rewatch a flash series called There she is! I discovered that the flash dead icon appeared on my browser and player. I knew of the end of service, but I didn't know they would use such a scummy way to do it, a kill switch. First time I've seen that tactic in a software.
>
> But hey, now thanks to your FlashPatcher, even if I had to do some voodoo cuz Norton keeps saying it would kill my PC, I can keep watching/playing them. Kudos to you and all the bad things in the world to those who ordered the killswitch.

The only other software I know that is known to have a killswitch/timebomb like this is the R4 Flash Cartridges for the Nintendo DS... I guess you could call it the Adobe Flash Cart.


cheriathesummonrr commented Jan 31, 2021

I need your instruction with screenshot
send it to me on email


cheriathesummonrr commented Jan 31, 2021

Bad news: I downloaded the flash patcher but it failed. Can you help me with that?


tranducminh0996 commented Feb 17, 2021

thanks


purifyyourhome commented Feb 23, 2021

just found an alternative patcher that doesn't require .NET: https://github.com/leecher1337/flashpatch
Also, links to directly download flash from Adobe's servers seem to be dead; TechSpot saves the day:
[Windows, MacOS]
https://www.techspot.com/downloads/1127-adobe-flash-player.html

[Linux]
https://www.techspot.com/downloads/5104-adobe-flash-player-for-linux.html

Author

KuromeSan commented Mar 9, 2021

Adobe took the files down- here's some from archive.org:

windows:
https://web.archive.org/web/20210000000000id_/https://fpdownload.adobe.com/pub/flashplayer/latest/help/install_flash_player.exe Firefox / NPAPI
https://web.archive.org/web/20210000000000id_/https://fpdownload.adobe.com/pub/flashplayer/latest/help/install_flash_player_ax.exe Internet Explorer / Desktop Apps / ActiveX
https://web.archive.org/web/20210000000000id_/https://fpdownload.adobe.com/pub/flashplayer/latest/help/install_flash_player_ppapi.exe Chrome / PPAPI

mac:
https://web.archive.org/web/20210000000000id_/https://fpdownload.macromedia.com/pub/flashplayer/latest/help/install_flash_player_osx.dmg Firefox / NPAPI
https://web.archive.org/web/20210000000000id_/https://fpdownload.macromedia.com/pub/flashplayer/latest/help/install_flash_player_osx_ppapi.dmg Chrome / PPAPI

64-bit Linux
https://web.archive.org/web/20210000000000id_/https://fpdownload.adobe.com/get/flashplayer/pdc/32.0.0.465/flash_player_npapi_linux.x86_64.tar.gz Firefox / NPAPI
https://web.archive.org/web/20210000000000id_/https://fpdownload.adobe.com/get/flashplayer/pdc/32.0.0.465/flash_player_ppapi_linux.x86_64.tar.gz Chrome / PPAPI
RPMs: https://rpm.pkgs.org/universal/adobe-x86_64/

32-bit Linux
https://web.archive.org/web/20210000000000id_/https://fpdownload.adobe.com/get/flashplayer/pdc/32.0.0.465/flash_player_npapi_linux.i386.tar.gz Firefox / NPAPI
https://web.archive.org/web/20210000000000id_/https://fpdownload.adobe.com/get/flashplayer/pdc/32.0.0.465/flash_player_ppapi_linux.i386.tar.gz Chrome / PPAPI
RPMs:
https://rpm.pkgs.org/universal/adobe-i386/


popov654 commented Mar 11, 2021

Did not work for me (Windows 7 x64, Firefox 62, Flash is the same version as yours)


leecher1337 commented May 12, 2021

Using Infinity may be problematic, see

leecher1337/flashpatch#3
leecher1337/flashpatch@9d2e368

Author

KuromeSan commented May 12, 2021

> Using Infinity may be problematic, see
>
> leecher1337/flashpatch#3
> leecher1337/flashpatch@9d2e368

huh really? I thought I was being smart by using literal "Infinity", and it had no issues till now- I wonder why that happens?
well you could have it like a billion years in the future for much of the same effect so .


leecher1337 commented May 12, 2021

I was able to reproduce it using the stuff given in the ticket.
I guess, as long as calling application like Web Browser catches Floating Point Exceptions ( Set8087CW(0x133f) ), it doesn't harm, but i.e. mentioned ActiveX Runner doesn't handle them and therefore aborts.


profMastermind commented Jun 18, 2021

Worked for me in ubuntu x64 using chromium v65.0 - just need to enable this flag chrome://flags/#ignore-gpu-blacklist in chromium - used infinity
Thanks @KuromeSan for sharing this :)


Wojtek444214 commented Jan 15, 2022

It works for me in Chrome Version 87.0.4280.88 (Official Build) (32-bit) and Flash Player 32.0.0.465 after manually replacing hex 00 00 40 46 3E 6F 77 42 with 00 00 00 00 00 00 FF 7F in C:\Windows\SysWOW64\Macromed\Flash \ FlashUtil64_32_0_0_465_pepper.dll
Browser displays "Adobe Flash Player was blocked because it is out of date" and I have to click the "Run this time" button each time I want to use it. Is there any way to bypass it?
