Reverse Engineering AMF

Question

I was asked to crawl a flash website, which appears to be utilizing some kind of server-side call through the AMF protocol. I am completely unfamiliar with this protocol, but found this library (http://www.pyamf.org/index.html).

I can view the payload that is sent to the server, as well as the response. I can make out certain key elements, but overall do not understand the request or the response.

I assume the library would help somehow, but am unsure where to start. Does anybody know of resources or techniques for reverse-engineering an AMF call or can somebody explain why it's not likely?

The AMF itself is a binary Flash file. The call itself returns an AMF file, does it not? — bzlm, Aug 09 '11 at 07:25
AMF is Actionscript Message Format and is a protocol for sending data to Flash. It is not a flash file itself. — Alan Geleynse, Aug 09 '11 at 07:28

score 7 · Accepted Answer · answered Aug 09 '11 at 19:10

As someone who has built a library that can parse AMF (RocketAMF), I would advise that you use one of the existing libraries rather than write your own. Below is a list of some libraries for AMF parsing by language, with many more a simple search away:

Python: PyAMF
Ruby: RocketAMF
Java: BlazeDS
PHP: Zend::AMF

As for understanding how AMF generally works, it's an object serialization format with a remote procedure call (RPC) layer. All RPC calls are composed of a service name and a method to call on that service, as well as a list of parameters. If they are using Flex, there are some additional layers to the RPC process that aren't documented anywhere besides Adobe's open source AMF implementation, BlazeDS, but are supported by all the above libraries.

You might also want to check out Charles, which is capable of deserializing AMF requests that are proxied through it, making reverse engineering a bit easier.

score 4 · Answer 2 · answered Aug 09 '11 at 07:26

The documentation for the AMF protocol is published.

You can find a copy of the AMF 3 specification at: http://opensource.adobe.com/wiki/download/attachments/1114283/amf3_spec_05_05_08.pdf

The AMF 0 protocol, which is an older version of the protocol, has it's specification available at: http://opensource.adobe.com/wiki/download/attachments/1114283/amf0_spec_121207.pdf

It is a pretty long read, but if you reference the code of some of the many libraries that implement it, you should be able to get it.

There is also a nice list of references for the protocol at: http://osflash.org/documentation/amf

Reverse Engineering AMF

2 Answers2