Skip to content

Instantly share code, notes, and snippets.

@LiEnby
Last active November 21, 2024 04:09
Show Gist options
  • Save LiEnby/56d8b724c0696b54f9f81994ae3591d1 to your computer and use it in GitHub Desktop.
Save LiEnby/56d8b724c0696b54f9f81994ae3591d1 to your computer and use it in GitHub Desktop.
Removing the timebomb from Adobe Flash Player

In Adobe Flash Player versions newer than 32.0.0.344 they added a "Timebomb" for the EOL. the player would refuse to run any custom flash content after 12/01/2021, instead it would just show this image

So knowing this, Lets crack it!

I acturally started looking into this before the 12/01/2021 hit, but only recently did i acturally discover a way to bypass the killswitch

(also- im aware i was not the first to do this, but i still did do it)

Recon stuffs

First thing i wanted to know was, so where does flash install to anyway? its a browser plugin right, so its not like theres an obvious "Flash.exe" or whatever,

Well it was as simple as googling the answer, this just applies to windows systems but its in C:\Windows\System32\Macromed\Flash (32 bit version in SysWOW64) there are three files it uses for different browsers and apis, the NPAPI Firefox one is NPSWF64.DLL, the Chromium verison is PepFlashPlayer_.dll and the activeX version for Internet Explorer and desktop apps is Flash.OCX,

Oh and google is special and have it in %LocalAppData%\Google\Chrome\User Data\PepperFlash<VERSION>\Pepflashplayer.dll

Reversing it!

There were a few ways i thought it might work but one thing about the kill screen is that it still said "Adobe Flash Player 32" when i right clicked, and had the option for global settings and local settings this made me think that the killscreen really is just a SWF (Flash Movie) file itself, that it'll load instead of whatever is on the site, knowing this i did a very basic search looking for "CWS" the flash movie magic number inside the DLL, and i found a few results: image

so i copied all the bytes until i saw stuff that didnt look like zlib compressed data, and opened it in the standalone flash projector- but no. this is just the settings menu,

image

i still thought that theres a good chance they use a swf for the killscreen, so i just searched again, found another CWS header that appears to be directly after the first one which just appeared to be a white screen, not sure what its for. after going through all the embedded flash SWF's i finally found it, the killscreen swf is the last "CWS" in the NPSWF64 file, located at 0x11B9D58 in the latest version

image

So after this i tried opening NPFLASH64.dll in Ghidra and seeing what references this embededed flash movie swf- turns out it takes ghidra (and ida..) a very long time to anaylize a binary like flash player, its a very big file with thousands of subroutines, after awhile i found that it calls GetSystemTime, and then has there own implementation for converting that into a Unix Epoch time, then just checks if its greater than 1610409600000, theres also some extra checks in there something about "file://" perhaps the killswitch is ignored if its the contents are served locally? and some other stuff i couldnt tell right away, i assume have to do with enterprise versions of flash and if the url is allowed in mms.cfg. but thats just a guess,

anyway perhaps the most interesting thing about this is that time timestamp compared against was acturally a double value, so to bypass the killswitch all i had to do was change it from 1610409600000 to "Infinity", which means it'll always be before the kill date and so it'll never show the killswitch screen- so thats it,

Finally,

to remove the killswitch from flash player you simply have to find and replace 00 00 40 46 3E 6F 77 42 with 00 00 00 00 00 00 FF 7F you have to mess around with windows security settings to get it to allow you to write to the file but thats basically all there is to it.

also the offline installer downloads for flash player are still on adobe server- if you goto the right URL. which means you have a definitey-not-to-be-malware way of installing and using flash, well, atleast until they pull these links offline.. :D

windows: https://fpdownload.adobe.com/pub/flashplayer/latest/help/install_flash_player.exe - Firefox / NPAPI https://fpdownload.adobe.com/pub/flashplayer/latest/help/install_flash_player_ax.exe - Internet Explorer / ActiveX https://fpdownload.adobe.com/pub/flashplayer/latest/help/install_flash_player_ppapi.exe - Chrome / PPAPI

mac: https://fpdownload.macromedia.com/pub/flashplayer/latest/help/install_flash_player_osx.dmg - Firefox / NPAPI https://fpdownload.macromedia.com/pub/flashplayer/latest/help/install_flash_player_osx_ppapi.dmg - Chrome / PPAPI

dont know anywhere to get the linux versions though unfortunately-

TL;DR

to remove the killswitch from flash player you simply have to find 00 00 40 46 3E 6F 77 42 and replace with 00 00 00 00 00 00 FF 7F i also made a patcher program if your lazy and dont want to mess with windows security settings https://github.com/KuromeSan/FlashPatcher/tree/master,

@LiEnby
Copy link
Author

LiEnby commented Jan 25, 2021

This is a great write up! Thanks for this!

There's also a simpler solution that doesn't keep Flash "permanently enabled" (useful if you are concerned about security).
When you want to use Flash, just change your system date to anything before 12 January. Flash will then work.
When you are done, just reset your date to the current date.

Wouldn't that break TLS?

Also pretty much every browser has "click to run" for flash anyway..

@cannfoddr
Copy link

Great solution, tried this on my Mac did the patch but the plugins are code signed so would not load.

@LiEnby
Copy link
Author

LiEnby commented Jan 26, 2021

Great solution, tried this on my Mac did the patch but the plugins are code signed so would not load.

try running sudo codesign -f -s - /path/to/flash/dylib in a terminal ..

@bradut
Copy link

bradut commented Jan 27, 2021

Thank you very much,
Used your C# project and it worked like a charm!

@cannfoddr
Copy link

Great solution, tried this on my Mac did the patch but the plugins are code signed so would not load.

try running sudo codesign -f -s - /path/to/flash/dylib in a terminal ..

Thanks for the reply - I am not sure what you mean by /path/to/flash/dylib?

Where might I find this on MacOS - is this something that comes with chrome or do I need to install flash?

@cheriathesummonrr
Copy link

teach me how please so i can play it again

@LiEnby
Copy link
Author

LiEnby commented Jan 28, 2021

Great solution, tried this on my Mac did the patch but the plugins are code signed so would not load.

try running sudo codesign -f -s - /path/to/flash/dylib in a terminal ..

Thanks for the reply - I am not sure what you mean by /path/to/flash/dylib?

Where might I find this on MacOS - is this something that comes with chrome or do I need to install flash?

I mean the path to the flash executable that you patched- like pepflashplayer or NPSWF64 . I just assumed it was a *.dylib file since that's MacOS's shared library format .

@LiEnby
Copy link
Author

LiEnby commented Jan 28, 2021

teach me how please so i can play it again

If your on Windows you can just use the FlashPatcher program I wrote. It's so easy you just open it and click the "Defuse the bomb!" Button

@Flashplay1
Copy link

hello, your flash patcher program is detected as Trojan by the Windows defender.

Please tell me weather it's safe or not

@cheriathesummonrr
Copy link

But how

@LiEnby
Copy link
Author

LiEnby commented Jan 28, 2021

hello, your flash patcher program is detected as Trojan by the Windows defender.

Please tell me weather it's safe or not

It is- windows av is poopy. Then again it does take ownership of files from TrustedInstaller & edit them. From System32 so I guess it makes sense that AV is mad at me :::

@LiEnby
Copy link
Author

LiEnby commented Jan 28, 2021

But how
Yknow u open this https://github.com/KuromeSan/FlashPatcher/releases and click "Defuse the bomb"

@Blinix
Copy link

Blinix commented Jan 28, 2021

I used GOM player to play my .swf, the other day when I wanted to rewatch a flash series called There she is! I discovered that the flash dead icon appeared on my browser and player. I knew of the end of service, but I didn't know they would use such a scummy way to do it, a kill switch. First time I've seen that tactic in a sowftware.

But hey, now thanks to your FlashPatcher, even if I had to do some voodo cuz Norton keep saying it would kill my PC, I can keep watching/playing them. Kudos to you and all the bad things in the world to those who ordered the killswitch.

@LiEnby
Copy link
Author

LiEnby commented Jan 29, 2021

I used GOM player to play my .swf, the other day when I wanted to rewatch a flash series called There she is! I discovered that the flash dead icon appeared on my browser and player. I knew of the end of service, but I didn't know they would use such a scummy way to do it, a kill switch. First time I've seen that tactic in a sowftware.

But hey, now thanks to your FlashPatcher, even if I had to do some voodo cuz Norton keep saying it would kill my PC, I can keep watching/playing them. Kudos to you and all the bad things in the world to those who ordered the killswitch.

The only other software I know that is known to have killswitch/timebomv like this is the R4 Flash Cartridges for the Nintnendo DS... I guess you could call it the Adobe Flash Cart.

@cheriathesummonrr
Copy link

I need your instruction with screenshot
send it to me on email

@cheriathesummonrr
Copy link

Bad new I downloaded the flash patcher but its failed can you help me with that

@tranducminh0996
Copy link

thanks

@purifyyourhome
Copy link

just found an alternative patcher that doesn't require .NET: https://github.com/leecher1337/flashpatch
Also, links to directly download flash from Adobe's servers seem to be dead; TechSpot saves the day:
[Windows, MacOS]
https://www.techspot.com/downloads/1127-adobe-flash-player.html

[Linux]
https://www.techspot.com/downloads/5104-adobe-flash-player-for-linux.html

@LiEnby
Copy link
Author

LiEnby commented Mar 9, 2021

adobe took the files down- heres some from archive.org:

windows:
https://web.archive.org/web/20210000000000id_/https://fpdownload.adobe.com/pub/flashplayer/latest/help/install_flash_player.exe Firefox / NPAPI
https://web.archive.org/web/20210000000000id_/https://fpdownload.adobe.com/pub/flashplayer/latest/help/install_flash_player_ax.exe Internet Explorer / Desktop Apps / ActiveX
https://web.archive.org/web/20210000000000id_/https://fpdownload.adobe.com/pub/flashplayer/latest/help/install_flash_player_ppapi.exe Chrome / PPAPI

mac:
https://web.archive.org/web/20210000000000id_/https://fpdownload.macromedia.com/pub/flashplayer/latest/help/install_flash_player_osx.dmg Firefox / NPAPI
https://web.archive.org/web/20210000000000id_/https://fpdownload.macromedia.com/pub/flashplayer/latest/help/install_flash_player_osx_ppapi.dmg Chrome / PPAPI

64-bit Linux
https://web.archive.org/web/20210000000000id_/https://fpdownload.adobe.com/get/flashplayer/pdc/32.0.0.465/flash_player_npapi_linux.x86_64.tar.gz Firefox / NPAPI
https://web.archive.org/web/20210000000000id_/https://fpdownload.adobe.com/get/flashplayer/pdc/32.0.0.465/flash_player_ppapi_linux.x86_64.tar.gz Chrome / PPAPI
RPMs: https://rpm.pkgs.org/universal/adobe-x86_64/

32-bit Linux
https://web.archive.org/web/20210000000000id_/https://fpdownload.adobe.com/get/flashplayer/pdc/32.0.0.465/flash_player_npapi_linux.i386.tar.gz Firefox / NPAPI
https://web.archive.org/web/20210000000000id_/https://fpdownload.adobe.com/get/flashplayer/pdc/32.0.0.465/flash_player_ppapi_linux.i386.tar.gz Chrome / PPAPI
RPMs:
https://rpm.pkgs.org/universal/adobe-i386/

@popov654
Copy link

Did not work for me (Windows 7 x64, Firefox 62, Flash is the same version as yours)

@leecher1337
Copy link

Using Infinity may be problematic, see

leecher1337/flashpatch#3
leecher1337/flashpatch@9d2e368

@LiEnby
Copy link
Author

LiEnby commented May 12, 2021

Using Infinity may be problematic, see

leecher1337/flashpatch#3
leecher1337/flashpatch@9d2e368

huh really? i thought i was being smart by using letteral "Infinity". and it had no issues till now- i wonder why that happens?
well you could have it like a billion years in the future for much of the same effect so .

@leecher1337
Copy link

I was able to reproduce it using the stuff given in the ticket.
I guess, as long as calling application like Web Browser catches Floating Point Exceptions ( Set8087CW(0x133f) ), it doesn't harm, but i.e. mentioned ActiveX Runner doesn't handle them and therefore aborts.

@profMastermind
Copy link

profMastermind commented Jun 18, 2021

Worked for me in ubuntu x64 using chromum v65.0 - just need to enable this flag chrome://flags/#ignore-gpu-blacklist in chromium - used infinity
Thanks @KuromeSan for sharing this :)

@Wojtek444214
Copy link

It works for me in Chrome Version 87.0.4280.88 (Official Build) (32-bit) and Flash Player 32.0.0.465 after manualy replacing hex 00 00 40 46 3E 6F 77 42 with 00 00 00 00 00 00 FF 7F in C:\Windows\SysWOW64\Macromed\Flash \ FlashUtil64_32_0_0_465_pepper.dll
Browser displays "Adobe Flash Player was blocked because it is out of date" and I have to click "Run this time" button each time I want to use it. Is there any way to bypass it ?

@91to
Copy link

91to commented Feb 11, 2022

At first, uninstall completely all flash player in your system (programs and components). Then download archive from this url: https://disk.yandex.ru/d/JgVvwbSr7JNgUw
Click the "exe" file and thats all! Process of installing will not displayed, but it install to you all 3 types: active x, PPAPI, NPAPI! You can check the result in "installed programs" in your system. It will be displayed as "Adobe Flash Player ActiveX & Plugin 64 - bit". And every of type will be 32.0.0.293 version. After that, MPC WILL BE WORK WITH SWF!! Unbelievable, but this program i found absolutely accidentally, and this exe from 2016 year. (if you can't download it, you can find me at my youtube channel: www.youtube.com/channel/UCeUBlU6orRsvEiWXOSHB6yg just write comment about it in any of my videos, and i'll reload this file)

@Fay0324
Copy link

Fay0324 commented May 11, 2022

At first, uninstall completely all flash player in your system (programs and components). Then download archive from this url: https://disk.yandex.ru/d/JgVvwbSr7JNgUw Click the "exe" file and thats all! Process of installing will not displayed, but it install to you all 3 types: active x, PPAPI, NPAPI! You can check the result in "installed programs" in your system. It will be displayed as "Adobe Flash Player ActiveX & Plugin 64 - bit". And every of type will be 32.0.0.293 version. After that MPC WILL BE WORK WITH SWF!! Unbelievable, but this program i found absolutely accidentally, and this exe from 2016 year. (if you can't download it, you can find me at my youtube channel: www.youtube.com/channel/UCeUBlU6orRsvEiWXOSHB6yg just write comment about it in any of my videos, and i'll reload this file)

Hello! I made an account here just to express my gratitude. I've been trying to solve this issue since 2020 but couldn't find a possible solution. I've already tried so many versions of the app, yet nothing worked. Your file helped a lot. I can now use my Encarta kids software! Thank you so much!!!!

Copy link

ghost commented Jun 6, 2022

is their a way to download the version you did?

@leecher1337
Copy link

is their a way to download the version you did?

https://github.com/leecher1337/flashpatch/releases/tag/20210512

If you mean flash patch with TS far-far away instead of inifinity

@Arnav30-web
Copy link

Bro Minecraft Education Pointer paths are not coming pls help me :( U really helped me pls this time also ,, it took ages to find u after the vanishing of the page pls help me my friends 17.32 has came now :((
image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment