Reverse Engineering SSF2 Beta v1.1
A new version of Super Smash Flash 2 has obfuscated some things!
2018·08·24 · modding
I run a Sonic Battle Hacking Discord Server, filled with a bunch of people who like modding Sonic Battle for the GBA. Somebody in this Discord Server asked me to check out Super Smash Flash 2 Beta v126.96.36.199 because their old modding tools didn’t work for it.
The SSF2 developers have had a strong stance against modding, which I personally think is poor considering they’re making a non-profit game. That of course didn’t stop me from digging into the game.
I used the JPEXS Flash decompiler to inspect the code. SSF2 is written in ActionScript, which is very similar to other OOP languages. The first thing I noticed was that nothing was obfuscated, which made it easy to find some things, except some of the core resource loading was obfuscated (manually?).
The resource files are in a “hidden” ssf format. The files in the resources folder are named DAT3.ssf, etc. These files are “encrypted” SWF files. All we need is to figure out how to decode these into the SWF format and have JPEXS do the rest.
ssfs shows us a couple things:
- They’re ZLIB compressed
- There’s a mystery header before the SWF header
- Modifying this header breaks loading the resource
This tells us something in the code has to be decompressing them.
I disassembled the game using JPEXS and grepped the code for
Instantly had one hit in
The code containing the string is:
Let’s dissect this code a bit.
- At the beginning, b is our resource file that is loaded into a
- A new
c, is constructed to obfuscate things
- b is decompressed using ZLIB
- The beginning two ints in b are stored in
- We then read n ints out of
- The bytes in [b.position, l) are copied to
- b is set to the bytes we just copied to
b, truncating the original array to
What’s really going on here?
b starts off with the length of the SWF data (
and the length of the mystery header (n). This mystery header doesn’t actually contain any information; it’s skipped right over!
Here’s what a decompressed .ssf file contains:
1. 4 bytes to indicate the size of the SWF in bytes
2. 4 bytes to indicate the size of the garbage data in bytes
3. Any number of random, useless bytes, as indicated by #2
4. The SWF itself prefixed by the typical SWF header,
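The layout above as a small Python reader and writer. This is an added example, not the Kotlin tool from this post or any code from the game. It assumes both length fields are big-endian signed 32-bit ints (the default for ActionScript's ByteArray) and that the filler length counts bytes; the names unpack_ssf, pack_ssf, MAX_RAW and the sample bytes are made up for the illustration.

```python
import os
import struct
import zlib

# Assumption: big-endian signed ints, the default for ActionScript's ByteArray.
HEADER = struct.Struct(">ii")
MAX_RAW = 64 * 1024 * 1024  # assumed cap on decompressed size for untrusted files


def unpack_ssf(blob: bytes) -> bytes:
    """Return the SWF stored inside a zlib-compressed .ssf container."""
    inflater = zlib.decompressobj()
    raw = inflater.decompress(blob, MAX_RAW)
    if not inflater.eof:
        raise ValueError("zlib stream is truncated or exceeds MAX_RAW")
    if len(raw) < HEADER.size:
        raise ValueError("missing length fields")
    swf_len, pad_len = HEADER.unpack_from(raw)
    if swf_len < 0 or pad_len < 0:
        raise ValueError("negative length field")
    start = HEADER.size + pad_len  # skip the filler without interpreting it
    end = start + swf_len
    if end > len(raw):
        raise ValueError("length fields point past the decompressed data")
    swf = raw[start:end]
    if swf[:3] not in (b"FWS", b"CWS", b"ZWS"):
        raise ValueError("payload does not start with an SWF signature")
    return swf


def pack_ssf(swf: bytes, pad_len: int = 16) -> bytes:
    """Wrap an SWF as: SWF length, filler length, filler bytes, SWF; then zlib."""
    filler = os.urandom(pad_len)  # content is irrelevant, it is only skipped
    return zlib.compress(HEADER.pack(len(swf), pad_len) + filler + swf)


# Constructed sample: a bare 8-byte SWF header, not a real game resource.
SAMPLE_SWF = b"FWS" + bytes([10]) + struct.pack("<I", 8)

if __name__ == "__main__":
    assert unpack_ssf(pack_ssf(SAMPLE_SWF)) == SAMPLE_SWF
    print("round trip ok")
```

The length checks matter because the two ints are the only structure in the file: a wrong value there shifts where the SWF is read from.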
What’s next? Write a tool to generate the headers!
I chose to write it in Kotlin since it is a language I enjoy. The GUI code doesn’t matter much, only the compressing / decompressing.
Here’s the pseudocode to compress a
Pretty simple! Here’s the pseudocode to decompress a
And that’s it! We’ve got an SSF2 resource (de)compressor! There are other things
encrypted in the code, like what characters / stages are in what
but I’ll probably get to that soon.
Here’s an example mod that changes Pichu’s name.
The code is available on GitHub. I made it in one night, so I didn’t take time to make it look good or anything, but it works.
Thanks to the other SSF2 modders who introduced me to the game!