The Recursive Hack: Decompiling a Decompiler to Unlock Its Own Secrets
In a twist that epitomizes developer curiosity, Doug McCune recently documented his journey to decompile Nemo 440—an Adobe AIR application that disassembles SWF files into ActionScript Byte Code (ABC)—only to discover the tool actively prevents introspection of its own code. His investigation exposes fascinating layers of reverse-engineering recursion and the technical gymnastics required to bypass self-protection mechanisms.
The Meta-Problem: A Decompiler That Hides From Itself
Nemo 440, created by Vadim Melnik, enables developers to inspect SWF/SWC files by listing classes, methods, and detailed ABC bytecode instructions like:
    0 getlocal0
    1 pushscope
    2 getlex http://www.adobe.com/2006/flex/mx/internal::layoutObject
    5 getlocal1
    6 setproperty direction
When McCune loaded Nemo 440 into itself for analysis, however, the tool’s core classes were conspicuously absent. Suspicious, he turned to the Sothink Decompiler and uncovered a deliberate obfuscation tactic: a _checkName() method filtering out any package containing "docsultant" or "nemo440".
    private function _checkName(param1:String) : Boolean
    {
        if (param1 != null)
        {
            if (param1.indexOf("docsultant") >= 0)
            {
                return false;
            }
            if (param1.indexOf("nemo440") >= 0)
            {
                return false;
            }
        }
        return true;
    }
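One way to audit a listing for this kind of omission, as an added example that is not McCune's or Melnik's code: read class names straight from the SWF's SymbolClass tags and apply a Python port of the `_checkName()` logic above to see which of them a filtered view would drop. It narrows to SymbolClass exports rather than parsing the full ABC constant pool, and `sample_swf()` with its class names is constructed for the demo.

```python
import struct, zlib

HIDDEN = ("docsultant", "nemo440")  # substrings tested by the page's _checkName()

def check_name(name):
    """Port of the decompiled _checkName(): False means the name is hidden."""
    return name is None or not any(s in name for s in HIDDEN)

def swf_tags(data):
    """Yield (tag_code, body) for every tag in an FWS or CWS file."""
    if data[:3] == b"CWS":                      # zlib-compressed after 8 bytes
        data = data[:8] + zlib.decompress(data[8:])
    elif data[:3] != b"FWS":
        raise ValueError("not an FWS/CWS SWF")
    nbits = data[8] >> 3                        # RECT: 5-bit width, then 4 fields
    pos = 8 + (5 + 4 * nbits + 7) // 8 + 4      # skip RECT, frame rate, frame count
    while pos + 2 <= len(data):
        (hdr,) = struct.unpack_from("<H", data, pos)
        code, length, pos = hdr >> 6, hdr & 0x3F, pos + 2
        if length == 0x3F:                      # long header: 32-bit length follows
            (length,) = struct.unpack_from("<I", data, pos)
            pos += 4
        yield code, data[pos:pos + length]
        pos += length
        if code == 0:                           # End tag
            return

def symbol_classes(data):
    """Class names exported by SymbolClass tags (tag code 76)."""
    names = []
    for code, body in swf_tags(data):
        if code == 76:
            (count,) = struct.unpack_from("<H", body)
            pos = 2
            for _ in range(count):
                end = body.index(b"\0", pos + 2)    # skip the 16-bit character id
                names.append(body[pos + 2:end].decode("utf-8"))
                pos = end + 1
    return names

def hidden_by_filter(data):
    return [n for n in symbol_classes(data) if not check_name(n)]  # in file, not in listing

def sample_swf(names=("mx.core.Application", "com.docsultant.example.Main")):
    # Constructed minimal SWF; the class names are made up for the demo.
    syms = struct.pack("<H", len(names)) + b"".join(
        struct.pack("<H", i) + n.encode() + b"\0" for i, n in enumerate(names))
    tags = struct.pack("<HI", (76 << 6) | 0x3F, len(syms)) + syms + b"\0\0"
    return b"FWS\x09" + struct.pack("<IBHH", 13 + len(tags), 0, 24 << 8, 1) + tags
```

Comparing `symbol_classes()` output against what a tool displays shows whether the tool's view of a file is complete.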
Bypassing the Barrier
McCune spent six hours reconstructing Nemo 440’s disassembly logic using Sothink’s output, cross-referencing the SWF specification and AVM2 documentation. His rebuilt AIR app successfully disassembled Nemo 440 itself—revealing Flex libraries, Flexlib components, and the ABC bytecode Melnik’s tool initially concealed.
Why This Matters
- Tool Transparency: Tools for code analysis shouldn’t be black boxes. McCune’s experiment highlights ethical tensions around proprietary disassemblers that resist scrutiny.
- Bytecode Literacy: Understanding ABC remains valuable for Flash-era legacy systems, security audits, and historical preservation.
- Recursive Debugging: The ordeal underscores a developer’s relentless drive to "see how the sausage is made," even when met with anti-inspection measures.
McCune’s recursive decompilation adventure—prompted by what he calls "meta-geekiness"—exemplifies the intellectual thrill of reverse engineering. While he refrains from publishing his rebuilt tool without Melnik’s approval, the technical feat stands as a testament to SWF’s enduring complexity and the universal itch to unravel secrets.
Source: Doug McCune’s Blog