Appendix A: Flash Uncovered
A simple .swf file and it’s
below the line representation
At some point along your journey to write your own .swf files, you are going to have to be able to read and understand the raw bits and bytes. I created a one frame flash movie that contained only a rectangle and saved it as Rectangle.swf. Let’s take a look at the way the file is represented in its .swf format. Below is the hexadecimal representation of Rectangle.swf. Let’s take a closer look…
000000 46 57 53 03 4F 00 00 00 78 00 05 5F 00 00 0F A0
000010 00 00 0C 01 00 43 02 FF FF FF BF 00 23 00 00 00
000020 01 00 70 FB 49 97 0D 0C 7D 50 00 01 14 00 00 00
000030 00 01 25 C9 92 0D 21 ED 48 87 65 30 3B 6D E1 D8
000040 B4 00 00 86 06 06 01 00 01 00 00 40 00 00 00
Every .swf file has two parts, the header block and a series of tagged data blocks. Let’s begin with the header.
HEADER
The header is always the first 21 bytes of the .swf file (true?). It describes the file version(1,2, or 3), length of the file in bytes, the frame size in TWIPS, frame rate in frames per second, and the frame count.
Here is the “SWF File Reference’ description of the header:
Field |
Type |
Comment |
|
Signature |
UI8 |
Signature byte always ‘F’ |
|
Signature |
UI8 |
Signature byte always ‘W’ |
|
Signature |
UI8 |
Signature byte always ‘S’ |
|
Version |
UI8 |
Single byte file version |
|
File Length |
UI32 |
Length of entire file in bytes |
|
Frame Size |
RECT |
Frame size in TWIPS |
|
Frame Rate |
UI16 |
Frame delay in 8.8 fixed number of frames per second |
|
Frame Count |
UI16 |
Total number of frames in movie |
The first three bytes are the standard signature for all .swf files. They are the ASCII values of the characters ‘F’, ‘W’, and ‘S’ in that order. The fourth byte indicates the version of the file. Although a file can be of version 1, 2, or 3, we will always be creating version 3 files so this value will also be fixed.
0x46 ‘F’
0x57 ‘W’ 0x53 ‘S’
0x03 3
The next 4 bytes represent an unsigned 32-bit integer indicating the file size. Here’s where it starts getting tricky and machine architecture gets involved! The next 4 bytes are 0x4F000000 so that would imply that the file length is 1325400064 bytes, a very large number which doesn’t make sense. What we failed to do is swap all the bytes.
In .swf files, bytes are swapped whenever reading words and dwords such that a 32 bit value B1B2B3B4 is written as B4B3B2B1, and a 16 bit value B1B2 is written as B2B1. Single bytes are written unchanged since there is NO bit-swapping. The reason for this is the differences in storage and retrieval between the Mac and PC processors.
Reversing the bytes we can read the 4 bytes correctly and see that file is 79 bytes long.
0x4F000000 0x0000004F
79
The next 9 bytes represent a data structure used in the .swf format called a Rectangle. Here is the file description of a rectangle:
Field |
Type |
Comment |
|
Nbits |
nBits = UB[5] |
Bits in each rect value field |
|
Xmin |
SB[nBits] |
X minimum
position for rect |
|
Xmax |
SB[nBits] |
X maximum
position for rect |
|
Ymin |
SB[nBits] |
Y minimum
position for rect |
|
Ymax |
SB[nBits] |
Y maximum position for rect |
To understand these bytes, we need to look at the individual bits.
78 00 05 5F 00 00 0F A0 00
0111 1000 0000 0000 0000 0101 0101 1111
0000 0000
0000
0000 0000 1111 1010
0000 0000 0000
There are five fields in a rectangle structure: nBits, xmin, xmax, ymin, ymax. The unsigned nBits field occupies the first five bits of the rectangle and indicates how long the next four signed fields are.
Here’s where we hit another subtle point about the .swf file representation. Reading and writing bits is different from reading and writing words and dwords. There is no swapping at all! This is because when Flash is reading an n-bit field, it reads a byte at a time until it has read all n bits. You don’t do any swapping inside of bytes so there is no swapping at all. So the next five bits are read in order and evaluate to 15. Although the nBit field usually varies, it appears fixed in the header so that header has a fixed size (It may just be because the movie dims are usually the same).
01111 15
What if nBit has a value of sixteen? This is exactly the size of a word so do we read the following fields as words and swap bytes? No. Fields described by bit size are always read a byte at a time. No swapping, just read the next n bits in that order.
000000000000000 0
= xmin
010101011111000 11000 = xmax
000000000000000 0 = ymin
001111101000000 8000 = ymax
For the header, the rectangle is used to store the movie dimensions with xmax corresponding to the movie width and ymax corresponding to the movie height, both in TWIPS. “What’s this TWIPS thing?” you ask. According to whatis.com :
A twip (twentieth of a point) is a measure used in
laying out space or defining objects on a page or other area that is to be
printed or displayed on a computer screen. A twip is 1/1440th of an inch or
1/567th of a centimeter. That is, there are 1440 twips to an inch or 567 twips
to a centimeter. The twip is 1/20th of a point, a traditional measure in
printing. A point is approximately 1/72nd of an inch.
For Flash a point corresponds to a pixel, so if we convert from TWIPS to pixels, we see that our movie is 550 x 400.
Now we have looked at all of the fields of the rectangle and evaluated them, but what about those last seven bits which are all 0’s. Well, they were just “filled.”
0000000 = filled bits
After the end of any structure, if the structure does not completely fill up its last byte, then that last byte is filled with 0’s to keep the next item byte aligned. So if the next item is a word or dword, you can read it as such and not worry about being in the middle of a byte. In this case, only 1 bit in the last byte is used so the last 7 bits are filled with 0’s.
Next in the header is the frame rate, which is kind of weird. It is supposed to be stored as a 16bit integer, but the first byte (or last depending on how you look at it) is completely ignored. So the frame rate is 12 fps.
0x000C
0x0C00 0x0C 12 = frame
rate
Next is the frame count, which is also a 16-bit integer. So the frame count is 1.
0x0100
0x0001(byte swapping)
1 = frame count
Now we are done with the header. After the header is a series of tagged data blocks. Here is the file description of a tag:
Short Tag
|
Field |
Type |
Comment |
|
Tag |
UB[10] |
Tag id |
|
Length |
UB[6] |
Length of tag |
Long Tag
|
Field |
Type |
Comment |
|
Tag |
UB[10] |
Tag id |
|
Long Header Flag |
UB[6] |
Always 0x3F |
|
Length |
UI32 |
Length of tag |
There are 2 types of tags. They are the short and long data header. Regardless of which case you have, you begin by looking at the first word.
0x4302 0x0243
0000 0010 0100 0011
The first 10 bits of the tag are the unsigned tag ID. The tag ID indicates what type of data is to follow in the body of the data block to follow. In this case the value of the tag ID is 9 which corresponds to a setBackgroundColor block. (APPENDIX SHOULD HAVE ALL ID MEANINGS). The last 6 unsigned bits of the tag indicate the length of the data block to follow if it is 62 bytes or less. If the length of the data block is more than 62 bytes, then this field has all 1’s and the length is indicated in the following dword. In this situation though the field does not have all 1’s so the field does indicate the actual length which is 3 bytes.
0000001001 = 9 = setBackgroundColor 000011 = 3 = body length
Since we know that the length of the body is 3 bytes, let’s take a look at it. A setBackgroundColor block only contains the 3 byte rgb color description so we evaluate it as such. A color is its own 3 byte data type so there is no byte swapping.
0XFFFFFF = white
The next tag is a long tag and is a defineShape tag.
0xBF00
0x00BF 0000 0000 1011 1111
0000000010 = 3 = defineShape 111111 = body length (so we have to look at the
next dword)
0x23000000
0x00000023 35 = body length
Here is the file description of defineShape:
|
Field |
Type |
Comment |
|
Header |
RECORDHEADER |
Tag ID = 2 |
|
ShapeId |
UI16 |
ID for this character |
|
ShapeBounds |
RECT |
Bounds of the shape |
|
Shapes |
SHAPEWITHSTYLE |
Shape information |
The body of a defineShape is composed of an unsigned 16-bit character ID, a rectangle defining the bounds for the shape, and a ShapeWithStyle structure which contains shape information.
0x0100 0x0001 1 = shape ID
Now the Rect which defines the boundaries:
70 FB 49 97 0D 0C 7D 50
0111 0000 1111 1011 0100
1001 1001 0111 0000
1101 0000 1100 0111 1101 0101 0000
01110 = 14 = nBits
00011111011010 = 2010 = xmin /20 to covert to pixels from TWIPS 100.5
01001100101110 = 4910 = xmax 245.5
00011010000110 = 1670 = ymin 83.5
00111110101010 = 4010 = ymax 200.5
000 = fill bits
The ShapeWithStyle structure has five parts. A fill style array, a line style array, a nFillBits field, a nLineBits field, and an array of shape records. Here is the file description:
|
Field |
Type |
Comment |
|
FillStyles |
FILLSTYLEARRAY |
Array of fill styles |
|
LineStyles |
LINESTYLEARRAY |
Array of line styles |
|
NumFillBits |
nFillBits = UB[4] |
Number of fill index bits |
|
NumLineBits |
nLineBits = UB[4] |
Number of line index bits |
|
ShapeRecords |
SHAPEREC[one or more] |
Shape records - see below |
A fill style array itself has three fields. The first field is an 8 bit integer count which indicates how many fill styles are in the array. This count works similar to the tag’s length field in that if it is all 1’s, you have to look at the next 16-bits to get the actual length. Here is the file description:
|
Field |
Type |
Comment |
|
FillStyleCount |
count = UI8 |
Count of fill styles |
|
FillStyleCountExtended |
If count = 0xFF count = UI16 |
Extended count of fill styles. Supported only for Shape2
and Shape3. |
|
FillStyles |
FILLSTYLE[count] |
Array of fill styles |
In this case, the 8 bit count is equal to 0 so there is nothing to follow it.
0x00 = 0 = count This is the end of the fill style array because it has no
elements
A line style array is exactly the same as a fill style array except it stores line styles. Here is the file description:
|
Field |
Type |
Comment |
|
LineStyleCount |
count = UI8 |
Count of line styles |
|
LineStyleCountExtended |
If count = 0xFF count = UI16 |
Extended count of line styles |
|
LineStyles |
LINESTYLE[count] |
Array of line styles |
0x01 = 1 = count So there is one line style in the array.
A line style has two parts, an unsigned 16-bit integer indicating the width of a line in TWIPS, and a color. Here is the file description:
|
Field |
Type |
Comment |
|
Width |
UI16 |
Width of line in twips |
|
Color |
RGB (Shape1 or Shape2) |
Color value including alpha channel information for
Shape3s |
The color in this case is a 24-bit RGB, but if we were doing a defineShape3, it would be a 32-bit RGBA where alpha is the transparency of the color.
0x1400 0x0014 = 20 =
width = 1 pixel
0x000000 = RGB = black
Back to the ShapeWithStyle, the nFillBits field is 4 bits, as is the nLineBits.
0x0 = 0 = nFillBits 0x1 = 1 = nLineBits
Now for the array of shape records. There are three types of shape records. Here are the file descriptions:
Shape Record Type 0
|
Field |
Type |
Comment |
|
TypeFlag |
UB[1] = 0 |
Non-edge record flag |
|
EndOfShape |
UB[5] = 0 |
End of shape flag |
Shape Record Type 1
|
Field |
Type |
Comment |
|
TypeFlag |
UB[1] = 0 |
Non-edge record flag |
|
StateNewStyles |
newStyles = UB[1] |
New styles flag. Used by DefineShape2 and DefineShape3
only. |
|
StateLineStyle |
lineStyle = UB[1] |
Line style change flag |
|
StateFillStyle0 |
fillStyle0 = UB[1] |
Fill style 0 change flag |
|
StateFillStyle1 |
fillStyle1 = UB[1] |
Fill style 1 change flag |
|
StateMoveTo |
moveTo = UB[1] |
Move to flag |
|
MoveBits |
If moveTo nMoveBits = UB[5] |
Move bit count |
|
MoveDeltaX |
If moveTo UB[nMoveBits] |
Delta X value |
|
MoveDeltaY |
If moveTo UB[nMoveBits] |
Delta Y value |
|
Fill0Style |
If fillStyle0 UB[nFillBits] |
Fill 0 Style |
|
Fill1Style |
If fillStyle1 UB[nFillBits] |
Fill 1 Style |
|
LineStyle |
If lineStyle UB[nLineBits] |
Line Style |
|
FillStyles |
If newStyles FILLSTYLEARRAY |
Array of fill styles |
|
LineStyles |
If newStyles LINESTYLEARRAY |
Array of line styles |
Shape Record Type 2
|
Field |
Type |
Comment |
|
TypeFlag |
UB[1] = 1 |
This is an edge record |
|
EdgeRecord |
EDGERECORD |
Line or curve edge record |
Type 0 defines the end of the shape record array. Type 1 defines changes in line style, fill style, position, or a new set of styles. Type 2 defines a straight or curved edge. The first bit in a shape record is a type flag. A 0 corresponds to a non-edge record, and a 1 corresponds to an edge record. Looking at the first bit of our first shape record, we see that it is not an edge record. Now we must look at the next 5 bits which are all flags which tell us what is to follow. If all of the 5 bits are 0, then that is a type0 shape record and defines the end of the array of shape records.
25 C9 92 0D 21
0010 0101 1100
1001 1001 0010 0000
1101 0010 0001
0 = 0 = non edge record
01001 = 5 flags line style flag is true, and move to flag is true
Since the move to flag is true, the next 5 bits are the nMoveToBits field. This value is 14 so the next two fields which are the moveDeltaX, and the moveDeltaY are of size 14. These are unsigned numbers.
01110 = nMoveToBits
01001100100100 = 4900 (TWIPS) = 245 pixels = moveDeltaX
00011010010000 = 1680 = 84 pixels = moveDeltaY
Since the line style flag is true,
the next field is a nLineBits = 1 bit field representing the line style. This field is equal to 1. What exactly does this mean? It means
that the line style for the line to follow is the first one in the line style
array.
1 = 1 = line style
Now for the rest of the shape records:
ED 48 87 65 30 3B 6D E1 D8 B4 00 00
1110 1101 0100 1000 1000 0111 0110 0101 0011 0000 0011 1011 0110 1101 1110 0001 1101 1000 1011 0100 0000 0000 0000 0000
The next shape record begins with a 1 so it is an edge record. There are two types of edge records. Here are the file descriptions:
Edge Record Type 0 (Curved)
|
Field |
Type |
Comment |
|
EdgeFlag |
UB[1] = 0 |
Curved edge - always 0 |
|
NumBits |
nBits = UB[4] + 2 |
Number of bits per value |
|
ControlDeltaX |
SB[nBits] |
X control point change |
|
ControlDeltaY |
SB[nBits] |
Y control point change |
|
AnchorDeltaX |
SB[nBits] |
X anchor point change |
|
AnchorDeltaY |
SB[nBits] |
Y control point change |
Edge Record Type 1 (Straight)
|
Field |
Type |
Comment |
|
EdgeFlag |
UB[1] = 1 |
Straight edge - always 1 |
|
NumBits |
nBits = UB[4] + 2 |
Number of bits per value |
|
GeneralLineFlag |
lineFlag = UB[1] |
General Line equals 1 |
|
DeltaX |
If lineFlag = 1 SB[nBits] |
X delta |
|
DeltaY |
If lineFlag = 1 SB[nBits] |
Y delta |
|
VertLineFlag |
If lineFlag = 0 vertFlag = SB[1] |
Vertical Line equals 1 |
|
DeltaX |
If vertFlag = 0 SB[nBits] |
X delta |
|
DeltaY |
If vertFlag = 1 SB[nBits] |
Y delta |
The next bit indicates if it is a straight or curved edge. It is a 1 which stands for a straight edge. The next 4 bits indicate the size of any delta fields which follow. The formula for the nbits value is 2 + whatever the value of that 4 bit field. In this case, the value of nbits is 13. Following the nbit field is a 1-bit line flag. This indicates whether the line being described is a general line or horizontal/vertical line. The value of 0 corresponds to a hor/vert line, so the next bit is a vertFlag field and indicates whether the line is horizontal or vertical. The value of the bit is 1 which corresponds to a vertical line. The next field for a vertical line is the signed DeltaY field which is nbits = 13 bits long. The value corresponds to 116 pixels. That is the end of the shape record.
1 = 1 = edge record
1 = 1 = straight edge
1011 = 11 + 2 = 13 = nbits
0 = 0 = hor/vert line
1 = 1 = vertical line
0100100010000 = 2320 TWIPS = 116 pixels = DeltaY
The next three records are very similar to the last one:
1 = 1 = edge record
1 = 1 = straight edge
1011 = 11 + 2 = 13 = nbits
0 = 0 = hor/vert line
0 = 0 = horizontal line
1010011000000 = -2880 TWIPS (2’s complement number) = -144 pixels = DeltaX
1 = 1 = edge record
1 = 1 = straight edge
1011 = 11 + 2 = 13 = nbits
0 = 0 = hor/vert line
1 = 1 = vertical line
1011011110000 = -2320 TWIPS = -116 pixels = DeltaY
1 = 1 = edge record
1 = 1 = straight edge
1011 = 11 + 2 = 13 = nbits
0 = 0 = hor/vert line
0 = 0 = horizontal line
0101101000000 = 2880 TWIPS = 144 pixels = DeltaX
Finally, the last shape record begins with a 0 which means it is not an edge record. Furthermore all of it’s flag bits are equal to 0 which means that it is the last shape record and we are through with our shape record array.
0 = 0 = non-edge record
000000 = flags (since they are all 0, this is the end of the shape record array
Since we are done with our structure, we must now fill our last byte with 0’s to keep byte aligned.
000000 = filled 0’s
We are also done with our shape with style since the shape record array is the last element of the shape with style. Since we are already byte aligned, we can go on to our next tagged data block.
The tag ID of the block is equal to 26 which corresponds to a placeObject2. The length field has a value of 6 so the length of the data block is 6 bytes.
0x8606 0x0686 0000 0110 1000 0110
0000011010 = 26 = tag ID = placeObject2
000110 = 6 = length
06 01 00 01 00 00
0000
0110 0000
0001 0000 0000 0000 0001 0000 0000 0000 0000
Here is the file description of the placeObject2:
|
Field |
Type |
Comment |
|
Header |
RECORDHEADER |
Tag ID = 26 |
|
PlaceFlagsReserved |
UB[2] |
Reserved Flags |
|
PlaceFlagHasName |
UB[1] |
Has name |
|
PlaceFlagHasRatio |
UB[1] |
Has ratio |
|
PlaceFlagHasColorTransform |
UB[1] |
Has color transform |
|
PlaceFlagHasMatrix |
UB[1] |
Has matrix |
|
PlaceFlagHasCharacter |
UB[1] |
Places a character |
|
PlaceFlagMove |
UB[1] |
|
|
Depth |
UI16 |
Depth of character |
|
CharacterId |
If PlaceFlagHasCharacter = 1 UI16 |
ID of character to place |
|
Matrix |
If PlaceFlagHasMatrix = 1 MATRIX |
Transform matrix data |
|
ColorTransform |
If PlaceFlagHasColorTransform = 1 CXFORM |
Color transform data |
|
Ratio |
If PlaceFlagHasRatio = 1 UI16 |
|
|
Name |
If PlaceFlagHasName = 1 STRING |
Name of character |
The first 8 bits of the body are all flags indicating what is to follow. A 1 in the 6th bit indicates that the body has a transform matrix, and the 1 in the 7th bit indicates that the object to be placed has a character ID.
00000110
body has a transform matrix and object has a character ID
Following the flags is a 16-bit unsigned integer which indicates the depth of the character. In this case the depth is 1 which makes sense since the rectangle is the only object in the movie.
0x0100 0x0001 depth = 1
Since the object has a character ID, the next field in the body is the unsigned 16-bit ID. Being the only object in the movie, the ID of the rectangle is 1.
0x0100
0x0001 character ID = 1
The final field for this placeObject2 is the transform matrix. Here is the file description:
Field |
Type |
Comment |
|
HasScale |
hasScale = UB[1] |
Has scale values if equal to 1 |
|
NscaleBits |
If hasScale nScaleBits =UB[5] |
Bits in each scale value field |
|
ScaleX |
If hasScale FB[nScaleBits] |
X scale value |
|
ScaleY |
If hasScale FB[nScaleBits] |
Y scale value |
|
HasRotate |
hasRotate = UB[1] |
Has rotate and skew values if equal to 1 |
|
NrotateBits |
If hasRotate nRotateBits = UB[5] |
Bits in each rotate value field |
|
RotateSkew0 |
If hasRotate FB[nRotateBits] |
First rotate and skew value |
|
RotateSkew1 |
If hasRotate FB[nRotateBits] |
Second rotate and skew value |
|
NtranslateBits |
nTranslateBits = UB[5] |
Bits in each translate value field |
|
TranslateX |
SB[nTranslateBits] |
X translate value |
|
TranslateY |
SB[nTranslateBits] |
Y translate value |
Since this shape has no transform information, the matrix is empty. All of its flag bits have values of zero. This is not super efficient but it is valid.
0x00 completely
empty matrix with leftover bits filled
Since we are done with our placeObject2, let’s take a look at our next tag.
0x4000 0x0040 0000 0000 0100 0000
tag ID = 1 = showFrame
length = 0
We see that the tag is an instruction to show the frame. A showFrame has no body. Its length is 0, so we move on to the next tag.
0x0000
0x0000 0000 0000 0000 0000
tag ID = 0 = end
length = 0
We have reached the end tag which signals the end of our .swf file!!!!!!!!!!