Dynamic instrumentation tool for Adobe Flash Player built on Intel Pin
C++ C
Switch branches/tags
Nothing to show
Latest commit 2e7eef2 Aug 5, 2014 @timhir timhir First release



Sulo is a dynamic instrumentation tool for Adobe Flash Player. It is built on Pin.

Supported Flash versions

The following Flash Player builds are supported:

  • standalone debug
  • standalone non-debug
  • ActiveX
  • standadlone non-debug
  • ActiveX

You can add support for another Flash Player build by specifying some RVAs and offsets in FlashPlayerConfigBuilder.cpp.


Sulo supports ActionScript3 method calls only - AVM1 is not (yet) supported.


The easiest way to build Sulo is to use the sulo_vs2010.sln solution file with Visual Studio 2010.

  1. Download Intel Pin kit for Visual Studio 2010
  2. Extract the ZIP
  3. Clone Sulo to pin-2.13-65163-msvc10-windows\source\tools\Sulo
  4. Open sulo_vs2010.sln and build the solution


Sulo comes with three plugins:

  1. Call tracer - logs all ActionScript method calls, including arguments and return values
  2. Flash dumper - dumps Flash objects loaded with Loader.loadBytes() to disk
  3. SecureSWF - logs decrypted strings from secureSWF-protected files

Creating your own plugin is easy: just inherit your class from ISuloPlugin, implement the virtual methods, and add the object to m_plugins in SuloPluginManager::init().

Instrumenting Flash Player with Sulo

pin.exe -t source\tools\sulo\Debug\sulo.dll -- "C:\path\to\Adobe\Flash\Player.exe"

Command-line options

Option Default Plugin Explanation
fast false General Enables faster analysis by disabling call trace logging
early_tracing false Call tracer Start logging ActionScript method calls as early as possible (already before any calls from the actual Flash)
tracefile "calltrace.txt" Call tracer Filename for storing the call trace
flash_dump_prefix "dumped" Flash dumper Filename prefix for dumped Flash objects
secureswf "" SecureSWF Name of the string secureSWF decryption method


Apache License, Version 2.0