Didier Stevens

Monday 14 October 2013

Update: XORSearch Version 1.9.2

Filed under: Forensics,My Software,Update — Didier Stevens @ 5:00

I’ve been asked many times to support 32-bit keys with my XORSearch tool. But the problem is that a 32-bit bruteforce attack would take too much time.

Now I found a solution that doesn’t take months or years: a 32-bit dictionary attack.

I assume that the 32-bit XOR key is inside the file as a sequence of 4 consecutive bytes (MSB or LSB).

If you use the new option -k, XORSearch will perform a 32-bit dictionary attack to find the XOR key. The standard bruteforce attacks are disabled when you choose option -k.

XORSearch will extract a list of keys from the file: all unique sequences of 4 consecutive bytes (MSB and LSB order). Key 0x00000000 is excluded. Then it will use this list of keys to perform an XOR dictionary attack on the file, searching for the string you provided. Each key will be tested with an offset of 0, 1, 2 and 3.

It is not unusual to find the 32-bit XOR key inside the file itself. If it is a self-decoding executable, it can contain an XOR x86 instruction with the 32-bit key as operand. Or if the original file contains a sequence of 0x00 bytes (4 consecutive 0x00 bytes at least), then the encoded file will also contain the 32-bit XOR key.

Here is a test where XORSearch.exe searches a 0xDEADBEEF XOR encoded copy of itself. With only 74KB, there are still 100000+ keys to test, taking almost 10 minutes on my machine:

20131013-233829

XORSearch_V1_9_2.zip (https)
MD5: BF1AC6CAA325B6D1AF339B45782B8623
SHA256: 90793BEB9D429EF40458AE224117A90E6C4282DD1C9B0456E7E7148165B8EF32

Monday 30 September 2013

Bugfix virustotal-submit.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 13:12

This is a bugfix for my virustotal-submit.py program.

I fixed a bug in the error handling code for unreadable ZIP files.

virustotal-submit_V0_0_2.zip (https)
MD5: 1152A8507FE7A668DCDF5C44DEAD11DF
SHA256: D5A4E5C3E80F98D4A82A128D8C9DBA395C2B9CDFE9F37E2B0882904D47673CE5

Thursday 25 July 2013

Update: Lookup Tools

Filed under: My Software,Networking,Update — Didier Stevens @ 20:11

It looks like I didn’t release this update to my lookup tools.

lookup-hosts.py has a new argument: -R. This does a reverse lookup of the IP addresses (thus after it resolved the hostname).

20130725-220124

And now you can also use letters as a counter: test-[a-z].com

lookup-tools_V0_0_2.zip (https)
MD5: 310904722F900FA34C567FC38634124E
SHA256: 85626574A99BF4D2AB786D8C2FF5B8F6649F1FC7410F1786A24EF0201AAF64AA

Thursday 18 July 2013

Update: js-unicode-unescape.1sc

Filed under: 010 Editor,My Software,Update — Didier Stevens @ 18:36

Because I had to use a workaround in my js-unicode-unescape.1sc script to copy an array of bytes to the clipboard, I asked the 010 Editor developers if they could add a function that does exactly this.

They included this new function, CopyBytesToClipboard, in their new version 5.0.

Here is a new version that uses this function:
js-unicode-unescape_v0_0_2.zip (https)
MD5: 6200C4F235CA527E8C0DCD5076CB1C09
SHA256: 2CACC9EE1BB1D1BC4C9FABC6EC3B3440CFF304AA560966B0B531279C369549BB

Wednesday 3 July 2013

Update: virustotal-search.py

Filed under: My Software,Update — Didier Stevens @ 20:09

Mark Woan reported an issue with virustotal-search.py: sometimes VirusTotal returns a JSON object that the json parser can’t parse.

That’s something I didn’t expect. I’ve added error handling for this case.

virustotal-search_V0_0_9.zip (https)
MD5: FECD02796889CDFE9FA67287F2DE567C
SHA256: 0CE06CBAFC6341835EB8A62377F5C4EB067747EE28E7ED8BB25FD69A4B99FA97

Friday 3 May 2013

VirusTotal: Searching And Submitting

Filed under: Malware,My Software,Update — Didier Stevens @ 8:47

This is an update for virustotal-search.py and a release of a new tool: virustotal-submit.py. I created this new tool because I needed to submit a sample stored in a password protected ZIP-file (not the ZIP-file), without extracting the sample to disk.

To submit a file to VirusTotal, you just run virustotal-submit.py sample.exe.

If you submit a ZIP file, virustotal-submit.py will extract the first file to memory and submit that to VirusTotal. The ZIP file can be password protected with password “infected”. To submit the ZIP file itself, use option -z.

To submit a batch of samples, create a textfile with the name of the files to submit and use option -f.

virustotal-submit.py supports proxies too (Python variables HTTP_PROXY and HTTPS_PROXY or environment variables http_proxy and https_proxy).

Python module poster is required for this tool.

virustotal-submit_V0_0_1.zip (https)
MD5: 8793C3276822DDE36BA0804D3390AD4D
SHA256: F17B9EEC408833039AE63FCED9F6114F99AADFBE9D547AE88B2C3A6E54AE91B4

Updates to virustotal-search.py:

  • uses json or simplejson module
  • proxies are supported (Python variables HTTP_PROXY and HTTPS_PROXY or environment variables http_proxy and https_proxy)
  • option -g forces virustotal-search.py to use the local database in the same directory as the program

virustotal-search_V0_0_8.zip (https)
MD5: 011C88A9C9026A32DA473187A64E880C
SHA256: 30711202BB0CD01A17AFA7BB8BBFE1545B6A840BDB91D83C7753300EF7E71A8F

Thursday 21 March 2013

Update: PDFiD Version 0.1.2

Filed under: My Software,PDF,Update — Didier Stevens @ 9:05

This new version is a bugfix version for Python 3 plus I added a new name in the default report: /XFA

pdfid_v0_1_2.zip (https)
MD5: 60FC17757201F014A6ADA0744B74A740
SHA256: 1CF36C50427A2206275C322A8C098CD96A844CAF6077B105ADE9B1974789856F

Wednesday 13 March 2013

Update: pdf-parser Version 0.4.1

Filed under: My Software,PDF,Update — Didier Stevens @ 21:24

From version 0.4.1 on, you can also pass a URL or a ZIP file as argument to pdf-parser:

pdf-parser.py http://example.com/doc.pdf
pdf-parser.py maldoc.zip

When you pass a URL as argument, pdf-parser will download the PDF document and analyze it. The PDF document will not be written to disk. Supported protocols are http and https.

Passing a ZIP file as argument instructs pdf-parser to open the ZIP file and analyze the first file it finds in the ZIP archive. If the ZIP file is password protected, pdf-parser will try to access the compressed file with password infected. Same as with URLs, the PDF file in the ZIP container is not written to disk.

Further changes are: bug fixes, performance improvement and option –content. This option allows you to view the content of an object without stream or with stream but without filters.

pdf-parser_V0_4_1.zip (https)
MD5: A0314C0CD8AAE376C7448E74D4A7472C
SHA256: 633B7400015B2C936103CC64C37435FB333B0F2634B2A6CD3A8949EAB1D18E9B

Thursday 7 March 2013

Update: PDFiD Version 0.1.0

Filed under: My Software,PDF,Update — Didier Stevens @ 5:00

A month before my PDF training at HITB, it’s time to release new versions of my pdf tools.

I start with PDFiD. From version 0.1.0 on, you can also pass a URL or a ZIP file as argument to PDFiD:

pdfid.py http://example.com/doc.pdf
pdfid.py maldoc.zip

When you pass a URL as argument, PDFiD will download the PDF document and analyze it. The PDF document will not be written to disk. Supported protocols are http and https.

Passing a ZIP file as argument instructs PDFiD to open the ZIP file and analyze the first file it finds in the ZIP archive. If the ZIP file is password protected, PDFiD will try to access the compressed file with password infected. Same as with URLs, the PDF file in the ZIP container is not written to disk.

pdfid_v0_1_0.zip (https)
MD5: 6A5FF56C22EF2745C3D78C8FD8ACA01F
SHA256: D72FE8555DC89808EE7BFC9F791AD819A465106A95801C09C31B0FD2644B3977

Wednesday 20 February 2013

Update XORSearch V1.8.0: Shifting

Filed under: My Software,OSX,Reverse Engineering,Update — Didier Stevens @ 21:32

This new version of XORSearch comes with a new operation: shifting left.

It comes in handy to reverse engineer protocols like TeamViewer’s remote access protocol.

Here’s an example. When you run TeamViewer, your machine gets an ID:

20-02-2013 22-11-39

We capture some TeamViewer traffic with Wireshark, and then we use XORSearch to search for TeamViewer ID 441055893 in this traffic:

20130216-231230

And as you can see, XORSearch finds this ID by left-shifting the content of the pcap file with one bit.

« Previous PageNext Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 251 other followers