Didier Stevens

Sunday 2 August 2020

Videos: Defective USB Cable

Filed under: Hardware,video — Didier Stevens @ 0:00

When I had issues with my portapack, it took me some time to remark that these issues only happened with a particular USB cable.

The SDR would work fine, and then when I would try to record or playback, the screen would turn dark.

You can see this in the following video:

What is happening, is that this particular USB cable is electrically defective: the voltage drop is too large, due to the abnormally high resistance of the cable. The portapack doesn’t receive enough power, and starts to malfunction.

In the following 2 videos, I perform various tests with that defective cable:

Videos on my video blog (with some info on the devices I used):

Saturday 1 August 2020

Overview of Content Published in July

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in July:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

Thursday 30 July 2020

Update: pecheck.py Version 0.7.11

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a bugfix version

pecheck-v0_7_11.zip (https)
MD5: D3B69575F0A08377D1A08886D34230FD
SHA256: 2B59F745377EABDF81118997CA70F5F4DBC1CE927370F02C6E0262869F988FA9

Tuesday 28 July 2020

Update: InteractiveSieve 0.9.1

Filed under: My Software,Update — Didier Stevens @ 0:00

There are many new features in this update to InteractiveSieve (I neglected to publish updates).

InteractiveSieve is a C# tool I developed to help me visualize and sift through logs (CSV files).

I want to record a couple of videos to show what this tool can do.

Here is a list of updates:

  • Added Remember and >= <= popup menu commands
  • Added Paste to Sift dialog
  • Added separator option None
  • Added choice for Pivot table: matrix, list and uniques
  • Fixed Reveal all bug, thanks Bart Vanautgaerden for reporting
  • Added Hide colored lines and Hine uncolored lines; Added Info and Set as index column
  • Bugfix DataGridViewEx
  • Added Load sieve and Save sieve
  • Added m:n to pivot table
  • Added Invert
  • Added bookmarks
  • Added Previous and Next Bookmark toolbar buttons
  • Bugfix SaveSieve for bookmarks
  • Added Comment…
  • Added header when saving
  • Fix for header when loading with filter
  • Added load with lookup
  • Added Treeview
  • Added drag and drop; automatic and colon separator; invert with load filter
  • Added Copy for row
  • Pivot table list and uniques: Added support for Hide and Color buttons
  • Added Sift… value
  • Added Transform (regex) and restore
  • Added Reload

InteractiveSieve_V_0_9_1_0.zip (https)
MD5: C8B5B3E768FB62B7508F055122453594
SHA256: 063A83D9DBA900C8B245532D510E822A305B258C9A3DD05F19F4F0ED2753B6E1

Monday 27 July 2020

Update: zipdump.py Version 0.0.20

Filed under: My Software,Update — Didier Stevens @ 0:00

I added detection of data descriptor records (PK 0x07 0x08) to option -f L (list all ZIP records found inside the provided file).

zipdump_v0_0_20.zip (https)
MD5: A0A826BB92805997ED3D9793C8B24385
SHA256: AC626299A6048FA4A7E8BE2993411870F77B4B89F647B6C4264E0CC22E180999

Sunday 26 July 2020

Update: oledump.py 0.0.52

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump.py brings support for AES encrypted ZIP files via Python module pyzipper (Python 3 only). If module pyzipper is not installed, oledump will fall back to builtin module zipfile.


And plugin plugin_vbaproject.py does now a small dictionary attack on the extracted hash to try to recover the password.

I use the same dictionary as in zipdump.py, a dictionary that is the public domain, default wordlist used by John the Ripper, extended with a couple of passwords: infected, P@ssw0rd and VelvetSweatshop.

oledump_V0_0_52.zip (https)
MD5: 2528824D8A7CD2BE98615B1B1AE8C61A
SHA256: C47A9CC658571FF23E70264B4DD4F8F47D244708E7110EA0A28128F175CF80F5

Saturday 25 July 2020

ndisasm 2.15 stdin Bug Fix

Filed under: Shellcode — Didier Stevens @ 0:00

I like to pipe commands together, especially when doing malware analysis.

ndisasm is the disassembler of NASM. I like to use it, because it’s a single executable (for major operating systems) and accepts input from stdin.

But there was an issue with Windows versions: stdin was opened in text mode, and not in binary mode. This can result in disassembly errors, like in the following example. I send 7 bytes to ndisasm via stdin, and the 4th byte is 0x1A (CTRL-Z): this is the end-of-file marker for Windows text files:

As can be seen, only the first 3 bytes are disassembled, and all bytes from 0x1A on are ignored.

I filled a bug fix with code the fix the issue, and this was integrated in version 2.15:






Monday 20 July 2020

Cracking VBA Project Passwords

Filed under: Encryption,maldoc — Didier Stevens @ 0:00

VBA projects can be protected with a password. The password is not used to encrypt the content of the VBA project, it is just used as protection by the VBA IDE: when the password is set, you will be prompted for the password.

Tools like oledump.py are not hindered by a VBA password, they can extract VBA code without problem, as it is not encrypted.

The VBA password is stored as the DPB value of the PROJECT stream:

You can remove password protection by replacing the values of ID, CMG, DPB and GC with the values of an unprotected VBA Project.

Thus a VBA password is no hindrance for staticanalysis.

However, we might still want to recover the password, just for the fun of it. How do we proceed?

The password itself is not stored inside the PROJECT stream. In stead, a hash is stored: the SHA1 hash of the password (MBCS representation) + 4 byte salt.

Then, this hash is encrypted (data encryption as described in MS-OVBA and the hexadecimal representation of this encrypted hash is the value of DPB.

This data encryption is done according to an algorithm that does not use a secret key. I wrote an oledump.py plugin (plugin_vbaproject.py) to decrypt the hash and display it in a format suitable for John the Ripper and Hashcat:

The SHA1 of a password + salt is a dynamic format in John the Ripper: dynamic_24.

For Hashcat, it is mode 110 and you also need to use option –hex-salt.

Remark that the password passed as argument to the SHA1 function is represented in Multi Byte Character Set format. This means that ASCII characters are represented as bytes, but that non-ASCII characters might be represented with more than one byte, depending on the VBA project’s code page.


Sunday 19 July 2020

Update: oledump.py Version 0.0.51

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a bugfix update to oledump.py, and a feature update for plugins.

plugin_biff.py has a new -S (–statistics) option:

This option can be combined with option -c (–csv).

And there is a new plugin for VBA projects: plugin_vbaproject.py. More info in tomorrow’s blog post.


oledump_V0_0_51.zip (https)
MD5: 9A55FC37AD0C4C2F3D08F252C72C1A82
SHA256: 071D1605D520A4BABBE2CDA461866C349628FE4B428AC54823492A6CD89EA487

Saturday 18 July 2020

Update XORSearch Version 1.11.4

Filed under: My Software,Update — Didier Stevens @ 10:08

This is a small bug fix version of XORSearch: fixing some printf format strings for Linux, thanks to Lenny Zeltser for reporting.

Because of Google, I can no longer host this tool on my website.

You have to get it from my FalsePositives GitHub repository.

MD5: E66290D1EB15D9394C8D1264A09ECFE6

Next Page »

Blog at WordPress.com.