Didier Stevens

Friday 26 April 2013

Howto: Add a Digital Signature to a PDF File – Free Software

Filed under: Encryption,PDF — Didier Stevens @ 12:58

This is an update to my post Howto: Add a Digital Signature to a PDF File, but this time I found free software.

Again we use our certificate which we install (open the .p12 file). Install the free JSignPdf software.

Select the PDF file to sign and select an output file (if you don’t want to overwrite your original):

20130426-140107

Push Sign It:

20130426-141230

And then you can check the signature with Adobe Reader:

20130426-141337

If you get the following error, make sure you change your PDF version from %PDF-1.1 to %PDF-1.4:

Choosen configuration requires PDF version update, but it’s not possible in the “append” signature mode.

Sunday 21 April 2013

js-unicode-unescape.1sc

Filed under: 010 Editor,My Software — Didier Stevens @ 0:00

As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the sixth one.

This script does the opposite of js-unicode-escape.1sc: a Unicode escape encode string is decode to bytes.

js-unicode-unescape_v0_0_1.zip (https)
MD5: E4FF29FB631142AC995636EED4CFB2AB
SHA256: C5659BCED1C6A7F92C2F7F9058DAA5807D2907283041E4F9DD1E4B6F318F2BBD

Saturday 20 April 2013

js-unicode-escape.1sc

Filed under: 010 Editor,My Software — Didier Stevens @ 0:00

As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the fifth one.

010 Editor has a different functions to copy bytes from a file. As raw bytes, as hex, as base64, …

This script copies the selected bytes to the clipboard as a Unicode escape encoded string for JavaScript: %u3421%u9a0d…

js-unicode-escape_v0_0_3.zip (https)
MD5: B86B7E73D93C5A4C086384C2FF89303C
SHA256: 81F26C328FD67FB7512CD60485481D7FFD8B7FE5ACE95455D45F4F635EADF81C

Friday 19 April 2013

pecheck.py

Filed under: My Software,Reverse Engineering — Didier Stevens @ 0:00

As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the fourth one.

pecheck.py is a wrapper for pefile, but this version has a new feature: check a PE file stored in a (password protected) ZIP file (password infected).

pecheck_v0_3_0.zip (https)
MD5: C2AC9FED3C7F1787854C8D0E651B2591
SHA256: 3CDEBADA4C594DD3622E234747C6AABD41573C94087C0554CBA65D0472F6B413

Thursday 18 April 2013

search-and-replace-with-wildcards.1sc

Filed under: 010 Editor,My Software — Didier Stevens @ 0:00

As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the third one.

010 Editor has a search feature with wildcards (like FC 01 * 10 CF), but no search and replace with wildcards (like FC 01 * 10 CF -> FD 02 * 20 DF). This scripts implements such a feature.

search-and-replace-with-wildcards_v0_0_1.zip (https)
MD5: 7D620E8BEFFD4ED5563D9944C9B0B859
SHA256: B7F074304660A8DBF7AB2261D8619FFFFD461EFB5EE4C6E42880C87A3C1A4AB7

Wednesday 17 April 2013

fuzzer.1sc

Filed under: 010 Editor,My Software — Didier Stevens @ 0:00

As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the second one.

fuzzer.1sc is a 010 Editor script that implements a simple fuzzer. It overwrites bytes in a file or selection. A selection is particularly useful combined with a template. For example, with a couple of clicks you can fuzz the control structures of a JPEG image.

4 parameters (number of fuzz sequences to overwrite, minimum length and maximum length of a sequence, and the fuzz character) allow you to control the random overwriting process.

fuzzer_v0_0_1.zip (https)
MD5: E9B7114952E81A504C7CF3B06B99B5CF
SHA256: CF399EE2D86B6039236608F4FE882E579D7DCFED1DA980B4124ED06FD0C5807A

Tuesday 16 April 2013

shift.1sc

Filed under: 010 Editor,My Software — Didier Stevens @ 0:00

As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the first one.

shift.1sc is a 010 Editor script that allows you to shift bytes in a file or selection.

shift_v0_0_1.zip (https)
MD5: 0E98DD182D12839FD86A30E696414E0A
SHA256: 07D849E9E898AFA705E57474FADFF001C9CAF9DB1D51AD8C9EB7E9A2A765D714

Monday 15 April 2013

New Tool: XORStrings

Filed under: Forensics,My Software,Reverse Engineering — Didier Stevens @ 0:00

XORStrings is best described as the combination of my XORSearch tool and the well-known strings command.

XORStrings will search for strings in the (binary) file you provide it, using the same encodings as XORSearch (XOR, ROL, ROT and SHIFT). For every encoding/key, XORStrings will search for strings and report the number of strings found, the average string length and the maximum string length. The report is sorted by the number of strings found, but can also be sorted by the maximum string length (use option -m). By default, the string terminator is 0x00, but you can provide your own with option -t, like the space character (0x20) in this example:

20130308-213053

I’ve used XORStrings to identify the encoding used in TeamViewer traffic.

There are more options than the ones I mentioned here. I’ll create a dedicated page for this tool, but for now, I invite you to discover the options yourself.

XORStrings_V0_0_1.zip (https)
MD5: 27DA0B3BC5296179CB58181BDFF99F8D
SHA256: 5EA7E063A41E38E9E6277F1CD73FCEA2AEF50C33C44D75C226900314FF84A1B5

Blog at WordPress.com.