Didier Stevens

Friday 30 September 2016

Quickpost: Enhancing Radare2 Disassembly Listing

Filed under: My Software,Quickpost — Didier Stevens @ 9:00

I threw a program together to add information to Radare2 disassembly listings: radare2-listing.py. I’m putting it in beta, because I hope there is another way to do this in Radare2 (e.g. without a program). So if you know of a better way to do this, please post a comment.

The tool looks for text pushed on the stack, and then adds a comment with the string built up on the stack.

Before:

[screenshot: disassembly listing before]

After:

[screenshot: disassembly listing after]


Wednesday 28 September 2016

decoder-search.py Beta

Filed under: Beta,My Software — Didier Stevens @ 0:00

I’ve been developing a new Python program similar to XORSearch. decoder-search.py does brute-forcing and searching of a file like XORSearch, but instead of simple operations like XOR, ROL, …, it can handle more complex translations. Templates for these translations have to be provided in a configuration file, for example like this:

expression ((byte + %i1:1-10%) ^ %i2:1-32%) % 0x100

This template specifies a translation expression that adds a number to each byte in the file, and then XORs the sum. The first integer added to each byte is brute-forced from 1 to 10 (%i1:1-10%), and the second integer used for the XOR operation is brute-forced from 1 to 32 (%i2:1-32%). Such an encoding has been used in the latest Hancitor maldoc samples.
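The brute-force loop that template describes, as an added Python example (not decoder-search.py's own code): the template parser, the sample bytes and the keyword list are constructed here for illustration.

```python
import itertools
import re

# Template quoted in the post: add i1 to each byte, XOR the sum with i2, reduce mod 256.
TEMPLATE = "((byte + %i1:1-10%) ^ %i2:1-32%) % 0x100"
PARAM_RE = re.compile(r"%(i\d+):(\d+)-(\d+)%")

def parse_template(template):
    """Split a template into a Python expression and its brute-force ranges."""
    params = [(m.group(1), int(m.group(2)), int(m.group(3)))
              for m in PARAM_RE.finditer(template)]
    expr = PARAM_RE.sub(lambda m: m.group(1), template)   # '%i1:1-10%' -> 'i1'
    return expr, params

def translate(data, expr, values):
    """Apply the expression to every byte; only 'byte' and the parameters are visible."""
    code = compile(expr, "<template>", "eval")
    return bytes(eval(code, {"__builtins__": {}}, dict(values, byte=b)) for b in data)

def brute_force(data, template, keywords):
    """Try every parameter combination and report (params, keyword, offset) hits."""
    expr, params = parse_template(template)
    hits = []
    for combo in itertools.product(*(range(lo, hi + 1) for _, lo, hi in params)):
        values = dict(zip((name for name, _, _ in params), combo))
        decoded = translate(data, expr, values)
        for kw in keywords:
            pos = decoded.find(kw)
            if pos != -1:
                hits.append((values, kw, pos))
    return hits

# Constructed sample: a fake DOS stub encoded with the inverse of the template
# using i1 = 7 and i2 = 21, i.e. encoded = ((plain ^ i2) - i1) % 256.
PLAIN = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."
SAMPLE = bytes(((b ^ 21) - 7) % 256 for b in PLAIN)
KEYWORDS = [b"This program", b"http://"]

if __name__ == "__main__":
    for values, kw, pos in brute_force(SAMPLE, TEMPLATE, KEYWORDS):
        print(f"{values} found {kw!r} at offset {pos}")
```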

Here is the result on a sample that contains an encoded EXE:
[screenshot: decoder-search.py output, encoded EXE found]

And here is the result on a sample that contains encoded URLs:

[screenshot: decoder-search.py output, encoded URLs found]

For me this tool is still in beta phase, because I might change the format of the configuration file in later versions, without providing backwards compatibility. You can find it in my GitHub Beta repository.

Monday 19 September 2016

Update: translate.py Version 2.3.1

Filed under: My Software,Update — Didier Stevens @ 0:00

I needed to decompress the content of a Flash file (.swf). I thought of using my translate.py program with a command to inflate (zlib) the content (minus the header of 8 bytes): lambda b: zlib.decompress(b[8:])

Quite simple, but the problem is that translate.py doesn’t import zlib. I have to do that, but that can’t be done in a lambda function. So I added option -e (execute) to execute extra statements:

[screenshot: translate.py with option -e]

translate_v2_3_1.zip (https)
MD5: A3C30A3534DC96B28C1C18B425E2A82D
SHA256: BBD24406BC3038620807E8C4116B325BE6124BE92D041173A8E4BAB56D06C7E2

Sunday 18 September 2016

Overview of Content Published In August

Filed under: Announcement — Didier Stevens @ 18:35

Here is an overview of content I published in August:

Blog posts:

YouTube videos:

SANS ISC Diary entries:
