Didier Stevens

Tuesday 30 January 2018

Update: translate.py Version 2.5.2

Filed under: My Software,Update — Didier Stevens @ 0:00

Yesterday I had to analyze a malicious document, carrying embedded PowerShell scripts with Gzip compression. I use translate.py to do the Gzib decompression as I explained in this blog post.

But it’s still not that practical, copying that onliner from my blog post, so I’m releasing a new version of translate.py where I defined function GzipD as that onliner (and I also defined ZlibD).

Here is how I use build-in function GzipD to decompress the malicious payload:

translate_v2_5_2.zip (https)
MD5: 1499C7D9C03928F2CE90BAA813A982DA
SHA256: 34451966781CA9821CD66AEF54379A3B47576CD4FCE8CBEFD9EFA3DA06E49CE9

Blog at WordPress.com.