Didier Stevens

Thursday 21 June 2018

Validating Your Downloads

Filed under: Announcement,My Software — Didier Stevens @ 0:00

Occasionally, a comment is posted on my blog to report that the posted hash of a file doesn’t match the hash of the downloaded file. Often, it’s because the reader calculated the hash of my program, and not the hash of the downloaded ZIP file, containing the program.

Let’s clarify this. Here is an example of download details I use in my blog posts:

hash_V0_0_5.zip (https)
MD5: 2A4D61F692D935E27E4BECA642F19D97
SHA256: 5DA5B59EBC6EB0FADEA868E631057BF14C29486405F75D8183C48FE4631B81A2

First you have the HTTP download link to the file, and then you have the HTTPS download link of the same file.

Next, you have the MD5 hash and SHA256 hash of the hosted file, e.g. the ZIP file.

The links and hashes are served by one host (blog.didierstevens.com), and the file is served by another host (didierstevens.com).

To validate that the file you downloaded has not been tampered with, or corrupted during the download, you have to calculate the hash of the downloaded file (if it’s a ZIP file, calculate the hash of the ZIP file, not of the archived files) and compare this with the hash I published.

If you don’t have a tool to do this, you can use my hash.py tool like this:

Wednesday 20 June 2018

Update: hash.py version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version adds option -v to validate hashes, and an indicator when archive files are decompressed.



hash_V0_0_5.zip (https)
MD5: 2A4D61F692D935E27E4BECA642F19D97
SHA256: 5DA5B59EBC6EB0FADEA868E631057BF14C29486405F75D8183C48FE4631B81A2

Tuesday 19 June 2018

Update: cut-bytes.py Version 0.0.7

Filed under: My Software,Update — Didier Stevens @ 0:00

This too is a minor update for #e# expressions.

More details in this video:

cut-bytes_V0_0_7.zip (https)
MD5: 95CF8E5D2BC2790B25101FC2BFF769FB
SHA256: F1112C96872D15C2CD3F6AF9828C7E39F5EB115D20FB62AAD1C1357D75E3485B

Monday 18 June 2018

Update: translate.py Version 2.5.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a minor update for #e# expressions.

More details in this video:

translate_v2_5_4.zip (https)
MD5: C07B37F7AFA0386315843E6A493721C1
SHA256: A2203C643FC8BC64A98DCA3EE1F9444BE16F5D5C2036AC0200A6BA657786C5EC

Friday 15 June 2018

Update: jpegdump.py Version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a small update to jpegdump.py, my tool to analyze the structure of jpeg files.

The man page (option -m) has been updated.

jpegdump_V0_0_5.zip (https)
MD5: D7157E7FDEEA4257220F60E0081EE138
SHA256: D6940A82CDECEB9D1FB27561E7B748837D666568FC857AEB6680E135D08E897C

Thursday 14 June 2018

“Here Files” and my Tools

Filed under: My Software,Update — Didier Stevens @ 0:00

Several of my tools, that accept more than one filename as arguments, also accept a “here file” (cfr. here documents). A here file is a text file with a list of filenames, one per line. My tools recognize a here file by prefixing the filename of the here file with character @.

Let’s take for example a text file with filename list.txt and following content:


When using this file (list.txt) in the following command:

hash.py @list.txt

hash.py will calculate the hashes of the following files: sample-1.bin, sample-5.bin and sample-7.bin.

A here file can also be provided via stdin. Just type character @ (without filename) as argument to hash.py and provide a list of files via stdin, like in this example:

I will explain this any many more features of my tools in a workshop at BruCON. During this workshop, I will provide the templates I use to create my tools.
This is BruCON’s 10th edition, and I’m happy I’ll do my 10th workshop for this anniversary edition.

hash_V0_0_4.zip (https)
MD5: 6DAC25432338BEA40B9141A791B8A958
SHA256: D66BF64B91B1BCBA5EA99EA03439A12835C5427BB1C447E6B515F94D9F468137

Tuesday 12 June 2018

Update: pecheck.py Version 0.7.3

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version handles errors in PEiD’s userdb files better.

pefile does not support the full syntax used by PEiD, hence errors might occur, like this:

pecheck-v0_7_3.zip (https)
MD5: 480C9AC4BEE09CAAFB1593E214A39832
SHA256: 359A44751BAA34450B2DA92539AB425507EBB90F8F57CF50E561CCE111809637

Thursday 7 June 2018

Encrypted OOXML Documents

Filed under: Encryption,maldoc — Didier Stevens @ 0:00

The Office Open XML format introduced with MS Office 2007, is essentially composed of XML files stored inside a ZIP container.

When an OOXML file (like a .docx file) is protected with a password for reading, it is encrypted. The encrypted OOXML file is stored inside a Compound File Binary Format file, or what I like to call an OLE file. This is the “old” MS Office file format (like .doc), the default file format used before MS Office 2007.

This is how an encrypted .docx file looks like, when analyzed with oledump:

Stream EncryptedPackage contains the encrypted document, and stream EncryptionInfo contains information necessary to help with the decryption of stream EncryptedPackage.

The structure of stream EncryptedPackage is simple:

First there’s an integer with the size of the encrypted document, followed by the encrypted document. If we decode the binary data for the integer with format-bytes.py, we get the size 11841:

The EncryptionInfo stream starts with binary data, the version format, and is then followed by more binary data, or XML data, depending on the version:

The first bytes specify the major and minor version used for the EncryptionInfo stream. This example is mostly XML:

Which can be further parsed with xmldump.py:

To help identifying what version is used, I developed an oledump plugin named plugin_office_crypto:

Depending on the version, different tools can be used to decrypt office documents.

Python program msoffcrypto-tool can only decrypt agile encryption (for the moment, it’s a work in progress).

C program msoffice-crypt can decrypt standard, extended and agile encryption.


Sometimes, malicious documents will be encrypted to try to avoid detection. The victim will have to enter the password to open the document. There is one exception though: Excel documents encrypted with password VelvetSweatshop.


Wednesday 6 June 2018

Quickpost: John & Dummy Hashes

Filed under: Quickpost — Didier Stevens @ 0:00

I knew you could use dummy hashes with John the Ripper (to test rules, for example), I’ve seen it mentioned in the help. It took me some time however to figure out the exact format of a dummy hash.

It’s like this:


48336c6c30 is the hexadecimal representation of string H3ll0.

The hexadecimal string following $dummy$ has to use lowercase letters. If you use uppercase letters, you’ll get the dreaded “No password hashes loaded (see FAQ)”.

Here is an example using l33t rules:


Quickpost info

Tuesday 5 June 2018

Overview of Content Published In May

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in May:

Blog posts:

YouTube videos:

SANS ISC Diary entries:

Blog at WordPress.com.