Didier Stevens

Sunday 26 January 2020

Update: format-bytes.py Version 0.0.11

Filed under: My Software,Update — Didier Stevens @ 0:00

As announced in my previous blog post, this new version of format-bytes.py adds a pack expression (#p#) and other features and (Python 3) bug fixes.

A pack expression is another “here filename”, like #h# for hexadecimal data (which now accepts spaces too).

When format-bytes.py is given a filename as argument, the content of that file is read and processed.

File arguments that start with character # have special meaning. These are not processed as actual files on disk (except when option –literalfilenames is used), but as file arguments that specify how to “generate” the file content. Generating the file content with a # file argument means that the file content is not read from disk, but generated in memory based on the characteristics provided via the file argument. For example, file argument #ABCDE specifies a file containing exactly 5 bytes: ASCII characters A, B, C, D and E.

File arguments that start with #p# are a notational convention to pack a Python expression to generate data (using Python module struct): a “pack expression”.
The string after #p# must contain 2 expressions separated by a # character, like #p#I#123456.
The first expression (I in this example) is the format string for the Python struct.pack function, and the second expression (123456 in this example) is a Python expression that needs to be packed by struct.pack.
In this example, format string I represents an unsigned, 32-bit, little-endian integer, and thus #p#I#123456 generates byte sequence 40E20100 (hexadecimal).
Remark that the Python expression is evaluated with Python’s eval function: this can be abused to achieve arbitrary code execution. Don’t use this in a situation where you have no control over arguments.

I introduced “pack expressions” because I had an IPv4 number represented as a decimal integer, and I needed the dotted quad representation. format-bytes.py will represent 4 bytes as a dotted quad, but I still had to convert a decimal integer to 4 bytes. Hence the introduction of pack expressions (#p#).

For example, number 3232235786 is IPv4 address 192.168.1.10.

Pack expression #p#>I#3232235786 converts number 3232235786 to 4 bytes: >I is the struct format specifier for a big-endian, unsigned 32-bit integer. Remark that I enclose this pack expression in double-quotes (“), as most shells will interpret character > as file redirection if not escaped.

Because of CVE-2020-0601, I also introduced Object Identifier aka OID (DER) decoding. In DER encoding, an OID starts with byte 6 (excluding flags) followed by one byte indicating the length of the bytes representing the OID.

Hexadecimal sequence “06 07 2a 86 48 ce 3d 01 01” is the DER value for OID 1.2.840.10045.1.1.

I also added support for environment variable DSS_DEFAULT_HASH_ALGORITHMS to let you choose your favorite hashing algorithm, in case it is no longer MD5 🙂 .

And last, some (Python 3) bug fixes.

 

format-bytes_V0_0_11.zip (https)
MD5: D73D5FA410F882F03176CF5FD3E0D90A
SHA256: 34B37CA4E45E4EF0F36F5460CAD429343C0AE993297C104AA8A29C2EE4E7904F

2 Comments »

  1. […] Update: format-bytes.py Version 0.0.11 […]

    Pingback by Week 4 – 2020 – This Week In 4n6 — Sunday 26 January 2020 @ 8:08

  2. […] format-bytes.py, pecheck.py, file-magic.py, […]

    Pingback by Stego & Cryptominers – Didier Stevens Videos — Sunday 2 February 2020 @ 13:07


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.