Didier Stevens

Monday 31 October 2022

Quickpost: BruCON Travel Charger

Filed under: Hardware,Quickpost — Didier Stevens @ 0:00

In my BruCON speaker goodie bag, I found a travel adapter & USB charger:

I already have a similar travel adapter, but this BruCON travel adapter has one extra important feature for me: a USB C port.

As I still had my setup ready for testing the electrical energy consumption of devices, I quickly tested the standby power of this charger.

Its average standby electrical power consumption is 236,46 mW. Standby means: I plug the adapter into an electrical outlet (230V) without connecting any device for charging.

I imagine that for a travel adapter, standby consumption is not that important, as one would use it only occasionally.

Quickpost info

Friday 28 October 2022

The Making Of: qa-squeaky-toys.docm

Filed under: Hacking — Didier Stevens @ 0:00

qa-squeaky-toys.docm is a challenge I made for CSCBE 2022.

It’s a Word document with VBA code. But the VBA code has been “cleaned” by an anti-virus.

I was inspired by a real maldoc cleaned by a real anti-virus: “Maldoc Cleaned by Anti-Virus“.

Here is how I made this challenge.

I created a .docm file with the following VBA code:

I extracted the vbaProject.bin file from the OOXML file (.docm).

First, I removed all the compiled VBA code from stream 3. -s 3c selects the compiled code stored in VBA stream 3.

I open a copy of vbaProject.bin with a binary editor, and search for the bytes of the compiled code. And I set them all to 0x00.

Then at position 0x40 inside that stream, I write this ASCII text: “Cleaned by your favorite anti-virus!”.

Next I will shorten the compressed VBA source code. This is the compressed VBA source code (selected with 3v):

Value F4B0 is a little-endian integer: 0xB0F4. B are some flags, F4 is the length of the chunk of compressed VBA code. F4 hexadecimal is 244 decimal. I shorten this by 206 bytes. Thus I replace F4 with 26 (with a binary editor).

The result is that now, only the first line is readable, followed by some gibberish:

And to get rid of the gibberish, I also shorten the length of the stream. It is 1380 bytes long:

That’s 64 05 00 00 (representation for a 32-bit little-endian unsigned integer).

I subtract 204, thus 1380 – 204 = 1176. Or 98 04 00 00. I use again the binary editor to make this change.


How did I find the values to subtract? Educated guessing and trial and error. Why 2 different subtractions? Because that was also the case in the original sample that inspired me.
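The chunk header and truncation described above, as an added example that is not part of the original post: a minimal decompressor for the compressed VBA source container that keeps whatever precedes a shortened chunk or stream. It assumes the MS-OVBA header layout (a 12-bit size field holding the chunk size minus 3, a 3-bit signature, a 1-bit compressed flag); the function names and the sample container are constructed for illustration.

```python
import struct

def parse_chunk_header(raw):
    """Return (chunk size, signature, compressed flag) from the 2-byte header."""
    (value,) = struct.unpack("<H", raw[:2])
    return (value & 0x0FFF) + 3, (value >> 12) & 7, bool(value >> 15)

def decompress(container):
    """Decompress a VBA source container, keeping what precedes a truncation."""
    if container[:1] != b"\x01":
        raise ValueError("missing container signature byte 0x01")
    out, pos = bytearray(), 1
    while pos + 2 <= len(container):
        size, signature, compressed = parse_chunk_header(container[pos:pos + 2])
        if signature != 3:                      # 0b011 marks a chunk header
            break
        end = min(pos + size, len(container))   # header may claim more than exists
        start, pos = len(out), pos + 2          # copy offsets are chunk-relative
        if not compressed:
            out += container[pos:end]
            pos = end
        while pos < end:
            flags, pos = container[pos], pos + 1
            for bit in range(8):
                if pos >= end:
                    break
                if not (flags >> bit) & 1:      # literal byte
                    out.append(container[pos])
                    pos += 1
                    continue
                if pos + 2 > end:               # copy token cut in half
                    return bytes(out)
                (token,) = struct.unpack("<H", container[pos:pos + 2])
                pos += 2
                bits = max((len(out) - start - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bits)) + 3
                offset = (token >> (16 - bits)) + 1
                if offset > len(out) - start:   # points before the chunk: malformed
                    return bytes(out)
                for _ in range(length):
                    out.append(out[-offset])
    return bytes(out)

# Constructed sample container: one chunk storing a short macro as literals.
SAMPLE = (b"\x01\x1c\xb0" b"\x00Sub Auto" b"\x00Open()\r\n"
          b"\x00End Sub\r" b"\x00\n")

def shorten(container, cut):
    """Lower the first chunk's size byte and the stream length by `cut` bytes."""
    return container[:1] + bytes([container[1] - cut]) + container[2:len(container) - cut]
```

With this layout, parse_chunk_header(bytes.fromhex("F4B0")) reports a 247-byte chunk and the patched 26B0 a 41-byte one, which is the 206-byte difference from the post; decompress(shorten(SAMPLE, 11)) returns only the first line of the constructed macro.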

Monday 24 October 2022

Update: byte-stats.py Version 0.0.9

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of byte-stats.py, my tool to generate statistics for (binary) data, comes with an update to report the longest:

  • printable string (ASCII bytes between 0x20 and 0x7E included)
  • hexadecimal string (ASCII hexadecimal digits, not checking if the length is an even number)
  • BASE64 strings (ASCII BASE64 digits without padding character =, not checking if the length is a multiple of 4)

byte-stats_V0_0_9.zip (http)
MD5: 9187073EB63DE78BDACA1A3AB096DD19
SHA256: 6BC1F8A6FDAA4E8484B6C86E38E214BCBF24AB20F80C92D8AEE3C5EA402D2F0C

Saturday 22 October 2022

Quickpost: Testing A Lemon Battery

Filed under: Hardware,Quickpost — Didier Stevens @ 21:59

In a chat with my colleagues, we were joking about charging smartphones with a lemon battery.

And I actually wanted to know what magnitude of electrical energy we were talking about.

So I connected a lemon battery to an electronic load:

I took a lemon, inserted a zinc and copper piece of metal (a couple centimeters deep) and connected an electronic load to draw 1 mA of current.

I let it run for a couple of hours until no more measurable current flowed.

The electronic load dissipated 0,034 Wh of electrical energy over that period. Hence, we can assume that the lemon battery delivered 0,034 Wh.

I’m sure the lemon battery could deliver more energy, by “resetting” it: cleaning the electrodes, inserting them in another place in the lemon, …

After a bit of searching through the web, I’m going to assume that a typical smartphone nowadays has a battery of 10 Wh. So we would need 294 times (10 Wh / 0,034 Wh) the electrical energy delivered by my lemon battery to charge a smartphone.

Except that the 0,9 V that the lemon battery does deliver is by far not enough to be able to charge via the USB interface. We need 5V, so, 5,555… lemon batteries connected in series.

On the screenshot above, you can also see that 37 mAh was measured. Notice that you cannot compare this to the mAh rating of a (smartphone) battery, because both values involve different voltages.

Comparing this to a button cell like a CR2032 (Dutch Wikipedia article, because there’s no English Wikipedia article): the CR2032 has a 225 mAh electrical charge (on average) and a 2.0 V discharge voltage. That’s 225 mAh * 2.0 V = 450 mWh. Or 13 times more than my lemon battery (34 mWh).

Here are more pictures of the lemon after the experiment (one week later):

Update: rtfdump.py Version 0.0.12

Filed under: My Software,Update — Didier Stevens @ 11:35

This version adds support for ZIP files encrypted with AES, via the pyzipper module.

rtfdump_V0_0_12.zip (http)
MD5: C3D4F69908A49265E3877D4338462534
SHA256: A40CC2744DE2D4C5956F5FD306357E7E105EC693B8BEA6E7E006C48EC78055BB

Thursday 13 October 2022

Update: base64dump.py Version 0.0.24

Filed under: My Software,Update — Didier Stevens @ 19:02

This is a small update, to add extra statistical information for decoded items.

base64dump_V0_0_24.zip (http)
MD5: 47FDC47A9235CEF2DF95D1FC12BC166E
SHA256: FAF376E267CE6937BAB7544EA4AF9DD40499886992E7DA3855C16C73C02276B1

Saturday 8 October 2022

Quickpost: Standby Power Consumption Of An Old Linear Power Supply

Filed under: Hardware,Quickpost — Didier Stevens @ 11:41

In my blog post “Quickpost: Standby Power Consumption Of My USB Chargers (120V vs 230V)“, I looked at the power consumption of several of my USB chargers in standby mode (e.g., not connected to a device to be charged).

These are switched-mode power supplies.

They consume considerably less standby power than linear power supplies, like this one:

These contain a transformer to go from a high voltage (AC) to a low voltage (AC), and then contain some electronic components, for example a diode bridge and capacitors, to convert the low voltage AC electricity into DC.

I tested this old power supply I had lying around, and it consumed 1.6836 Wh when tested with my power meter during one hour:

That’s 14,75 kWh for a year. Which is about 10 times more than my worst switched power supply tested here.

So, if you are planning to follow the advice of energy experts here in Europe (and watch out, quite a few are not experts at all, just echo chambers) to reduce your electric energy consumption and save money, consider the following points (their idea is to unplug chargers you don’t use).

  1. Start with your linear power supplies, they consume the most (a tip to recognize them: they are heavy compared to the switched-mode ones, because of the transformer; and they are old)
  2. If you are going to do this daily, take into account mechanical wear and tear. Like on the pins of the power plug, the cables …
  3. To avoid that extra wear and tear, you can plug your power supplies into a power-strip with a switch
  4. I have a laptop power brick that regularly causes the power plug to spark when I plug it into a socket. That’s also something you want to avoid.

Friday 7 October 2022

Overview of Content Published in September

Filed under: Announcement — Didier Stevens @ 16:42

Here is an overview of content I published in September:

  • Blog posts
  • YouTube videos
  • Videoblog posts
  • SANS ISC Diary entries
