Didier Stevens

This small update brings support for ZIP 2.0 via the pyzipper module.

strings_V0_0_10.zip (http)
MD5: F98C9D646A83322BC9226673D79FFE2D
SHA256: 7C062616C95DE5DDF0792A8CE9CA0CCA14FF43A8786DCED043193B729361BB59

This is a post for version updates 0.0.8 and 0.0.9.

Added command officeprotection and option -j for pretty.

xmldump_V0_0_9.zip (http)
MD5: 6EC24845F61FE3F9AC111BFEC69B53C7
SHA256: B1F3F6B153367AEF83C42B8002E7EA8A650B7E7092D97ACA288F2B62A93D4B9D

This small update brings support for ZIP 2.0 via the pyzipper module and fixes a /ObjStm parsing bug.

pdf-parser_V0_7_10.zip (http)
MD5: 2EB627850B215F3B9D1532880DA4E8DB
SHA256: 17F9EA0B4CADF0143AA52E1406EEC7769DA1B860375440D8492ADC113300CDFD

This small update brings support for ZIP 2.0 via the pyzipper module.

pdfid_v0_2_9.zip (http)
MD5: 57C5AE391116B79E1F90FFF7BBB36331
SHA256: 1FC540C9EB9722C1E430262DFF64F39606A7B4838DDE9F70EE3C56526EDEF5FF

–prefix and –suffix can now also be filenames.

cut-bytes_V0_0_17.zip (http)
MD5: 86D0692C6303248639A740E7A2AC4525
SHA256: D4FCFBD2305D7E5E97AB993741DF95B4565A882B0CD7DBA061D09578A1DDADA7

This is an update for plugin plugin_biff.py.

Protected xls files (workbook protection, sheet protection) are protected with a password, but are not encrypted.

The password is hashed to a 16-bit hash called verifier, such a short hash gives ample opportunity for hash collisions.

I calculated passwords for all possible hash values (32768, or 0x8000) mostly with letters and digits, some with special characters (verifier table). This verifier table is not a rainbow table, because the table contains all possible hash values and a corresponding password.

If a verifier can not be cracked with a provided password list, the password will be taken from the verifier list.

Example: this spreadsheet has a sheet protected with password azeqsdwxc, which is not in the embedded password list (obtained from John The Ripper); thus the password from the verifier table is taken (bbbbhz):

Passwords azeqsdwxc and bbbbhz both hash to the same verifier value (0xd9b1), thus there is a hash collision, and both passwords can be used to unprotect the sheet.

oledump_V0_0_77.zip (http)
MD5: CC8E3BB7BFA8D6312F8371DADE414EE4
SHA256: 08A097FB2491072043BFD4032BEBC4B2994AEF94B99F3C68EFAEB56004AE7ECE

This is a bugfix release for @files.

hash_V0_0_13.zip (http)
MD5: 43419BBB95FC1321EC6098AE369DEC26
SHA256: 88BD3A7B71BB2C8579F49E76E8069E7A5A4B23DCF1DB1716E5E2C9F78BFF6D5B

This small update for emldump adds support for UTF8 files that start with a BOM.

emldump_V0_0_14.zip (http)
MD5: 6DBA97A55A9BE0D94131F1F381868236
SHA256: 99E1254011C6738FC44E559B4A29A8D40C79822A946F853D12EF23E035CEE97B

New option -O allows to use a function that receives a object per line as argument.

Like option -n, option -O is used to invoke a single Python function taking one argument, but this time the argument is an object in stead of a string. The object has several properties: item is the line (string), left is the previous line, right is the next line, index is equal to the line counter – 1.

python-per-line_V0_0_12.zip (http)
MD5: 16ADE95E968CAE357D1725659224FA0B
SHA256: 1B8D1D8B27A5F5D66FBAB5BACD0594B6A08E96EC03D0BAE08C616A3C172BFD0B