Didier Stevens

This small update brings support for ZIP 2.0 via the pyzipper module and fixes a /ObjStm parsing bug.

pdf-parser_V0_7_10.zip (http)
MD5: 2EB627850B215F3B9D1532880DA4E8DB
SHA256: 17F9EA0B4CADF0143AA52E1406EEC7769DA1B860375440D8492ADC113300CDFD

This small update brings support for ZIP 2.0 via the pyzipper module.

pdfid_v0_2_9.zip (http)
MD5: 57C5AE391116B79E1F90FFF7BBB36331
SHA256: 1FC540C9EB9722C1E430262DFF64F39606A7B4838DDE9F70EE3C56526EDEF5FF

–prefix and –suffix can now also be filenames.

cut-bytes_V0_0_17.zip (http)
MD5: 86D0692C6303248639A740E7A2AC4525
SHA256: D4FCFBD2305D7E5E97AB993741DF95B4565A882B0CD7DBA061D09578A1DDADA7

This is an update for plugin plugin_biff.py.

Protected xls files (workbook protection, sheet protection) are protected with a password, but are not encrypted.

The password is hashed to a 16-bit hash called verifier, such a short hash gives ample opportunity for hash collisions.

I calculated passwords for all possible hash values (32768, or 0x8000) mostly with letters and digits, some with special characters (verifier table). This verifier table is not a rainbow table, because the table contains all possible hash values and a corresponding password.

If a verifier can not be cracked with a provided password list, the password will be taken from the verifier list.

Example: this spreadsheet has a sheet protected with password azeqsdwxc, which is not in the embedded password list (obtained from John The Ripper); thus the password from the verifier table is taken (bbbbhz):

Passwords azeqsdwxc and bbbbhz both hash to the same verifier value (0xd9b1), thus there is a hash collision, and both passwords can be used to unprotect the sheet.

oledump_V0_0_77.zip (http)
MD5: CC8E3BB7BFA8D6312F8371DADE414EE4
SHA256: 08A097FB2491072043BFD4032BEBC4B2994AEF94B99F3C68EFAEB56004AE7ECE

This is a bugfix release for @files.

hash_V0_0_13.zip (http)
MD5: 43419BBB95FC1321EC6098AE369DEC26
SHA256: 88BD3A7B71BB2C8579F49E76E8069E7A5A4B23DCF1DB1716E5E2C9F78BFF6D5B

This small update for emldump adds support for UTF8 files that start with a BOM.

emldump_V0_0_14.zip (http)
MD5: 6DBA97A55A9BE0D94131F1F381868236
SHA256: 99E1254011C6738FC44E559B4A29A8D40C79822A946F853D12EF23E035CEE97B

New option -O allows to use a function that receives a object per line as argument.

Like option -n, option -O is used to invoke a single Python function taking one argument, but this time the argument is an object in stead of a string. The object has several properties: item is the line (string), left is the previous line, right is the next line, index is equal to the line counter – 1.

python-per-line_V0_0_12.zip (http)
MD5: 16ADE95E968CAE357D1725659224FA0B
SHA256: 1B8D1D8B27A5F5D66FBAB5BACD0594B6A08E96EC03D0BAE08C616A3C172BFD0B

This new version adds a new post processing function to extract the longest string from the decoded payload (ExtractLongestString). Post processing functions take the decoded content, and replace it with the processed content. To view to original decoded content, the select option -s now supports suffix o. For example, to select the original decoded content of entry 5, use option -s 5o.

And there is now a –sort option to sort the entries based on payload, decoded content, length, …

base64dump_V0_0_25.zip (http)
MD5: 5A193C98658FF26ED680130E61F62D0F
SHA256: 002517F56484A7017E12D3D9BE0667E9E907F1EBD9B9091647F4336615D494E1

I added option -j –jsonoutput to my pdf-parser.py tool.

This option produces JSON output with the content of all of the streams, unfiltered.

To have the filtered stream content as JSON output, include option -f.

pdf-parser_V0_7_9.zip (http)
MD5: E435A374A233C9DFEDA8A4E16887FB99
SHA256: 99F50D4F030A5B3E9F9CBA20A7BB8C51FBA368526077CCA3466C784DA39D42DB