Didier Stevens

Sunday 27 November 2016

Update: xor-kpa.py Version 0.0.4

Filed under: Encryption,My Software,Update — Didier Stevens @ 0:00

This new version of xor-kpa adds the option -x to encode/decode, and also prints the hexadecimal value of the found keys.

xor-kpa_V0_0_4.zip (https)
MD5: FCE75B6125104D8AFC56A67B65FF75C0
SHA256: 3DCCA479D4C8CAC9B248B24F799184A69D0F10403593CB002248DD35CCE60FD4

Sunday 20 November 2016

Update: zipdump.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

A small update to zipdump: this version displays the ZIP comment (if present) and also counts unique bytes, i.e. the number of different byte values found in the data.

zipdump_v0_0_4.zip (https)
MD5: 64EE6575309654B6671554D0A4DA50E5
SHA256: C323C0580E95F87406A72A542A7FBF5DE39EBEF7CAFC970A7C428CA1E870F9CF

Saturday 19 November 2016

Update: byte_stats.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

A small update to byte-stats: this version also counts unique bytes, i.e. the number of different byte values found in the data.

byte-stats_V0_0_4.zip (https)
MD5: B53CE5444618DCA78C46C7F72E356D8D
SHA256: 81EFED375FF666BFFDDB82D094ECE17074182F5016FE3BFA4D1CA33DE838754C

Friday 18 November 2016

Update: shellcode2vba.py Version 0.5

Filed under: My Software,Shellcode,Update — Didier Stevens @ 0:00

shellcode2vba.py is a Python program to create VBA code to inject shellcode. This new version has 1 new option:

Option –suffix allows you to instruct the program to add a suffix to the VBA function names.

shellcode2vba_v0_5.zip (https)
MD5: BAD6684A6887F9E90FF755609B4CA2D5
SHA256: C403CD8196593F2ADD6BED40E9E7A14E49DB48909788DE8BB27A95D71E58A13A

Sunday 23 October 2016

Update: virustotal-search.py Version 0.1.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of virustotal-search.py accepts input from stdin.

virustotal-search_V0_1_4.zip (https)
MD5: 867D6272792965D11317BFB6308E20A9
SHA256: 8C033B3C46767590C54C191AEEDC0162B3B8CCDE0D7B75841A6552CA9DE76044

Saturday 22 October 2016

Update: cut-bytes.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 9:49

I added dumps to this new version of cut-bytes.py:

20161022-114024

cut-bytes_V0_0_4.zip (https)
MD5: A44D8BBE9BAB9309E732F8995CB5C7BB
SHA256: F95453DE1CC5855C320AB947D9AE354BE8E3ABFA52418C0CF623351A9DBF6344

Monday 17 October 2016

Update: oledump.py Version 0.0.25

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version has a couple of new options (–decoderdir and –plugindir) and a bugfix.

oledump_V0_0_25.zip (https)
MD5: CED1602AEF505AE0388DB95414F9C00A
SHA256: 54510A54264E4EA3C4559545B5CE43A20D8AB290B4EDDA7B57983AD1396E29FC

Monday 19 September 2016

Update: translate.py Version 2.3.1

Filed under: My Software,Update — Didier Stevens @ 0:00

I needed to decompress the content of a Flash file (.swf). I thought of using my translate.py program with a command to inflate (zlib) the content (minus the header of 8 bytes): lambda b: zlib.decompress(b[8:])

Quite simple, but the problem is that translate.py doesn’t import zlib. I have to do that, but that can’t be done in a lambda function. So I added option -e (execute) to execute extra statements:

20160918-222119

translate_v2_3_1.zip (https)
MD5: A3C30A3534DC96B28C1C18B425E2A82D
SHA256: BBD24406BC3038620807E8C4116B325BE6124BE92D041173A8E4BAB56D06C7E2

Tuesday 2 August 2016

rtfdump: Update And Videos

Filed under: maldoc,My Software,Update — Didier Stevens @ 0:00

I made a small update to rtfdump and added new rules to rtf.yara.

This video is an intro to rtfdump:

This is a video on an RTF maldoc (MD5 07884483f95ae891845caf0d50ce507f) that contains an exploit for MS12-027 CVE-2012-0158:

This is a video on an RTF maldoc (MD5 4483ad299158eb54f6ff58b5346a36ee) that contains an exploit for MS10-087 CVE-2010-3333:

rtfdump_V0_0_3.zip (https)
MD5: 59DC23EE55F76C065A2A718DDFDB0E4E
SHA256: 46F9D768C6976AD5D4018EFDFD35DAE4212FEAE57871434A33CAEF028CB4CBA2

Sunday 31 July 2016

Update: re-search Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a small update for re-search.py to properly handle binary files.

re-search_V0_0_2.zip (https)
MD5: FC921EAF48774B6E113FAE76867B69E1
SHA256: B07BF53FE476E6FC4D5B568BA2B0B70DD3BC037478A2CBF3A08A1AA6CCDD402C

Next Page »

Blog at WordPress.com.