This new version supports searching for UNICODE strings: u’…’.
Example: [u’Programmé’]:0x100l
cut-bytes_V0_0_9.zip (https)
MD5: 3D11868F238AF4369372CA083303716D
SHA256: AB3EA61B0F519AB99E659F73C263A0F4C2C9DB851314C49C5DA5A5F434E0CA4E
Sunday 17 February 2019
Update: cut-bytes.py Version 0.0.9
Saturday 26 January 2019
Update: msoffcrypto-crack.py Version 0.0.3
This is a bug fix update: for agile encryption, Python module msoffcrypto does not throw an exception in method load_key when an invalid password is provided. It throws an exception when an attempt is made to decrypt the file.
I added a call to method decrypt to handle this case.
msoffcrypto-crack_V0_0_3.zip (https)
MD5: 45BAB81D744DA62182EC58A8F2E05BFE
SHA256: CF9DE02C72C07C07786BE09551CD17F6DBB83BCEF2A1C5435E06A695D7C6770E
Monday 7 January 2019
Update: msoffcrypto-crack.py Version 0.0.2
In this update of msoffcrypto-crack.py, two new options were added:
-e takes a text file and extracts all words from this text file to be used in the dictionary attack. Words are strings delimited by space characters. Words between single or double quotes, and words after string “password” are put at the beginning of the list for the dictionary attack.
The idea for option -e, is that you give it the content of an email message that contains the password of the encrypted attachment(s).
-c takes the password to decrypt the document. You use this option after the password was recovered (with option -p or -e for example), and need to run the tool again to decrypt the document. You can run the password cracking each time when you need to decrypt the document, but if this takes too long, then you just run it once and from then on provide the recovered password with option -c.
Password VelvetSweatshop was added to the embedded password list.
msoffcrypto-crack_V0_0_2.zip (https)
MD5: 010B7FA68FCF9CE84427815EFDFE1C42
SHA256: 6B368E40EEE8A907D444A49963B37F456A3645991201CE06F0E46A0F2E188A74
Sunday 30 December 2018
Update: format-bytes.py Version 0.0.7
In this update, I added support for “run-length encoded” ASCII dump (-A), and X and S representation for strings:
format-bytes_V0_0_7.zip (https)
MD5: 58D3380B48593B3497AD04ACB1719CF3
SHA256: 8E07C1462AE88416CF8D5218A70BCFAE34F89B284684BFD0AC6B943A39E3CA8E
Friday 28 December 2018
Update: numbers-to-string.py Version 0.0.7
In this update, I added option -T. This is an alternative for option -t (table for number to character conversion). In stead of providing the full table with option -t, now you can provide a partial table with option -T, provided the table is present in the input.
This is often the case in DOSfuscated scripts:
In this example, the table starts with MkBMMM. Hence I use option -T MkBMMM, in stead of option -t with the full table: -t MkBMMMdkGLKIEzzjzlJJanhzSNf7,Y9x@bm(/5Hqo6 +8wri)$;uv{-QtgOUP}C:\VDFW.=y’AsRe0cp
numbers-to-string_v0_0_7.zip (https)
MD5: C23E49A24B54365F469BB35CCDA12701
SHA256: 3E9E7DF84359BEB4A054FC82E73C3E94219FC85E462FFBE3676C16E115F61AB3
Thursday 27 December 2018
Update: XORSearch Version 1.11.2
This update for XORSearch brings new features and bug fixes.
Starting with this version, XORSearch accepts input from stdin. Use filename – to read data from stdin:
Option -S will print out all strings found using all decoders supported by XORSearch. Strings are sequences of printable characters, ASCII and UNICODE, at least 4 characters long.
As option -S brings many of the functionalities of XORStrings to XORSearch, I’m no longer developing XORStrings.
Last new option is -r. You can use option -r to reverse the file before searching.
I’m also including more compiled versions (look inside the ZIP file).
XORSearch_V1_11_2.zip (https)
MD5: 2B76F6C730BAC6324E92A731F42FEB74
SHA256: 4206B843AC2B9417A85A4B5381023EC4613C5B5095A6A0A19A072C21C66DE93F
Wednesday 19 December 2018
Update:oledump.py Version 0.0.40
This new version adds option –password to use a different password than infected for samples inside password protected ZIP files.
And plugin_biff adds support for MS Excel 4.0 macros:
oledump_V0_0_40.zip (https)
MD5: 4013CC3A01D4CAE481EAA099A080B07F
SHA256: C5EC0B7B1EFA69D9EB6572F61D866ECEA7952FEADA06943377F8178C7A252E70
Saturday 15 December 2018
Update: numbers-to-string.py Version 0.0.6
This new version of numbers-to-string.py has a new option: -t (table).
With this option, you can use another table for number-to-character conversion than ASCII. Just provide the table as a string (a sequence of characters):
And I made a change to option –end: now it will select up to the last string occurrence provided, no longer the first one.
numbers-to-string_v0_0_6.zip (https)
MD5: 283003C9B328A3DB79BC83AD3C3B0FB1
SHA256: E96417C26EA1231748C6A5DE2F12F56D816F2F875795ED7412ED5D6458CF7B93
Monday 10 December 2018
Update: rtfdump.py Version 0.0.9
This new version (actually, 0.0.8 and 0.0.9) brings the following changes:
All items can be selected now with -s a.
A warning is displayed when option -s (selecting) does not result in the selection of an item.
Option -A does a run-length encoded ASCII dump (cfr. -a).
JSON output is possible with option –jsonoutput.
Ad-hoc YARA rules can now also be hexadecimal (#x#) or regular expression (#r#).
And offsets in a cut expression can now be hexadecimal too (prefix 0x).
rtfdump_V0_0_9.zip (https)
MD5: 26BE358EC8D42BB7532B6C0C1EBAD1F2
SHA256: 3F6410AC7880116CDDE4480367D3F5AA534CCA3047B75FEA0F4BA1F5EAA97B07
Thursday 6 December 2018
Update: oledump.py Version 0.0.39
This new version of oledump brings several new features.
When option -i is used without selecting a stream, the overview will contain the size of the compiled code and the source code for all modules:
Selecting just the compiled code from a module stream can be done with suffix c: oledump.py -s A4c sample.xlsm.
Suffix s is to be used to select source code only: oledump.py -s A4s sample.xlsm.
A warning is displayed when option -s (selecting) does not result in the selection of a stream.
Option -A does a run-length encoded ASCII dump (cfr. -a).
Option -T does a head & tail: select the first 10 and last 10 lines of the output.
Ad-hoc YARA rules can now also be hexadecimal (#x#) or regular expression (#r#).
And offsets in a cut expression can now be hexadecimal too (prefix 0x).
oledump_V0_0_39.zip (https)
MD5: 5C9A1D94E1BC857877116E425D80A197
SHA256: DF7FFA0C707C8D66C0E0FBEE583286DBA9970824782C6B7AB6BFDC30A85BB419
