Didier Stevens

This is a bugfix version

pecheck-v0_7_11.zip (https)
MD5: D3B69575F0A08377D1A08886D34230FD
SHA256: 2B59F745377EABDF81118997CA70F5F4DBC1CE927370F02C6E0262869F988FA9

There are many new features in this update to InteractiveSieve (I neglected to publish updates).

InteractiveSieve is a C# tool I developed to help me visualize and sift through logs (CSV files).

I want to record a couple of videos to show what this tool can do.

Here is a list of updates:

• Added Remember and >= <= popup menu commands
• Added Paste to Sift dialog
• Added separator option None
• Added choice for Pivot table: matrix, list and uniques
• Fixed Reveal all bug, thanks Bart Vanautgaerden for reporting
• Added Hide colored lines and Hine uncolored lines; Added Info and Set as index column
• Bugfix DataGridViewEx
• Added Load sieve and Save sieve
• Added m:n to pivot table
• Added Invert
• Added bookmarks
• Added Previous and Next Bookmark toolbar buttons
• Bugfix SaveSieve for bookmarks
• Added Comment…
• Added header when saving
• Fix for header when loading with filter
• Added load with lookup
• Added Treeview
• Added drag and drop; automatic and colon separator; invert with load filter
• Added Copy for row
• Pivot table list and uniques: Added support for Hide and Color buttons
• Added Sift… value
• Added Transform (regex) and restore
• Added Reload

InteractiveSieve_V_0_9_1_0.zip (https)
MD5: C8B5B3E768FB62B7508F055122453594
SHA256: 063A83D9DBA900C8B245532D510E822A305B258C9A3DD05F19F4F0ED2753B6E1

I added detection of data descriptor records (PK 0x07 0x08) to option -f L (list all ZIP records found inside the provided file).

zipdump_v0_0_20.zip (https)
MD5: A0A826BB92805997ED3D9793C8B24385
SHA256: AC626299A6048FA4A7E8BE2993411870F77B4B89F647B6C4264E0CC22E180999

This new version of oledump.py brings support for AES encrypted ZIP files via Python module pyzipper (Python 3 only). If module pyzipper is not installed, oledump will fall back to builtin module zipfile.

And plugin plugin_vbaproject.py does now a small dictionary attack on the extracted hash to try to recover the password.

I use the same dictionary as in zipdump.py, a dictionary that is the public domain, default wordlist used by John the Ripper, extended with a couple of passwords: infected, P@ssw0rd and VelvetSweatshop.

oledump_V0_0_52.zip (https)
MD5: 2528824D8A7CD2BE98615B1B1AE8C61A
SHA256: C47A9CC658571FF23E70264B4DD4F8F47D244708E7110EA0A28128F175CF80F5

This is a bugfix update to oledump.py, and a feature update for plugins.

plugin_biff.py has a new -S (–statistics) option:

This option can be combined with option -c (–csv).

And there is a new plugin for VBA projects: plugin_vbaproject.py. More info in tomorrow’s blog post.

oledump_V0_0_51.zip (https)
MD5: 9A55FC37AD0C4C2F3D08F252C72C1A82
SHA256: 071D1605D520A4BABBE2CDA461866C349628FE4B428AC54823492A6CD89EA487

This is a small bug fix version of XORSearch: fixing some printf format strings for Linux, thanks to Lenny Zeltser for reporting.

Because of Google, I can no longer host this tool on my website.

You have to get it from my FalsePositives GitHub repository.

XORSearch_V1_11_4.zip
MD5: E66290D1EB15D9394C8D1264A09ECFE6
SHA256: BF20A1D76AAD83FC3AABEDC6DDC7F96B655DC94BEC3FA276A50AF6046EBB554C

This new version of base64dump.py adds the following new features:

• encoding zxc (0x4D,0x5A,0x90,…)
• update for YARA rules
• update for –cut option
• option -A: run-length encoded HEX/ASCII dump
• warning when no encoding was selected
• environment variable to set hash algorithm (DSS_DEFAULT_HASH_ALGORITHMS)
• option –jsonoutput
• option -T: headtail
• option -p: process encodings
• Python 3 support

base64dump_V0_0_12.zip (https)
MD5: 834B0D2DB5915ECE1C2F016B9E8462D1
SHA256: 952A5009C945AF350DB0875E8F025E3B5D271FB54AC60BE7569CFBD949DD7B77

This is a small Python 3 bugfix version.

translate_v2_5_8.zip (https)
MD5: 677BD5D6007F264A05D23A9A01B3DD13
SHA256: 977D7A87F771F5E86A6B57D2B565D7C789A7AC7696599E8B7412E9051D66DCFF

XORSelection is a 010 Editor script I wrote some time ago, and it is included in the 010 Editor script repository. You provided it with an XOR key (ASCII or HEX), and then it will XOR-encode the file open in 010 Editor (or a selection of that file).

This new version brings options.

The input box of XORSelection can still be used to provide an ASCII key (e.g. Secret) or an HEX key (e.g. 0x536563726574), and the program will behave like before.

But if you provide no input and click OK, a second input box will be displayed, to input options (prior versions display an error message).

If you type h, you’ll get a simple help dialog, and then the program will terminate:

The options you can enter are r, l and/or s.

Use option r (reverse key) if the key has to be reversed before being used. Example: Secret -> terceS.

I introduced this option because I regularly need to use little-endian 4-byte XOR keys.

Use option l (literal key) if you need to use an ASCII key that starts with 0x (otherwise this key will be parsed as an HEX key).

Option s (shift) can be used to shift the key.

Here is an example to explain the shift option: assume the key is Secret, and that you want to decode a selection of an encrypted file. That selection will most likely not align with the key (e.g. the first byte of the selection was not encoded with the first byte of the key): lets assume you need to start decoding from the 3rd byte of the key: then you need a shift to the right of 2 positions, e.g. option s2. Remark that you can also shift to the left, then you use a negative integer, for example s-1.

XORSelection_V5_0.zip (https)
MD5: 0C2776C7E02235C4949A81AAEF079F66
SHA256: 4F82BC180264FC21802A43E2E5B078EDA7B24FC655815A37948317E8F043A5CA