Didier Stevens

Thursday 9 April 2020

Update XORSearch Version 1.11.3

Filed under: My Software,Update — Didier Stevens @ 0:00

A small change in this new version of XORSearch: option -n now also accepts a negative value (output the characters to the left of the keyword) or an explicit positive value (output the characters to the right of the keyword).
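To make the new -n semantics concrete, here is an added example (not XORSearch's own code) of the underlying technique: try all 256 single-byte XOR keys against a buffer, look for a keyword, and return decoded context to the left of the hit for a negative n or to the right for a positive n. The sample buffer and the 0x5A key are constructed for the example.

```python
# Added example, not code from XORSearch: single-byte XOR keyword search
# with context output left (n < 0) or right (n > 0) of each hit.
from typing import Iterator, List, Tuple


def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (key 0 leaves data unchanged)."""
    return bytes(b ^ key for b in data)


def find_hits(data: bytes, keyword: bytes) -> Iterator[Tuple[int, int]]:
    """Yield (key, offset) for every key under which keyword occurs.

    Instead of decoding the whole buffer 256 times, XOR the keyword with
    each key and search for that encoded form in the raw data.
    """
    for key in range(256):
        encoded_kw = xor_single(keyword, key)
        start = 0
        while True:
            pos = data.find(encoded_kw, start)
            if pos < 0:
                break
            yield key, pos
            start = pos + 1


def context(data: bytes, key: int, offset: int, kw_len: int, n: int) -> bytes:
    """Decoded bytes around a hit.

    n < 0: |n| bytes to the left of the keyword, then the keyword itself.
    n > 0: the keyword, then n bytes to the right of it.
    """
    if n < 0:
        lo = max(0, offset + n)
        chunk = data[lo:offset + kw_len]
    else:
        chunk = data[offset:offset + kw_len + n]
    return xor_single(chunk, key)


def search(data: bytes, keyword: bytes, n: int) -> List[Tuple[int, int, bytes]]:
    """(key, offset, decoded context) for every hit of keyword in data."""
    return [(key, off, context(data, key, off, len(keyword), n))
            for key, off in find_hits(data, keyword)]


# Constructed sample: an ASCII string XOR-encoded with the key 0x5A.
SAMPLE_PLAIN = b"junk...http://example.invalid/payload.bin;more"
SAMPLE = xor_single(SAMPLE_PLAIN, 0x5A)

if __name__ == "__main__":
    for key, off, ctx in search(SAMPLE, b"http://", 25):
        print(f"key {key:02X} offset {off:04X}: {ctx!r}")
    for key, off, ctx in search(SAMPLE, b"http://", -4):
        print(f"key {key:02X} offset {off:04X}: {ctx!r}")
```

Searching for the encoded keyword rather than decoding the file for each key is what keeps this fast on large inputs; the context is decoded only for the bytes that are actually reported.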

XORSearch_V1_11_3.zip (https)
MD5: 39A5799EC4C77E894A56B215A7E20409
SHA256: 50D1CDF5FE93E29E1D7FCB3CF2256CEAC0034CBD887E4DAC1CB897E14B28BC16

Tuesday 31 March 2020

Update: msoffcrypto-crack.py Version 0.0.5

Filed under: Encryption,My Software,Update — Didier Stevens @ 0:00

This new version of msoffcrypto-crack.py, a tool to crack encrypted MS Office documents, comes with a new option to generate a password dictionary based on the filename of the document.

Option -p allows the user to provide a dictionary file. Use the value #f to generate a dictionary based on the filename: this produces a dictionary of all possible substrings of the filename.
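The substring idea is easy to reproduce. The following is an added example (not msoffcrypto-crack.py's own code) that builds such a dictionary from a filename and feeds it to a password-check callback; the callback, the filename and the "correct" password are constructed for the example. With the msoffcrypto library the callback would wrap OfficeFile.load_key() and treat an exception as a wrong guess.

```python
# Added example, not code from msoffcrypto-crack.py: derive a password
# dictionary from every substring of the document's filename.
import os
from typing import Callable, List, Optional


def filename_substrings(path: str, min_len: int = 1) -> List[str]:
    """All distinct substrings of the filename without its extension.

    Longest candidates come first, so the whole name is tried before its
    fragments; ties are broken alphabetically for a stable order.
    """
    name = os.path.splitext(os.path.basename(path))[0]
    subs = {name[i:j]
            for i in range(len(name))
            for j in range(i + min_len, len(name) + 1)}
    return sorted(subs, key=lambda s: (-len(s), s))


def crack_with_filename(path: str, check: Callable[[str], bool]) -> Optional[str]:
    """Return the first filename substring that check() accepts, else None."""
    for candidate in filename_substrings(path):
        if check(candidate):
            return candidate
    return None


# Constructed oracle standing in for an Office decryption attempt:
# the document in this example happens to be protected with "4711".
CONSTRUCTED_PASSWORD = "4711"


def constructed_check(password: str) -> bool:
    return password == CONSTRUCTED_PASSWORD


if __name__ == "__main__":
    doc = "/tmp/Invoice_4711.xlsx"  # constructed path
    print(len(filename_substrings(doc)), "candidates")
    print("password:", crack_with_filename(doc, constructed_check))
```

A name of length n yields at most n(n+1)/2 candidates, so this dictionary is small enough to try before any wordlist, which is exactly why it is worth a dedicated option.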

I had to analyze an encrypted spreadsheet yesterday, and the password was in the name, like this:

msoffcrypto-crack_V0_0_5.zip (https)
MD5: 1514DA367DCFF7051AB117266CE65BD3
SHA256: FEEFDD89134083EA19936494C8FCBD05804B3B9C0D4C5FBAFE06578D466B50AE

Sunday 29 March 2020

Update: oledump.py Version 0.0.49

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump comes with an update to plugin_biff by @JohnLaTwC to improve formula parsing.

oledump_V0_0_49.zip (https)
MD5: 1EF0B466A80C034F10770F8A235EBE7B
SHA256: BD8CAD9EDB99B6063A9A36B8B83EB3416484CEC244A01CA2F08BB032402FF147

Friday 27 March 2020

Carving PE Files With pecheck.py

Filed under: My Software,Update — Didier Stevens @ 0:00

I added a feature to my tool pecheck.py to help extract embedded PE files from any host file: -l --locate.

pecheck.py expects a PE file as input, but if you use option -l P, it will read any file and look for embedded PE files by searching for a DOS header (MZ) followed by a PE header that pefile can then parse without errors.

Like in this example, where I created a PNG file with a 32-bit and a 64-bit DLL appended:

One PE file can then be selected for further analysis:

Or for extraction:

Here is a video with more details:

Sunday 15 March 2020

pecheck.py Version 0.7.10

Filed under: My Software,Update — Didier Stevens @ 9:12

In this new version of pecheck.py, a tool to analyze PE files, overlay offset calculations are improved when a digital signature is present, and the output has changed slightly:

  1. the name of the export DLL is included (right before the list of exported functions)
  2. lists of relocation addresses are dropped
  3. TLS callbacks are reported

No TLS data:

TLS data present, but no callbacks:

One TLS callback:

pecheck-v0_7_10.zip (https)
SHA256: 0E57A50590D59321CCD0BECE0936CF9523668F86516F56F5B2A21B9DCA9B4788

Saturday 14 March 2020

Update: cmd.dll Version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 15:24

I noticed that I didn’t post the latest version of my cmd.dll program.

And I looked into moving this code to the new ReactOS builder, but that still does not offer 64-bit builds, thus I’m postponing this migration.

cmd-dll_v0_0_5.zip (https)
MD5: 9BDBB368CDB576BDC05DDE76BC30702F
SHA256: 4757333DD509C77504E3FFCD1B01A2FFC6EC80AE518AE9CD787E80BF1281806D

Tuesday 10 March 2020

Update: oledump.py Version 0.0.48

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump.py brings an update to plugin_biff (improved formula parsing) and fixes for Python 3.


oledump_V0_0_48.zip (https)
MD5: B869EC84DB4F10596212A2B67CF2C684
SHA256: 0E66E3EA42D5761301E0643A27D892B3C4531CCC2E4C95373ECE9B7AD7E6DAC6

Sunday 8 March 2020

Update: oledump.py Version 0.0.47

Filed under: My Software,Update — Didier Stevens @ 22:22

This new version of oledump.py brings Root Entry listing with option --storages and the %CLDISDESC% extra parameter.

plugin_biff.py is updated to be faster and has new options -X and -d (pure hexadecimal dump and binary dump).

plugin_clsid.py is a new plugin.

More details in coming blog posts and ISC diary entries.


oledump_V0_0_47.zip (https)
MD5: E851ED7240C08E9E9E3EBA4A412A46A4
SHA256: F35997537D5C4596E413D08C35A83EBD55CAF587D2D9898DAA9285BC83CAF287

Sunday 23 February 2020

Update: Python Templates Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 0:00

Here is an update to my Python templates (binary and text files).

I’ll explain the updates to each template in upcoming blog posts.

python-templates_V0_0_2.zip (https)
MD5: 082812485D24AD0E3D12F1618BC44367
SHA256: 98DE8BEC508C7E678D294DD630466DA175524D4180C1E8C3A6C06EE11587981E

Saturday 22 February 2020

Update: translate.py Version 0.2.7

Filed under: My Software,Update — Didier Stevens @ 20:29

This update for translate.py, a tool to “Translate bytes according to a Python expression”, adds a new function for XOR multi-byte-key encoding/decoding.

translate_v2_5_7.zip (https)
MD5: 886C1B4C518EA58F972F87980994B976
SHA256: 01E4239E050DE4853AC53020CCE44C9804003A4A2C195974B5B16AEDD1B8E1B1

Blog at WordPress.com.