A small change in this new version of XORSearch: option -n now also takes a negative value (output characters left of keyword) or an explicit positive value (output characters right of keyword).
XORSearch_V1_11_3.zip (https)
MD5: 39A5799EC4C77E894A56B215A7E20409
SHA256: 50D1CDF5FE93E29E1D7FCB3CF2256CEAC0034CBD887E4DAC1CB897E14B28BC16
This new version of msoffcrypto-crack.py, a tool to crack encrypted MS Office documents, comes with a new option to generated a password dictionary based on the filename of the document.
Option -p allows the user to provide a dictionary file. Use value #f to generate a dictionary based on the filename: This will generate a dictionary of all possible substrings of the filename.
I had to analyze an encrypted spreadsheet yesterday, and the password was in the name, like this:
msoffcrypto-crack_V0_0_5.zip (https)
MD5: 1514DA367DCFF7051AB117266CE65BD3
SHA256: FEEFDD89134083EA19936494C8FCBD05804B3B9C0D4C5FBAFE06578D466B50AE
This new version of oledump comes with an update to plugin_biff by @JohnLaTwC to improve formula parsing.
oledump_V0_0_49.zip (https)
MD5: 1EF0B466A80C034F10770F8A235EBE7B
SHA256: BD8CAD9EDB99B6063A9A36B8B83EB3416484CEC244A01CA2F08BB032402FF147
I added a feature to my tool pecheck.py to help extract embedded PE files from any host file: -l –locate.
pecheck.py expects a PE file as input, but if you use option -l P, it will read any file an look for embedded PE files by searching for a DOS header (MZ) followed by a PE header, that can then be parsed by pefile without errors.
Like in this example, where I created a PNG file with a 32-bit and a 64-bit DLL appended:
One PE file can then be selected for further analysis:
Or for extraction:
Here is a video with more details:
In this new version of pecheck.py, a tool to analyze PE files, overlay offset calculations are improved when a digital signature is present, and the output has changed slightly:
No TLS data:
TLS data present, but no callbacks:
One TLS callback:
pecheck-v0_7_10.zip (https)
MD5: D0C4332B1BD231AA131FBCDCD3BBBA33
SHA256: 0E57A50590D59321CCD0BECE0936CF9523668F86516F56F5B2A21B9DCA9B4788
I noticed that I didn’t post the latest version of my cmd.dll program.
And I looked into moving this code to the new ReactOS builder, but that still does not offer 64-bit builds, thus I’m postponing this migration.
cmd-dll_v0_0_5.zip (https)
MD5: 9BDBB368CDB576BDC05DDE76BC30702F
SHA256: 4757333DD509C77504E3FFCD1B01A2FFC6EC80AE518AE9CD787E80BF1281806D
This new version of oledump.py brings an update to plugin_biff (improved formula parsing) and fixes for Python 3.
oledump_V0_0_48.zip (https)
MD5: B869EC84DB4F10596212A2B67CF2C684
SHA256: 0E66E3EA42D5761301E0643A27D892B3C4531CCC2E4C95373ECE9B7AD7E6DAC6
This new version of oledump.py brings Root Entry listing with option –storages and %CLDISDESC% extra parameter.
plugin_biff.py is updated to be faster and has new options -X and -d (pure hexadecimal dump and binary dump).
plugin_clsid.py is a new plugin.
More details in coming blog posts and ISC diary entries.
oledump_V0_0_47.zip (https)
MD5: E851ED7240C08E9E9E3EBA4A412A46A4
SHA256: F35997537D5C4596E413D08C35A83EBD55CAF587D2D9898DAA9285BC83CAF287
Here is an update to my Python templates (binary and text files).
I’ll explain the updates to each template in upcoming blog posts.
python-templates_V0_0_2.zip (https)
MD5: 082812485D24AD0E3D12F1618BC44367
SHA256: 98DE8BEC508C7E678D294DD630466DA175524D4180C1E8C3A6C06EE11587981E
This update for translate.py, a tool to “Translate bytes according to a Python expression”, adds a new function for XOR multy-byte-key encoding/decoding.
translate_v2_5_7.zip (https)
MD5: 886C1B4C518EA58F972F87980994B976
SHA256: 01E4239E050DE4853AC53020CCE44C9804003A4A2C195974B5B16AEDD1B8E1B1
