Didier Stevens

This new version of oledump.py brings some fixes and an update to plugin plugin_vbaproject to decode and display the password for plaintext passwords:

oledump_V0_0_66.zip (http)
MD5: 20D89F0477ED7B533C2B0C6D27EC4255
SHA256: F67051EF2FA3FD42206C5ADFAC807C94ECD5F7F0F6427433B366217F675D3195

This new version of oledump.py brings a new plugin (plugin_metadata) and Python 3 fixes for 2 plugins (plugin_msi and plugin_ppt).

The new plugin is actually an old unpublished plugin, that I updated recently.

This plugin parses Office document metadata as defined in document [MS-OLEPS].

I started to write this in 2015 to parse the metadata of Word documents, but soon I figured out that this functionality was already present in olefile, and I introduced option -M to call this functionality.

But recently, I had to parse metadata that isn’t (yet) parsed by olefile, so I updated and released plugin_metadata.

oledump_V0_0_65.zip (http)
MD5: 319894D211E0C6F41DCEBD5DBBBE3D33
SHA256: 35786C01AC74BE8604E96B528B7EB8EEFBB0D63407D3C78CC31D058528EF20D7

This is a Python3 stdin fix for re-search.py, my tool to search with regular expressions.

re-search_V0_0_19.zip (http)
MD5: 4007A3E5540871221B55591B50E2239B
SHA256: 263236ABE75B93F1F999474D690A9EB2575EBE42CED8F369FF98B349A5116D11

This new version of 1768.py brings option -H to include file hashes, introduces shellcode type detection and has updated statistics.

1768_v0_0_13.zip (http)
MD5: F7E85586045AA76C573E010E6FF5F701
SHA256: 33B43A5AB059556C17083E824D407891CD14544B5CA416223020076C5878D310

This new version of cut-bytes.py adds access to the read data for Python expressions in prefix and suffix options.

cut-bytes_V0_0_14.zip (http)
MD5: EC3434DAAEE06C6F35BD57B77F86833F
SHA256: BCCCE7A73C921BD2CC195155A3A709FBAD7ADC0A267288A4F7F58695A2F103D1

This new version of oledump brings option -u. This option is used to look for data past the end of the streams.

oledump_V0_0_64.zip (http)
MD5: D2FE33398A2BA85A760518972C0207D3
SHA256: C44F11D31CDCFDE0E7207363A9F35ED07A98A69A4A4228A8CA49292BA8EE9683

I included a new Cobalt Strike 4.5 private key in this released, shared with me by a user.

Further, ZIP files with AES encryption are supported. And a few other bug fixes

1768_v0_0_12b.zip (https)
MD5: C1675CD1CD5E817BDBC4B10D8850D6DD
SHA256: 0694F52EFA2332E8FCFFA739AD123ABF4A75F20ACB5DE3174376FE5D816DE071

This is a bug fix update for oledump.py.

It fixes a bug that occurred when you calculated the hash of decompressed VBA code:

oledump_V0_0_63.zip (https)
MD5: 52440972347843FF56B8F754910BFE4A
SHA256: F92660FFA0F484B46A14944A8B7B475C3D34E80D9C197FA1E99C444CA9ED533B

This new version of jpegdump.py adds option -E to display extra info for each segment.

This extra data is a hash of the segment’s data: md5, sha1, sha256.

jpegdump_V0_0_9.zip (https)
MD5: 1736DA65F7355308DC698E29DE8F5432
SHA256: 1E5AE79BB060F59D255999DBD74786F8A8A45DDB2C5F9C85A6FB2FA04CFD4D6C

This new version brings a new encoding: zxcn

zxcn stands for “zero x comma no-leading zero”, and is very similar to zxc encoding (zero x comma).

Example of zxc: 0x90,0x0A,0x4D,0x5A

Remark the leading zero for value 0x0A (values smaller than 0x10).

With zxcn encoding, there is no leading zero for values smaller than 0x10.

Thus the example for zxcn becomes: 0x90,0xA,0x4D,0x5A

base64dump_V0_0_20.zip (https)
MD5: 10E130F7B989EDDBF03092B8AA0585E1
SHA256: BD7ADF465CA89B10D0591A6D73E6E97DA3EF313EA7C28C90DD59F0A5CBBEB9CD