Didier Stevens

Friday 22 May 2020

Update: oledump.py Version 0.0.50

Filed under: maldoc,Malware,My Software,Update — Didier Stevens @ 0:00

This new version brings updates to plugin plugin_biff.py.

This plugin can now produce a CSV list of cell values and formulas (option -c) or a JSON file of values and formulas (option -j).

Cell references are in RC format (row-column), but can also be produced in letters-numbers format (LN, option -r LN).

CSV or JSON output can be piped into my ad-hoc decoding programs.


oledump_V0_0_50.zip (https)
MD5: 30EB6A0E0924E72350B268ADDE4E4EC7
SHA256: 870167AE5576B169EB52572788D04F1FFCEC5C8AFDEBCC59FE3B8B01CBDE6CD9

Monday 11 May 2020

Update: XORSelection.1sc Version 5.0

Filed under: My Software,Update — Didier Stevens @ 0:00

XORSelection is a 010 Editor script I wrote some time ago, and it is included in the 010 Editor script repository. You provided it with an XOR key (ASCII or HEX), and then it will XOR-encode the file open in 010 Editor (or a selection of that file).

This new version brings options.

The input box of XORSelection can still be used to provide an ASCII key (e.g. Secret) or an HEX key (e.g. 0x536563726574), and the program will behave like before.

But if you provide no input and click OK, a second input box will be displayed, to input options (prior versions display an error message).

If you type h, you’ll get a simple help dialog, and then the program will terminate:

The options you can enter are r, l and/or s.

Use option r (reverse key) if the key has to be reversed before being used. Example: Secret -> terceS.

I introduced this option because I regularly need to use little-endian 4-byte XOR keys.

Use option l (literal key) if you need to use an ASCII key that starts with 0x (otherwise this key will be parsed as an HEX key).

Option s (shift) can be used to shift the key.

Here is an example to explain the shift option: assume the key is Secret, and that you want to decode a selection of an encrypted file. That selection will most likely not align with the key (e.g. the first byte of the selection was not encoded with the first byte of the key): lets assume you need to start decoding from the 3rd byte of the key: then you need a shift to the right of 2 positions, e.g. option s2. Remark that you can also shift to the left, then you use a negative integer, for example s-1.

XORSelection_V5_0.zip (https)
MD5: 0C2776C7E02235C4949A81AAEF079F66
SHA256: 4F82BC180264FC21802A43E2E5B078EDA7B24FC655815A37948317E8F043A5CA

Thursday 30 April 2020

Update: zipdump.py Version 0.0.19

Filed under: Encryption,My Software,Update — Didier Stevens @ 0:00

This new version of zipdump uses module pyzipper in stead of build-in module zipfile.

pyzipper supports AES encryption. It is not a built-in module, and needs to be installed (with pip for example). pyzipper does not support Python 2.

If module pyzipper is not installed, zipdump will fall back to module zipfile.

zipdump_v0_0_19.zip (https)
MD5: 6DDE072811D4B44B15D0B8EE4E7B4C03
SHA256: EB38D57E63B12EFAC531B4F0BA866BF47CAEC7F64E0C3CCF4557476FFF1C6226

Monday 20 April 2020

Update: python-per-line.py Version 0.0.7

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of python-per-line.py, a utility to execute a Python expression for every line in its input text files(s), adds option –encoding to handle encodings like Unicode (Python 3.7 required).

python-per-line_V0_0_7.zip (https)
MD5: 1AF491C2AD45E7ADB83F121B40F60BFB
SHA256: 5CB1E7C17EE359090E9E7168692CF00347E9815DC47CCCA14A2B4C974832510B

Sunday 19 April 2020

Update: hex-to-bin.py Version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of hex-to-bin.py, a tool to convert hexadecimal data to binary data, has a new option to ignore al characters/bytes that are not hexadecimal digits: -H –hexonly.

This option can be used to parse obfuscated, hexadecimal dumps of PE files, for example:

And there are also options if you want to take only lowercase hexadecimal digits into account (–loweronly) or uppercase hexadecimal digits (–upperonly).

hex-to-bin_V0_0_5.zip (https)
MD5: 6247279785AB80F4B0A91E0316D8695C
SHA256: C55246D653F1804DFB2C2EBEC0471AF42A89E9F080DCC87DC673BC9FEAD1949D

Saturday 18 April 2020

Update: xmldump.py Version 0.0.6

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of xmldump.py, a tool to analyze XML files, has a new command to extract cells from an .xlsx/.xlsm spreadsheet: celltext.

And also an option to provide the encoding of input files, like utf8 (Python 3.7 and later): –encoding.

xmldump_V0_0_6.zip (https)
MD5: 74BE27A8F45F1814341DCB7AEF6AE8BC
SHA256: 1767C27D9907FDDF88015D938EFF47782C06547CEEF0493F67D85FF4A06656DA

Tuesday 14 April 2020

Update: zipdump.py Version 0.0.18

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version op zipdump.py adds option -i (info), to be used to obtain more info on PKZIP records.

Example:

In next blog post, I’ll explain how to use zipdump to analyze malformed ZIP files.

zipdump_v0_0_18.zip (https)
MD5: 34DC469E8CD4E5D3E9520517DEFED888
SHA256: 270B26217755D7ECBCB6D642FBB349856FAA1AE668DB37D8D106B37D062FADBB

Monday 13 April 2020

Update: zipdump.py Version 0.0.17

Filed under: My Software,Update — Didier Stevens @ 0:00

This version includes a couple of bug fixes.

zipdump_v0_0_17.zip (https)
MD5: E61843BC5B42F4129A4664CD0A5FF93C
SHA256: 72C8AA31F143575E7F77027A7C186484E810F8E400285B6D3785C33C0408F4BF

Thursday 9 April 2020

Update XORSearch Version 1.11.3

Filed under: My Software,Update — Didier Stevens @ 0:00

A small change in this new version of XORSearch: option -n now also takes a negative value (output characters left of keyword) or an explicit positive value (output characters right of keyword).

XORSearch_V1_11_3.zip (https)
MD5: 39A5799EC4C77E894A56B215A7E20409
SHA256: 50D1CDF5FE93E29E1D7FCB3CF2256CEAC0034CBD887E4DAC1CB897E14B28BC16

Tuesday 31 March 2020

Update: msoffcrypto-crack.py Version 0.0.5

Filed under: Encryption,My Software,Update — Didier Stevens @ 0:00

This new version of msoffcrypto-crack.py, a tool to crack encrypted MS Office documents, comes with a new option to generated a password dictionary based on the filename of the document.

Option -p allows the user to provide a dictionary file. Use value #f to generate a dictionary based on the filename: This will generate a dictionary of all possible substrings of the filename.

I had to analyze an encrypted spreadsheet yesterday, and the password was in the name, like this:

msoffcrypto-crack_V0_0_5.zip (https)
MD5: 1514DA367DCFF7051AB117266CE65BD3
SHA256: FEEFDD89134083EA19936494C8FCBD05804B3B9C0D4C5FBAFE06578D466B50AE

« Previous PageNext Page »

Blog at WordPress.com.