Didier Stevens

After adding support for password lists in zipdump, I decided to add an internal password list to zipdump, based on John’s public domain password list.

This internal password list (a few thousand passwords) can be used by providing filename . (a single dot) to options -P and –passwordfilestop.

zipdump_v0_0_7.zip (https)
MD5: 7B3D165B68B4E66D7EFCF54B25E08115
SHA256: DC794679CFDEA57AC532E11BC338F6823EECC26A36CB844B29EF15F93B6BA1C1

This new version of re-search.py has a build-in regular expression for bitcoin addresses, together with a Python function to validate the address.

re-search_V0_0_7.zip (https)
MD5: 38EBBC6B45476AA2FB03DC9604D2F7EE
SHA256: 7BE3B986126C3E40A886A66A08EA360EEE01A29F064F2D3235A1311C4FB4E45E

When I used my re-search.py tool to extract Bitcoin addresses from the latest WCry samples, I found a small bug. This version is a bugfix (bug introduced in version 0.0.4).

re-search_V0_0_5.zip (https)
MD5: A03CBBA9F2C5900A368BC064D3CC3D00
SHA256: 940B12CA8E3ADCC0266BC788B5A7AE2C830115BDB9FC04C3A7A178FDD7D44F02

We had to crack a password protected ZIP file, to discover that just few hours later, we would fly to Dubai for our NVISO team building event.

This inspired me to update my zipdump.py tool. This tool can handle password protected ZIP files. Using default password “infected”, or a password that can be provided with option -p.

In this new version, you can provide a list of password in a text file using option -P. Turns out that this simple dictionary attack just using Python is surprisingly quick (at least to me): 8000 passwords per second on an average machine.

zipdump_v0_0_6.zip (https)
MD5: B605DEABFC5458488B6487B1E9104085
SHA256: DDC2CE94D250CBDE62AD1EBE650654E4A50C51F97CADF412B16A553242819772

This version has one new option: -G or –grepall.

re-search_V0_0_4.zip (https)
MD5: 965C484CC5BF447B390BA4E176698972
SHA256: D2F3A52F7590CD38E796B6F6209FC87A1BD6451F1787010557FA39E25AFDBC2F

This new version of oledump.py adds some extra features for YARA rule scanning.

oledump.py declares 2 external variables that can be used in your YARA rules.

External variable streamname is a string with the stream name, as printed in oledump’s report.

External variable VBA is a boolean that is set to true when the data to scan is VBA source code. Previous versions of oledump would scan the raw stream content with YARA, but this new version also decompresses all streams with VBA macros, and concatenates them together to scan them after all streams have been scanned.

Example of a rule using external variable VBA:

rule VBA_Autorun
{
    strings:
        $a = "AutoExec" nocase fullword
        $b = "AutoOpen" nocase fullword
        $c = "DocumentOpen" nocase fullword
        $d = "AutoExit" nocase fullword
        $e = "AutoClose" nocase fullword
        $f = "Document_Close" nocase fullword
        $g = "DocumentBeforeClose" nocase fullword
        $h = "Document_Open" nocase fullword
        $i = "Document_BeforeClose" nocase fullword
        $j = "Auto_Open" nocase fullword
        $k = "Workbook_Open" nocase fullword
        $l = "Workbook_Activate" nocase fullword
        $m = "Auto_Close" nocase fullword
        $n = "Workbook_Close" nocase fullword
    condition:
        VBA and any of ($*)
}

The condition of this rule is true when external variable VBA is true and when at least one of the strings are found:

This rule is included in a new set of YARA rules I included with oledump.py: vba.yara.

I made a video to illustrate this:

And there is also a new plugin: plugin_str_sub. It tries to de-obfuscate strings with padded characters:

oledump_V0_0_27.zip (https)
MD5: A6C6728E20AE46A4FECC5F3976AF33BF
SHA256: 54FE550D5102A0E9428F6BD9B5170B50797EDA2076601634519CDBB574004A3C

I just updated the manual of this version, to explain here documents.

cut-bytes_V0_0_5.zip (https)
MD5: B20B9758D50C846CD0E0AEB9E0B15101
SHA256: B12D1E1C510ED4CC820C5D2F62897DF71E567B0D3B23AC36653236D30104157F

A very small update to re-search.py: I added a regular expression for strings to the library:

re-search_V0_0_3.zip (https)
MD5: 6C4F59C4BA5DAC1D16D3E09D1E333FD0
SHA256: BFB019F1350F7D63FB3704322F62894A4B17D8EE03CC186156F2A97045E47F58

I added a feature similar to “here files” to translate.py. It’s something I already did in xor-kpa.py.

In stead of using an input filename, the content can also be passed in the argument. To achieve this, precede the text with character #.
If the text to pass via the argument contains control characters or non-printable characters, hexadecimal (#h#) or base64 (#b#) can be used.

Example:
translate.py #h#89B5B4AEFDB4AEFDBCFDAEB8BEAFB8A9FC “byte ^0xDD”
Output:
This is a secret!

translate_v2_4_0.zip (https)
MD5: B33830C68D8A8A7534AF178243658E70
SHA256: A01AB10FCE42664869C4E31DB1AB2E1E0237172D0AE9685549A09BF866D7F885

This new version of rtfdump.py adds object extraction (-E) and can also handle objects obfuscated with \dde0000…

rtfdump_V0_0_5.zip (https)
MD5: 14475C70D992FB72306D5F83815DDE19
SHA256: A26A60536509BA7CF55FF1876E8BC3A6DBA43F1EF8841F159D55411FD11B5078