Didier Stevens

Saturday 30 September 2023

Update: emldump.py Version 0.0.13

Filed under: My Software,Update — Didier Stevens @ 10:25

This new update can produce JSON output for each part (option --jsonoutput).

emldump_V0_0_13.zip (http)
MD5: 083C21C2E7EA265947E3D2060A739376
SHA256: 2812EFFCBD9BDCA2634210678C1F2508216E099D94531E5FF29BFE32B3B12B65

Tuesday 5 September 2023

Update: zipdump.py Version 0.0.28

Filed under: My Software,Update — Didier Stevens @ 7:31

This is an update linked to option -f l to find PKZIP records.

When option -E all is used, field externalattributes is parsed now:
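As an added worked example (not code from the post or from zipdump.py), here is what the externalattributes field of a ZIP central directory entry carries and why a triage tool bothers to parse it: the low byte holds MS-DOS attribute bits, and for entries written on a Unix host (the "version made by" host byte is 3) the high 16 bits hold the Unix st_mode, which exposes the file type (symlink entries) and setuid/setgid bits before anything is extracted. The sample archive is constructed in memory; the file names and contents are made up for the demonstration.

```python
import io
import stat
import zipfile

# MS-DOS attribute bits live in the low byte of externalattributes.
DOS_ATTRIBUTES = {0x01: "readonly", 0x02: "hidden", 0x04: "system", 0x10: "directory", 0x20: "archive"}
HOST_UNIX = 3  # "version made by" host system value for Unix


def parse_external_attributes(external_attr, create_system):
    """Split a central-directory externalattributes value into its parts.
    For entries made on Unix the high 16 bits carry st_mode, so the file type
    (symlinks) and special permission bits (setuid/setgid) are recoverable."""
    result = {"dos": [name for bit, name in DOS_ATTRIBUTES.items() if external_attr & bit]}
    if create_system == HOST_UNIX:
        mode = (external_attr >> 16) & 0xFFFF
        result["mode"] = oct(mode & 0o7777)
        result["type"] = stat.filemode(mode)[0]      # '-', 'd', 'l', ...
        result["symlink"] = stat.S_ISLNK(mode)
        result["setuid"] = bool(mode & stat.S_ISUID)
        result["setgid"] = bool(mode & stat.S_ISGID)
    return result


def build_sample_zip():
    """Constructed archive: a setuid binary, a symlink and a DOS-style entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, system, attr, payload in (
            ("bin/tool", HOST_UNIX, (0o104755 << 16) | 0x20, b"#!/bin/sh\n"),
            # for a symlink entry the file body is the link target
            ("etc/link", HOST_UNIX, (0o120777 << 16), b"../outside-the-archive"),
            ("notes.txt", 0, 0x01 | 0x20, b"readonly, archive\n"),
        ):
            info = zipfile.ZipInfo(name)
            info.create_system = system
            info.external_attr = attr
            zf.writestr(info, payload)
    return buf.getvalue()


def inspect_zip(data):
    """Return {name: parsed externalattributes} for every central directory entry."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {info.filename: parse_external_attributes(info.external_attr, info.create_system)
                for info in zf.infolist()}


if __name__ == "__main__":
    for name, parsed in inspect_zip(build_sample_zip()).items():
        print(name, parsed)
```

The mode bits are read from the central directory only; a standard extractor may or may not honour them, which is exactly why inspecting them before extraction is worthwhile.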

zipdump_v0_0_28.zip (http)
MD5: 288DBCFACB42E6563F417E46BD6081BC
SHA256: 4C3AD3A49FCFC1B5A680EAE80CE129A67912BCC03402EC9F46D08F902BC512A1

Tuesday 29 August 2023

Update: emldump.py Version 0.0.12

Filed under: My Software,Update — Didier Stevens @ 10:29

This update to emldump.py adds a new feature to fix (-F) some obfuscations.

For the moment, only one obfuscation method is fixed (many others are already ignored with option -f --filter); it is used in polyglot PDF/Word files.

emldump_V0_0_12.zip (http)
MD5: 3847B92460C0485E1238C47C29EF9DE1
SHA256: AFDFB8E78AE7DE56F50EA73D69705B6DACB425FFBD40D6997D64C7C75E3D8A0D

Sunday 27 August 2023

Update: sortcanon.py Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 17:44

Some new options for my tool sortcanon.py to handle more inputs.

A bit of context: when one sorts a list of IPv4 addresses as text, one gets a result as follows. Take this list:

Just sorting this gives this result:

The IPv4 address starting with 185 comes first, because by default, sorting is string based and digit 1 comes before digit 3.

With sortcanon, one can provide a Python function that will be used to interpret the input and achieve the desired sorting. There are a couple of built-in functions, like ipv4. This is the result:

This time, the IPv4 address starting with 185 comes last, because it has the highest most significant byte.

Recently, I had to sort some files with extra data, like IPv4 addresses followed by port numbers. Something like this list:

But this did not work:

This is because the function that parses IPv4 addresses does not expect a port number.

I could create a custom function to handle this, but I pursued another solution. I added an option to select, with a regular expression, the part of the line that will be used for sorting. This is option -s (select). Like this:

Regular expression “^([^ ]+) ” selects all characters from the beginning of the line (^) up to, but not including, the first space character. This selection is stored in a capture group (), and the ipv4 sorting function takes this capture group as input instead of the complete line.

The list I selected as an example has some duplicate IPv4 addresses:

If I use option -u (unique), duplicate lines are removed:

But of course the lines with identical IPv4 address 53… remain, because the lines themselves are different (different port numbers).

This is the desired result most of the time. But I had an exceptional case where I had to drop duplicate IPv4 addresses but still keep one port number. This can be done with option --selectoptions u:
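The whole procedure described in this post (string sort versus canonical ipv4 sort, the -s selection with a capture group, -u, and the "unique on the selected part" behaviour of --selectoptions u) as an added worked example. This is not sortcanon.py's code: it is an independent re-implementation of the behaviour the post describes, and the sample list of address/port lines is constructed here.

```python
import ipaddress
import re

# Constructed sample: IPv4 addresses followed by a port number, with a fully
# duplicated line and with lines that differ only in the port.
SAMPLE_LINES = [
    "185.1.1.1 443",
    "3.4.5.6 80",
    "53.1.2.3 80",
    "53.1.2.3 8080",
    "53.1.2.3 80",
    "10.0.0.5 22",
]


def ipv4_key(text):
    """Canonical sort key for an IPv4 address: its 32-bit integer value.
    Raises ValueError (AddressValueError) when the text is not a bare address,
    which is why '185.1.1.1 443' cannot be sorted without a selection."""
    return int(ipaddress.IPv4Address(text))


def sort_canonical(lines, keyfunc, select=None, unique=False, select_unique=False):
    """Sort lines by keyfunc applied to the selected part of each line.

    select        -- regular expression; capture group 1 (or the whole match when
                     there is no group) is what keyfunc receives (option -s)
    unique        -- drop lines that are byte-for-byte identical (option -u)
    select_unique -- keep only the first line for each distinct selected value
                     (the behaviour described for --selectoptions u)
    Python's sort is stable, so lines with equal keys keep their input order.
    """
    pattern = re.compile(select) if select else None
    if unique:
        lines = list(dict.fromkeys(lines))  # preserves first-occurrence order
    decorated = []
    seen = set()
    for line in lines:
        selected = line
        if pattern is not None:
            match = pattern.search(line)
            if match is None:
                raise ValueError("selection %r does not match line %r" % (select, line))
            selected = match.group(1) if pattern.groups else match.group(0)
        if select_unique:
            if selected in seen:
                continue
            seen.add(selected)
        decorated.append((keyfunc(selected), line))
    decorated.sort(key=lambda pair: pair[0])
    return [line for _, line in decorated]


if __name__ == "__main__":
    select = r"^([^ ]+) "
    print("plain string sort:   ", sorted(SAMPLE_LINES))
    print("ipv4 -s:             ", sort_canonical(SAMPLE_LINES, ipv4_key, select=select))
    print("ipv4 -s -u:          ", sort_canonical(SAMPLE_LINES, ipv4_key, select=select, unique=True))
    print("ipv4 -s --selectoptions u:",
          sort_canonical(SAMPLE_LINES, ipv4_key, select=select, select_unique=True))
```

Calling sort_canonical with ipv4_key and no select raises ValueError on the first line, reproducing the "this did not work" case; the selection regex is what makes the address parser see only the address.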

sortcanon_V0_0_3.zip (http)
MD5: CF742211DCF5AD893B882658980E6998
SHA256: 44DECFCDCA4966F8A8A2B1172EFA6B706294935C20D6A12C5A68F5D395396A77

Sunday 16 July 2023

Update: zipdump.py Version 0.0.27

Filed under: My Software,Update — Didier Stevens @ 8:04

This is a bug fix release.

zipdump_v0_0_27.zip (http)
MD5: 91A26333FB6E2FF23A37462B5031A62F
SHA256: 99E628622C5D3F3AD957C7A41264850A4FA267E46DE8F8E1AF61C684774C0850

Saturday 17 June 2023

Update: zipdump.py Version 0.0.26

Filed under: My Software,Update — Didier Stevens @ 11:45

In this new version, new features/updates are:

  • Update to statistics to include longest strings (also hexadecimal and base64)
  • Write option: ziphashdir and alphanumvir
  • Brute-force password cracking

zipdump_v0_0_26.zip (http)
MD5: 5F6C82CD17D587D201D59A4B535F3702
SHA256: 90D0F0C1FA238DA9FBC6B7100B8EC01B0E155A0BBF22613B2BA22D5190ABF4DF

Tuesday 2 May 2023

Update: oledump.py Version 0.0.75

Filed under: My Software,Update — Didier Stevens @ 0:00

This update brings a new plugin: plugin_vba_dir.py (there are no changes to oledump).

This plugin parses the records found in the vba/dir stream to display project, references and modules information.

oledump_V0_0_75.zip (http)
MD5: FB0F82B3B29883707A399B99C894EF08
SHA256: D357E48D827822D15C9C22C0B5204924FBA9FC59104818C9824AD149FE6F6249

Sunday 30 April 2023

Update: zipdump.py Version 0.0.25

Filed under: My Software,Update — Didier Stevens @ 9:12

Some changes to the translate option: now it supports this format (like some of my other tools):

i=codec[:error],o=codec[:error]

i= is input and o= is output. If you don’t specify an error handling mode, strict is used.

An example of the format is: i=utf16,o=latin:ignore
This will read binary data in utf16 strict mode, convert it to binary data in ANSI (latin), and ignore all utf16 characters that cannot be represented in latin.
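The i=codec[:error],o=codec[:error] format, parsed and applied, as an added example (not zipdump.py's own code). It validates the codec and error-handler names, defaults both handlers to strict as the post states, and runs the i=utf16,o=latin:ignore example on a constructed UTF-16 sample containing a character that latin-1 cannot represent.

```python
import codecs
import re

# i=codec[:error],o=codec[:error]  -- the error handler defaults to strict on both sides
TRANSLATE_SPEC = re.compile(r"^i=([^:,]+)(?::([^,]+))?,o=([^:,]+)(?::([^,]+))?$")


def parse_translate_spec(spec):
    """Return (input_codec, input_errors, output_codec, output_errors).
    Raises ValueError for a malformed spec and LookupError for a codec or
    error-handler name this Python does not know."""
    match = TRANSLATE_SPEC.match(spec)
    if match is None:
        raise ValueError("expected i=codec[:error],o=codec[:error], got %r" % spec)
    icodec, ierrors, ocodec, oerrors = match.groups()
    ierrors = ierrors or "strict"
    oerrors = oerrors or "strict"
    for codec in (icodec, ocodec):
        codecs.lookup(codec)
    for handler in (ierrors, oerrors):
        codecs.lookup_error(handler)
    return icodec, ierrors, ocodec, oerrors


def translate(data, spec):
    """Decode bytes with the input codec, then re-encode with the output codec."""
    icodec, ierrors, ocodec, oerrors = parse_translate_spec(spec)
    return data.decode(icodec, ierrors).encode(ocodec, oerrors)


# Constructed sample: UTF-16 text (with BOM) containing the euro sign, which has
# no latin-1 representation; the u-umlaut does have one (0xFC).
SAMPLE_UTF16 = "Zürich €5".encode("utf16")

if __name__ == "__main__":
    print(translate(SAMPLE_UTF16, "i=utf16,o=latin:ignore"))   # euro sign silently dropped
    try:
        translate(SAMPLE_UTF16, "i=utf16,o=latin")             # strict is the default
    except UnicodeEncodeError as e:
        print("strict mode refuses:", e.reason)
```

With the default strict handler the same input raises UnicodeEncodeError instead of silently losing data, so strict is the right default when the translated bytes feed further analysis.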

zipdump_v0_0_25.zip (http)
MD5: 141BCA65BF89E0561B42901598406113
SHA256: 54E23B4E7A3EB1B31394FCCC32F6509CFB448E0D917615C4C05E431784E70978

Saturday 8 April 2023

Update: dnsresolver.py Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 7:42

I added support for label * (wildcard label).

dnsresolver_V0_0_3.zip (http)
MD5: 18958CEEB8CD62B50D6533A477008649
SHA256: E8BB634C9D5562D640D23AA426948D166977193931794E67761F1BCD2436466E

Tuesday 4 April 2023

Update: 1768.py Version 0.0.18

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of 1768.py brings an option to try out all 256 XOR keys if a non-standard XOR key is used to encode the configuration.

Like this sample (key !):
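The "try all 256 keys" approach as an added worked example, not 1768.py's code: every single-byte key is applied to the encoded blob and a plausibility check picks out the decoding that has the expected structure. The configuration blob and its marker bytes are constructed placeholders here (the real tool checks for the structure it expects, which this post does not show); the key used to encode the sample is '!' (0x21), the non-standard key of the sample mentioned above.

```python
# Constructed stand-in for a configuration blob: a marker followed by a few
# made-up records. MARKER is a placeholder, not the real tool's check.
MARKER = b"CFG\x00"
SAMPLE_CONFIG = MARKER + b"\x00\x01\x00\x0f" + b"example.invalid" + b"\x00\x02\x01\xbb"


def xor_single_byte(data, key):
    """XOR every byte of data with one key byte (0..255)."""
    return bytes(b ^ key for b in data)


def starts_with_marker(decoded):
    return decoded.startswith(MARKER)


def brute_force_xor_keys(encoded, is_plausible=starts_with_marker):
    """Try all 256 single-byte XOR keys and return [(key, decoded)] for every
    decoding that is_plausible accepts. Key 0 (identity) is tried on purpose so
    an unencoded blob is recognised as well."""
    hits = []
    for key in range(256):
        decoded = xor_single_byte(encoded, key)
        if is_plausible(decoded):
            hits.append((key, decoded))
    return hits


# Encode the constructed config with key '!' (0x21).
ENCODED = xor_single_byte(SAMPLE_CONFIG, ord("!"))

if __name__ == "__main__":
    for key, decoded in brute_force_xor_keys(ENCODED):
        shown = chr(key) if 32 <= key < 127 else key
        print("key 0x%02x (%r): %r" % (key, shown, decoded[:24]))
```

A marker of a few bytes is enough to make the hit unique: a wrong key changes every byte, so only the correct key reproduces the marker. When the expected structure is richer than a fixed prefix, the predicate is where that knowledge goes; the search loop stays the same.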

1768_v0_0_18.zip (http)
MD5: 323D6D20483257D76D7F9DAD07AAF630
SHA256: 653CB75FF59C27FB9A2FD651DDE2EC81A4F577F7F9050353CB0B75DF6CA95773