Didier Stevens

Sunday 1 September 2024

Overview of Content Published in August

Filed under: Announcement — Didier Stevens @ 15:03
Here is an overview of content I published in August:

SANS ISC Diary entries:

Thursday 29 August 2024

Overview of Content Published in July

Filed under: Announcement — Didier Stevens @ 16:55
Here is an overview of content I published in July:

Blog posts: SANS ISC Diary entries:

Saturday 13 July 2024

Update: cut-bytes.py Version 0.0.17

Filed under: My Software,Update — Didier Stevens @ 15:09

–prefix and –suffix can now also be filenames.

cut-bytes_V0_0_17.zip (http)
MD5: 86D0692C6303248639A740E7A2AC4525
SHA256: D4FCFBD2305D7E5E97AB993741DF95B4565A882B0CD7DBA061D09578A1DDADA7

Thursday 11 July 2024

Update: oledump.py Version 0.0.77

Filed under: My Software,Update — Didier Stevens @ 19:59

This is an update for plugin plugin_biff.py.

Protected xls files (workbook protection, sheet protection) are protected with a password, but are not encrypted.

The password is hashed to a 16-bit hash called verifier, such a short hash gives ample opportunity for hash collisions.

I calculated passwords for all possible hash values (32768, or 0x8000) mostly with letters and digits, some with special characters (verifier table). This verifier table is not a rainbow table, because the table contains all possible hash values and a corresponding password.

If a verifier can not be cracked with a provided password list, the password will be taken from the verifier list.

Example: this spreadsheet has a sheet protected with password azeqsdwxc, which is not in the embedded password list (obtained from John The Ripper); thus the password from the verifier table is taken (bbbbhz):

Passwords azeqsdwxc and bbbbhz both hash to the same verifier value (0xd9b1), thus there is a hash collision, and both passwords can be used to unprotect the sheet.

oledump_V0_0_77.zip (http)
MD5: CC8E3BB7BFA8D6312F8371DADE414EE4
SHA256: 08A097FB2491072043BFD4032BEBC4B2994AEF94B99F3C68EFAEB56004AE7ECE

Sunday 7 July 2024

Update: hash.py Version 0.0.13

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a bugfix release for @files.

hash_V0_0_13.zip (http)
MD5: 43419BBB95FC1321EC6098AE369DEC26
SHA256: 88BD3A7B71BB2C8579F49E76E8069E7A5A4B23DCF1DB1716E5E2C9F78BFF6D5B

Saturday 6 July 2024

Overview of Content Published in June

Filed under: Announcement — Didier Stevens @ 8:28
Here is an overview of content I published in June:

Blog posts: SANS ISC Diary entries:

Tuesday 18 June 2024

Update: emldump.py Version 0.0.14

Filed under: My Software,Update — Didier Stevens @ 11:36

This small update for emldump adds support for UTF8 files that start with a BOM.

emldump_V0_0_14.zip (http)
MD5: 6DBA97A55A9BE0D94131F1F381868236
SHA256: 99E1254011C6738FC44E559B4A29A8D40C79822A946F853D12EF23E035CEE97B

Saturday 15 June 2024

Update: python-per-line.py Version 0.0.12

Filed under: My Software,Update — Didier Stevens @ 10:55

New option -O allows to use a function that receives a object per line as argument.

Like option -n, option -O is used to invoke a single Python function taking one argument, but this time the argument is an object in stead of a string. The object has several properties: item is the line (string), left is the previous line, right is the next line, index is equal to the line counter – 1.

python-per-line_V0_0_12.zip (http)
MD5: 16ADE95E968CAE357D1725659224FA0B
SHA256: 1B8D1D8B27A5F5D66FBAB5BACD0594B6A08E96EC03D0BAE08C616A3C172BFD0B

Friday 14 June 2024

MyJSON Tools

Filed under: My Software — Didier Stevens @ 0:00

I created a page with an intro to and overview of my MyJSON tools.

Thursday 13 June 2024

Update: InteractiveSieve Version 0.9.3.0

Filed under: Uncategorized — Didier Stevens @ 0:00

New features in this version of InteractiveSieve are:

Load and Split

With Load and Split; you can load a CSV file and split rows that have a field that contains more than one value, separated by a separator character.

Take this example:

IP,Count,Methods
10.0.0.220,5,GET
10.0.0.45,13554,GET|POST
10.0.0.135,54302,GET|HEAD|POST

Fields in column Methods can have more than one value: GET, POST and/or HEAD. These values are separated by a pipe | character.

Simply loading this CSV file in InteractiveSieve gives this:

While using Load and Split with separator | for column 3 (Methods) gives this:

Ignore Comments

The Options dialog has now a field “Ignore comments”:

This can be used to ignore each line that starts with the given line-comment character.

Take this CSV file for example:

#Produced 2024/06/01
IP,Count,Methods
10.0.0.220,5,GET
10.0.0.45,13554,GET|POST
#Extra comment
10.0.0.135,54302,GET|HEAD|POST

When loaded in InteractiveSieve without “Ignore comments” character, the result is this:

And providing line-comment character # gives this:

Show

The Show command in the right-click menu for a row gives this dialog:

Sum

The Sum command in the right-click menu for a cell can be used to sum the numerical values of that column. There is no need to convert the text to numbers first.

Group

And finally, there’s the Group command in the right-click menu for a column.

This is a bit the opposite of Load and Split.

Take this CSV file for example:

Let’s say I want to group Methods by IP address. First I specify that column IP is the index:

Next I select column Methods to Group:

And then I specify the separator (~ in this example):

The original values can be restored with Restore from group:

InteractiveSieve_V_0_9_3_0.zip (http)
MD5: 09FE2F374A789EDA8B9BC2A9DFE9E732
SHA256: A3AA9790772466953A3C37785C7F18E0B0201BC1CABEB8D12F674E0BDBF0FDA2

« Previous PageNext Page »

Blog at WordPress.com.