Didier Stevens

Friday 28 October 2022

The Making Of: qa-squeaky-toys.docm

Filed under: Hacking — Didier Stevens @ 0:00

qa-squeaky-toys.docm is a challenge I made for CSCBE 2022.

It’s a Word document with VBA code. But the VBA code has been “cleaned” by an anti-virus.

I was inspired by a real maldoc cleaned by a real anti-virus: “Maldoc Cleaned by Anti-Virus”.

Here is how I made this challenge.

I created a .docm file with the following VBA code:

I extracted the vbaProject.bin file from the OOXML file (.docm).

First, I removed all the compiled VBA code from stream 3; option -s 3c selects the compiled code stored in VBA stream 3.

I opened a copy of vbaProject.bin in a binary editor, searched for the bytes of the compiled code, and set them all to 0x00.

Then, at position 0x40 inside that stream, I wrote this ASCII text: “Cleaned by your favorite anti-virus!”.

Next, I shorten the compressed VBA source code. This is the compressed VBA source code (selected with -s 3v):

The first two bytes, F4 B0, form a little-endian integer: 0xB0F4. B holds some flags, and F4 is the length of the chunk of compressed VBA code. F4 hexadecimal is 244 decimal. I shorten this by 206 bytes, so I replace F4 with 26 (244 − 206 = 38 = 0x26) using a binary editor.

The result is that now, only the first line is readable, followed by some gibberish:

And to get rid of the gibberish, I also shorten the length of the stream. It is 1380 bytes long:

That’s 64 05 00 00 (1380 represented as a 32-bit little-endian unsigned integer).

I subtract 204: 1380 – 204 = 1176, or 98 04 00 00. I use the binary editor again to make this change.

Result:

How did I find the values to subtract? Educated guessing and trial and error. Why 2 different subtractions? Because that was also the case in the original sample that inspired me.
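The chunk-header and length edits described above, worked through in code. This is an added example (mine, not the post's tooling or the challenge file): a minimal MS-OVBA decompressor for the compressed source container, a literal-only compressor that builds a constructed sample container, and shrink_first_chunk(), which performs the same edit as the post, lowering the 12-bit size field of the first chunk. One caveat from the MS-OVBA specification: that field holds the chunk size minus 3, so F4 describes a 247-byte chunk including its 2-byte header. This decompressor stops at the first header without the 0b011 signature bits, so the shortened container yields only the first line; a decompressor that keeps going produces the gibberish seen in the post.

```python
import struct

def parse_chunk_header(hdr):
    """MS-OVBA CompressedChunkHeader: bits 0-11 size minus 3, bits 12-14 signature 0b011, bit 15 compressed."""
    return (hdr & 0x0FFF) + 3, ((hdr >> 12) & 0x7) == 0b011, bool(hdr >> 15)

def decompress_chunk(data):
    """Expand one compressed chunk's data: flag bytes, each announcing eight literal/copy tokens."""
    out, i = bytearray(), 0
    while i < len(data):
        flags, i = data[i], i + 1
        for bit in range(8):
            if i >= len(data): break
            if not (flags >> bit) & 1:            # literal token: one byte copied as-is
                out.append(data[i]); i += 1
            else:                                 # copy token: offset/length split depends on position in chunk
                token = struct.unpack_from("<H", data, i)[0]; i += 2
                bit_count = max((len(out) - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):
                    out.append(out[-offset])
    return bytes(out)

def decompress_container(container):
    """Walk a CompressedContainer (0x01, then chunks); stop at the first header lacking the 0b011 signature."""
    assert container[0] == 0x01, "not a CompressedContainer"
    pos, out = 1, bytearray()
    while pos + 2 <= len(container):
        size, ok, compressed = parse_chunk_header(struct.unpack_from("<H", container, pos)[0])
        if not ok:
            break                                 # stray source bytes after a shortened chunk land here
        chunk = container[pos + 2:pos + size]
        out += decompress_chunk(chunk) if compressed else chunk
        pos += size
    return bytes(out)

def compress_literal_chunk(source):
    data = bytearray()
    for k in range(0, len(source), 8):
        data += b"\x00" + source[k:k + 8]        # flag byte 0x00: the next eight tokens are literals
    return struct.pack("<H", 0xB000 | (len(data) - 1)) + bytes(data)   # size field = (2 + len) - 3

def shrink_first_chunk(container, delta):
    hdr = struct.unpack_from("<H", container, 1)[0]   # the post's edit: lower the size field (F4 -> 26)
    return container[:1] + struct.pack("<H", (hdr & 0xF000) | ((hdr & 0x0FFF) - delta)) + container[3:]

# Constructed sample source (not the challenge's VBA); its first line is 31 bytes long.
SOURCE = b'Attribute VB_Name = "Module1"\r\nSub Demo()\r\nMsgBox "hi"\r\nEnd Sub\r\n'
CONTAINER = b"\x01" + compress_literal_chunk(SOURCE)
```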

Monday 24 October 2022

Update: byte-stats.py Version 0.0.9

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of byte-stats.py, my tool to generate statistics for (binary) data, comes with an update to report the longest:

  • printable string (ASCII bytes between 0x20 and 0x7E included)
  • hexadecimal string (ASCII hexadecimal digits, not checking if the length is an even number)
  • BASE64 strings (ASCII BASE64 digits without padding character =, not checking if the length is a multiple of 4)

byte-stats_V0_0_9.zip (http)
MD5: 9187073EB63DE78BDACA1A3AB096DD19
SHA256: 6BC1F8A6FDAA4E8484B6C86E38E214BCBF24AB20F80C92D8AEE3C5EA402D2F0C
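Here is how those three longest-run statistics can be computed, as an added example (not byte-stats.py's own code), using exactly the character classes listed above and, like the tool, without checking the hexadecimal length for evenness or the BASE64 length for a multiple of 4. The sample bytes are constructed.

```python
import re

# Character classes as the post defines them for byte-stats.py 0.0.9; no length checks, like the tool.
PRINTABLE = re.compile(rb"[\x20-\x7e]+")       # ASCII 0x20..0x7E inclusive
HEXDIGITS = re.compile(rb"[0-9A-Fa-f]+")       # odd lengths are reported too
BASE64 = re.compile(rb"[0-9A-Za-z+/]+")        # no '=' padding; length need not be a multiple of 4

def longest_run(pattern, data):
    """Longest run of bytes matching pattern, or b'' if there is none."""
    return max(pattern.findall(data), key=len, default=b"")

def longest_strings(data):
    """The three 'longest' statistics for a blob of (binary) data."""
    return {"printable": longest_run(PRINTABLE, data),
            "hex": longest_run(HEXDIGITS, data),
            "base64": longest_run(BASE64, data)}

# Constructed sample: binary noise around a DOS stub string, a hex blob and a BASE64 blob.
SAMPLE = (b"\x00\x01\x02MZ\x90\x00 This program cannot be run in DOS mode.\r\n\x00\x00"
          b"deadbeefcafe0\x00\x01"
          b"SGVsbG8gd29ybGQ=\xff\xfe")
```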

Saturday 22 October 2022

Quickpost: Testing A Lemon Battery

Filed under: Hardware,Quickpost — Didier Stevens @ 21:59

In a chat with my colleagues, we were joking about charging smartphones with a lemon battery.

And I actually wanted to know what magnitude of electrical energy we were talking about.

So I connected a lemon battery to an electronic load:

I took a lemon, inserted a zinc and copper piece of metal (a couple centimeters deep) and connected an electronic load to draw 1 mA of current.

I let it run for a couple of hours until no more measurable current flowed.

The electronic load dissipated 0,034 Wh of electrical energy over that period. Hence, we can assume that the lemon battery delivered 0,034 Wh.

I’m sure the lemon battery could deliver more energy, by “resetting” it: cleaning the electrodes, inserting them in another place in the lemon, …

After a bit of searching through the web, I’m going to assume that a typical smartphone nowadays has a battery of 10 Wh. So we would need 294 times (10 Wh / 0,034 Wh) the electrical energy delivered by my lemon battery to charge a smartphone.

Except that the 0,9 V the lemon battery delivers is far from enough to charge via the USB interface. We need 5 V, so 5,555… lemon batteries connected in series.

On the screenshot above, you can also see that 37 mAh was measured. Notice that you cannot compare this to the mAh rating of a (smartphone) battery, because both values involve different voltages.

Comparing this to a button cell like a CR2032 (Dutch Wikipedia article, because there’s no English Wikipedia article): the CR2032 has a capacity of 225 mAh (on average) and a discharge voltage of 2.0 V. That’s 225 mAh * 2.0 V = 450 mWh, or 13 times more than my lemon battery (34 mWh).

Here are more pictures of the lemon after the experiment (one week later):


Quickpost info

Update: rtfdump.py Version 0.0.12

Filed under: My Software,Update — Didier Stevens @ 11:35

This version adds support for ZIP files encrypted with AES, via the pyzipper module.

rtfdump_V0_0_12.zip (http)
MD5: C3D4F69908A49265E3877D4338462534
SHA256: A40CC2744DE2D4C5956F5FD306357E7E105EC693B8BEA6E7E006C48EC78055BB

Thursday 13 October 2022

Update: base64dump.py Version 0.0.24

Filed under: My Software,Update — Didier Stevens @ 19:02

This is a small update, to add extra statistical information for decoded items.

base64dump_V0_0_24.zip (http)
MD5: 47FDC47A9235CEF2DF95D1FC12BC166E
SHA256: FAF376E267CE6937BAB7544EA4AF9DD40499886992E7DA3855C16C73C02276B1

Saturday 8 October 2022

Quickpost: Standby Power Consumption Of An Old Linear Power Supply

Filed under: Hardware,Quickpost — Didier Stevens @ 11:41

In my blog post “Quickpost: Standby Power Consumption Of My USB Chargers (120V vs 230V)”, I looked at the power consumption of several of my USB chargers in standby mode (i.e., not connected to a device to be charged).

These are switched-mode power supplies.

They consume considerably less standby power than linear power supplies, like this one:

These contain a transformer to step down from a high voltage (AC) to a low voltage (AC), followed by some electronic components, for example a diode bridge and capacitors, to convert the low-voltage AC into DC.

I tested this old power supply I had lying around, and it consumed 1.6836 Wh when tested with my power meter during one hour:

That’s 14,75 kWh per year, which is about 10 times more than my worst switched-mode power supply tested here.

So, if you plan to follow the advice of energy experts here in Europe (and watch out, quite a few are not experts at all, just echo chambers) and unplug the chargers you don’t use to reduce your electric energy consumption and save money, consider the following points.

  1. Start with your linear power supplies, they consume the most (a tip to recognize them: they are heavy compared to the switched-mode ones, because of the transformer; and they are old).
  2. If you are going to do this daily, take into account mechanical wear and tear, like on the pins of the power plug, the cables …
  3. To avoid that extra wear and tear, you can plug your power supplies into a power strip with a switch.
  4. I have a laptop power brick that regularly causes the power plug to spark when I plug it into a socket. That’s also something you want to avoid.

Quickpost info

Friday 7 October 2022

Overview of Content Published in September

Filed under: Announcement — Didier Stevens @ 16:42

Here is an overview of content I published in September:

Blog posts: YouTube videos: Videoblog posts: SANS ISC Diary entries:

Wednesday 28 September 2022

Update: rtfdump.py Version 0.0.11

Filed under: My Software,Update — Didier Stevens @ 21:40

This new version of rtfdump, my tool to analyze RTF files, brings JSON output for options -O and -F.

rtfdump_V0_0_11.zip (http)
MD5: AFC884082B251BF288B05203DD5D4F69
SHA256: CB3984924137897F75E62C3A835BB9197CBF1DDBD6BCFB3E18423999B06A36C8

Sunday 25 September 2022

Taking A Look At PNG Files with pngdump.py Beta Version 0.0.3

Filed under: Beta,My Software,Update — Didier Stevens @ 20:10

Here’s a new beta version of pngdump.py, my tool to analyze PNG files.

I took a look at all files on MalwareBazaar with a PNG tag, and made updates to pngdump.py to handle them.

I found 3 types of “PNG” files.

First, files spoofing PNG files: files that are not PNG files, but have a .png extension.

Like .exe and .rar files:

Second, valid PNG files with an appended payload:

Third, invalid PNG files. For example, PNG files with the right chunk structure, but where the zlib-compressed image data is replaced by an RC4-encrypted payload (IcedID):

I also have other samples, but that’s for another blog post.

Beta version 0.0.3 is available on GitHub.
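A small classifier for the three kinds of “PNG” file described above, added here as an example (my code, not pngdump.py's): it checks the signature, walks the chunks and their CRCs, tests whether the concatenated IDAT data is a zlib stream, and reports any bytes left after IEND. The samples are constructed inline; the non-zlib IDAT is a XORed stand-in for an encrypted payload, not IcedID data.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def classify_png(data):
    """Sort a file into the three kinds of 'PNG' from the post, or report a clean PNG."""
    if data[:8] != PNG_SIG:
        return "not a PNG (spoofed extension)"
    pos, idat, saw_iend = 8, bytearray(), False
    while pos + 12 <= len(data) and not saw_iend:          # each chunk: length, type, data, CRC
        length, ctype = struct.unpack_from(">I4s", data, pos)
        if pos + 12 + length > len(data):
            return "invalid PNG (truncated chunk %s)" % ctype.decode("ascii", "replace")
        body = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack_from(">I", data, pos + 8 + length)
        if zlib.crc32(ctype + body) != crc:
            return "invalid PNG (bad CRC in %s)" % ctype.decode("ascii", "replace")
        if ctype == b"IDAT":
            idat += body                                     # image data may span several IDAT chunks
        saw_iend = ctype == b"IEND"
        pos += 12 + length
    if not saw_iend:
        return "invalid PNG (no IEND chunk)"
    try:
        zlib.decompress(bytes(idat))                         # real image data is a zlib stream
    except zlib.error:
        return "invalid PNG (IDAT is not zlib data)"
    if pos < len(data):
        return "valid PNG with %d appended bytes" % (len(data) - pos)
    return "valid PNG"

def chunk(ctype, body):
    """Wrap a body as a PNG chunk with a correct CRC."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed samples (not from MalwareBazaar): a 1x1 8-bit grayscale PNG and three variations.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
IDAT = zlib.compress(b"\x00\x7f")                            # filter byte 0 + one pixel
GOOD_PNG = PNG_SIG + chunk(b"IHDR", IHDR) + chunk(b"IDAT", IDAT) + chunk(b"IEND", b"")
SPOOFED = b"MZ\x90\x00" + b"\x00" * 60                       # PE header bytes under a .png name
APPENDED = GOOD_PNG + b"<constructed payload after IEND>"
# Same chunk layout, but the IDAT body is XORed so it is no longer zlib (stand-in for an encrypted payload)
NOT_ZLIB = PNG_SIG + chunk(b"IHDR", IHDR) + chunk(b"IDAT", bytes(b ^ 0x5A for b in IDAT)) + chunk(b"IEND", b"")
```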

Thursday 22 September 2022

Quickpost: Tuning The Electric Energy Consumption Of My TV

Filed under: Hardware,Quickpost — Didier Stevens @ 0:00

TLDR: reducing the sound volume level of our TV has no (significant) impact on its electric energy consumption, but reducing the back-lighting does.

Here in Belgium, mainstream media is full of news with tips to reduce energy consumption.

Some good tips, some bad tips … That’s mainstream media for you 🙂

Recently, there was an article with the following tip: “reduce the sound volume level of your TV to save energy” … (I’m not linking to this article).

It is true that a speaker (and the audio amplifier) requires power. And that there is a positive correlation between electric energy consumption and sound volume level. Large speakers can draw quite some amps…

But I was a little doubtful that lowering the sound volume level of our TV by a few clicks would have a significant, measurable impact. Some time ago, I had already made measurements, and our TV drew 120 W at most. So I did not expect a big impact.

Anyway, one has to make measurements to know if there is a (significant) impact or not.

We have a 55 inch QLED Samsung TV from 2018. The test protocol I worked out is the following: start to play a long movie (LoTR) and measure the electric energy consumption during one hour exactly (with a GW Instek GPM-8310 digital power meter). Don’t touch the TV or remote while testing is going on, and make sure that no dynamic settings are enabled that can influence the electric energy consumption (like ambient light based brightness control).

I measured at 3 sound volume levels: 20, 19 and muted. And I did this twice.

Here are the results:

Sound level   Electric energy consumption (Wh)
20            117,74
19            117,74
0 (muted)     117,66

For our TV, there’s no difference between a sound volume level of 20 and 19.

And by completely muting the TV, we save 0,08 W. That’s a very small amount. To put that in perspective, we would have to watch 125 hours of muted TV to power a 10 W LED light bulb for 1 hour.

Of course, that’s for our TV. If you have a TV with a powerful soundbar and extra speakers, your measurements will be totally different.

While going through all the settings of our TV, there is one thing I noticed: the back-lighting setting was set to its maximum (20).

I reduced the back-lighting to 10 and measured again. That made a significant change: 77,666 Wh instead of 117,74 Wh (both at sound volume level 20, our usual setting). That’s a 34% reduction in electric energy consumption. That’s a significant reduction, but …, don’t forget that the back-lighting setting happened to be at its maximum.

We will keep it like that for the moment, and see if we still enjoy watching TV.


Quickpost info
