Didier Stevens

Usage: translate.py [options] [file-in] [file-out] command [script]
Translate bytes according to a Python expression

Example: translate.py -o svchost.exe.dec svchost.exe 'byte ^ 0x10'
"byte" is the current byte in the file, 'byte ^ 0x10' does an XOR 0x10
Extra functions:
  rol(byte, count)
  ror(byte, count)
  shl(bytes, count)
  shr(bytes, count)
  IFF(expression, valueTrue, valueFalse)
  Sani1(byte)
  Sani2(byte)
  ZlibD(bytes)
  ZlibRawD(bytes)
  GzipD(bytes)
Variable "position" is an index into the input file, starting at 0

Source code put in the public domain by Didier Stevens, no Copyright
Use at your own risk
https://DidierStevens.com

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -o OUTPUT, --output=OUTPUT
                        Output file (default is stdout)
  -s SCRIPT, --script=SCRIPT
                        Script with definitions to include
  -f, --fullread        Full read of the file
  -r REGEX, --regex=REGEX
                        Regex to search input file for and apply function to
  -R FILTERREGEX, --filterregex=FILTERREGEX
                        Regex to filter input file for and apply function to
  -e EXECUTE, --execute=EXECUTE
                        Commands to execute
  -2 SECONDBYTESTREAM, --secondbytestream=SECONDBYTESTREAM
                        Second bytestream
  -l, --literalfilenames
                        Do not interpret filenames
  -m, --man             print manual

Manual:

Translate.py is a Python script to perform bitwise operations on files
(like XOR, ROL/ROR, ...). You specify the bitwise operation to perform
as a Python expression, and pass it as a command-line argument.

translate.py malware -o malware.decoded "byte ^ 0x10"
This will read file malware, perform XOR 0x10 on each byte (this is,
expressed in Python: byte ^ 0x10), and write the result to file
malware.decoded.

byte is a variable containing the current byte from the input file.
Your expression has to evaluate to the modified byte. When your
expression evaluates to None, no byte will be written to output. This
can be used to delete bytes from the input.

For complex manipulation, you can define your own functions in a
script file and load this with translate.py, like this:

translate.py malware -o malware.decoded "Process(byte)" process.py
process.py must contain the definition of function Process. Function
Process must return the modified byte.

Another variable is also available: position. This variable contains
the position of the current byte in the input file, starting from 0.

If only part of the file has to be manipulated, while leaving the rest
unchanged, you can do it like this:

    def Process(byte):
        if position >= 0x10 and position < 0x20:
            return byte ^ 0x10
        else:
            return byte

This example will perform an XOR 0x10 operation from the 17th byte
till the 32nd byte included. All other bytes remain unchanged.

Because Python has built-in shift operators (<< and >>) but no rotate
operators, I've defined 2 rotate functions that operate on a byte: rol
(rotate left) and ror (rotate right). They accept 2 arguments: the
byte to rotate and the number of bit positions to rotate. For example,
rol(0x01, 2) gives 0x04.

translate.py malware -o malware.decoded "rol(byte, 2)"

Another function I defined is IFF (the IF Function): IFF(expression,
valueTrue, valueFalse). This function allows you to write conditional
code without an if statement. When expression evaluates to True, IFF
returns valueTrue, otherwise it returns valueFalse.

And yet 2 other functions I defined are Sani1 and Sani2. They can help
you with input/output sanitization: Sani1 accepts a byte as input and
returns the same byte, except if it is a control character. All
control characters (except VT, LF and CR) are replaced by a space
character (0x20). Sani2 is like Sani1, but sanitizes even more bytes:
it sanitizes control characters like Sani1, and also all bytes equal
to 0x80 and higher.

translate.py malware -o malware.decoded "IFF(position >= 0x10 and
position < 0x20, byte ^ 0x10, byte)"

By default this program translates individual bytes via the provided
Python expression. With option -f (fullread), translate.py reads the
input file as one byte sequence and passes it to the function
specified by the expression. This function needs to take one string as
an argument and return one string (the translated file).

Option -r (regex) uses a regular expression to search through the file
and then calls the provided function with a match argument for each
matched string. The return value of the function (a string) is used to
replace the matched string.
Option -R (filterregex) is similar to option -r (regex), except that
it does not operate on the complete file, but on the file filtered for
the regex.

Here are 2 examples with a regex. The input file (test-ah.txt)
contains the following: 1234&H41&H42&H43&H444321

The first command will search for strings &Hxx and replace them with
the character represented in ASCII by hexadecimal number xx:
translate.py -r "&H(..)" test-ah.txt "lambda m: chr(int(m.groups()[0],
16))"
Output: 1234ABCD4321

The second command is exactly the same as the first command, except
that it uses option -R in stead or -r:
translate.py -R "&H(..)" test-ah.txt "lambda m: chr(int(m.groups()[0],
16))"
Output: ABCD

Option -e (execute) is used to execute Python commands before the
command is executed. This can, for example, be used to import modules.
Here is an example to decompress a Flash file (.swf):
 translate.py -f -e "import zlib" sample.swf "lambda b:
zlib.decompress(b[8:])"

You can use build-in function ZlibD too, and ZlibRawD for inflating
without header, and GzipD for gzip decompression.

Build-in function Xor can be used for Xor decoding with a multi-byte
key, like in this example:

Example:
 translate.py -f #h#320700130717 "lambda data: Xor(data, b'abc')"
Output:
 Secret

A second file can be used as input with option -2. The value of the
current byte of the second input file is stored in variable byte2
(this too advances byte per byte together with the primary input
file).

Example:
 translate.py -2 #021230 #Scbpbt "byte + byte2 - 0x30"
Output:
 Secret

In stead of using an input filename, the content can also be passed in
the argument. To achieve this, prefix the text with character #.
If the text to pass via the argument contains control characters or
non-printable characters, hexadecimal (#h#) or base64 (#b#) can be
used.

Example:
 translate.py #h#89B5B4AEFDB4AEFDBCFDAEB8BEAFB8A9FC "byte ^0xDD"
Output:
 This is a secret!

File arguments that start with #e# are a notational convention to use
expressions to generate data. An expression is a single
function/string or the concatenation of several functions/strings
(using character + as concatenation operator).
Strings can be characters enclosed by single quotes ('example') or
hexadecimal strings prefixed by 0x (0xBEEF).
4 functions are available: random, loremipsum, repeat and chr.

Function random takes exactly one argument: an integer (with value 1
or more). Integers can be specified using decimal notation or
hexadecimal notation (prefix 0x).
The random function generates a sequence of bytes with a random value
(between 0 and 255), the argument specifies how many bytes need to be
generated. Remark that the random number generator that is used is
just the Python random number generator, not a cryptographic random
number generator.

Example:

tool.py #e#random(100)

will make the tool process data consisting of a sequence of 100 random
bytes.

Function loremipsum takes exactly one argument: an integer (with value
1 or more).
The loremipsum function generates "lorem ipsum" text (fake latin), the
argument specifies the number of sentences to generate.

Example: #e#loremipsum(2) generates this text:
Ipsum commodo proin pulvinar hac vel nunc dignissim neque eget odio
erat magna lorem urna cursus fusce facilisis porttitor congue eleifend
taciti. Turpis duis suscipit facilisi tristique dictum praesent
natoque sem mi egestas venenatis per dui sit sodales est condimentum
habitasse ipsum phasellus non bibendum hendrerit.

Function chr takes one argument or two arguments.
chr with one argument takes an integer between 0 and 255, and
generates a single byte with the value specified by the integer.
chr with two arguments takes two integers between 0 and 255, and
generates a byte sequence with the values specified by the integers.
For example #e#chr(0x41,0x45) generates data ABCDE.

Function repeat takes two arguments: an integer (with value 1 or more)
and a byte sequence. This byte sequence can be a quoted string of
characters (single quotes), like 'ABCDE' or an hexadecimal string
prefixed with 0x, like 0x4142434445.
The repeat function will create a sequence of bytes consisting of the
provided byte sequence (the second argument) repeated as many times as
specified by the first argument.
For example, #e#repeat(3, 'AB') generates byte sequence ABABAB.

When more than one function needs to be used, the byte sequences
generated by the functions can be concatenated with the + operator.
For example, #e#repeat(10,0xFF)+random(100) will generate a byte
sequence of 10 FF bytes followed by 100 random bytes.

To prevent the tool from processing file arguments with wildcard
characters or special initial characters (@ and #) differently, but to
process them as normal files, use option --literalfilenames.

translate_v2_5_12.zip (http)
MD5: 4B0C79AF8A1D41BA735C5030912E6C28
SHA256: 899109A9D787D6781AEB0569330A01709063BB3FD58F4AED068A57951B230F88