Didier Stevens


Usage: translate.py [options] [file-in] [file-out] command [script]
Translate bytes according to a Python expression

Example: translate.py -o svchost.exe.dec svchost.exe 'byte ^ 0x10'
"byte" is the current byte in the file, 'byte ^ 0x10' does an X0R 0x10
Extra functions:
  rol(byte, count)
  ror(byte, count)
  IFF(expression, valueTrue, valueFalse)
Variable "position" is an index into the input file, starting at 0

Source code put in the public domain by Didier Stevens, no Copyright
Use at your own risk

  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -o OUTPUT, --output=OUTPUT
                        Output file (default is stdout)
  -s SCRIPT, --script=SCRIPT
                        Script with definitions to include
  -f, --fullread        Full read of the file
  -r REGEX, --regex=REGEX
                        Regex to search input file for and apply function to
                        Regex to filter input file for and apply function to
  -e EXECUTE, --execute=EXECUTE
                        Commands to execute
                        Second bytestream
  -m, --man             print manual


Translate.py is a Python script to perform bitwise operations on files
(like XOR, ROL/ROR, ...). You specify the bitwise operation to perform
as a Python expression, and pass it as a command-line argument.

translate.py malware -o malware.decoded "byte ^ 0x10"
This will read file malware, perform XOR 0x10 on each byte (this is,
expressed in Python: byte ^ 0x10), and write the result to file

byte is a variable containing the current byte from the input file.
Your expression has to evaluate to the modified byte. For complex
manipulation, you can define your own functions in a script file and
load this with translate.py, like this:

translate.py malware -o malware.decoded "Process(byte)" process.py
process.py must contain the definition of function Process. Function
Process must return the modified byte.

Another variable is also available: position. This variable contains
the position of the current byte in the input file, starting from 0.

If only part of the file has to be manipulated, while leaving the rest
unchanged, you can do it like this:

    def Process(byte):
        if position >= 0x10 and position < 0x20:
            return byte ^ 0x10
            return byte

This example will perform an XOR 0x10 operation from the 17th byte
till the 32nd byte included. All other bytes remain unchanged.

Because Python has built-in shift operators (<< and >>) but no rotate
operators, I've defined 2 rotate functions that operate on a byte: rol
(rotate left) and ror (rotate right). They accept 2 arguments: the
byte to rotate and the number of bit positions to rotate. For example,
rol(0x01, 2) gives 0x04.

translate.py malware -o malware.decoded "rol(byte, 2)"

Another function I defined is IFF (the IF Function): IFF(expression,
valueTrue, valueFalse). This function allows you to write conditional
code without an if statement. When expression evaluates to True, IFF
returns valueTrue, otherwise it returns valueFalse.

And yet 2 other functions I defined are Sani1 and Sani2. They can help
you with input/output sanitization: Sani1 accepts a byte as input and
returns the same byte, except if it is a control character. All
control characters (except VT, LF and CR) are replaced by a space
character (0x20). Sani2 is like Sani1, but sanitizes even more bytes:
it sanitizes control characters like Sani1, and also all bytes equal
to 0x80 and higher.

translate.py malware -o malware.decoded "IFF(position >= 0x10 and
position < 0x20, byte ^ 0x10, byte)"

By default this program translates individual bytes via the provided
Python expression. With option -f (fullread), translate.py reads the
input file as one byte sequence and passes it to the function
specified by the expression. This function needs to take one string as
an argument and return one string (the translated file).

Option -r (regex) uses a regular expression to search through the file
and then calls the provided function with a match argument for each
matched string. The return value of the function (a string) is used to
replace the matched string.
Option -R (filterregex) is similar to option -r (regex), except that
it does not operate on the complete file, but on the file filtered for
the regex.

Here are 2 examples with a regex. The input file (test-ah.txt)
contains the following: 1234&H41&H42&H43&H444321

The first command will search for strings &Hxx and replace them with
the character represented in ASCII by hexadecimal number xx:
translate.py -r "&H(..)" test-ah.txt "lambda m: chr(int(m.groups()[0],
Output: 1234ABCD4321

The second command is exactly the same as the first command, except
that it uses option -R in stead or -r:
translate.py -R "&H(..)" test-ah.txt "lambda m: chr(int(m.groups()[0],
Output: ABCD

Option -e (execute) is used to execute Python commands before the
command is executed. This can, for example, be used to import modules.
Here is an example to decompress a Flash file (.swf):
 translate.py -f -e "import zlib" sample.swf "lambda b:
You can use build in function ZlibD too, and GzipD for gzip

A second file can be used as input with option -2. The value of the
current byte of the second input file is stored in variable byte2
(this too advances byte per byte together with the primary input

 translate.py -2 #021230 #Scbpbt "byte + byte2 - 0x30"

In stead of using an input filename, the content can also be passed in
the argument. To achieve this, precede the text with character #.
If the text to pass via the argument contains control characters or
non-printable characters, hexadecimal (#h#) or base64 (#b#) can be

 translate.py #h#89B5B4AEFDB4AEFDBCFDAEB8BEAFB8A9FC "byte ^0xDD"
 This is a secret!

translate_v2_5_4.zip (https)
MD5: C07B37F7AFA0386315843E6A493721C1
SHA256: A2203C643FC8BC64A98DCA3EE1F9444BE16F5D5C2036AC0200A6BA657786C5EC


  1. This is _very_ inefficient:
    def rol(byte, count):
    while count > 0:
    byte = (byte <> 7) & 0xFF
    count -= 1
    return byte

    This should work faster:
    def rol(byte, count):
    byte = (byte <> (8 – count)) & 0xFF
    return byte

    Comment by io — Thursday 10 July 2008 @ 15:58

  2. I believe you wanted to write this:

    def rol(byte, count):
    byte = (byte << count | byte >> (8 – count)) & 0xFF
    return byte

    You’ll be surprised by the gain in performance: about 10%
    Translating a 3MB file with the original ROL (rolling 4 bits) takes 168 seconds, translating the same file with the faster ROL takes 155 seconds.

    There is a huge overhead in the translation of each byte by the eval function:
    outbyte = eval(command)

    For every byte, Python has to parse, compile and execute the command. Parsing and compiling takes much more time than the loop in the original ROL command. This is _very_ ineffecient, but _very_ flexible. You can provide your own Python expression without having to edit the translate program.

    I used a loop in the ROL and ROR commands for didactic reasons. Manipulating bits is very foreign for most people, even programmers. I believe my version is more readable and understandable, and thus extendable by other people.

    But you’re right, removing inner loops adds to the performance. But in this specific case, most CPU cycles go to the eval function, and not to the loop.

    Anyways, thanks for your comment, I’ll have to think about how to include your code. Maybe I can leave the original ROL and use your code for the ROR 😉

    Comment by Didier Stevens — Thursday 10 July 2008 @ 21:05

  3. I think the posting process somehow managed to steal some of my text (especially since the first function is copy&pasted from your post), but yes, that’s what I wanted to write. 🙂

    And _especially_ for didactic reasons I think the code should be as good as possible, since other people are learning from it. The folks who don’t understand bit operations should probably stay away from decryption & malware analysis altogether… might do more harm than good. 😉

    As for the optimality of the rest of the code, I’ve only skimmed it I’m affraid. I was actually looking for an efficient way of doing ROL/ROR in .py, and that’s how I stumbled over your code. I have plenty of experience with Python, and by accident I work in the malware anlysis industry myself. 🙂 Getting back to the efficiency issue, I’m probably going to write a ROL/ROR module in C/asm to make it efficient enough. That code might even be worth including…


    Comment by io — Friday 11 July 2008 @ 12:27

  4. hi,

    this is nice … thanks

    Comment by sanjeev — Wednesday 21 April 2010 @ 10:40

  5. Hey Didier,

    I used the code from translate to build a Mcafee .BUP file decoder. Here’s the code:

    # Mcafee .BUP File XOR converter
    # Based on Didier Stevens “Translate.py”
    # https://blog.didierstevens.com/programs/translate/
    # Usage: nobup.py file.bup
    import sys

    if len(sys.argv) != 2:
    print ‘usage: ./nobup.py file.bup’
    encoded = open(sys.argv[1], ‘rb’)
    bup = (sys.argv[1] + ‘.decoded.bin’)
    decoded = open(bup, ‘wb’)
    command = ‘byte ^ 0x6A’
    position = 0
    while True:
    inbyte = encoded.read(1)
    if not inbyte:
    byte = ord(inbyte)
    outbyte = eval(command)
    position += 1

    Comment by Lucas Lyon — Saturday 10 July 2010 @ 2:22

  6. […] time ago, Chris John Riley reminded me of a program I had written, published … and forgotten: translate.py. Apparently, it is used in SANS […]

    Pingback by Update: translate.py | Didier Stevens — Wednesday 16 July 2014 @ 19:37

  7. […] also decode the downloaded file with my translate program and the IpkfHKQ2Sd […]

    Pingback by Analysis Of An Office Maldoc With Encrypted Payload (Slow And Clean) | Didier Stevens — Friday 6 November 2015 @ 0:00

  8. […] Translate is a Python tool to translate files; you give it a Python expression that converts the input file byte per byte to the output file. […]

    Pingback by Update: translate.py V2.1.0 | Didier Stevens — Sunday 8 November 2015 @ 0:01

  9. […] at the ISC Diary I have an entry on Locky JavaScript Deobfuscation. I use my translate tool to perform part of the static […]

    Pingback by Update: translate.py Version 2.2.0 for Locky JavaScript Deobfuscation | Didier Stevens — Sunday 28 February 2016 @ 10:45

  10. […] this update of my translate program, I added support for searching and replacing with regular […]

    Pingback by Update translate.py Version 2.3.0 | Didier Stevens — Tuesday 26 April 2016 @ 0:00

  11. […] needed to decompress the content of a Flash file (.swf). I thought of using my translate.py program with a command to inflate (zlib) the content (minus the header of 8 bytes): lambda b: […]

    Pingback by Update: translate.py Version 2.3.1 | Didier Stevens — Monday 19 September 2016 @ 0:00

  12. […] oledump.py, translate.py, […]

    Pingback by Maldoc VBA: .pub File | Didier Stevens Videos — Tuesday 11 October 2016 @ 10:39

  13. […] added a feature similar to “here files” to translate.py. It’s something I already did in […]

    Pingback by Update: translate.py Version 2.4.0 | Didier Stevens — Sunday 26 February 2017 @ 9:19

  14. […] Windows, where you have no gzip (unless you use Cygwin or a similar solution), you can use my translate.py […]

    Pingback by Gzip Decompression Via Pipes | Didier Stevens — Thursday 4 May 2017 @ 0:00

  15. […] just show how I would have used my translate.py tool to remove the […]

    Pingback by I Will Follow (no, not talking about social media) | Didier Stevens — Thursday 6 July 2017 @ 20:54

  16. […] I analyzed a malicious document send by a reader of the Internet Storm Center, and to decode the payload I wanted to use my tool translate.py. […]

    Pingback by Update: translate.py Version 2.5.0 | Didier Stevens — Monday 31 July 2017 @ 20:17

  17. […] 3 positions to the left) and analyzing the result. To subtract 3 from every byte, we use program translate.py. translate.py takes a file as input and an arithmetic operation: operation “byte – […]

    Pingback by Decoding malware via simple statistical analysis | NVISO LABS – blog — Wednesday 30 August 2017 @ 13:18

  18. […] Office. I will use my zipdump.py tool to extract the XML file with the content, and then use sed or translate.py to strip out XML […]

    Pingback by New Tool: xmldump.py | Didier Stevens — Monday 18 December 2017 @ 0:00

  19. […] to analyze a malicious document, carrying embedded PowerShell scripts with Gzip compression. I use translate.py to do the Gzib decompression as I explained in this blog […]

    Pingback by Update: translate.py Version 2.5.2 | Didier Stevens — Tuesday 30 January 2018 @ 0:00

  20. […] some thinking, I thought I could use my translate program to select every 4th byte (position % 4 == 3) and then calculate byte statistics. But actually, […]

    Pingback by Update: translate.py Version 2.5.3 | Didier Stevens — Sunday 18 February 2018 @ 0:00

  21. […] Tools: translate.py […]

    Pingback by Fileless Input Options – Didier Stevens Videos — Sunday 17 June 2018 @ 22:09

  22. […] once decoded and decompressed, we will end up with another PowerShell script. translate.py has a function (GzipD) to decompress GZip compressed […]

    Pingback by PowerShell Inside a Certificate? – Part 2 – NVISO Labs — Wednesday 1 August 2018 @ 7:18

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.