Decrypting With translate.py

You’ve probably encountered malicious PowerShell scripts with an encrypted payload (shellcode, PowerShellScript, …). Here is an example that I created: Update: this example is on pastebin: https://pastebin.com/QUGiWTHj There are 2 BASE64 strings in this script. The first one (cfr. variable $cfii) is the encryption key. The second one (cfr. variable...

2w

Update: oledump.py Version 0.0.55

This new version of oledump.py brings extra JSON support and a new indicator. Existing option -j (–jsonoutput) produces JSON output: a JSON object with the content of each individual stream (BASE64 encoded). This option (-j) can now be used together with option -v (–vbadecompress) to produce a JSON object with the VBA code (BASE64 encoded) of each...

2w

oledump Indicators

Each stream and storage can have an indicator in oledump.py‘s output: You’ll probably know M and m: they are indicators that appear often. Here is an overview of all possible indicators: M: Macro (attributes and code) m: macro (attributes without code) E: Error (code that throws an error when decompressed) !: Unusual macro (code without attributes)...

2w

Update: translate.py Version 2.5.10

This is a Python 3 bug fix version. translate_v2_5_10.zip (https) MD5: DB9574D664257263C51FE7C74C7B281E SHA256: E8993B3F2C25A92A9F4583636E1CEF79D79649B29FFF56EAA9AF8A30FCF9B9A6

3w

The Qwerty Effect And Passwords

I recently learned about the Qwerty effect on a podcast: baby names are more likely to contain characters (percentual) from the right hand on a Qwerty keyboard than characters from the left hand. This got me wondering: what about passwords? I wrote a Python program and let it run on the rockyou password list: There is a qwerty effect in this list:...

3w

1768 K

According to Wikipedia, 1768 Kelvin is the melting point of the metal cobalt. This tool decodes and dumps the configuration of Cobalt Strike beacons. You can find a sample beacon here. 1768_v0_0_3.zip (https) MD5: 73DB2E96EE5B6427AF6CCE2672F91CB2 SHA256: C06850A132B89F5E8C127E43FD5CC42051706CDF058EB2D688BC8BD3043E6E02

3w

Quickpost: Portable Power

I did some tests to generate electricity (230V AC) with a portable 12V battery (well, it’s 10 Kg). I have a 12V VRLA battery with a capacity of 35,000 mAh. That’s 12V times 35 Ah = 420 Wh. Or equivalent to a 116,667 mAh (420,000 mWh / 3.6 V) USB powerbank. Charging this 12V battery with a 12V battery charger connected to a 230V power outlet takes...

4w

Overview of Content Published in October

Blog posts: Update: oledump.py Version 0.0.54 Quickpost: 4 Bytes To Crash Excel Update: translate.py version 2.5.9 Update: strings.py Version 0.0.5 Pascal Strings Quickpost: VMware OS Version Snapshots YouTube videos: oledump.py: plugin_msg_summary strings.py: Pascal strings Measuring a USB Cable – 4-Wire Method Videoblog posts: oledump.py:...

4w

Quickpost: VMware OS Version Snapshots

Whenever I upgrade the operating system of my virtual machines, I take a snaphot right after the upgrade. This gives me a tree of different OS versions: I give each snapshot a small descriptive name, that starts with the date of the snapshot (YYYYMMDD). This allows me to revert to older versions to experiment with patched vulnerabilities, like...

4w

Update: strings.py Version 0.0.5 Pascal Strings

This new version of strings.py, my tool to extract strings from arbitrary files, adds option -P to add support for Pascal strings. A Pascal string is a string that is internally stored with a length-prefix: an integer that counts the number of characters inside the string. The Unix strings command, and my strings.py tool, can extract Pascal strings...

Oct 2020