Didier Stevens

(blog 'DidierStevens)

Latest articles

Decrypting With translate.py

You’ve probably encountered malicious PowerShell scripts with an encrypted payload (shellcode, PowerShellScript, …). Here is an example that I created: Update: this example is on pastebin: https://pastebin.com/QUGiWTHj There are 2 BASE64 strings in this script. The first one (cfr. variable $cfii) is the encryption key. The second one (cfr. variable...

Update: oledump.py Version 0.0.55

This new version of oledump.py brings extra JSON support and a new indicator. Existing option -j (--jsonoutput) produces JSON output: a JSON object with the content of each individual stream (BASE64 encoded). This option (-j) can now be used together with option -v (--vbadecompress) to produce a JSON object with the VBA code (BASE64 encoded) of each...

oledump Indicators

Each stream and storage can have an indicator in oledump.py's output: You'll probably know M and m: they are indicators that appear often. Here is an overview of all possible indicators: M: Macro (attributes and code) m: macro (attributes without code) E: Error (code that throws an error when decompressed) !: Unusual macro (code without attributes)...

Update: translate.py Version 2.5.10

This is a Python 3 bug fix version. translate_v2_5_10.zip (https) MD5: DB9574D664257263C51FE7C74C7B281E SHA256: E8993B3F2C25A92A9F4583636E1CEF79D79649B29FFF56EAA9AF8A30FCF9B9A6

The Qwerty Effect And Passwords

I recently learned about the Qwerty effect on a podcast: baby names are more likely to contain characters (proportionally) typed with the right hand on a Qwerty keyboard than characters typed with the left hand. This got me wondering: what about passwords? I wrote a Python program and let it run on the rockyou password list: There is a qwerty effect in this list:...

1768 K

According to Wikipedia, 1768 Kelvin is the melting point of the metal cobalt. This tool decodes and dumps the configuration of Cobalt Strike beacons. You can find a sample beacon here. 1768_v0_0_3.zip (https) MD5: 73DB2E96EE5B6427AF6CCE2672F91CB2 SHA256: C06850A132B89F5E8C127E43FD5CC42051706CDF058EB2D688BC8BD3043E6E02

Quickpost: Portable Power

I did some tests to generate electricity (230V AC) with a portable 12V battery (well, it’s 10 kg). I have a 12V VRLA battery with a capacity of 35,000 mAh. That’s 12V times 35 Ah = 420 Wh. Or equivalent to a 116,667 mAh (420,000 mWh / 3.6 V) USB powerbank. Charging this 12V battery with a 12V battery charger connected to a 230V power outlet takes...

Overview of Content Published in October

Blog posts: Update: oledump.py Version 0.0.54 Quickpost: 4 Bytes To Crash Excel Update: translate.py version 2.5.9 Update: strings.py Version 0.0.5 Pascal Strings Quickpost: VMware OS Version Snapshots YouTube videos: oledump.py: plugin_msg_summary strings.py: Pascal strings Measuring a USB Cable – 4-Wire Method Videoblog posts: oledump.py:...

Quickpost: VMware OS Version Snapshots

Whenever I upgrade the operating system of my virtual machines, I take a snapshot right after the upgrade. This gives me a tree of different OS versions: I give each snapshot a small descriptive name that starts with the date of the snapshot (YYYYMMDD). This allows me to revert to older versions to experiment with patched vulnerabilities, like...

Update: strings.py Version 0.0.5 Pascal Strings

This new version of strings.py, my tool to extract strings from arbitrary files, adds option -P to add support for Pascal strings. A Pascal string is a string that is internally stored with a length-prefix: an integer that counts the number of characters inside the string. The Unix strings command, and my strings.py tool, can extract Pascal strings...
