My Software Archives | Forensic Blogs

March 30, 2020 by Didier Stevens

Update: msoffcrypto-crack.py Version 0.0.5

This new version of msoffcrypto-crack.py, a tool to crack encrypted MS Office documents, comes with a new option to generated a password dictionary based on the filename of the document.

Option -p allows the user to provide a dictionary file. Use value #f to generate a dictionary based on the filename: This will generate a dictionary of all possible substrings of the filename.

I had to analyze an encrypted spreadsheet yesterday, and the password was in the name, like this:

msoffcrypto-crack_V0_0_5.zip (https)
MD5: 1514DA367DCFF7051AB117266CE65BD3
SHA256: FEEFDD89134083EA19936494C8FCBD05804B3B9C0D4C5FBAFE06578D466B50AE

March 28, 2020 by Didier Stevens

Update: oledump.py Version 0.0.49

This new version of oledump comes with an update to plugin_biff by @JohnLaTwC to improve formula parsing.

oledump_V0_0_49.zip (https)
MD5: 1EF0B466A80C034F10770F8A235EBE7B
SHA256: BD8CAD9EDB99B6063A9A36B8B83EB3416484CEC244A01CA2F08BB032402FF147

March 26, 2020 by Didier Stevens

Carving PE Files With pecheck.py

I added a feature to my tool pecheck.py to help extract embedded PE files from any host file: -l –locate.

pecheck.py expects a PE file as input, but if you use option -l P, it will read any file an look for embedded PE files by searching for a DOS header (MZ) followed by a PE header, that can then be parsed by pefile without errors.

Like in this example, where I created a PNG file with a 32-bit and a 64-bit DLL appended:

One PE file can then be selected for further analysis:

Or for extraction:

Here is a video with more details: