You are browsing the archive for Software Releases.

Hunting for a better hex dump tool

January 23, 2017 in, Reversing, Software Releases

Many command line tools are written with an ancient 80×25 terminal size in mind and as such their output is often limited (at least, for a current standard). This is quite amazing that a concept of writing tools destined for such a small terminal is so omnipresent given the fact high resolution computer screens, as well as dual- and multi- monitor setups are now such a common thing.

With this in mind a few years ago I coded a simple hex dump tool which I now use quite often – it gives me a better output than a typical hexdump, and… it was a fun exercise to do. The script is written in perl, fully portable (no dependencies) and… it can for sure be a) buggy b) improved in many ways – use at your own risk 🙂

The idea that I came with was based on a large amount of unused space I have observed on my terminal (one that I use on Windows). It is typically at least 140×50 and even more, when needed. As such, the 80 columns used by the standard hex dump tool leaves an empty space of at least 70 characters…

Let’s have a look at cygwin’s hexdump ran in a canonical mode:

I had an idea that this gap could be utilized to present more data. So, my script prints the output similar to the canonical output of hexdump, plus a bonus. The bonus includes:

  • the data decimal offset
  • extracted strings (both ANSI and wide) that start within the current line

The output looks like this:

Isn’t that cool?

You can immediately copy many of the strings to clipboard w/o using strings tool.

This is how to run the script:

perl <filename>
perl -s <filename>
perl -S <filename>
-s - extract strings
-S - extract strings, and skip output lines w/o strings

You can download the script here.

If you find any bugs or run into any issue, please let me know.

DeXRAY 1.7 – ccSubSdk files – part 2

September 18, 2016 in Batch Analysis, Compromise Detection, DeXRAY, File Formats ZOO, Forensic Analysis, Incident Response, Malware Analysis, Software Releases

I have added a buggy routine that attempts to interpret the content of the decrypted ccSubSdk files; this is based purely on looking at the file properties – at first I noticed that there are many GUID-like values that appear in the files many times and across many files. Then looking at the layout I tried to split the data by using these GUIDs as dividers – this was helpful and led to a better understanding of how these chunks are structured. Some patterns started emerging and in the end the serialization character of the file layout became more apparent. Walking through trial-and-error I put together a raw parser that attempts to make a better sense of the data records.

The tool stores the hexadecimal dumps of the interpreted data in .met files that are now accompanying all decrypted out files for both submission.idx and actual submission files. You will find errors in some of the output files, but atm it’s the best it can do. Work in progress 🙂

The output is tagged using  ‘###’ f.ex.:

### GUID
      21 A3 05 3F B7 43 78 45 93 C8 CD C5 F6 4A 14 9A  !..?.CxE.....J..
      22 00 00 00                                      "...

      01 00 00 00                                      ....

      01 00 00 00                                      ....

      13 00 00 00                                      ....

      4D 72 43 6C 65 61 6E 20 53 75 62 6D 69 73 73 69  MrClean Submissi
      6F 6E 00                                         on.

      MrClean Submission

The following identifiers are now being used:

  • STRING-A – String ANSI
  • STRING-W – String Wide (Unicode-16LE)
  • BLOB – binary blob
  • GUID – 16 bytes long GUID-like data

The latest version of DeXRAY can be found here.