keyboardcrunch/unhide.py

## unhide.py
#!/usr/bin/python3

"""
./oledump.py -p plugin_biff --pluginoptions "-o bound -a" sample.xls
  1:      4096 '\x05DocumentSummaryInformation'
  2:       236 '\x05SummaryInformation'
  3:    104629 'Workbook'
               Plugin: BIFF plugin
                 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible
                 ' 00000000: CA D9 00 00 00 00 06 00  \xca\xd9......'
                  00000008: 53 68 65 65 74 31        Sheet1
                 0085     18 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, very hidden
                 ' 00000000: DE 0D 01 00 02 01 0A 00  \xde.......'
                  00000008: 54 36 55 31 61 35 47 6C  T6U1a5Gl
                  00000010: 38 4C                    8L

./unhide.py -hex "DE 0D 01 00 02 01 0A 00" -file sample.xls
original :	DE 0D 01 00 02 01 0A 00
patched  :	DE 0D 01 00 00 01 0A 00

"""

def patch(filename, hexstring):
    fixed = list(hexstring)
    fixed[13] = "0"
    fixed = "".join(fixed)

    badbytes = bytearray.fromhex(hexstring)
    fixbytes = bytearray.fromhex(fixed)

    fh = open(filename, 'r+b')
    s = fh.read()
    try:
        found = s.find(badbytes)
        fh.seek(found)
        fh.write(fixbytes)
        fh.close()
        print("original :\t" + hexstring)
        print("patched  :\t" + fixed)
    except:
        print("'%s'  not found in file!\r\nThis workbook may already be patched." % hexstring)

if __name__ == "__main__":
    import os
    import sys
    import argparse

    parser = argparse.ArgumentParser(description='The Excel workbook unhider.',
                                    epilog='Example: ./unhide.py -hex "DE 0D 01 00 02 01 0A 00" -file sample.xls')
    parser.add_argument('-hex', action='store', type=str, help='hex string for hidden macro sheet', required=True)
    parser.add_argument('-file', action='store', type=str, help="file to patch", required=True)

    args = parser.parse_args()

    if not os.path.exists(args.file):
        print('Specified file cannot be found!')
        sys.exit()
    else:
        filename = args.file
        hexstring = args.hex
        patch(filename, hexstring)
	#!/usr/bin/python3

	"""
	./oledump.py -p plugin_biff --pluginoptions "-o bound -a" sample.xls
	1: 4096 '\x05DocumentSummaryInformation'
	2: 236 '\x05SummaryInformation'
	3: 104629 'Workbook'
	Plugin: BIFF plugin
	0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible
	' 00000000: CA D9 00 00 00 00 06 00 \xca\xd9......'
	00000008: 53 68 65 65 74 31 Sheet1
	0085 18 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, very hidden
	' 00000000: DE 0D 01 00 02 01 0A 00 \xde.......'
	00000008: 54 36 55 31 61 35 47 6C T6U1a5Gl
	00000010: 38 4C 8L

	./unhide.py -hex "DE 0D 01 00 02 01 0A 00" -file sample.xls
	original : DE 0D 01 00 02 01 0A 00
	patched : DE 0D 01 00 00 01 0A 00

	"""

	def patch(filename, hexstring):
	fixed = list(hexstring)
	fixed[13] = "0"
	fixed = "".join(fixed)

	badbytes = bytearray.fromhex(hexstring)
	fixbytes = bytearray.fromhex(fixed)

	fh = open(filename, 'r+b')
	s = fh.read()
	try:
	found = s.find(badbytes)
	fh.seek(found)
	fh.write(fixbytes)
	fh.close()
	print("original :\t" + hexstring)
	print("patched :\t" + fixed)
	except:
	print("'%s' not found in file!\r\nThis workbook may already be patched." % hexstring)

	if __name__ == "__main__":
	import os
	import sys
	import argparse

	parser = argparse.ArgumentParser(description='The Excel workbook unhider.',
	epilog='Example: ./unhide.py -hex "DE 0D 01 00 02 01 0A 00" -file sample.xls')
	parser.add_argument('-hex', action='store', type=str, help='hex string for hidden macro sheet', required=True)
	parser.add_argument('-file', action='store', type=str, help="file to patch", required=True)

	args = parser.parse_args()

	if not os.path.exists(args.file):
	print('Specified file cannot be found!')
	sys.exit()
	else:
	filename = args.file
	hexstring = args.hex
	patch(filename, hexstring)