rxwx/decode.py Secret

## decode.py
from oletools.olevba import VBA_Parser
import uuid
import re
import sys
import os

X64_CHUNKS_REG = re.compile(r'\#If\s+Win64(.*?)\#Else', re.S | re.I)
X86_CHUNKS_REG = re.compile(r'\#Else\s+?Dim(.*?)\#End', re.S | re.I)
UUID_REG = re.compile(r'[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}', re.I)

def dump_shellcode(filename, buf, arch):
    out = b''
    if arch == 'x64':
        reg = X64_CHUNKS_REG
    else:
        reg = X86_CHUNKS_REG

    for chunk in re.findall(reg, buf):
        for u in re.findall(UUID_REG, chunk):
            out += uuid.UUID(u).bytes_le

    outfile = 'shellcode_{}_{}.bin'.format(filename, arch)
    with open(outfile, 'wb') as f:
        f.write(out)

    print("Wrote {} shellcode to: {}".format(arch, outfile))

if (len(sys.argv) != 2):
    print(' Usage: dump.py <file.doc>')
    sys.exit(1)

vbaparser = VBA_Parser(sys.argv[1])
basename = os.path.basename(sys.argv[1])

for (filename, stream_path, vba_filename, vba_code) in vbaparser.extract_macros():
    print(vba_code)
    dump_shellcode(basename, vba_code, 'x86')
    dump_shellcode(basename, vba_code, 'x64')
	from oletools.olevba import VBA_Parser
	import uuid
	import re
	import sys
	import os

	X64_CHUNKS_REG = re.compile(r'\#If\s+Win64(.*?)\#Else', re.S \| re.I)
	X86_CHUNKS_REG = re.compile(r'\#Else\s+?Dim(.*?)\#End', re.S \| re.I)
	UUID_REG = re.compile(r'[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}', re.I)

	def dump_shellcode(filename, buf, arch):
	out = b''
	if arch == 'x64':
	reg = X64_CHUNKS_REG
	else:
	reg = X86_CHUNKS_REG

	for chunk in re.findall(reg, buf):
	for u in re.findall(UUID_REG, chunk):
	out += uuid.UUID(u).bytes_le

	outfile = 'shellcode_{}_{}.bin'.format(filename, arch)
	with open(outfile, 'wb') as f:
	f.write(out)

	print("Wrote {} shellcode to: {}".format(arch, outfile))

	if (len(sys.argv) != 2):
	print(' Usage: dump.py <file.doc>')
	sys.exit(1)

	vbaparser = VBA_Parser(sys.argv[1])
	basename = os.path.basename(sys.argv[1])

	for (filename, stream_path, vba_filename, vba_code) in vbaparser.extract_macros():
	print(vba_code)
	dump_shellcode(basename, vba_code, 'x86')
	dump_shellcode(basename, vba_code, 'x64')